
Drupal Vulnerability FAQ

Welcome to our FAQ page regarding the recent Drupal core vulnerabilities, which will help provide some context to our Drupal customers (or any Drupal site owner, even if you are not using Cocoon themes).

Introduction

Recently, on March 28, 2018, Drupal released a security update for all websites running Drupal 7 and 8.

The security update was marked as “highly critical”, and fixes a vulnerability that would allow remote code execution on your Drupal site.

All websites running Drupal 6, 7, or 8 have been urged to update to the latest version of their Drupal branch immediately.

Many contributed modules are also affected by this security vulnerability, so all modules used on your website should also be updated to the latest stable release version.

Who is to blame for the vulnerability?

Unfortunately, these things happen. Whilst the Drupal community do their best, this vulnerability was recently discovered by a member of the official Drupal Security Team.

If you are using one of our Drupal themes on your website, please be assured that this vulnerability has nothing to do with any Cocoon themes. In other words, the vulnerability is part of Drupal core, and is not influenced in any way by themes purchased from us.

To make it even simpler, even if you were using the default Drupal theme, your Drupal site would have been at the same level of vulnerability. Websites running themes from other vendors are at an equal level of risk, as are those who have developed their own theme, or are using one of the contributed themes available from Drupal.org.

All Cocoon themes are developed strictly with security in mind, and adhere to Drupal’s recommended theming security guidelines.

How dangerous is this vulnerability?

In short, the vulnerability is extremely dangerous. In the worst case scenario, all websites on your server could be compromised, as well as the server itself. In other words, the worst thing that could happen is that you lose all your data stored on the server, and your sites could be deleted, copied, or malware installed.

Is there anything I can do to stop the vulnerability?

The only thing you can do to prevent your site or server from being compromised is to update to the latest version of Drupal 7 or 8. Drupal 6 is also affected, but is no longer covered by the official Drupal Security Team.

What about maintenance mode?

Turning on maintenance mode will not prevent a potential attack. Your site is still vulnerable even with maintenance mode turned on.

How widespread is this issue?

There are potentially (many) thousands of Drupal websites that have been compromised. If you did not apply the security update before April 11, 2018, there is a high risk that your site or server has been compromised in some way.

How can I tell if my Drupal site has been compromised?

There are several signs to look for. Your website may be completely non-functional, which is the first obvious sign that it may have been compromised. Other signs to look for include:

  • Strange files that may have appeared in your Drupal root directory, or other directories in your Drupal installation
  • An inability to log in to your website
  • Your website redirecting to another website
  • Additional administrator accounts that you have not created
  • Other websites on your server are non-functional, even if they are not running Drupal

Please be aware that even if your Drupal site does not exhibit any of the signs above, there is still a risk that it has been compromised. The attacker may not have left any traces of an exploit.
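
As an added example (not part of the original FAQ and not Cocoon's own tooling), the shell helpers below check for the first sign in the list above: files added to or changed in the Drupal tree, and script files sitting in upload directories. The function names, the constructed sample tree and the `sites/*/files` upload location are assumptions; the cutoff date is the March 28, 2018 release date given on this page.

```shell
#!/bin/sh
# Triage helpers for unexpected or altered files in a Drupal tree.
# Assumes find with -newermt (GNU/BSD) and uploads under sites/*/files.

# Files modified after the start of DATE, outside upload dirs. mtime can be
# reset by whoever wrote the file, so an empty result is not proof of a clean tree.
changed_since() {            # changed_since DRUPAL_ROOT YYYY-MM-DD
    find "$1" -type f -newermt "$2" ! -path '*/sites/*/files/*' | sort
}

# Script files in upload directories, where only user content belongs.
scripts_in_uploads() {       # scripts_in_uploads DRUPAL_ROOT
    find "$1"/sites/*/files -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort
}

# Files added to or changed from a pristine copy of the same Drupal release
# (sites/ is skipped because it holds site-specific settings and uploads).
drift_from_release() {       # drift_from_release DRUPAL_ROOT CLEAN_COPY
    diff -rq -x sites "$2" "$1" | sort
}

# Constructed sample tree so the checks can be tried without a real site.
make_sample_tree() {         # make_sample_tree DIR
    mkdir -p "$1/clean/includes" "$1/site/includes" "$1/site/sites/default/files"
    for t in clean site; do
        echo '<?php // index'     > "$1/$t/index.php"
        echo '<?php // bootstrap' > "$1/$t/includes/bootstrap.inc"
        touch -t 201801150000 "$1/$t/index.php" "$1/$t/includes/bootstrap.inc"
    done
    echo '<?php // unexpected' > "$1/site/xyz123.php"     # not in the release
    echo '<?php // altered'    > "$1/site/includes/bootstrap.inc"
    echo '<?php // upload'     > "$1/site/sites/default/files/img.php"
    echo 'jpeg'                > "$1/site/sites/default/files/photo.jpg"
    touch -t 201804140000 "$1/site/xyz123.php" "$1/site/includes/bootstrap.inc"
}

if [ "$#" -eq 2 ]; then      # real use: sh triage.sh DRUPAL_ROOT CLEAN_COPY
    root=$1; clean=$2
else                         # no arguments: run against the constructed sample
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT; make_sample_tree "$tmp"
    root=$tmp/site; clean=$tmp/clean
fi
changed_since "$root" 2018-03-28
scripts_in_uploads "$root"
drift_from_release "$root" "$clean"
```

Any path these checks print is a lead to investigate alongside the server logs, not a verdict on its own.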

What should I do NOW?

Already updated:

If you have updated your Drupal site to the security release before April 11th, 2018, and have also subsequently updated to the more recent security release on April 25th, then you can rest assured that your site is probably OK. Ensure that all modules on your Drupal site have also been updated to the latest stable release, even if they are unused or disabled.

Not yet updated:

If you have not yet updated Drupal core using the latest two security releases, now is the time to apply them - immediately. First though, you should check that your site has not already been compromised, by looking out for the signs listed above, and checking your server logs for strange activity.

If everything looks good, update your Drupal 7 or 8 site using the latest two security releases, immediately.

Already compromised:

If you have good reason to believe that your website or server has already been compromised by the vulnerability, the best course of action would be to restore your most recent server backup from before April 11th 2018. Restoring a backup of the Drupal site or database is probably not enough, because the attacker could have already gained access to your server’s files, and modified, copied, or deleted them.

Please note that applying the latest security updates to a compromised Drupal site will NOT fix the issue. Updating should have occurred before April 11th 2018.

What if I don’t have a backup?

If you don’t have a recent backup of your server or Drupal installation from before April 11th, you have two options to rectify the problem yourself:

  • Attempt to manually fix the compromised site(s), which may be difficult, as the attacker could have left hidden ‘backdoors’ to re-exploit the website at a later time. You would also have to check that any other files on the server itself have not been modified.
  • Install the latest version of Drupal and re-build your website from scratch.

HELP!

If you do not have a recent backup, and are unable to rebuild the site from scratch (if you have multiple users, or many pages, for example), there is still hope! Cocoon is now offering a Drupal Cleanup Service for a limited time, which will serve to restore your site to its working order, with everything still intact.

You do not need a backup for us to provide this service to you, and we’ll take care of everything, identify any hidden ‘backdoors’, and remove malicious code from your files, server, or database. Finally, we’ll update your Drupal installation and modules to the latest stable versions, and also apply some additional security measures to further protect your Drupal site (and server) from any potential exploits related to this issue.

If you believe your Drupal site has been compromised and would like to take advantage of this service, please contact us here: https://createdbycocoon.com/services/drupal-site-restore

I don’t know whether my Drupal site has been compromised?!

If you are unable to figure out whether your Drupal site has been compromised, don’t stress - Cocoon is also offering a Drupal Exploit Check service for a limited time, under Cocoon Drupal Site Restore.

We will investigate the possibility of an exploit on your Drupal site or overall server, and let you know whether your site has been compromised or not. This process involves an extensive investigation of your Drupal files and database, access logs, as well as general server files. We will also run several automated checks to determine the status of your website.

If the website has been compromised, we will inform you and recommend the best course of action, and support you through this.

If your website appears to be clean and there is no sign of exploitation, we will provide recommendations to further secure your Drupal site from a potential exploit in the future, as a result of the recent security vulnerability.

I have further questions!

If you have further questions regarding this issue, please feel free to contact us. Existing Cocoon customers can raise a ticket via our support portal, and expect a response within 24-48 hours, including weekends. If you are not yet a customer of Cocoon, you can still get in touch using our contact page. As always, we’ll aim to get back to you as quickly as possible.

Happy site building, and thank you for choosing Cocoon.

- Your Cocoon Team