Drupageddon?

The Public Service Anouncement - PSA-2014-003 released yesterday... talks about the patch/Drupal upgrade from two weeks ago. It suggests if you haven't yet updated your Drupal 7 sites, there's a likelihood your site is hacked and you have problems beyond just needing to patch/upgrade -- which you still need to do.

If you patched your site the first day or two

Quit reading. Nothing left to see here. :-P

If you haven't yet upgraded or patched you site - do it now

If you still need to upgrade ... maybe you're a bunch of versions behind and you've been "meaning to upgrade" ... well, just apply the patch now. It's safe... easy... and will protect your site.

How to patch?

You'll need to use the command line. ssh to your server (or use a control panel "to open a terminal" -- or whatever your host calls it that allows access to the CLI), navigate to the Drupal root and cut-paste this:

That's it. no other actions needed. You don't need to run update.php, etc.

Is it safe?

Let me break it down and you decide.

• [ -f <em>includes/database/database.inc</em> ] <-- "Test" for the existance of the file tht needs to be patched; doesn't exist on drupal 6 sites.
• && <-- special; means if the last command was successful, then run the next
• wget --no-check-certificate -O - https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch <-- go get the patch... you can first try without --no-check-certificate, but it won't work on some servers. with the flag as listed, there is a small risk of spoofing
• | <-- Character is called a "pipe" and allows the shell to redirect the output of the previous command to use as input for the next
• patch -p1 -b <-- Uses the download and applies the patch. if there's an error, it won't apply and it'll tell you a bit about the problem -- so therefore, no danger doing this twice.
• git diff includes/database/database.inc includes/database/database.inc.orig <-- Show us what happened, if anything. if git isn;t installed on the server, simply remove that portion of the command.

Nice post.

I though the patch was incorporated in latest release of core (7.32). Is this not true? Thanks again.

Those of us that just recently upgraded still may have been hacked though and back doors may have been left. The recommended approach is a restore from backup before 10/15.

https://www.drupal.org/project/drupalgeddon

This drush script can help you in determining if your site has been hacked... but at this point, you might need to assume that it has, even if it doesn't catch anything for you.

Keep up with your security updates people :) especially when they're so explicitly critical.

A few other things to be looking for: modified files, new users or roles, strange entries in the menu router table.

Any other suggestions?

There's and excellent follow up discussion posted by @bevan. Have a look at some additional helpful suggestions there, and in the comments: https://groups.drupal.org/node/447468

If anyone in this thread is interested, I'm presenting on Better Sleep Through Web Security and sharing our company's security process. We're still getting calls and emails from companies and organizations who didn't get patched and updated in time and aren't able to keep up with the demand.

All the meetup info is at https://groups.drupal.org/node/448913 and here's just the essential location and call-in information.

   Date and time: November 20, 2014 at 6pm Pacific Time
   Location: Fuller Theological Seminary, at 135 N Oakland Ave
Pasadena, CA 91101 (Building "Glasser 110")
   Video conference: https://glad.zoom.us/j/129319220
   Phone: +1 415-762-9988 or +1 646-568-7788
   Meeting ID: 129 319 220

In short, it's now more cost-effective for site owners to skip a security audit and just rollback and redeploy content and code changes since the Drupalgeddon security advisory an October 15th and check / rehaul their server infrastructure. The presentation has a lot more.