The popular Drupal CMS has suffered from a major SQL injection vulnerability that was patched a few weeks ago. However, shortly after the patch was made available, automated remote exploits targeting the vulnerability started making their rounds.
From the PSA posted on the Drupal website:
“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”
Just in time for Halloween, there is a spooky angle to the exploit. If you find that your Drupal instance has already been patched and neither you nor your hosting provider did it, it might be a sign the system has been compromised.
The announcement states “some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.” It also states that the site and data may have already been copied and there may be no trace that the system was compromised.
The announcement states that if you or your hosting provider did not patch your Drupal instance or block the SQL injection attacks, you should restore your installation from a backup made before October 15th and install the patch immediately.
The full extent of this compromise will unfold over the coming days, weeks and months due to the popularity and broad distribution of the CMS. Many popular websites, including famous brands and publications, use Drupal. There are more than a million websites using vulnerable versions, according to Drupal’s own statistics, which are based on the Update Status module.