Updated On November 4, 2014 - 10:26am

Critical Drupal Core Public Service Announcement

Important information if you did not patch or update Drupal 7 within 15 hours of the announcement on Oct. 15, 2014

The Drupal Security Team announced that automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the October 15th announcement of SA-CORE-2014-005 - Drupal core - SQL injection. Organizations should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before October 15th, 11pm UTC, that is 7 hours after the announcement.

If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised since some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site. If you did not patch Drupal or otherwise block the SQL injection attacks within hours of the announcement of October 15th, 4pm UTC, the Drupal Security Team recommends that you restore your website to a backup from before 15 October 2014 and apply the SA-CORE-2014-005 - Drupal core - SQL injection patch.

Please see the official Drupal announcement at https://www.drupal.org/PSA-2014-003.

References:

http://www.theregister.co.uk/2014/10/30/drupal_sites_considered_hosed_if_sqli_hole_unclosed
http://www.theregister.co.uk/2014/11/03/drupal_drupalgeddon_analysis/?mt=1415077627848
http://thehackernews.com/2014/11/drupal-sql-injection-vulnerability_2.html?m=1

Ross Bollens

Chief Information Security Officer