Fri, 2014-11-21 15:35

Oh, mother taught me not to lie. She said liars pay for it later on in life. I'll tell the truth... Drupalgeddon has been a pretty rough experience for the Drupal community as a whole. Our luck wasn't very different: within hours, several websites started displaying extraneous roles, some really shady admin users, and all manner of intrusion attempts. It was insanity. The biggest challenge was the speed and automation of these attacks; since the vulnerability was so straightforward to exploit, this was (and is) happening en masse, with thousands of sites compromised within a small time frame. Thankfully we were lucky enough to not have any sensitive data compromised, although it's likely that data could have been extracted without leaving a trace. Here is the harrowing security announcement (SA-CORE-2014-005). Essentially, an unauthenticated attacker gains the ability to execute SQL of their choosing against the database, which means creating administrative users, changing data, pulling data, and anything else a query can do.

Has your site been exploited? Let's do a cursory investigation

There are a few things I noticed that were extremely obvious signs of intrusion. The biggest one was a role named "megauser" being created and, correspondingly, a user or two having that role assigned to them. Other attackers were more subtle and just assigned themselves the stock "administrator" role, so check for that too. Another thing I noticed was the inclusion of web shells, so look through your server; you might see stuff like this. That is the c99 web shell. I put it on a pastebin because I don't want that stuff near me, but you can look at it, and it's obviously for educational purposes only. So any extraneous PHP files with corny super-hacker names are reason enough to panic, set the entire Drupal install on fire, and move to a clean and hardened server. Consider all data compromised at that point. Take the site offline and get to work. If you don't see any of this, it doesn't mean your site wasn't compromised: the same SQL access that creates a visible admin account can also read or alter data without leaving anything in the UI.

What can I do?

First of all, the single most useful thing you can do is find a backup from before the vulnerability was disclosed (15 October 2014, when SA-CORE-2014-005 went out; a backup taken after that date but before you patched can already contain the attacker's changes), because unfortunately the announcement is a double-edged sword: getting the word out to all the good Drupal folks out there also gets the word out to everyone creeping around exploit forums, waiting for exactly this kind of bug so they can load their web shells into your site. If you have such a backup, restore it, upgrade it to 7.32 or later (7.34 at the time of writing), and set the patched site live. You might have to migrate content created since then into the patched site, but that is life; better safe than sorry.

If you don't have backups (never let that happen), you're going to have to painstakingly secure your site as much as possible: definitely update Drupal core, invalidate all passwords and live sessions, scan for web shells and modified files, and review every account and role grant. For more information, check out this follow-up thread and its comments.

Written by
Antonio Torres
Senior Developer

Hailing from southern Spain, Antonio built his first website when he was 11 years old and went on to build Miami Beach Senior High's website as a junior, which remained online for over 5 years. A programmer by passion first, Antonio is a geek at heart and is always ready to try something cutting edge. Having developed websites that process several million dollars yearly, mapping-centric applications, and mobile apps, Antonio brings a well-rounded set of technical skills to the team.