Drupal vulnerability

The recent influx of attacks on Drupal servers is based on a vulnerability that dates back to a few years ago, but has more recently been leveraged into some pretty nasty attacks. Essentially the vulnerability allows attackers to execute code on your server remotely by accessing a particular URL and injecting a SQL query. Many of the attacks have involved injecting cryptocurrency miners, backdoors, and various other malware, as well as leveraging brute force attacks against other servers.

To secure your server you will need to sanitize or rebuild, then update Drupal using the latest official patches for your version.

To sanitize/clean your Linode, you can start off by installing and running ClamAV to identify and remove any malware it detects:

First Install ClamAV -> then run then following commands to update the malware database, run a scan, and remove the detected files:

# freshclam
# sudo clamscan -r -i /
# clamscan -r -i --remove / 

For additional info, check out the Linode ClamAV Guide

Installing and running RKHunter is also recommended:

# cd /tmp
# wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
# tar -xvf rkhunter-1.4.6.tar.gz 
# cd rkhunter-1.4.6
# sudo ./installer.sh --layout default --install
# sudo /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
# sudo rkhunter --check

Review the log files generated by RKHunter in /var/log/rkhunter.log

The following section details which Drupal updates you should take for your version

For Drupal 6.x:

You'll want to install the SA-CORE-2018-002.patch from the following link:
Drupal 6.x Patch

For Drupal 7.x:

Upgrade to Drupal 7.59

For Drupal 8.4.x:

Upgrade to Drupal 8.4.8

For Drupal 8.5.x:

Upgrade to Drupal 8.5.3

Additional details on these patches can be found on Drupal's Security Advisories Page

For more information on the vulnerabilities themselves, Drupalgeddon2 and Drupalgeddon3