Assume Every Drupal 7 Website is Compromised

SektionEins, a German security firm, discovered an SQL injection flaw in Drupal 7.x websites on October 15, 2014. The vulnerability lies in Drupal's database abstraction API, which accepted specially crafted requests that result in SQL injection. Through it, an attacker can mount a wide variety of attacks, including privilege escalation and arbitrary PHP execution. Drupal issued a highly critical security advisory (SA-CORE-2014-005 | CVE-2014-3704) and a patched release, Drupal core 7.32, to address the issue.

In the wake of this advisory, numerous exploits rapidly appeared in the wild, launching automated attacks against unpatched systems. On October 29, 2014, Drupal issued a separate public advisory warning users to “proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before October 15th, 11 PM UTC, that is 7 hours after the announcement.”

The advisory goes further: simply updating to version 7.32 is not enough. If the website was not patched immediately after the advisory was released, there is a chance it is already compromised, and the patch does not remove any backdoors that may already have been installed. Moreover, if you did not update the site yourself and yet find it already patched, this may itself be a sign of compromise, as an attacker may have applied the patch to guarantee sole control.
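The "already patched, but not by you" warning sign is easy to miss unless you compare the code actually on disk with your own deployment record. The script below is an added example for this article, not Drupal's code or tooling. It assumes that the core version is the VERSION constant in includes/bootstrap.inc, that the 7.32 fix changed one loop in DatabaseConnection::expandArguments() (includes/database/database.inc) from `foreach ($data as $i => $value)` to `foreach (array_values($data) as $i => $value)`, and that you keep a record of the last version you installed yourself; the sample tree it builds for testing is constructed data.

```python
"""Check whether a Drupal 7 tree carries the SA-CORE-2014-005 fix and
compare that with the version you actually deployed.

Added example for this article, not Drupal's own code.  Assumptions:
  * the core version is the VERSION constant in includes/bootstrap.inc;
  * the 7.32 fix changed one loop in DatabaseConnection::expandArguments()
    (includes/database/database.inc) from `foreach ($data as $i => $value)`
    to `foreach (array_values($data) as $i => $value)`;
  * you keep a deployment record of the last version *you* installed.
"""
import pathlib
import re

FIXED_VERSION = (7, 32)  # first release containing the fix

# The line introduced by the 7.32 patch; its presence means the fix is in,
# even if VERSION was left at 7.31 because the one-line patch was applied by hand.
FIX_MARKER = re.compile(
    r"foreach\s*\(\s*array_values\s*\(\s*\$data\s*\)\s+as\s+\$i\s*=>\s*\$value\s*\)"
)
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'(\d+)\.(\d+)[^']*'\s*\)")


def read_core_version(root):
    """Return (major, minor) from includes/bootstrap.inc."""
    text = (pathlib.Path(root) / "includes" / "bootstrap.inc").read_text(errors="replace")
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("VERSION constant not found in includes/bootstrap.inc")
    return int(m.group(1)), int(m.group(2))


def has_expand_arguments_fix(root):
    """True if expandArguments() contains the array_values() fix."""
    path = pathlib.Path(root) / "includes" / "database" / "database.inc"
    return FIX_MARKER.search(path.read_text(errors="replace")) is not None


def assess(root, version_you_deployed):
    """Classify a site as 'unpatched', 'patched', 'patched-by-someone-else'
    or 'inconsistent' (VERSION claims >= 7.32 but the code lacks the fix)."""
    reported = read_core_version(root)
    if not has_expand_arguments_fix(root):
        return "unpatched" if reported < FIXED_VERSION else "inconsistent"
    if tuple(version_you_deployed) < FIXED_VERSION:
        # Code is fixed but your own record says you never applied it:
        # exactly the "already patched, but not by you" warning sign.
        return "patched-by-someone-else"
    return "patched"


def make_sample_tree(root, version, fixed):
    """Write a constructed two-file stand-in for a Drupal 7 tree (test data only)."""
    root = pathlib.Path(root)
    (root / "includes" / "database").mkdir(parents=True, exist_ok=True)
    (root / "includes" / "bootstrap.inc").write_text(
        "<?php\ndefine('VERSION', '%s');\n" % version
    )
    loop = "array_values($data)" if fixed else "$data"
    (root / "includes" / "database" / "database.inc").write_text(
        "<?php\n  protected function expandArguments(&$query, &$args) {\n"
        "    foreach (array_filter($args, 'is_array') as $key => $data) {\n"
        "      foreach (%s as $i => $value) {\n" % loop +
        "        $new_keys[$key . '_' . $i] = $value;\n      }\n    }\n  }\n"
    )


if __name__ == "__main__":
    import sys  # usage: python check_drupal.py /path/to/drupal 7.31
    root, deployed = sys.argv[1], tuple(int(x) for x in sys.argv[2].split("."))
    print(read_core_version(root), assess(root, deployed))
```

The decisive signal is the code marker, not the version string: a hand-applied one-line patch leaves VERSION at 7.31, while an edited VERSION with the old loop still in place is reported as inconsistent rather than patched. A result of patched-by-someone-else is the case the advisory tells you to treat as a possible compromise.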

Drupal recommends contacting your hosting provider to find out whether they applied the patch. If they did not, or if they failed to block SQL injection attacks within the hours following the October 15 announcement, take the following measures:

  1. Take your website offline and replace it with a static HTML page.
  2. Notify your server’s administrator, as other sites or applications hosted on the same server may have been compromised too.
  3. Consider moving to a new server, or removing all of your website’s files and database (DB) from the current one. Keep copies of the files and DBs, as they can be useful for later analysis.
  4. Restore the website from backups done before October 15, 2014.
  5. Update or patch the restored Drupal core code.
  6. Put the restored and patched/updated website back online.
  7. Manually redo any changes made to the website since the date of the restored backup.
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm that it has not been tampered with.

Note: Drupal’s advisory discourages recovery that does not restore from backup as it may not remove all installed backdoors.
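Step 3 tells you to keep copies of the compromised site, and step 8 tells you to audit anything you carry over from it. The script below is an added example for this article, not Drupal's tooling: it hashes every file in the clean backup and in the preserved copy of the compromised site, reports what was added, removed or modified, and separately lists server-side code that appeared under an upload directory, since that is where a dropped backdoor usually lands. It assumes both trees are plain directories (for example, extracted archives), and UPLOAD_DIRS is an assumption about where a Drupal 7 site stores user-supplied files; the two sample trees it builds are constructed test data.

```python
"""Audit a preserved copy of a possibly compromised Drupal site against the
clean backup it is being restored from.

Added example for this article, not Drupal's own tooling.  Assumes both
trees are plain directories (e.g. extracted from the archives you kept in
step 3).  UPLOAD_DIRS is an assumption about where a Drupal 7 site stores
user-supplied files; adjust it to your installation.
"""
import hashlib
import pathlib

UPLOAD_DIRS = ("sites/default/files/", "sites/all/files/")  # assumed upload locations
SERVER_CODE = (".php", ".phtml", ".php5", ".inc")           # executed by PHP if requested


def hash_tree(root):
    """Map each regular file's path (relative, POSIX form) to its SHA-256."""
    root = pathlib.Path(root)
    digests = {}
    for p in root.rglob("*"):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(backup_root, suspect_root):
    """Return added / removed / modified paths and the subset to look at first."""
    before, after = hash_tree(backup_root), hash_tree(suspect_root)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    # Server-side code that appeared (or changed) inside an upload directory is the
    # classic place for a dropped backdoor, so it is reported separately.
    suspicious = [p for p in added + modified
                  if p.endswith(SERVER_CODE) and p.startswith(UPLOAD_DIRS)]
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious": sorted(suspicious)}


def build_sample(base):
    """Constructed test data: a 'backup' tree and a 'suspect' tree with three differences."""
    base = pathlib.Path(base)
    files = {
        "index.php": "<?php\nrequire_once 'includes/bootstrap.inc';\n",
        "includes/bootstrap.inc": "<?php\ndefine('VERSION', '7.31');\n",
        "CHANGELOG.txt": "Drupal 7.31, 2014-08-06\n",
        "sites/default/files/logo.png": "not really a png\n",
    }
    for tree in ("backup", "suspect"):
        for rel, body in files.items():
            path = base / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    suspect = base / "suspect"
    # The suspect copy has one changed core file, one deleted file, and one PHP
    # file that appeared in the upload directory (all constructed, not real IoCs).
    (suspect / "includes" / "bootstrap.inc").write_text("<?php\ndefine('VERSION', '7.32');\n")
    (suspect / "CHANGELOG.txt").unlink()
    (suspect / "sites" / "default" / "files" / "cache.php").write_text("<?php // constructed stand-in\n")
    return base / "backup", suspect


if __name__ == "__main__":
    import sys  # usage: python audit_trees.py /path/to/clean-backup /path/to/compromised-copy
    report = compare_trees(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        print(kind, *paths, sep="\n  ")
```

Run it with the backup you restored from as the first argument and the preserved copy of the compromised site as the second. Anything in the modified list is code you should diff by hand before carrying it over in step 7, and the suspicious list is what to read first; a database dump kept in step 3 deserves the same treatment, since the advisory notes that backdoors need not live in files at all.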

Drupal is a major player in the field of open-source website content management. About 24% of .GOV websites use Drupal.
