Drupal Websites Likely Compromised Unless Patched Within Hours Of October 15 Warning

Chuck Bednar for redOrbit.com – Your Universe Online
As many as 12 million websites powered by the Drupal open source content management platform may have been compromised by cyber attacks exploiting a bug in the software, various media outlets reported late last week.
According to BBC News, representatives of the free and open-source content-management framework have said that anyone using Drupal to manage web content, images, text and video that did not apply a patch for a recently-discovered vulnerability should operate under the assumption that they had been victimized by automated attacks which can allow hackers to take control of their websites.
In an announcement posted to the company’s website, members of the Drupal Security Team said that websites using Drupal 7 that had not patched to version 7.32 within seven hours of an October 15 announcement “should proceed under the assumption” that their website “was compromised.”
“If you have not updated or applied this patch, do so immediately,” they added. However, they cautioned that updating to version 7.32 or applying the patch fixes the vulnerability but does not clean up a website that has already been compromised. “If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised,” since some attackers applied the patch themselves to ensure that no one else could gain control of the website.
Mark Stockley, an analyst at security firm Sophos, told BBC News that the warning issued by Drupal was “shocking,” and that the vulnerability made it possible for attackers to seize control of a server or use websites to infect unsuspecting users with malware. Stockley estimated that up to 5.1 percent of the billions of websites on the Internet use Drupal 7 to manage content, meaning that upwards of 12 million websites may need to be patched.
“Content management systems have become an increasingly popular target of attackers over the past three years,” noted Robert Lemos of Ars Technica. “Last year, for example, attackers used brute-force password guessing to attempt to gain control over Web servers running a variety of content management systems,” including Drupal and WordPress.
“Content management systems are frequently used by large companies, and these tend to be slow to patch their systems,” he added. “Such sites would likely take days to patch, not hours, and would be vulnerable if not protected by additional security, according to Daniel Cid, chief technology officer and founder of website security firm Sucuri. Compromised corporate Web servers could mean that sites that are widely trusted had begun distributing malware.”
“This is a recipe for disaster,” Cid said in a blog post, according to Lemos. “If it’s true and those websites are in fact compromised, they could be leveraged and daisy chained for a massive malware distribution campaign. Take that into consideration with the size and audience of brands and the impact grows exponentially.”
The Drupal security team also posted recovery instructions for users who might have been affected by the security flaw, especially in cases where attackers may have created backdoors or access points in the site’s database, code, files directory and other locations. First, they recommend that website owners contact their hosting providers to check and see if they patched Drupal or blocked SQL injection attacks following the October 15 announcement.
If they did not, the Drupal team encourages restoring the website to a backup version dated prior to October 15. First, website owners should take their pages offline and replace them with a static HTML page, then they should notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised through a backdoor installed during the initial attack.
They also said that users should either consider obtaining a new server, or removing all of the website’s files and database from the existing one before restoring the website. They should then update or patch the restored Drupal core code, put the restored and patched/updated website back online, and manually redo any changes that had been made to the website since the date of the restored backup.
“Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with,” they added. “While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.”
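As an added example (not code from the article or from the Drupal project), the kind of check the recovery steps above call for: read the core version a Drupal 7 site reports and diff its files against a known-good tree (a pristine 7.32 core or a pre-October-15 backup) to surface the "patched, but not by you" symptom and any code planted in core or the public files directory. The file layout assumed (includes/bootstrap.inc, sites/default/files) is the standard Drupal 7 one; the sample trees are constructed.

```python
import hashlib, os, re, tempfile

def drupal_version(site_dir):
    """Read the core VERSION constant from includes/bootstrap.inc (Drupal 7 layout)."""
    with open(os.path.join(site_dir, "includes", "bootstrap.inc")) as fh:
        match = re.search(r"define\('VERSION',\s*'([\d.]+)'\)", fh.read())
    return match.group(1) if match else None

def _hashes(root):
    """Map every file under root (slash-separated relative path) to its SHA-256 hex digest."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return out

def audit_tree(reference_dir, site_dir):
    """Diff the live site against a known-good tree (pristine 7.32 core, or a pre-October-15 backup)."""
    ref, live = _hashes(reference_dir), _hashes(site_dir)
    added = sorted(set(live) - set(ref))
    removed = sorted(set(ref) - set(live))
    modified = sorted(p for p in ref if p in live and ref[p] != live[p])
    # Core code must match the reference byte for byte, and PHP does not belong in the public
    # files directory: both are places the Drupal advisory says backdoors get planted.
    suspicious = sorted(
        [p for p in modified if p.startswith(("includes/", "modules/"))]
        + [p for p in added + modified if p.startswith("sites/default/files/") and p.endswith(".php")])
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}

def build_sample():
    """Constructed sample trees: a clean 7.32 reference, and a live site that reports 7.32 although the owner never patched it, with a PHP file dropped into the files directory."""
    base = tempfile.mkdtemp()
    trees = {
        "ref": {"includes/bootstrap.inc": "define('VERSION', '7.32');\n",
                "includes/database/database.inc": "<?php // clean 7.32 code\n"},
        "live": {"includes/bootstrap.inc": "define('VERSION', '7.32');\n",
                 "includes/database/database.inc": "<?php // clean 7.32 code\n// unexplained extra line\n",
                 "sites/default/files/cache.php": "<?php // constructed placeholder, not a real shell\n"},
    }
    for name, files in trees.items():
        for rel, text in files.items():
            path = os.path.join(base, name, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
    return os.path.join(base, "ref"), os.path.join(base, "live")
```

A version string of 7.32 that the owner never installed, or any entry in `suspicious`, is the cue to follow the Drupal team's advice and restore or rebuild rather than try to clean in place.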