I think that I will start this Diary with the following statement:
If you use an open source CMS, and you do not update it frequently, there is a very high chance that your website if not only compromised but also part of a botnet.
You probably already saw several of our diaries mentioning vulnerabilities in very well-known CMS systems like WordPress and Joomla, which are quite powerful and easy to use/install, and also full of vulnerabilities and requires frequent updates.
The third one in this list is Drupal. We mentioned last week, on our podcast about a critical vulnerability fixed by the developers, and today they released a "Public Announcement" in regards to that vulnerability. And it is scary (yes, Halloween pun intended...) .
The PSA mentions that within hours of the Patch announcement, there were already several automated attacks looking for the SQL injection vulnerability in the Drupal implementations.
As our reader Gebhard noted, there is a very interesting quote in the PSA:
"You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement"
This means, that by now, even if you updated your server, there is very high chance that your server is now part of a botnet...so, if you have a website with Drupal, I would highly recommend the Recovery section of the PSA document.
Pedro Bueno (pbueno /%%/ isc. sans. org)
Oct 29th 2014
2 years ago