Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Assume Drupal 7 sites are compromised, unless patched or updated to 7.32 within hours

Any Drupal 7 website not patched or updated to Drupal 7.32 within seven hours of the announcement of a highly critical SQL injection vulnerability – CVE-2014-3704 – should be considered compromised, according to a public service announcement posted to the Drupal website on Wednesday.

Automated attacks came quickly, the post indicates, explaining some attackers applied the patch to ensure they are the only person in control of the site. Applying the patch or updating to Drupal 7.32 now does not remove backdoors, which could exist in the database, code, files directory and other locations.

“Attackers may have copied all data out of your site and could use it maliciously,” according to the post. “There may be no trace of the attack.”

The Drupal security team recommends restoring to a backup from prior to Oct. 15, or rebuilding from scratch.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.