Drupal CMS websites hacked for Crypto Mining with Drupalgeddon2

Drupalgeddon2

Drupal is an open-source Content Management System used by over 1 million websites; in particular, it is often used by governments and financial companies. It’s round two for Drupal security: in 2014 it was hit with Drupalgeddon, and it has just happened again.

Drupal, however, did not disclose the issue, which allowed hackers to take full control of a website.
They quietly patched the issue without announcing what the patch was for.

The details of the vulnerability, which has been given the name DrupalGeddon2, were released by IT security researchers at Check Point, along with a proof-of-concept exploit to demonstrate the flaw.

This means that hackers have everything they need to roll their own variation of the exploit.
According to Daniel Cid, the VP of Engineering for GoDaddy, they were seeing 150 different IP addresses trying to use the exploit on their websites. He also said, “If you didn’t patch already consider yourself hacked.”

Attacks have already started, and the hackers are installing crypto-miners to use your server’s resources for their monetary gain.

At this point any unpatched website using Drupal will have been compromised. Applying the patch now will not remove any backdoors installed by hackers, and often the hackers install the patch themselves after adding the backdoor, to keep others out and to make the system appear secure. So if your installation of Drupal says it’s up to date and you didn’t install the patch, then you have been hacked.

The fastest solution for anyone affected by this is to roll back to a backup of their website from before 11th April 2018 and immediately install the update before putting it back online.
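One way to see what the rollback will discard, as an added example that is not part of the original article: compare the live site tree against the backup taken before 11th April 2018 and list every file the backup does not explain. The function names and the two directory arguments are assumptions for illustration.

```python
import hashlib
import os
from datetime import datetime, timezone

# Cutoff taken from the article: the backup must predate this day.
CUTOFF = datetime(2018, 4, 11, tzinfo=timezone.utc)


def sha256_of(path):
    """Hash a file in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map each relative file path under root to (sha256, mtime)."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            rel = os.path.relpath(full, root)
            index[rel] = (sha256_of(full), os.path.getmtime(full))
    return index


def compare_to_backup(live_root, backup_root, cutoff=CUTOFF):
    """Report files in the live site that the pre-cutoff backup does not explain."""
    live, backup = index_tree(live_root), index_tree(backup_root)
    cutoff_ts = cutoff.timestamp()
    report = {"added": [], "changed": [], "missing": [], "touched_after_cutoff": []}
    for rel, (digest, mtime) in sorted(live.items()):
        if rel not in backup:
            report["added"].append(rel)    # not in the backup: review before trusting
        elif backup[rel][0] != digest:
            report["changed"].append(rel)  # includes files patched by anyone
        # mtime is only a hint: an intruder can reset it, so the hashes decide.
        if mtime >= cutoff_ts:
            report["touched_after_cutoff"].append(rel)
    report["missing"] = sorted(set(backup) - set(live))
    return report
```

Files under "added" and "changed" are the ones to preserve for investigation before the restore overwrites them; user uploads made after the backup will also appear there and need separate review.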
