* Advisory ID: PSA-2018-002
* Project: Drupal core
* Version: 7.x, 8.x
* Date: 2018-April-13
* Security risk: 25/25 (Highly Critical)
This Public Service Announcement is a follow-up to SA-CORE-2018-002 - Drupal core - RCE. This is *not* an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2018-002 you should assume your site has been targeted and follow directions for remediation as described below.
The security team is now aware of automated attacks attempting to compromise
Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 25/25
*Sites not patched by Wednesday, 2018-04-11 may be compromised.* This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.
*Simply updating Drupal will not remove backdoors or fix compromised sites.*
If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.
.... What to do if your site may be compromised
Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.
Take a look at our help documentation, ”Your Drupal site got hacked, now what.”
Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.
Removing a compromised website’s backdoors is difficult because it is very difficult to be certain all backdoors have been found.
If you did not patch, you should restore from a backup. While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. For more information please refer to this guide on hacked sites.
CONTACT AND MORE INFORMATION
We prepared a FAQ that was released when SA-CORE-2018-002 was published. Read more at FAQ on SA-CORE-2018-002.