Warning: All unpatched Drupal 7 sites assumed to be compromised

Attention Drupal users: Drupal has published a Highly Critical Security Advisory.

If you use Drupal 7 to manage your website and you did not update to version 7.32 within a few hours of the latest Drupal vulnerability disclosure on October 15th, you should assume your website has been compromised by hackers and take immediate action. If you have not yet updated to v7.32, applying the update now will not guarantee that attackers haven’t installed a backdoor in your website. Furthermore, if the update has been applied – and your website administrator was not the one who applied it – this may actually indicate compromise, as hackers will do this to prevent their competition from compromising your site as well.

For comprehensive protection, Drupal recommends recovering your website from backups or rebuilding it entirely, as soon as possible. Step-by-step instructions can be found here.

More information on this threat

In the hours that followed Drupal’s October 15th vulnerability disclosure, hackers launched an automated attack that scanned the web for Drupal 7 sites that had not yet applied the patch. When a website was found, attackers would then install a backdoor to allow for future, remote access. Backdoor access to a website not only compromises administrator and user information, but it can also be sold for the purposes of hosting illegal content and spreading malware. Approximately 1.1 million people currently use Drupal, to develop and manage hundreds of thousands of websites.

More general information on what to do if your Drupal site is hacked can be found here.

Have a nice (malware-free) day!