Drupal Site Hacked? The Top Signs & Solutions

Drupalgeddon has certainly caused a lot of widespread panic, confusion and chaos... but luckily, this is a problem with numerous solutions. Read on to find out about how to tell whether your Drupal site has been hacked, and what you can do about it.

The vulnerability has been nicknamed 'Drupalgeddon', could potentially have affected up to 1.6 million websites, and is described as 'being exploited in the wild'.

Drupal is known as one of the most secure open-source CMSs (content management systems) available today. However, even the most water-tight of software comes with potential security holes and under-tested code at varying levels of the platform.

Unfortunately, Drupal is the latest CMS to fall victim to a huge attack, which has spread across the web like wildfire. Vicious botnets and cryptocurrency miners have been relentlessly attacking websites running Drupal 6, 7, and even the latest release in Drupal's product line-up: Drupal 8.

According to Volexity, there is 'big money' in Drupal compromises: they documented criminal attackers mining over $105,000 USD.

Yes, you read that right. Over 100,000 (one-hundred-thousand) DOLLARS in a single cryptocurrency mining attempt.

As a well-known vendor of premium themes for Drupal 7 and 8, Cocoon are eager to reassure website owners and agencies, and to assist them in securing their Drupal sites.

We've put together a handy FAQ regarding the recent Drupal core vulnerabilities, which will help provide some context to our Drupal customers (or any Drupal site owner, even if you are not using Cocoon themes).

All Drupal administrators are welcome to make use of this information, and we encourage sharing of this article to Drupal site owners who may be unaware of the severity of this vulnerability.

Introduction

Recently, on March 28, 2018, a security update was released by Drupal, for all websites running Drupal 7 and 8.

The security update was marked as “highly critical”, and fixes a vulnerability that would allow "remote code execution" on your Drupal site.

For reference, remote code execution can be one of the most dangerous types of vulnerability, and such flaws are particularly prominent amongst insecure websites which are not regularly updated to the latest version of their platform or CMS.

In short, remote code execution allows an attacker to run code of their choosing on the server, and with it to access, modify or even delete files there, from anywhere and without holding any legitimate account or permissions on the site.

All websites running Drupal 6, 7, or 8 have been urged to update to the latest version of their Drupal branch immediately.

Drupal 6 is no longer officially supported by the Drupal project, but if you are still running version 6, please refer to this page on Drupal.org for more information on what to do.

Many contributed modules (also known as contrib modules) are also affected by this security vulnerability, so all modules used on your website should also be updated to the latest stable release version.

If you are using a large number of contrib Drupal modules, you're going to have to pay extra attention to potential holes and backdoors left by attackers.

Who is to blame for the vulnerability?

Unfortunately, these things happen. The Drupal community do their best, and this vulnerability was in fact discovered recently by a member of the official Drupal Security Team.

If you are using one of our Drupal themes on your website, please be assured that this vulnerability has nothing to do with any Cocoon themes. In other words, the vulnerability is part of Drupal core, and is not influenced in any way by themes purchased from us.

To make it even simpler, even if you were using the default Drupal theme, your Drupal site would have been at the same level of vulnerability. Websites running themes from other vendors are at an equal level of risk, as are those who have developed their own theme, or are using one of the contributed themes available from Drupal.org.

All Cocoon themes are developed strictly with security in mind, and adhere to Drupal’s recommended theming security guidelines.

How dangerous is this vulnerability?

In short, the vulnerability is extremely dangerous. In the worst case scenario, all websites on your server could be compromised, as well as the server itself. In other words, the worst thing that could happen is that you lose all the data stored on the server, and your sites could be deleted, copied, or have malware installed on them.

Is there anything I can do to stop the vulnerability?

The only thing you can do to prevent your site or server from being compromised is to update to the latest version of Drupal 7 or 8. Drupal 6 is also affected, but is no longer covered by the official Drupal Security Team.

What about maintenance mode?

Turning on maintenance mode will not prevent a potential attack. Your site is still vulnerable even with maintenance mode turned on.

How widespread is this issue?

There are potentially (many) thousands of Drupal websites that have been compromised. If you did not apply the security update before April 11, 2018, there is a high risk that your site or server has been compromised in some way. There are currently over 1.5 million websites reported to be running Drupal, which accounts for roughly 6% of all websites which run a CMS of some kind.

How can I tell if my Drupal site has been compromised?

There are several signs to look for. Your website may be completely non-functional, which is the first obvious sign that it may have been compromised. Other signs to look for include:

  • Strange files that may have appeared in your Drupal root directory, or other directories in your Drupal installation
  • An inability to log in to your website
  • Your website re-directing to another website
  • Additional administrator accounts that you have not created
  • Other websites on your server are non-functional, even if they are not running Drupal

Please be aware that even if your Drupal site does not exhibit any of the signs above, there is still a risk that it has been compromised. The attacker may not have left any traces of an exploit.
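As an added example (not part of the original article, nor Drupal's or Cocoon's own tooling), the following Python script automates the first sign on the list: it compares the current Drupal docroot against a manifest taken from a clean copy of the same release (or from a backup made before the vulnerability was disclosed), and separately flags any PHP file under sites/*/files, Drupal's upload directory, where executable code should never appear. The demo scenario, file names and file contents are constructed.

```python
# Triage helper for the "strange files" sign. Example code written for this
# article; not part of Drupal core or of Cocoon's services.
import hashlib
import os
import tempfile

PHP_EXTENSIONS = (".php", ".phtml")

def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_manifest(root):
    """Map each file (path relative to root, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest

def is_php_upload(rel):
    """True for sites/<site>/files/... paths with a PHP extension. Drupal only
    stores uploads there and ships a .htaccess forbidding PHP execution, so
    executable code in that tree is a classic backdoor drop location."""
    parts = rel.split("/")
    return (len(parts) > 3 and parts[0] == "sites" and parts[2] == "files"
            and rel.lower().endswith(PHP_EXTENSIONS))

def triage(docroot, baseline):
    """Return (added, modified, php_uploads) as sorted lists of relative paths."""
    current = build_manifest(docroot)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    php_uploads = sorted(p for p in current if is_php_upload(p))
    return added, modified, php_uploads

def demo():
    """Constructed scenario: a small clean tree, then a dropped PHP file under
    sites/default/files and an edited index.php, as an attacker might leave."""
    def write(root, rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    with tempfile.TemporaryDirectory() as root:
        for rel in ("index.php", "core/lib/Drupal.php", "sites/default/settings.php",
                    "sites/default/files/logo.png"):
            write(root, rel, "clean " + rel)
        baseline = build_manifest(root)  # hashes of the known-good copy
        write(root, "sites/default/files/cache.php", "constructed dropped file")
        write(root, "index.php", "clean index.php plus an appended line")
        return triage(root, baseline)
```

On a real site, build the baseline from an unpacked copy of the exact same Drupal release (or a pre-April-11th backup) rather than from the live docroot, and review every reported path by hand before deciding it is benign.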

What should I do NOW?

Already updated:

If you have updated your Drupal site to this security release before April 11th, 2018, and have also subsequently updated to the more recent security release on April 25th, then you can rest assured that your site is probably OK. Ensure that all modules on your Drupal site have also been updated to the latest stable release, even if they are unused or disabled.

Not yet updated:

If you have not yet updated Drupal core using the latest two security releases, now is the time to apply them - immediately. First though, you should check that your site has not already been compromised, by looking out for the signs listed above, and checking your server logs for strange activity.

If everything looks good, update your Drupal 7 or 8 site using the latest two security releases, immediately.

Already compromised:

If you have good reason to believe that your website or server has already been compromised by the vulnerability, the best course of action would be to restore your most recent server backup from before April 11th 2018. Restoring a backup of the Drupal site or database is probably not enough, because the attacker could have already gained access to your server’s files, and modified, copied, or deleted them.

Please note that applying the latest security updates to a compromised Drupal site will NOT fix the issue. Updating should have occurred before April 11th 2018.

What if I don’t have a backup?

If you don’t have a recent backup of your server or Drupal installation from before April 11th, you have two options to rectify the problem yourself:

  • Attempt to manually fix the compromised site(s), which may be difficult, as the attacker will usually have left hidden ‘backdoors’ to re-exploit the website at a later time. You would also have to check that any other files on the server itself (outside of your Drupal installation) have not been modified.
  • Install the latest version of Drupal and re-build your website from scratch.

HELP!

If you do not have a recent backup, and are unable to rebuild the site from scratch (if you have multiple users, or many pages, for example), there is still hope! Cocoon is now offering a new service, Drupal Site Restore, for a limited time, which will serve to restore your site to its working order, with everything still intact.

You do not need a backup for us to provide this service to you, and we’ll take care of everything, identify any hidden ‘backdoors’, and remove malicious code from your files, server, or database. Finally, we’ll update your Drupal installation and modules to the latest stable versions, and also apply some additional security measures to further protect your Drupal site (and server) from any potential exploits related to this issue.

If you believe your Drupal site has been compromised, and would like to take advantage of this service, please contact us here: https://createdbycocoon.com/services/drupal-site-restore

I don’t know whether my Drupal site has been compromised?!

If you are unable to figure out whether your Drupal site has been compromised, don’t stress - Cocoon is also offering an affordable Drupal Security Check service for a limited time (similar to a site audit), as part of Drupal Site Restore.

We will investigate the possibility of an exploit on your Drupal site or overall server, and let you know whether your site has been compromised or not. This process involves extensive investigation of your Drupal files and database, access logs, as well as general server files. We will also run several automated checks to determine the status of your website.

If the website has been compromised, we will inform you and recommend the best course of action, and support you through this.

If your website appears to be clean and there is no sign of exploitation, we will provide recommendations to further secure your Drupal site from a potential exploit in the future, as a result of the recent security vulnerability.

If you really want to ensure security and stability of your Drupal site and webserver in the long-term, you may wish to opt for our new Drupal Padlock service, which essentially aims to lock-down both your server and Drupal installation, to provide you the best opportunity of resisting and mitigating potential impending attacks; now or in the future.

I have further questions!

If you have further questions regarding this issue, please feel free to contact us. Existing Cocoon customers can raise a ticket via our support portal, and expect a response within 24-48 hours, including weekends. If you are not yet a customer of Cocoon, you can still get in touch using our contact page. As always, we’ll aim to get back to you as quickly as possible.

You can also read more information on Drupal Site Restore, Drupal Padlock, and all our other web development and server administration services.

Happy site building, and thank you for choosing Cocoon.

- Your Cocoon Team