Information

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection.

You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Simply updating to Drupal 7.32 will not remove backdoors.

Resolution

NOTE: It is strongly advised to change all the passwords for the application instance.

If you have backup created before Oct 15th, 11pm UTC:

  1. Go to Websites & Domains > Backup Manager and restore virtual host content and database.

  2. Update Drupal installation to version 7.32:

    a. If Drupal is installed as an Plesk application, go to Subscriptions > Applications > Manage My Applications and click on "Update avaliable" button, see screenshot:

    b. If Drupal is installed not through Plesk application vault, but manually, follow Drupal upgrade guide.

    Note: If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

If you have no backup:

Follow the steps that are described in the "Recovery" section of the following Drupal site.

Internal content