If you own a Drupal website version 7 then your site may be affected by the recently discovered Drupal flaw which allows an attacker to modify or even take over a site.





Drupal warned about it earlier this month, but millions of Drupal sites still vulnerable to this attack. Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection





Updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.





How To Recover Compromised Websites

Attackers may have created access points for themselves in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.





Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.





The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014:





✔ Take the website offline by replacing it with a static HTML page.





✔ Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack.





✔ Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)





✔ Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014.





✔ Update or patch the restored Drupal core code.





✔ Put the restored and patched/updated website back online.





✔ Manually redo any desired changes made to the website since the date of the restored backup.





✔ Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.





While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.