This is what I posted to the Drupal4Lib list:
--------------------
By now, you should have seen https://www.drupal.org/PSA-2014-003 and heard
about the "Drupageddon" exploits. and you may be wondering if you were
vulnerable or iff you were hit by this, how you can tell and what you
should do. Drupageddon affects Drupal 7, Drupal 8 and, if you use the DBTNG
module, Drupal 6.
The general recommendation is that if you do not know or are unsure of your
server's security and you did not either update to Drupal 7.32 or apply the
patch within a few hours of the notice, you should assume that your site
(and server) was hacked and you should restore everything to a backup from
before October 15th or earlier. If your manage your server and you have any
doubts about your file security, you should restore that to a pre 10/15
image, as well or do a reinstall of your server software.
I know this sounds drastic, and I know that not everyone will do that.
There are some tests you can run on your server, but they can only verify
the hacks that have been identified.
At MPOW, we enforce file security on our production servers. Our
deployments are scripted in our continuous integration system, and only
that system can write files outside of the temporal file directory (e.g.
/sites/site-name/files). We also forbid executables in the temporal file
system. This prevents many exploits related to this issue.
Of course, the attack itself is on the database, so even if the file system
is not compromised, the attacker could, for example, get admin access to
the site by creating an account, making it an admin, and sending themselves
a password. While they need a valid email address to set the password, they
would likely change that as soon as they were in.
Some resources:
https://www.drupal.org/PSA-2014-003
https://www.acquia.com/blog/learning-hackers-week-after-drupal-sql-injection-announcement
http://drupal.stackexchange.com/questions/133996/drupal-sa-core-2014-005-how-to-tell-if-my-server-sites-were-compromised
I won't attempt to outline every audit technique here, but if you have any
questions, please ask them.
The takeaway from this incident, is that while Drupal has a great security
team and community, it is incumbent upon site owners and admins to pay
attention. Most Drupal security issues are only exploitable by privileged
users, and admins need to be careful and read every security notice. If a
vulnerability is publicly exploitable, you must take action immediately.
Thanks,
Cary
On Thu, Oct 30, 2014 at 5:24 PM, Dan Scott <[log in to unmask]> wrote:
> Via lwn.net, I came across https://www.drupal.org/PSA-2014-003 and my
> heart
> sank:
>
> """
> Automated attacks began compromising Drupal 7 websites that were not
> patched or updated to Drupal 7.32 within hours of the announcement of
> SA-CORE-2014-005
> - <https://www.drupal.org/SA-CORE-2014-005>Drupal
> <https://www.drupal.org/SA-CORE-2014-005> core - SQL injection
> <https://www.drupal.org/SA-CORE-2014-005>. You should proceed under the
> assumption that every Drupal 7 website was compromised unless updated or
> patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
> """
>
> That's about as bad as it gets, folks.
>
--
Cary Gordon
The Cherry Hill Company
http://chillco.com
|