On October 15, the Drupal Security Team announced they had found a vulnerability that allowed attackers to build a backdoor to Drupal 7 websites and to steal data from them.

A patch was quickly released (Drupal v. 7.32) by the Drupal security team to remove this vulnerability.

However, attackers quickly went to work by trying to access millions of Drupal websites and their data. Today, the Drupal Security Team announced that anyone who had not applied the patch within hours of the announcement (by 11PM UTC on October 15, 4PM Pacific Time or 7PM Eastern Time on October 15) has probably been compromised.

How do I know if I’ve been hacked?

According to the Drupal Security Team, it can be difficult to know if your site has been compromised. Interestingly,

If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.

Otherwise, it can be very difficult to figure out if your site has been compromised. Backdoors often hide deep within your website’s code or database and it can take a very long time to comb through everything.

So, whether or not you can prove that you’ve been hacked, unless you applied the patch within hours of the October 15 announcement, you should assume that you have been compromised and act accordingly.
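A first-pass triage script for the symptom described above, added here as an example (it is not from the original post or from the Drupal project). It assumes a standard Drupal 7 layout, where includes/bootstrap.inc defines the VERSION constant, and it takes the docroot path and a reference timestamp as arguments; the timestamp is interpreted in the server’s local time zone, so convert the 11PM UTC cutoff accordingly.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage of a Drupal 7
# docroot after the October 15 advisory. Assumes the standard Drupal 7 layout
# in which includes/bootstrap.inc contains: define('VERSION', '7.xx');

# Print the Drupal core version declared in includes/bootstrap.inc.
drupal_version() {
  docroot="$1"
  sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" "$docroot/includes/bootstrap.inc"
}

# Return 0 (true) when the installed core is older than 7.32, i.e. still unpatched.
# A missing or unparseable version is treated as unpatched.
needs_patch() {
  v=$(drupal_version "$1")
  case "$v" in
    7.*)
      minor=${v#7.}
      minor=${minor%%[!0-9]*}      # drop suffixes such as "-dev"
      [ -n "$minor" ] && [ "$minor" -lt 32 ]
      ;;
    *) return 0 ;;
  esac
}

# List files under the docroot modified after a reference timestamp given as
# YYYYMMDDhhmm (local time). If the site reports 7.32 but you did not apply the
# update yourself, a bootstrap.inc or database.inc in this list is exactly the
# "already patched, but not by me" symptom; unexpected .php files are worth a look too.
files_changed_since() {
  docroot="$1"; stamp="$2"
  ref=$(mktemp)
  touch -t "$stamp" "$ref"         # POSIX touch/find; no GNU -newermt needed
  find "$docroot" -type f -newer "$ref"
  rm -f "$ref"
}

# Usage (assumed paths):
#   drupal_version /var/www/drupal
#   needs_patch /var/www/drupal && echo "core older than 7.32"
#   files_changed_since /var/www/drupal 201410151600
```

Run it from a shell on the web server, or against the forensic copy rather than the live site. A clean version check is necessary but not sufficient: the timestamp listing is what distinguishes "I patched it" from "someone else patched it".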

Okay, so what do I do now?

There are a few ways to deal with a compromised website. You can keep it and painstakingly discover and eliminate the backdoors. You can revert to a pre-October 15 version of your website (with the patch applied, of course). As a last resort, you can scrap your current website and start from scratch.

Whatever you do, however, make sure that you first save a copy of your current website (called a “forensic copy”) for future reference.

Keeping your website

This is the least advisable option given the risks and the time involved in securing your data. You might need the help of a forensic security analyst depending on the size of your website, which may involve high costs.

The Drupal Security Team also does not recommend this option.

Reverting to an older copy

If you keep backup versions of your website (and you absolutely should), choose a pre-October 15 version of your website to restore.

Here’s the procedure from the Drupal announcement:

  1. Take the website offline by replacing it with a static HTML page
  2. Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  3. Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  4. Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  5. Update or patch the restored Drupal core code
  6. Put the restored and patched/updated website back online
  7. Manually redo any desired changes made to the website since the date of the restored backup
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.
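The "save a forensic copy first" advice and step 1 of the procedure above, as an added example script (not from the original post or from the Drupal project). It assumes a tar/gzip toolchain and sha256sum on the server, and optionally mysqldump with credentials supplied through the DB_NAME, DB_USER and DB_PASS variables; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): take a forensic copy of a Drupal 7
# site and then replace its docroot with a static HTML page. Assumes tar, gzip
# and sha256sum; the database dump runs only if DB_NAME is set and mysqldump
# is installed (DB_USER/DB_PASS are hypothetical environment variables).

# Archive the docroot, dump the database if configured, checksum everything and
# make the copy read-only. Prints the timestamp that names the files it wrote.
forensic_copy() {
  docroot="$1"; outdir="$2"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  mkdir -p "$outdir"
  tar -czf "$outdir/files-$stamp.tar.gz" -C "$docroot" .
  if [ -n "$DB_NAME" ] && command -v mysqldump >/dev/null 2>&1; then
    # credentials come from the environment; never hard-code them in the script
    mysqldump -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" | gzip > "$outdir/db-$stamp.sql.gz"
  fi
  (cd "$outdir" && sha256sum ./*-"$stamp".* > "SHA256SUMS-$stamp")
  chmod -R a-w "$outdir"           # evidence must not change after this point
  echo "$stamp"
}

# Re-check the checksums of a copy taken earlier (run before every analysis).
verify_copy() {
  (cd "$1" && sha256sum -c "SHA256SUMS-$2" >/dev/null)
}

# Step 1 of the restore procedure: move the compromised docroot aside and serve
# only a static placeholder. The moved tree stays available for later analysis.
take_offline() {
  docroot="$1"
  mv "$docroot" "$docroot.compromised"
  mkdir "$docroot"
  cat > "$docroot/index.html" <<'EOF'
<!doctype html>
<title>Maintenance</title>
<p>This site is temporarily offline for maintenance.</p>
EOF
}

# Usage (placeholder paths):
#   stamp=$(DB_NAME=drupal DB_USER=drupal DB_PASS=secret \
#           forensic_copy /var/www/drupal /srv/evidence)
#   verify_copy /srv/evidence "$stamp" && take_offline /var/www/drupal
```

Copy the evidence directory to storage the attacker cannot reach before restoring from backup (step 3); the checksums let you show later that the copy you analysed is the one you took.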

For more details on this procedure, visit the Drupal website.

Scrapping your website

The last and most radical option is to scrap your website altogether and build a new one. If you were going to update soon anyway, it might be a good idea to not spend too much time and effort remediating the problem and to simply have the new website launched.

However, if your website isn’t quite ready, you might need to revert to an older copy first.

For more information on what to do when your website is hacked, visit this FAQ page on the Drupal website.

VERY IMPORTANT

No matter what you choose to do, you MUST update your Drupal version to 7.32 NOW.

You can contact us by phone (1-800-215-6702) or by email ([email protected]) if you have any questions or concerns about this security threat.