Drupal 7 is a back-end website management program that allows content providers to create their content and then convert it into something more pleasing to the user's eye (very much like WordPress). Drupal has just announced that websites running Drupal 7 may be compromised if they were not patched prior to their announcement of the vulnerability.
Here's part of what Drupal pushed out in a blog post; you can read the rest at the source link.
This Public Service Announcement is a follow up to SA-CORE-2014-005 – Drupal core – SQL injection. This is not an announcement of a new vulnerability in Drupal.
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Simply updating to Drupal 7.32 will not remove backdoors.
If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.
Are you running a Drupal-powered website? Let us know your experiences in the comments below or on Google+, Facebook and Twitter.