Drupal sites had “hours” to patch before attacks started

Nearly a million websites running the popular Drupal content management system had only hours to update their software before attacks likely compromised the systems, thanks to a widespread vulnerability, the Drupal security team warned this week.

On October 15, the security team for the Drupal content management system announced the discovery of a critical security flaw that could allow attackers to steal data or compromise vulnerable sites. Within seven hours of the announcement, attackers had begun broadly scanning for and attacking Drupal sites, according to the project’s security team, which provided the details in an October 29 public service announcement.

“Systematic attacks were launched against a wide variety of Drupal websites in an attempt to exploit this vulnerability,” the group stated in its update. “If you did not update your site within < 7 hours of the bug being announced, we consider it likely your site was already compromised.”

Read 5 remaining paragraphs | Comments