The Drupal CMS project has issued a chilling public service announcement to website admins and internet users who might visit the hundreds of thousands of sites running its software.
The unusually alarming statement was part of a “public service announcement” issued by the Drupal project’s security team Wednesday.
“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection,” the Drupal security team said. “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”
This is a big problem, because if you *now* update your website to Drupal 7.32 (which doesn’t suffer from the vulnerability), that won’t get rid of any backdoor that the hackers may have already implanted into your system.