Drupal Admins: Assume Systems Have Been Compromised

The Drupal security team has warned administrators that if they did not patch a critical SQL injection flaw in Drupal 7 core, announced earlier this month, within seven hours of the advisory being published, they should assume their systems have been compromised.

In an update on Wednesday, Drupal even went so far as to urge administrators to pause reading the announcement and apply the patch, before continuing.

However, the project warned that although applying the patch closes the original flaw, it does not help a website that has already been compromised: the patch removes nothing an attacker may have left behind.

“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site,” it added.

The vulnerability in question was announced on October 15 and allows full SQL injection, which Drupal said can lead to "total control and code execution of website."

Drupal’s latest Public Service Announcement explained:

“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”

The project has published more information on what admins should do if their site has been hacked.
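The two signals the announcement gives an administrator are mechanical enough to script: is core at 7.32 or later, is the SA-CORE-2014-005 fix present in a tree that still reports an older version (the "patched but you didn't do it" symptom), and was anything in the web root written after the Oct 15th, 11pm UTC cutoff. The script below is an added example, not Drupal's own code or tooling. It assumes the Drupal 7 layout (`includes/bootstrap.inc` defines `VERSION`, `includes/database/database.inc` holds `expandArguments()`), assumes the fix is the one-line `array_values($data)` change in that loop, and treats file mtimes as a rough timeline only; the sample site trees it builds are constructed for the demonstration.

```python
"""Triage a Drupal 7 web root against the SA-CORE-2014-005 PSA.

Added example, not Drupal project code. Assumptions (see lead-in):
  - includes/bootstrap.inc contains define('VERSION', '7.xx');
  - includes/database/database.inc contains expandArguments();
  - the fix is the line `foreach (array_values($data) as $i => $value)`;
  - mtimes are honest enough to serve as a rough timeline.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# "unless updated or patched before Oct 15th, 11pm UTC" (PSA quoted on this page)
ADVISORY_CUTOFF = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)
FIXED_VERSION = (7, 32)
# Assumption: the changed line the SA-CORE-2014-005 patch adds to expandArguments()
PATCHED_MARKER = "foreach (array_values($data) as $i => $value)"
VERSION_RE = re.compile(r"define\('VERSION',\s*'(\d+)\.(\d+)'\)")


def _read(root, rel):
    """File contents, or '' if the file is missing."""
    try:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


def _mtime(root, rel):
    ts = os.path.getmtime(os.path.join(root, rel))
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def drupal_version(root):
    """(major, minor) from includes/bootstrap.inc, or None if not found."""
    m = VERSION_RE.search(_read(root, "includes/bootstrap.inc"))
    return (int(m.group(1)), int(m.group(2))) if m else None


def has_sqli_fix(root):
    """True if expandArguments() carries the array_values() fix."""
    return PATCHED_MARKER in _read(root, "includes/database/database.inc")


def files_modified_since(root, cutoff):
    """Relative paths of files written after cutoff: review these for backdoors."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if _mtime(root, rel) > cutoff:
                hits.append(rel)
    return sorted(hits)


def assess(root, cutoff=ADVISORY_CUTOFF):
    """Classify a tree the way the PSA asks administrators to reason about it."""
    version = drupal_version(root)
    patched = has_sqli_fix(root)
    if version is not None and version >= FIXED_VERSION:
        # Core is 7.32+; that only helps if the update landed before the cutoff.
        landed = _mtime(root, "includes/bootstrap.inc")
        status = "updated_in_time" if landed <= cutoff else "updated_late_assume_compromised"
    elif patched:
        # Core reports < 7.32 but the fix is in place: someone applied the patch.
        # If that someone was not you, the PSA calls it a symptom of compromise.
        status = "patched_verify_who_did_it"
    else:
        status = "unpatched_assume_compromised"
    return {"version": version, "patched": patched, "status": status,
            "modified_since_cutoff": files_modified_since(root, cutoff)}


def build_sample_site(root, version, patched, mtime):
    """Constructed Drupal-7-like tree for the demonstration (not a real install)."""
    os.makedirs(os.path.join(root, "includes/database"), exist_ok=True)
    loop = PATCHED_MARKER if patched else "foreach ($data as $i => $value)"
    files = {
        "includes/bootstrap.inc": "<?php\ndefine('VERSION', '%s');\n" % version,
        "includes/database/database.inc": "<?php\n// expandArguments() excerpt\n%s {\n}\n" % loop,
        "index.php": "<?php\n// front controller\n",
    }
    ts = mtime.timestamp()
    for rel, body in files.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (ts, ts))


def run_demo():
    """Three constructed scenarios; returns {scenario: assess() result}."""
    before = datetime(2014, 10, 15, 18, 0, tzinfo=timezone.utc)
    after = datetime(2014, 10, 17, 3, 0, tzinfo=timezone.utc)
    scenarios = {"updated_early": ("7.32", True, before),
                 "patched_by_unknown": ("7.31", True, after),
                 "never_patched": ("7.31", False, before)}
    results = {}
    for name, (version, patched, mtime) in scenarios.items():
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_site(tmp, version, patched, mtime)
            results[name] = assess(tmp)
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result["status"], result["modified_since_cutoff"])
```

Run it against a real web root with `assess("/var/www/drupal")`; a hit in `modified_since_cutoff` is a file to diff against a clean 7.32 tarball, and `patched_verify_who_did_it` with no change ticket behind it is exactly the case the announcement says to treat as a compromise. The mtime check is a triage aid, not proof: an attacker who can write a backdoor can also reset timestamps, so an unchanged mtime clears nothing.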

Ilia Kolochenko, CEO of security firm High-Tech Bridge, argued that Drupal had acted responsibly in making customers aware of the problem as quickly as possible.

"As soon as a vulnerability in a popular CMS platform like Drupal is discovered, millions of crawlers operated by hackers start searching for vulnerable websites. Once a victim is identified, their website gets hacked, patched to prevent 'competition' from taking over the same site, and backdoored," he added.

"Within several days, access to the compromised website will be sold on the black market, more than likely to several different customers at the same time who each may well resell it several more times. Like this, your personal blog may be easily involved in a dozen different criminal offenses such as hosting illicit content, sending spam and infecting visitors, to name just a few."

Sophos global head of technology research, James Lyne, told Infosecurity that such vulnerabilities are becoming far more commonplace and that the patch for this one can be reverse engineered and used “en masse across the web.”

“System administrators need to be constantly vigilant and monitor for new patches and of course their security strategy should not entirely depend on prevention - a solid incident response and recovery strategy is critical in the event that attackers are able to exploit prior to patches being available or implemented,” he argued.

“We’ve seen from exceptionally high profile flaws like Heartbleed that it can be difficult for businesses to mobilize to deal with the issue, particularly if the system is hosted by a third party or the original administrator has left leaving the system running under a desk somewhere.”