Drupal – Public Service Announcement


Drupal has reported on its website a serious security vulnerability affecting Drupal 7 websites. This Drupal Public Service Announcement is a follow-up to SA-CORE-2014-005 - Drupal core - SQL injection. (This is not an announcement of a new vulnerability in Drupal.)




Automated attacks are compromising Drupal 7 websites that are not patched or updated to Drupal 7.32. Drupal users should proceed under the assumption that every Drupal 7 website has been compromised, unless updated or patched before Oct 15th, 11pm UTC.

We recommend that all customers with a Drupal website update their software as soon as possible.

Damage control

Attackers may have created access points for themselves (“backdoors”) in your database, code, files directory and other locations. In addition, they may have copied your data from your site and may be using it maliciously.

Take a look at Drupal's help documentation, “If your Drupal site gets hacked - now what”, and learn more about Drupal security.

Versions affected: Drupal core 7.x versions prior to 7.32.

Solution: Install the latest version. Upgrade to Drupal core 7.32.

Updating to version 7.32 or applying the patch does not fix an already compromised website. If you find that your site is already patched but you did not do it, this could be a symptom that the site was compromised. In some attacks, the patch is applied to guarantee that the hackers are in control of the site.

Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. In addition, they may have copied all your data from your site and may be using it maliciously.
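A first-pass triage of the code and files directory locations named above, as an added example (not code from Drupal or from this announcement). It assumes you pass in the site root and the path of the files directory relative to it; the function name, the extension list and the cutoff year (taken from the advisory ID) are assumptions of this example.

```python
import os
import sys
from datetime import datetime, timezone

# Cutoff from the announcement: Oct 15th, 11pm UTC. The year 2014 is inferred
# from the advisory ID SA-CORE-2014-005 (assumption of this example).
CUTOFF = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc).timestamp()

# Extensions treated as PHP code here (assumption; match your server config).
SCRIPT_EXT = (".php", ".phtml", ".inc", ".module", ".install")


def triage(site_root, files_dir, cutoff=CUTOFF):
    """Return (scripts_in_files_dir, code_changed_after_cutoff).

    Both lists hold sorted paths relative to site_root. files_dir is the
    upload/files directory relative to site_root, supplied by the caller.
    """
    site_root = os.path.abspath(site_root)
    uploads = os.path.normpath(os.path.join(site_root, files_dir))
    in_uploads, changed = [], []
    for dirpath, _dirs, names in os.walk(site_root):
        for name in names:
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, site_root)
            if os.path.commonpath([path, uploads]) == uploads:
                # Code has no business living where uploads are stored.
                in_uploads.append(rel)
            elif os.lstat(path).st_mtime > cutoff:
                # Changed after the cutoff: compare against a clean release.
                changed.append(rel)
    return sorted(in_uploads), sorted(changed)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: triage.py SITE_ROOT FILES_DIR_RELATIVE_TO_ROOT")
    uploads_hits, changed_hits = triage(sys.argv[1], sys.argv[2])
    for rel in uploads_hits:
        print("SCRIPT IN FILES DIR       ", rel)
    for rel in changed_hits:
        print("CODE CHANGED AFTER CUTOFF ", rel)
```

Modification times can be reset by whoever controls the server, so an empty result does not show the site is clean, and this check does not look at the database at all.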

Please read the following information from Drupal and follow the recovery steps to ensure your website is secure.

For more information about downloads, read Drupal's core project page.
