Website administrators were scrambling on Thursday to patch their servers after a security hole in the Drupal content management system led to automated attacks, compromising website worldwide — but for many it may already be too late.

Drupal is an open-source content management framework used by more than 2% of websites globally, ranging from small personal blogs through to major websites like whitehouse.gov.

A “public service announcement” on Drupal.org stated: “You should proceed under the assumption that every Drupal 7 website was compromised unless updated and patched before 15 October.”

Drupal had issued a patch for the problem on 15 October, but many websites haven’t updated to the latest version of the software.

“Simply updating to Drupal 7.32 will not remove backdoors,” Drupal warned.

“If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website,” it said.

“If you find that your site is already patched but you didn’t do it, this can be a symptom that the site was compromised — some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”

Even more worryingly, the announcement said: “Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.”

Attackers may have created backdoors (access points) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access, the warning continued.

“Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.

“The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the ‘SQL injection’ attacks within hours of the announcement of 15 October at 4pm UTC [6pm South African time], restore your website to a backup from before 15 October 2014.

“Take the website offline by replacing it with a static HTML page. Notify the server’s administrator, emphasising that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack.

“Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014. Update or patch the restored Drupal core code. Put the restored and patched/updated website back online. Manually redo any desired changes made to the website since the date of the restored backup. Audit anything merged from the compromised website, such as custom code, configuration, files or other artefacts, to confirm they are correct and have not been tampered with.”

Recovery without restoring from backup may be possible, but is not advised because backdoors can be extremely difficult to find, the announcement warned. “The recommendation is to restore from backup or rebuild from scratch.” — © 2014 NewsCentral Media