LISTSERV mailing list manager LISTSERV 16.5

Help for CODE4LIB Archives


CODE4LIB Archives

CODE4LIB Archives


CODE4LIB@LISTS.CLIR.ORG


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

CODE4LIB Home

CODE4LIB Home

CODE4LIB  November 2014

CODE4LIB November 2014

Subject:

Re: Terrible Drupal vulnerability

From:

Heidi P Frank <[log in to unmask]>

Reply-To:

Code for Libraries <[log in to unmask]>

Date:

Wed, 12 Nov 2014 07:49:28 -0500

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (334 lines)

Hi Cary,
Thank you for responding!  I've had some direct contacts, so hopefully will
get it resolved.

thanks for everyone's willingness to help!
best,
Heidi

Heidi Frank
Electronic Resources & Special Formats Cataloger
New York University Libraries
Knowledge Access & Resources Management Services
20 Cooper Square, 3rd Floor
New York, NY  10003
212-998-2499 (office)
212-995-4366 (fax)
[log in to unmask]
Skype: hfrank71

On Wed, Nov 12, 2014 at 12:26 AM, Cary Gordon <[log in to unmask]> wrote:

> If the site was not patched within a few hours of the announcement, the
> odds are that you will need to rebuild it from a backup made before October
> 15th. It is very difficult to detect a successful exploit, or predict if a
> back-door will be used.
>
> I suggest that your first move should be to contact Bluehost, as they may
> have done the patch for you. If not, please read the rest of this thread.
> If you have more questions or need help, let us know here. I will attempt
> to address any issue that is explored in this forum.
>
> Cary
>
>
> > On Nov 11, 2014, at 8:40 PM, Heidi P Frank <[log in to unmask]> wrote:
> >
> > Hi,
> > A colleague and I volunteer for an organization to maintain their
> website,
> > which is a Drupal site hosted on Bluehost, however, neither of us are
> very
> > experienced with Drupal.  So we've been trying to figure out what we need
> > to do to prevent the site from being affected by this vulnerability
> issue,
> > and have read a lot of the documentation and tried following the
> > instructions to upgrade, etc. but are still having trouble.
> >
> > If there is anyone on this list who would be willing to speak with us and
> > answer some questions about how we need to proceed, please contact me off
> > list.  Any guidance will be much appreciated with numerous Thank You's!
> > (i.e., we need some pro bono assistance :)
> >
> > cheers,
> > Heidi
> >
> > Heidi Frank
> > Electronic Resources & Special Formats Cataloger
> > New York University Libraries
> > Knowledge Access & Resources Management Services
> > 20 Cooper Square, 3rd Floor
> > New York, NY  10003
> > 212-998-2499 (office)
> > 212-995-4366 (fax)
> > [log in to unmask]
> > Skype: hfrank71
> >
> > On Sun, Nov 2, 2014 at 1:29 PM, Cary Gordon <[log in to unmask]>
> wrote:
> >
> >> If you can migrate to a maintained service, you could use feeds or
> migrate
> >> to move your content. You could also take that approach on your own
> >> new site. Obviously, none of your entities — nodes, menus, users,
> blocks,
> >> taxonomies, etc. — should contain executable code.
> >>
> >> I suggest that you do not migrate users or menus, unless you have the
> >> ability to validate your data.
> >>
> >> I love the internets, but I have learned that nobody should be
> >> running public facing services — open-source or other — unless they are
> >> prepared to maintain them, including managing a disaster recovery plan
> and
> >> vigilantly monitoring and acting on security notices. If this is not
> >> doable, use a service provider to manage it. The days of running
> services
> >> from a computer under a desk are gone.
> >>
> >> Cary
> >>
> >> On Sunday, November 2, 2014, Hickner, Andrew <[log in to unmask]>
> >> wrote:
> >>
> >>> I'd be curious to hear how others are proceeding.  We had already
> planned
> >>> to migrate our D7 sites to a centralized Drupal instance offered here
> at
> >>> Yale and this has just accelerated the timetable.  I imagine there are
> a
> >>> lot of libraries running Drupal though who don't have this kind of
> option
> >>> and might not have pre-October 15 backups to revert to (we don't!)
> >>>
> >>>
> >>>
> >>> Andy Hickner
> >>> Web Services Librarian
> >>> Yale University
> >>> Cushing/Whitney Medical Library
> >>> http://library.medicine.yale.edu/
> >>>
> >>> ________________________________________
> >>> From: Code for Libraries [[log in to unmask] <javascript:;>] on
> >>> behalf of Lin, Kun [[log in to unmask] <javascript:;>]
> >>> Sent: Friday, October 31, 2014 2:10 PM
> >>> To: [log in to unmask] <javascript:;>
> >>> Subject: Re: [CODE4LIB] Terrible Drupal vulnerability
> >>>
> >>> I think so. However, Cloudflare in their blog post claim they have
> >> develop
> >>> a way to block the attack immediately when the vulnerability was
> >> announced.
> >>> Whether or not they know the exploit ahead of time or not, it would be
> >> good
> >>> to know someone is watching out for you for $20 a month. And you will
> be
> >>> mad if you took Oct 15th off without it. I just check, I patched my
> >>> instance on Oct 16th. Not sure what's going to happened.
> >>>
> >>> Kun
> >>>
> >>> -----Original Message-----
> >>> From: Code for Libraries [mailto:[log in to unmask]
> >> <javascript:;>]
> >>> On Behalf Of Cary Gordon
> >>> Sent: Friday, October 31, 2014 1:44 PM
> >>> To: [log in to unmask] <javascript:;>
> >>> Subject: Re: [CODE4LIB] Terrible Drupal vulnerability
> >>>
> >>> The vulnerability was discovered in the course of an audit by
> >> SektionEins,
> >>> a German security firm, and immediately reported to the Drupal Security
> >>> Team. Because this was a pretty obscure vulnerability with no reported
> >>> exploits, the team decided to wait until the first scheduled release
> date
> >>> after DrupalCon Amsterdam to put out the notice and patch. Obviously,
> >> they
> >>> knew that once word of the vulnerability was announced, there would
> >>> immediately be a wave of exploits, so they imposed a blackout on any
> >>> mention of it before October 15th. I think that they stuck to their
> word.
> >>>
> >>> Of course, attacks started a few hours after the announcement.
> >>>
> >>> Cary
> >>>
> >>>> On Oct 31, 2014, at 9:38 AM, Joe Hourcle <
> >> [log in to unmask]
> >>> <javascript:;>> wrote:
> >>>>
> >>>> On Oct 31, 2014, at 11:46 AM, Lin, Kun wrote:
> >>>>
> >>>>> Hi Cary,
> >>>>>
> >>>>> I don't know from whom. But for the heartbeat vulnerability earlier
> >>> this year, they as well as some other big providers like Google and
> >> Amazon
> >>> were notified and patched before it was announced.
> >>>>
> >>>> If they have an employee who contributes to the project, it's possible
> >>>> that this was discussed on development lists before it was sent down
> >>>> to user level mailing lists.
> >>>>
> >>>> Odds are, there's also  some network of people who are willing to give
> >>>> things a cursory review / beta test in a more controlled manner before
> >>>> they're officially released (and might break thousands of websites).
> >>>> It would make sense that companies who derive a good deal of their
> >>>> profits in supporting software would participate in those programs, as
> >>> well.
> >>>>
> >>>> I could see categorizing either of those as 'ahead of the *general*
> >>>> public', which was Kun's assertion.
> >>>>
> >>>> -Joe
> >>>>
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Code for Libraries [mailto:[log in to unmask]
> >>> <javascript:;>] On Behalf
> >>>>> Of Cary Gordon
> >>>>> Sent: Friday, October 31, 2014 11:10 AM
> >>>>> To: [log in to unmask] <javascript:;>
> >>>>> Subject: Re: [CODE4LIB] Terrible Drupal vulnerability
> >>>>>
> >>>>> How do they receive vulnerability report ahead of general public?
> From
> >>> whom?
> >>>>>
> >>>>> Cary
> >>>>>
> >>>>> On Friday, October 31, 2014, Lin, Kun <[log in to unmask] <javascript:;>>
> >>> wrote:
> >>>>>
> >>>>>> If you are using drupal as main website, consider using Cloudflare
> >> Pro.
> >>>>>> It's just $20 a month and worth it. They'll help block most attacks.
> >>>>>> And they usually receive vulnerability report ahead of general
> >> public.
> >>>>>>
> >>>>>> Kun
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Code for Libraries [mailto:[log in to unmask]
> >>> <javascript:;>
> >>>>>> <javascript:;>] On Behalf Of Cary Gordon
> >>>>>> Sent: Friday, October 31, 2014 9:59 AM
> >>>>>> To: [log in to unmask] <javascript:;> <javascript:;>
> >>>>>> Subject: Re: [CODE4LIB] Terrible Drupal vulnerability
> >>>>>>
> >>>>>> This is what I posted to the Drupal4Lib list:
> >>>>>>
> >>>>>> --------------------
> >>>>>>
> >>>>>> By now, you should have seen https://www.drupal.org/PSA-2014-003
> and
> >>>>>> heard about the "Drupageddon" exploits. and you may be wondering if
> >>>>>> you were vulnerable or iff you were hit by this, how you can tell
> >>>>>> and what you should do. Drupageddon affects Drupal 7, Drupal 8 and,
> >>>>>> if you use the DBTNG module, Drupal 6.
> >>>>>>
> >>>>>> The general recommendation is that if you do not know or are unsure
> >>>>>> of your server's security and you did not either update to Drupal
> >>>>>> 7.32 or apply the patch within a few hours of the notice, you should
> >>>>>> assume that your site (and server) was hacked and you should restore
> >>>>>> everything to a backup from before October 15th or earlier. If your
> >>>>>> manage your server and you have any doubts about your file security,
> >>>>>> you should restore that to a pre 10/15 image, as well or do a
> >>> reinstall of your server software.
> >>>>>>
> >>>>>> I know this sounds drastic, and I know that not everyone will do
> >> that.
> >>>>>> There are some tests you can run on your server, but they can only
> >>>>>> verify the hacks that have been identified.
> >>>>>>
> >>>>>> At MPOW, we enforce file security on our production servers. Our
> >>>>>> deployments are scripted in our continuous integration system, and
> >>>>>> only that system can write files outside of the temporal file
> >>> directory (e.g.
> >>>>>> /sites/site-name/files). We also forbid executables in the temporal
> >>>>>> file system. This prevents many exploits related to this issue.
> >>>>>>
> >>>>>> Of course, the attack itself is on the database, so even if the file
> >>>>>> system is not compromised, the attacker could, for example, get
> >>>>>> admin access to the site by creating an account, making it an admin,
> >>>>>> and sending themselves a password. While they need a valid email
> >>>>>> address to set the password, they would likely change that as soon
> as
> >>> they were in.
> >>>>>>
> >>>>>> Some resources:
> >>>>>> https://www.drupal.org/PSA-2014-003
> >>>>>>
> >>>>>>
> https://www.acquia.com/blog/learning-hackers-week-after-drupal-sql-i
> >>>>>> nj
> >>>>>> ection-announcement
> >>>>>>
> >>>>>>
> http://drupal.stackexchange.com/questions/133996/drupal-sa-core-2014
> >>>>>> -0 05-how-to-tell-if-my-server-sites-were-compromised
> >>>>>>
> >>>>>> I won't attempt to outline every audit technique here, but if you
> >>>>>> have any questions, please ask them.
> >>>>>>
> >>>>>> The takeaway from this incident, is that while Drupal has a great
> >>>>>> security team and community, it is incumbent upon site owners and
> >>>>>> admins to pay attention. Most Drupal security issues are only
> >>>>>> exploitable by privileged users, and admins need to be careful and
> >>>>>> read every security notice. If a vulnerability is publicly
> >>> exploitable, you must take action immediately.
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Cary
> >>>>>>
> >>>>>> On Thu, Oct 30, 2014 at 5:24 PM, Dan Scott <[log in to unmask]
> >>> <javascript:;>
> >>>>>> <javascript:;>> wrote:
> >>>>>>
> >>>>>>> Via lwn.net, I came across https://www.drupal.org/PSA-2014-003 and
> >>>>>>> my heart
> >>>>>>> sank:
> >>>>>>>
> >>>>>>> """
> >>>>>>> Automated attacks began compromising Drupal 7 websites that were
> >>>>>>> not patched or updated to Drupal 7.32 within hours of the
> >>>>>>> announcement of
> >>>>>>> SA-CORE-2014-005
> >>>>>>> - <https://www.drupal.org/SA-CORE-2014-005>Drupal
> >>>>>>> <https://www.drupal.org/SA-CORE-2014-005> core - SQL injection
> >>>>>>> <https://www.drupal.org/SA-CORE-2014-005>. You should proceed
> under
> >>>>>>> the assumption that every Drupal 7 website was compromised unless
> >>>>>>> updated or patched before Oct 15th, 11pm UTC, that is 7 hours after
> >>>>>>> the
> >>>>>> announcement.
> >>>>>>> """
> >>>>>>>
> >>>>>>> That's about as bad as it gets, folks.
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Cary Gordon
> >>>>>> The Cherry Hill Company
> >>>>>> http://chillco.com
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Cary Gordon
> >>>>> The Cherry Hill Company
> >>>>> http://chillco.com
> >>>
> >>
> >>
> >> --
> >> Cary Gordon
> >> The Cherry Hill Company
> >> http://chillco.com
> >>
>

Top of Message | Previous Page | Permalink

Advanced Options


Options

Log In

Log In

Get Password

Get Password


Search Archives

Search Archives


Subscribe or Unsubscribe

Subscribe or Unsubscribe


Archives

March 2024
February 2024
January 2024
December 2023
November 2023
October 2023
September 2023
August 2023
July 2023
June 2023
May 2023
April 2023
March 2023
February 2023
January 2023
December 2022
November 2022
October 2022
September 2022
August 2022
July 2022
June 2022
May 2022
April 2022
March 2022
February 2022
January 2022
December 2021
November 2021
October 2021
September 2021
August 2021
July 2021
June 2021
May 2021
April 2021
March 2021
February 2021
January 2021
December 2020
November 2020
October 2020
September 2020
August 2020
July 2020
June 2020
May 2020
April 2020
March 2020
February 2020
January 2020
December 2019
November 2019
October 2019
September 2019
August 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
November 2016
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016
December 2015
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003

ATOM RSS1 RSS2



LISTS.CLIR.ORG

CataList Email List Search Powered by the LISTSERV Email List Manager