A few weeks ago Drupal released an update to a critical SQL Injection vulnerability and urged all their users to update or patch their sites immediately. Initially the scope of the vulnerability wasn’t known however today the Drupal team released a public service announcement that really hit home how important that update was.
You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
That’s not exactly a comforting statement. See due to how fast the attacks against Drupal 7 sites spread once the vulnerability was announced chances are that most webmasters did not update in-time; and sadly that means that those websites were most likely compromised.
The scariest part of this vulnerability is that since Drupal uses PDO, this vulnerability is not only limited to SELECT statements, an attacker is able to able to insert or modify arbitrary data in the database.
Severity, coupled with it’s simplicity is a recipe for disaster. It’s a matter of time before it’s integrated into the latest toolsets and attacks are actively detected.
The first attack started 8 hours after the disclosure. The attackers began hitting our honeypots with the following SQL Injection attempt…
Head on over the Sucuri blog to learn how to check if your website has been compromised.