Fixing Your Drupal Site (Drupalgeddon)
|AFFECTED APPLICATION||Drupal versions <= 7.31|
|FIX||Restore your site and then upgrade|
|FIRST REPORT OF COMPROMISE||Oct. 15, 2014 at 11pm UTC|
If you're here, we're assuming you've been notified of a critical security issue with Drupal, which has been called Drupalgeddon (or Drupageddon). Drupal's issued an announcement about it here, but this article contains the information you need to protect your Drupal site.
In short, this security risk could let attackers install backdoors on your website using a SQL injection. Essentially, this would let attackers target your website's visitors with various maladies, such as malware.
To warn you, this situation is bad and can get complicated. We have protection measures in place to minimize the risk of your site actually being affected, but it's important to proceed as if your site is compromised.
Analyzing Your Situation
The first thing to investigate is the situation you and your site are in.
Did you upgrade your site before the first reports of compromise?
YES: Your site is unaffected.
NO: You must restore your site from backup, and then upgrade it.
Do you have a backup of your website and website?
YES: Follow this procedure (individual steps outlined in Procedures section):
- Restore your website (if you do not have a backup, complete the remaining procedure outlined here and then see Removing Backdoors Manually)
- Restore your database (if you do not have a backup, complete the remaining procedure outlined here and then see Removing Backdoors Manually)
- Upgrade Drupal
Unsure? If you don't have a backup you maintained yourself, we might be able to help.
|Hosting Type||Backup info|
|Web & Classic Linux||Website: Restoring a Linux Hosting Account
Database: Check Restoring section of Backing up and Restoring MySQL or MSSQL Databases
Disaster Recovery Backups available — contact customer support
|Web & Classic Windows||Website & Database: Disaster Recovery Backups available — contact customer support|
|Plesk||Website & Database: View the Plesk section in Where can I download my shared hosting backups?
Disaster Recovery Backups also available to some customers — contact customer support
|cPanel||Website & Database: Backups available to some customers who installed the application through Installatron via Restoring Installatron Websites from Backups
Users could have created backups using Back up your website
If you do have a backup, see the YES section; otherwise, see the NO section.
NO: Follow this procedure (individual steps outlined in Procedures section)
- Upgrade Drupal
- Remove backdoors manually
Before beginning the procedures outlined below, make sure you complete them in the correct order by cross-referencing your situation with the Analyzing Your Situation section.
Before beginning, you must have a backup of your website created before Oct. 15, 2015 at 11pm UTC. Restoring from this backup will revert your site to the state it was at when the backup was taken. It's not ideal, but it's your best bet against passing malware onto your visitors.
If you have only one domain on your hosting account:
- Create a backup of your compromised site (more info). We urge you to do this so you do not lose all of your content in case something goes awry.
- Using an FTP client (more info), remove all of the content in your website's root directory. (What is my website's root directory?)
- Restore your website from its backup (more info).
If you have multiple domain names on your website:
- With backups for each site: You can use the above process, but remove the content from each domain name's root directory, and then restore it using its backups.
- Without backups for each site: You should complete the above procedure for your Drupal domain name, but you will still need to use the information in Manually Removing Backdoors for your account's other files.
Before beginning, you must have a database backup created before Oct. 15, 2015 at 11pm UTC. Restoring from this backup will revert your site to the state it was at when the backup was taken. It's not ideal, but it's your best bet against passing malware onto your visitors.
- Create a backup of your compromised database (more info). We urge you to do this so you do not lose all of your content in case something goes awry.
- Note your database's name. You will need to recreate a database using the exact same name.
- Remove the database from your account (more info).
- Create a new MySQL database that uses the same name (more info).
- Restore your database from its backup (more info).
You need to upgrade your Drupal version to 7.32. Drupal has those instructions here.
If you do not have a backup of either your website or database (or both), you must manually remove any backdoors from your Drupal installation.
To do this for you, we offer an Expert Service for $79. With this service, we will perform all of the work for you to make our best effort to remove all backdoors using the procedures identified by Drupal. This service does not guarantee your website is free from compromise, but it is as close to compromise-free as anything can come if your Drupal installation wasn't upgraded before the first reported compromises or restored from a backup created before Oct. 15, 2015 at 11pm UTC.
To purchase the Expert Service, contact customer support.
You can also manually remove any backdoors yourself using the Drupal-recommended procedure outlined here. This procedure is very complicated and requires an advanced understanding of the technologies Drupal uses (PHP, MySQL) to use effectively. Not all steps listed in the procedure are applicable to shared hosting environments, but completing what you can from this list will provide you the greatest likelihood of removing backdoors from your site.