Up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software.
The sites use Drupal to manage web content and images, text and video.
Drupal has issued a security warning saying users who did not apply a patch for a recently discovered bug should “assume” they have been hacked.
It said automated attacks took advantage of the bug and can let attackers take control of a site.
‘Shocking’ statement
In its “highly critical” announcement, Drupal’s security team said anyone who did not take action within seven hours of the bug being discovered on 15 October should “should proceed under the assumption” that their site was compromised.
Anyone who had not yet updated should do so immediately, it warned.
However, the team added, simply applying this update might not remove any back doors that attackers have managed to insert after they got access. Sites should begin investigations to see if attackers had got away with data, said the warning.
“Attackers may have copied all data out of your site and could use it maliciously,” said the notice. “There may be no trace of the attack.” It also provided a link to advice that would help sites recover from being compromised.
Mark Stockley, an analyst at security firm Sophos, said the warning was “shocking”.
The bug in version 7 of the Drupal software put attackers in a privileged position, he wrote. Their access could be used to take control of a server or seed a site with malware to trap visitors, he said.
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
