Your Drupal website has a backdoor

I estimate hundreds of thousands of Drupal websites now have backdoors; between ten and ninety percent of all Drupal websites. Automated Drupageddon exploits were in the wild within hours of the announcement. Updating or patching Drupal does not fix backdoors that attackers installed before updating or patching Drupal. Backdoors give attackers admin access and allow arbitrary PHP execution.

If your Drupal 7 (and 8) website is not updated or patched it is most likely compromised. If your website was not updated within a day of the announcement, it is probably compromised. Even if your website was updated within a day, it may be compromised.

If you did not know, Drupageddon is the highly critical SQL injection vulnerability in Drupal core announced 15 October. It is also known as Drupalgeddon (with an "L"), CVE-2014-3704, Drupal SA core 2014 005 and #DrupalSA05. Drupageddon (no "L") is the original name selected by Stefan Horst, who initially reported to the Drupal security team. See

I have drafted this flowchart to help Drupal website administrators understand their options for recovering from Drupageddon. Review, feedback and collaboration is welcome.

The flowchart is a living document. Currently version is number 7.


How to fix a Drupal site compromised by Drupageddon

Creative Commons License

How to fix a Drupal site from Drupageddon, second draft.png399.63 KB
How to fix a Drupal site from Drupageddon, draft 3.png470.95 KB
How to recover from Drupageddon, draft 4.png581.75 KB
How to recover from Drupageddon, transparent draft 5.png542.35 KB
How to recover from Drupageddon, draft 6.png643.95 KB
How to recover from Drupageddon, draft 7.png651.82 KB
How to recover from Drupageddon, version 8.png634.21 KB
How to recover from Drupageddon, version 9.png639.57 KB

This is not a drill: Update Drupal 7 NOW

Half of a client's Drupal 7 sites were compromised over the weekend.

If you did not update your Drupal 7 website by about Friday, your site was probably hacked too: Update to Drupal 7.32 or apply the patch manually updating is not trivial.

After that, you will need to review your site's administrator users, permissions, logs and content for unexpected users, roles, permissions, content and and scripts.

Follow or join the conversation in #drupalsa05 for more detail about known exploits and how to repair your hacked site.

Nuclear energy policies of NZ political parties

Most kiwis are, unfortunately, too proud of New Zealand's traditional anti-nuclear political stance to keep an open mind on the topic. Media and politics promote the idea that the rest of the world is "impressed" by our political stance. (My impression is that the rest of the world actually thinks our policy is stupid.)

Kiwis are so proud of our nuclear stance, that it would probably be political suicide for a politician or political party to say "lets build nuclear power stations" or even just "lets revisit bans on nuclear ships".

None of the three highest polling parties have published a policy on nuclear energy. None of their energy policies even mention "nuclear".

(All policies focus on renewable energy. National and Labour both have policies for 90% renewable energy by 2025. Greens' policy is 100% by 2030.)

Whether the lack of "nuclear" is because they are afraid of loss of support if they announced anything concieved as pro-nuclear, because they truly believe a ban on nuclear energy is best, or they simply failed to form or document a policy on it, is up for conjecture.

But the fact that nuclear is not even mentioned in any of those policy documents suggests to me that it is probably the fear of backlash. Although I have heard from multiple sources that New Zealand's energy consumption is too low to justify the cost of nuclear energy.

Of course, nuclear policies are of minor significance in the face of climate change as a whole.

How to be a climate voter in the NZ general elections

In the face of climate change, nothing else is of much significance. NZ 2014 general elections are an opportune time to start reversing humanity's destruction of this planet we call home.

But understanding how to be a "climate voter" can be a challenge. Is it really as simple as voting for the Green party? Lets take a look.

To evaluate which party is most aligned with your own beliefs and priorities, nothing beats reading party policies. Each party provides summaries and highlights of their policies on their websites in easy to read formats.

The three highest polling political parties also publish PDF documents with more detail:

On climate change, National dedicates a single page to "Climate change" in their "Environment" policy. Labour has an 8-page "Climate Change" policy that looks like it was slapped together in a hurry.

Meanwhile the Green party has a 20-page "Climate protection plan" of academic quality and references to data sources. They also have a video of the summary in New Zealand Sign Language.

Enjoy reading!

"Unfortunately, contacts has stopped" on Samsung Galaxy S3

I have not been able to use the dialer/keypad or log/history in the Phone app on my Samsang Galaxy S3 since an Android upgrade about four months ago. Whenever I opened them I would get the message "Unfortunately, contacts has stopped". And in order to dial numbers I would have to save them as a contact first.

It is a bug in Android that causes certain configurations to have no valid date format, which in turn causes Contacts app to crash this bug. The workaround solution is so trivial, it is embarrassing for Samsung and Google that they have not fixed this bug yet;

  1. Open settings
  2. "More"
  3. "Date and time"
  4. "Select date format"
  5. Select any option, other than the existing option (if there is one)

I hope this blog post helps more people find the solution more quickly than I did. (I found the solution on Android Central.)

Seeking junior PHP developer

Graduate software engineer at

Work for an innovative internet startup company, breaking new ground in the areas of social networking and self-understanding.

Salary range: $50,000 to $70,000 NZD
Location: Devonport, Auckland
Start: early May

About you

You are finishing your studies in software engineering or computer science and are seeking experience. Internet technology excites you. You are thorough. And passionate about finding simple solutions for complicated problems.

You are a great programmer.

You are looking forward to gaining experience and working with excellent mentors.

What we can offer

Your ability to understand and evaluate, then abstract and re-use code will be essential to your success in this position. We will test your code and problem solving skills in the interview process.

Other useful experience and skills, in order of importance, are:

  • PHP or other another object oriented language
  • Behavior-driven or test-driven development
  • Behat, Mink, Selenium2, Gherkin, Cucumber
  • Document object model (DOM)
  • Javascript, jQuery or other event-driven programming
  • Git and GitHub
  • Contributing to open source
  • Drupal
  • Linux systems and Puppet
  • Testing frameworks, continuous integration, Jenkins

About Archetypes is a social site that allows a user to identify their archetypes by taking a short quiz. Archetypes are a universal pattern of behavior that motivates everything we do. They represent the blueprint of one's soul. Once discovered, archetypes enable users to better understand themselves and others. The online platform allows users to search original and curated content, products and people, and easily find what is relevant, meaningful and entertaining to them. Visit, take the quiz and begin a journey of self-understanding and become a more authentic you.

We are ready to grow our Auckland team and want a junior developer to grow with us. Are you ready to join us?

You will get to work closely with a dedicated mentor, learn about software development processes for large distributed teams, learn new technologies, new skills and gain valuable industry experience.

How to apply

By Tuesday 29 April, tell us why you would be a good fit for this role, ask any questions and let us know your salary expections.

If you want to send us your CV too, include a link to it. (If sending a link to your CV is a problem, then this might not be the right job for you.)

Syndicate content