Assume Every Drupal 7 Site Was Compromised Unless Patched Instantly

Threatpost.com reported on 30th October, 2014 quoting a warning of the maintainers of the Drupal CMS (content management system) as "any website owners who haven't fixed a critical flaw in Drupal Core revealed in early October 2014 should consider their websites to be compromised."

On 15th October, 2014 the vulnerability became public which is a flaw in SQL injection in a Drupal module that is designed especially to thwart SQL injection attacks. Shortly after the leakage of the vulnerability, cybercriminals started abusing it employing automated attacks. One of the reasons for making this vulnerability so challenging is that it enables an attacker to compromise a target website without an account and there may be no sign of the attack later.

Threatpost.com reported on 30th October, 2014 quoting a maintainer of Drupal as "You should proceed assuming that every Drupal 7 site was compromised unless patched or updated before 15th October, 11pm UTC which is 7 hours later than the announcement."

Attackers are exploiting the vulnerability by employing automated tools and installing a backdoor Trojan on compromised machines in some cases and then fixing the fault to ensure that no other cybercriminal can gain access to the target website.

While users are advised to apply the patch immediately, it's essential to realize that applying the patch will not secure an already compromised website.

Securityweek.com published a report on 29th October, 2014 quoting an explanation in an advisory as "If you find your site is already patched without doing it by you, then it may be a symptom of compromising of site as some attacks apply patch to guarantee that they are the only attacker controlling the site."

Attackers might have copied the data of the site and could use it maliciously leaving no sign behind.

It is very difficult to clean the websites of all the backdoors which might have been planted by hackers and it does not guarantee that all access points have been found. This is the reason for the Drupal Security Team to recommend rebuilding from scratch or restoring a backup of the site taken before the disclosure of the vulnerability on 15th October, 2014.

» SPAMfighter News - 11/10/2014