Roj Bash Kurdistan

BBC News Technology

Millions of websites hit by Drupal hack attack

Up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software.

The sites use Drupal to manage web content and images, text and video.

Drupal has issued a security warning saying users who did not apply a patch for a recently discovered bug should "assume" they have been hacked.

It said automated attacks took advantage of the bug and can let attackers take control of a site.

'Shocking' statement

In its "highly critical" announcement, Drupal's security team said anyone who did not take action within seven hours of the bug being discovered on 15 October should "should proceed under the assumption" that their site was compromised.

Anyone who had not yet updated should do so immediately, it warned.

However, the team added, simply applying this update might not remove any back doors that attackers have managed to insert after they got access. Sites should begin investigations to see if attackers had got away with data, said the warning.

"Attackers may have copied all data out of your site and could use it maliciously," said the notice. "There may be no trace of the attack." It also provided a link to advice that would help sites recover from being compromised.

Mark Stockley, an analyst at security firm Sophos, said the warning was "shocking".

The bug in version 7 of the Drupal software put attackers in a privileged position, he wrote. Their access could be used to take control of a server or seed a site with malware to trap visitors, he said.

He estimated that up to 5.1% of the billion or so sites on the web use Drupal 7 to manage their content, meaning the number of sites needing patching could be as high as 12 million.

Drupal should no longer rely on users to apply patches, said Mr Stockley.

"Many site owners will never have received the announcement and many that did will have been asleep," he said. "What Drupal badly needs but doesn't have is an automatic updater that rolls out security updates by default."

http://www.bbc.co.uk/news/technology-29846539

Drupal

https://www.drupal.org/

See some of the many websites that use drupal

https://www.drupal.org/case-studies

Drupal warns unless you patched within seven hours, you're hacked

Summary: Drupal has issued a highly critical announcement that unless Drupal installs were patched against the latest SQL injection attack within seven hours of its unveiling, the site should be considered compromised.

Drupal's security team has released a "public service announcement" calling upon all users of the Drupal content management framework to consider their sites as compromised, and to start afresh, unless their sites were patched against the SQL injection attack revealed two weeks ago within seven hours of the announcement of the vulnerability.

"You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before October 15, 11pm UTC, that is seven hours after the announcement," the Drupal security announcement said.

The Drupal security team said that it saw automated attacks compromising unpatched sites within hours of the SQL injection's announcement, and that simply updating to the latest Drupal release will not secure any vulnerable sites, as attackers may have already accessed data without leaving any trace of their presence.

"Updating to version 7.32 or applying the patch fixes the vulnerability, but does not fix an already compromised website. If you find that your site is already patched but you didn't do it, that can be a symptom that the site was compromised — some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site."

In order to remove any backdoors that attackers may have added to a system upon which a vulnerable Drupal install resided, the Drupal security team recommends that websites be restored from a backup made before October 15.

The following eight-point plan to restore a vulnerable site is recommended:

Take the website offline by replacing it with a static HTML page

Notify the server's administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack

Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)

Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014

Update or patch the restored Drupal core code

Put the restored and patched/updated website back online

Manually redo any desired changes made to the website since the date of the restored backup

Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.

The popular open-source Drupal framework powers many websites, large and small, across the internet.

Last month, the Australian government signed a four-year deal with Acquia to implement its Drupal-based web Government Content Management System (GovCMS).

A spokesperson for Acquia said at the time that the government's conservative forecasts for the number of websites to utilise the new system would be around 180, and possibly up to 400, sites. Could be many more.

http://www.zdnet.com/