

From the SANS Newsbites Digest:
http://www.sans.org/newsletters/newsbites/xvi/87#304

DRUPAL TEAM WARNS USERS TO ASSUME SITES ARE COMPROMISED (OCTOBER 29 & 30, 2014)

The Drupal security team says that users should assume that all Drupal 7 websites have been compromised unless they were patched within seven hours of the October 15, 11pm UTC announcement of a vulnerability that could be exploited through an SQL injection attack. Automated attacks were launched within hours of the flaw's disclosure. While updating to the most recent version, 7.32, does fix the vulnerability, websites that were compromised prior to the update will remain compromised. The team recommends that sites be restored with backups created before October 15.

-http://www.scmagazine.com/assume-drupal-7-sites-are-compromised-unless-patched-or-updated-to-732-within-hours/article/380303/

-http://www.computerworld.com/article/2841320/drupal-warns-unpatched-users-assume-your-site-was-hacked.html

-http://www.theregister.co.uk/2014/10/30/drupal_sites_considered_hosed_if_sqli_hole_unclosed/

-http://www.zdnet.com/drupal-warns-unless-you-patched-within-seven-hours-youre-hacked-7000035219/

[Editor's Note (Ullrich): Please don't underestimate this Drupal vulnerability. We received multiple reports of compromises that took advantage of this vulnerability. For the most part, the attacks were pretty simple and it should be easy to spot an affected system. Many of the compromised systems are being used as DDoS bots. As usual, start by getting a good inventory of Drupal sites either passively by observing traffic, or by using standard vulnerability scanning tools.]