Highly Critical Security Update for Drupal

Drupal sites all over the world are being hacked and compromised by an automated attack. Over the past week, Acquia has observed over 500,000 attacks from more than 3,000 different IP addresses across its fleet of servers and customer base.

The Drupal Security Team is aware of these automated attacks, attempting to compromise Drupal 7 and 8 websites, and on March 28th, the Drupal Security Team released a bug fix for a critical security vulnerability, named SA-CORE-2018-002. This update is extremely important and should be applied immediately.

The security risk score of this issue is 24/25.

Simply updating Drupal will not remove backdoors or fix compromised sites.

If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.

Attackers may have created “backdoors” in the database, code, files directory, and other locations. Attackers could compromise other services and potentially gain access to the entire server.

Drupal suggests that if you did not patch, you should restore from a backup. While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.

If you are unsure of the next steps, need help in resolving an issue, or apply this critical update, contact us immediately!