Drupal: If you weren’t quick to patch, assume your site was hacked

Users of Drupal, one of the most popular content management systems, should consider their sites compromised if they didn’t immediately apply a security patch released on Oct. 15.

The unusually alarming statement was part of a “public service announcement” issued by the Drupal project’s security team Wednesday.

“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection,” the Drupal security team said. “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”

To read this article in full or to leave a comment, please click here