Attackers who exploited a bug in version 7 of the Drupal open-source content management platform may have compromised up to 12 million websites.
Drupal has issued a security warning and said that organisations that did not apply the patch within seven hours of the bug’s discovery on 15 October should presume their websites have been hacked.
There may be no trace of the attack, so organisations should investigate whether hackers have taken any data.
This creates a major problem for many websites, for two reasons:
- Applying the patch does not remove any backdoor the attackers may already have implanted in the system.
- Some attackers applied the patch themselves on sites they had compromised, to keep out rival attackers, which makes it harder for the owners to tell whether their website has been compromised.
If you think you may have been affected, Drupal recommends that you:
- Take the website offline by replacing it with a static HTML page.
- Notify the server’s administrator, emphasising that other sites or applications hosted on the same server may have been compromised via a backdoor installed by the initial attack.
- Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
- Restore the website (Drupal files, uploaded files and database) from backups made before 15 October 2014.
- Update or patch the restored Drupal core code.
- Put the restored and patched/updated website back online.
- Manually redo any desired changes made to the website since the date of the restored backup.
- Audit anything merged from the compromised website, such as custom code, configuration, files, or other artefacts, to confirm they are correct and have not been tampered with.
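The final audit step above is easiest to do mechanically: hash every file in the tree restored from a pre-15 October 2014 backup, hash whatever was merged back from the compromised site, and list what was added, modified or removed. The script below is an added example, not part of the article or of Drupal's own tooling; the directory layout and file contents it builds are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_trees(baseline_dir, candidate_dir):
    """Return sorted (added, modified, removed) paths of candidate vs baseline."""
    base, cand = hash_tree(baseline_dir), hash_tree(candidate_dir)
    # Added or modified files are what the audit must explain or reject.
    added = sorted(p for p in cand if p not in base)
    removed = sorted(p for p in base if p not in cand)
    modified = sorted(p for p in cand if p in base and cand[p] != base[p])
    return added, modified, removed

def build_demo():
    """Constructed sample trees (not real Drupal code) for a stand-alone run."""
    baseline = tempfile.mkdtemp(prefix="drupal_clean_")
    candidate = tempfile.mkdtemp(prefix="drupal_merged_")
    clean = {
        "index.php": b"<?php // front controller\n",
        "sites/default/settings.php": b"<?php $databases = array();\n",
    }
    for root in (baseline, candidate):
        for rel, body in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
    # Simulated tampering in the merged copy: one edited file, one new file.
    with open(os.path.join(candidate, "sites/default/settings.php"), "ab") as fh:
        fh.write(b"// line of unknown origin\n")
    extra = os.path.join(candidate, "sites/default/files/cache.php")
    os.makedirs(os.path.dirname(extra), exist_ok=True)
    with open(extra, "wb") as fh:
        fh.write(b"<?php // should not be here\n")
    return baseline, candidate

if __name__ == "__main__":
    for label, paths in zip(("added", "modified", "removed"), diff_trees(*build_demo())):
        print(label, paths)
```

Run it against the real backup and merged trees by passing their paths to `diff_trees`; every path it reports must be accounted for before the site goes back online.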
It’s recommended that all websites perform regular penetration tests to identify their vulnerabilities. IT Governance is a CREST member company, meaning that our penetration tests meet rigorous standards mandated by CREST. For more information on conducting a penetration test, email us or call +44 (0) 845 070 1750.