Security Update: Critical Alert - Drupal 7 Websites (non-centrally managed) May be Compromised - Immediate Action Required
Drupal 7 Users
Drupal announced that, within hours of the October 15, 2014 announcement of the SQL injection vulnerability, automated attacks began compromising Drupal 7 websites that had not been patched or updated to Drupal 7.32.
Drupal states you should proceed under the assumption that every Drupal 7 website was compromised unless it was updated or patched before Oct 15th, 11pm UTC, that is, 7 hours after the announcement.
Advanced Users: For the full Public Announcement refer to Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003 at https://www.drupal.org/PSA-2014-003.
- Drupal 7 websites not managed by UCSF IT
Note: Per UCSF IT (centralized Drupal administrators), sites hosted by central IT were patched within the time frame listed.
WHAT'S THE PROBLEM?
Attackers may have copied all data out of your site and could use it maliciously; and there may be no trace of the attack.
WHAT DO YOU NEED TO DO?
- Simply updating to Drupal 7.32 will not remove backdoors.
- If you have not updated or applied this patch, do so immediately, then continue reading the announcement, Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003 at https://www.drupal.org/PSA-2014-003.
Note: Updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website.
- If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.
- If your website is compromised, refer to Drupal's Help - “Your Drupal site got hacked, now what” at https://www.drupal.org/node/2365547 on how to recover.
- Once you’ve contained the compromise, report the breach to IT Security by submitting a ticket through the IT Service Desk at http://help.ucsf.edu.