Drupal is an open source software package which provides a Content management system (CMS) for websites including MTV, Popular Science, Sony Music, Harvard and MIT. Drupal is used to power roughly 1 billion websites on Internet, which puts Drupal in third place behind the juggernaut Wordpress and then Joomla.
Drupal’s security team has released a "public service announcement" on Wednesday for its users to warn them of the SQL injection attack revealed two weeks ago, compromising almost 12 million of the widely used Drupal 7 websites. Users are asked to immediately update their websites to Drupal 7.32 within seven hours of the announcement of the vulnerability.
"Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before October 15, 11pm UTC, that is seven hours after the announcement," the Drupal security announcement said.
The vulnerability became public on October 15 and, according to Drupal security team, shortly after the disclosure, attackers began exploiting it using "automated attacks." The most worrying part of the bug is that it allows a hacker to compromise a target website without the need of authentication and the attack leave no trace afterward.
The "highly critical" SQL injection vulnerability actually resides in the Drupal Core that’s designed specifically to help prevent SQL injection attacks. By exploiting the flaw in a vulnerable version of the Drupal CMS, hackers could steal personal information from the website or in some cases could install a backdoor on compromised systems to allow them remote access. In short, it can lead to a complete website compromise.
Moreover, Drupal security team also says that in some cases attackers may have actually installed a backdoor on compromised systems and then applied the patch for website admins in order to ensure that no other hacker can get access to the target site.
"Updating to version 7.32 or applying the patch fixes the vulnerability, but does not fix an already compromised website. If you find that your site is already patched but you didn't do it, that can be a symptom that the site was compromised — some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site."
In case, if an attacker have added any backdoor to a system upon which a vulnerable Drupal 7 is installed, then, according to the Drupal security team, you are recommended to take the sites offline, delete all their files and databases, restore them from backups made before Oct. 15 and then patch the sites before bringing them back online.
You can also follow below points to restore a vulnerable site:
- Take the website offline by replacing it with a static HTML page
- Notify the server's administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
- Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
- Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
- Update or patch the restored Drupal core code
- Put the restored and patched/updated website back online
- Manually redo any desired changes made to the website since the date of the restored backup
- Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.
Users can download the latest and updated Drupal version 7.32 against the Highly critical vulnerability from the official Drupal website.