Protecting our members from Drupageddon

On October 15, 2014 Drupal released a security patch that fixes a major vulnerability in Drupal.

All May First/People Link members who use our central/shared Drupal installation received an upgraded version of Drupal within 2 hours of the announcement and therefore should have been protected from any exploits.

However, members that manage their own Drupal 7 installations may still be at risk.

This page documents instructions for MF/PL support team members on how to check server for vulnerable sites.

Find potentially vulnerable sites

Ross has made a list of all potentially vulnerable sites on hay (in /root/drupal-7-insecure-databases.txt). They are listed by mosh. In addition, there is a script (that was used to generate this list) in /tmp/find-drupal-7-pre-3.2 on each MOSH. You can re-run this script as often as you need to.

This script finds databases that it thinks are Drupal 7 sites that are not running version 7.32. There are a lot of false positives (drupal databases that are no longer in use, etc).

If you are an MF/PL admin, please check for sites on your MOSHes.

What to do

When you find a site, become the user that owns the site, cd into the web directory, and then search for all settings.php file:

find . -name settings.php

Check each settings.php file that returns to ensure that the database named as compromised is not in use.

If it is in use, use drush to upgrade the core software:

drush up drupal