This probably hasn’t received as much attention as it should have in web development circles, but for the past couple of weeks, there have been a huge influx of Drupal websites being hacked.
The culprit? A nasty SQL injection vulnerability that exists in Drupal 7.x (and was later fixed using Drupal 7.32).
This vulnerability, which goes by the name of SA-CORE-2014-005, can allow attackers to easily inject new users, backdoors / trojans, etc.
Two common attack patterns are:
1) A “drupaldev” account being injected with a role of “megauser” and a history of being created 44 years ago
2) A menu_router injection utilizing file_put_contents() and malicious code in BLOB fields
Lists of known Drupal websites are being used, as well as ones picked up from general scanning.
If you have DRUSH installed, then scan using Drupalgeddon and Site Audit.
Incoming search terms: