AFFECTED APPLICATION: Drupal versions <= 7.31
FIX: Restore your site and then upgrade
FIRST REPORT OF COMPROMISE: Oct. 15, 2014 at 11pm UTC
If you're here, we're assuming you've been notified of a critical security issue with Drupal, which has been called Drupalgeddon (or Drupageddon). Drupal has issued an announcement about it here, but this article contains the information you need to protect your Drupal site.
In short, this vulnerability could let attackers install backdoors on your website through SQL injection. Those backdoors would in turn let attackers target your website's visitors with malicious content, such as malware.
Be warned: this situation is serious and can get complicated. We have protection measures in place to minimize the risk that your site was actually affected, but it's important to proceed as if your site is compromised.
Analyzing Your Situation
The first thing to investigate is the situation you and your site are in.
Did you upgrade your site before the first reports of compromise?
YES: Your site is unaffected.
NO: You must restore your site from backup, and then upgrade it.
Do you have a backup of your website and database?
YES: Follow this procedure (individual steps are outlined in the Procedures section):
- Restore your website (if you do not have a website backup, complete the remaining steps outlined here and then see Removing Backdoors Manually)
- Restore your database (if you do not have a database backup, complete the remaining steps outlined here and then see Removing Backdoors Manually)
- Upgrade Drupal
UNSURE: If you don't have a backup you maintained yourself, we might be able to help. If you do have a backup, follow the YES procedure; otherwise, follow the NO procedure.
NO: Follow this procedure (individual steps are outlined in the Procedures section):
- Upgrade Drupal
- Remove backdoors manually
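The first question above hinges on which Drupal core version is actually on disk. The following script is an added example, not part of this article or of Drupal itself: it reads the VERSION constant that Drupal 7 declares in includes/bootstrap.inc and classifies the site as vulnerable (7.0 to 7.31) or patched (7.32 or later). The sample site trees that make_sample_site builds are constructed for the demo; on a real host you would point drupal_situation at your document root.

```shell
#!/bin/sh
# Added example, not part of the hosting article or of Drupal itself: read the
# core version a Drupal 7 checkout reports, so the "did you upgrade?" question
# can be answered from the files on disk instead of from memory. Drupal 7 core
# declares its version in includes/bootstrap.inc as
#   define('VERSION', '7.31');
# The sample site tree built by make_sample_site is constructed for the demo.

FIXED_MINOR=32   # 7.32 is the first Drupal 7 release with the fix

# Print the VERSION constant from a Drupal root, or "unknown" if it is not found.
drupal_core_version() {
    f="$1/includes/bootstrap.inc"
    v=""
    if [ -r "$f" ]; then
        v=$(sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" "$f" | head -n 1)
    fi
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Classify a site: "vulnerable" (7.0-7.31), "patched" (7.32 or later),
# "not-drupal7" for other major versions, "unknown" if no version could be read.
drupal_situation() {
    v=$(drupal_core_version "$1")
    case "$v" in
        unknown) printf 'unknown\n'; return 0 ;;
        7.*) ;;
        *) printf 'not-drupal7\n'; return 0 ;;
    esac
    # Keep only the leading digits of the minor part so "7.32-dev" still parses.
    minor=$(printf '%s' "${v#7.}" | sed 's/[^0-9].*$//')
    if [ -n "$minor" ] && [ "$minor" -ge "$FIXED_MINOR" ]; then
        printf 'patched\n'
    else
        printf 'vulnerable\n'
    fi
}

# Build a minimal fake Drupal tree under $1 that reports version $2 (demo only).
make_sample_site() {
    mkdir -p "$1/includes"
    printf "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '%s');\n" "$2" \
        > "$1/includes/bootstrap.inc"
}

# Demo: one vulnerable and one patched tree.
demo=$(mktemp -d)
make_sample_site "$demo/old" 7.31
make_sample_site "$demo/new" 7.32
printf 'old: %s\nnew: %s\n' "$(drupal_situation "$demo/old")" "$(drupal_situation "$demo/new")"
rm -rf "$demo"
```

A "patched" result only tells you what is on disk now, not when it got there: files extracted from a release tarball keep the release's own timestamps, so use your deployment records or hosting logs, not file modification times, to decide whether the upgrade happened before the compromise date.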
Procedures
Before beginning the procedures outlined below, make sure you complete them in the correct order by cross-referencing your situation with the Analyzing Your Situation section.
Restoring Your Website
Warning: Before beginning, you must have a backup of your website created before Oct. 15, 2014 at 11pm UTC. Restoring from this backup will revert your site to the state it was in when the backup was taken. It's not ideal, but it's your best bet against passing malware on to your visitors.
If you have only one domain on your hosting account:
- Create a backup of your compromised site (more info). We urge you to do this so you do not lose all of your content in case something goes awry.
- Using an FTP client (more info), remove all of the content in your website's root directory. (What is my website's root directory?)
- Restore your website from its backup (more info).
If you have multiple domain names on your hosting account:
- With backups for each site: Use the process above, but remove the content from each domain name's root directory and then restore it from that domain's backup.
- Without backups for each site: Complete the procedure above for your Drupal domain name; you will still need to use the information in Removing Backdoors Manually for your account's other files.
Restoring Your Database
Warning: Before beginning, you must have a database backup created before Oct. 15, 2014 at 11pm UTC. Restoring from this backup will revert your site to the state it was in when the backup was taken. It's not ideal, but it's your best bet against passing malware on to your visitors.
- Create a backup of your compromised database (more info). We urge you to do this so you do not lose all of your content in case something goes awry.
- Note your database's name. You will need to recreate a database using the exact same name.
- Remove the database from your account (more info).
- Create a new MySQL database that uses the same name (more info).
- Restore your database from its backup (more info).
We also recommend changing the MySQL database password your Drupal site uses. To do that, change the database user's password (more info), and then update it in Drupal (more info).
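For accounts that have shell access to mysql and mysqldump, the database steps above and the password rotation can be scripted. The script below is an added example, not part of this article: restore_database follows the article's order (back up the compromised database, drop it, recreate it under the exact same name, load the pre-compromise dump) and by default only prints the commands it would run, and rotate_settings_password rewrites the 'password' entry of the $databases array in a Drupal 7 settings.php. The database name, the mysql option file path, the backup file and the sample settings.php written by make_sample_settings are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the hosting article: command-line form of the
# "restore your database" steps plus the recommended password rotation, for
# hosts that give shell access to mysql/mysqldump. Everything here is an
# assumption of the demo: the database name, the option file, the backup path
# and the sample settings.php that make_sample_settings writes.

DRY_RUN="${DRY_RUN:-1}"   # print each command instead of executing it unless DRY_RUN=0

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Refuse names that are not plain identifiers: they are interpolated into SQL
# and shell strings below, so anything else is rejected rather than quoted.
valid_identifier() {
    case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; *) return 0 ;; esac
}

# $1 = database name, $2 = pre-compromise dump (.sql), $3 = mysql option file
# with a [client] section (keeps the password off the command line and out of
# `ps`), $4 = directory outside the web root for the copy of the compromised DB.
# Order follows the article: back up the compromised DB, drop it, recreate it
# under the exact same name, then load the clean dump.
restore_database() {
    name="$1"; backup="$2"; cnf="$3"; keep="$4"
    valid_identifier "$name" || { echo "refusing unsafe database name" >&2; return 1; }
    [ -r "$backup" ] || { echo "backup not readable: $backup" >&2; return 1; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    run "mysqldump --defaults-extra-file='$cnf' --single-transaction '$name' > '$keep/compromised-$name-$stamp.sql'"
    run "mysql --defaults-extra-file='$cnf' -e 'DROP DATABASE \`$name\`'"
    run "mysql --defaults-extra-file='$cnf' -e 'CREATE DATABASE \`$name\`'"
    run "mysql --defaults-extra-file='$cnf' '$name' < '$backup'"
}

# Read one scalar entry ('database', 'username', 'password', ...) from the
# $databases array in a Drupal 7 settings.php ($1 = file, $2 = key).
settings_value() {
    sed -n "s/^[[:space:]]*'$2' => '\([^']*\)',.*/\1/p" "$1" | head -n 1
}

# Rewrite the 'password' entry in settings.php. Passwords containing single
# quotes, backslashes, '|' or '&' would need escaping at the PHP and sed level,
# so they are rejected here instead of being written incorrectly.
rotate_settings_password() {
    file="$1"; newpass="$2"
    case "$newpass" in
        ''|*"'"*|*'\'*|*'|'*|*'&'*) echo "unsupported characters in new password" >&2; return 1 ;;
    esac
    tmp="$file.tmp.$$"
    sed "s|^\([[:space:]]*'password' => '\)[^']*\(',\)|\1$newpass\2|" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Write a minimal Drupal 7 settings.php (constructed sample) under $1/sites/default.
make_sample_settings() {
    mkdir -p "$1/sites/default"
    cat > "$1/sites/default/settings.php" <<'EOF'
<?php
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal7_site',
      'username' => 'drupal7_user',
      'password' => 'old-password',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
EOF
}

# Demo (dry run): the database name is taken from settings.php so the recreated
# database is guaranteed to carry the same name the site is configured for.
demo=$(mktemp -d)
make_sample_settings "$demo/www"
touch "$demo/drupal7_site-2014-10-10.sql"   # stand-in for the pre-compromise dump
restore_database "$(settings_value "$demo/www/sites/default/settings.php" database)" \
    "$demo/drupal7_site-2014-10-10.sql" "$HOME/.my.cnf" "$demo"
rotate_settings_password "$demo/www/sites/default/settings.php" 'new-password-example'
rm -rf "$demo"
```

Run with DRY_RUN=0 only after the printed commands look right; change the password on the MySQL side first, then run rotate_settings_password, so the site is never left pointing at a password that no longer exists.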
Upgrading Drupal
You need to upgrade your Drupal installation to version 7.32. Drupal provides the upgrade instructions here.
Removing Backdoors Manually
If you do not have a backup of either your website or your database (or both), you must manually remove any backdoors from your Drupal installation.
To manually remove any backdoors yourself, use the Drupal-recommended procedure. This procedure is very involved and requires an advanced understanding of PHP and MySQL. Not all steps listed in the procedure are applicable to shared hosting environments, but completing what you can from this list will give you the greatest likelihood of removing backdoors from your site.
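Two file-system checks narrow down where to look on a shared host before working through the Drupal-recommended procedure: which files changed after the first report of compromise, and whether any PHP code has appeared under the public files directory, which should hold uploads only. The script below is an added example, not part of this article or of Drupal's procedure; the cutoff comes from the article's compromise date, and the sample tree built by make_sample_tree is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the hosting article or of Drupal's own procedure:
# two file-system checks that narrow down where to look when removing backdoors
# by hand on a shared host. The cutoff (first report of compromise, from the
# article) is real; the sample tree built by make_sample_tree is constructed
# for the demo, and a real run points the functions at the live document root.

CUTOFF_TOUCH=201410152300   # 2014-10-15 23:00 UTC in the [CC]YYMMDDhhmm form touch -t takes

# List regular files modified after the cutoff. A reference file is stamped in
# UTC and find -newer is used, which stays within POSIX find (no -newermt).
files_changed_since_cutoff() {
    root="$1"
    ref=$(mktemp)
    TZ=UTC touch -t "$CUTOFF_TOUCH" "$ref"
    find "$root" -type f -newer "$ref" | sort
    rm -f "$ref"
}

# List PHP files under any sites/*/files directory. Drupal's public files
# directory holds uploads, not code, so executable PHP there is suspect.
php_in_files_dir() {
    find "$1/sites" -type f -path '*/files/*' \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) | sort
}

# Count the lines of a (possibly empty) result string.
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# Constructed sample tree: an untouched core file, a core file rewritten after
# the cutoff, an ordinary upload, and a PHP file dropped into the uploads area.
make_sample_tree() {
    mkdir -p "$1/includes" "$1/sites/default/files/pictures"
    printf '<?php\n' > "$1/includes/bootstrap.inc"
    printf '<?php\n' > "$1/includes/common.inc"
    printf '<?php\n' > "$1/sites/default/files/pictures/upload.php"
    printf 'not code\n' > "$1/sites/default/files/pictures/photo.jpg"
    TZ=UTC touch -t 201410010000 "$1/includes/bootstrap.inc" "$1/sites/default/files/pictures/photo.jpg"
    TZ=UTC touch -t 201410200000 "$1/includes/common.inc" "$1/sites/default/files/pictures/upload.php"
}

# Demo run over the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
echo "files changed after the cutoff:"; files_changed_since_cutoff "$demo"
echo "PHP under a files/ directory:"; php_in_files_dir "$demo"
rm -rf "$demo"
```

Treat both lists as leads, not verdicts: a file that changed after the cutoff may be a legitimate edit, and modification times can be reset by whoever planted a file, so a clean result from the first check does not prove anything. Compare flagged core and module files against a fresh copy of the same release before deciding what to delete.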