University of Wisconsin–Madison

UPDATE: New vulnerability–Drupal Project PSA

UPDATE
IT Security is now aware of successful attacks on campus Drupal sites.

If you have a Drupal 7.x site, you must patch to version 7.32.  Remember that automated attacks started showing up “within hours” according to the Drupal Project.  If you have yet to update, assume that your site has been compromised.

IT Security has some limited ability to identify sites running Drupal.  If they determine a site has been compromised, they will contact the site administrator.

We’ve already been asked about when it is necessary to open an investigation on a compromised site, so here’s how to determine that:  If you have found an indicator of compromise, and (this bit is key) are storing or processing restricted data (e.g. SSN, credit card or bank account numbers, PHI, full list on our website, then please fill out our Report an Incident form to let us know about it.  If you do not store or process any restricted data, you can rebuild and should do so right away if you see indicators of compromise.

Some indicators of compromise and ways you can look for them if you weren’t patched Oct. 15th:

Some common indicators of compromise to check:

–  New user accounts created over the 15 days especially focusing on suspicious account names: mysql> select uid, name, mail from users where created date_sub(now(), interval 15 day);

– Look for files modified in the last 15 days in the web root

– Look for suspicious access callbacks from the menu_router table: mysql> select distinct(access_callback) from menu_router;

– Look for files owned by Apache outside of the web root

– Look for suspicious running processes owned by Apache

– Review recent Apache logs for signs of attack:  Often this will include a POST with “?q=node&destination=node” in the url

– If Drupal is patched to version 7.32, are you sure you patched it? Attackers are patching post-compromise to keep other hackers out.

IT Security can provide some additional indicators on request.  Contact security@wisc.edu for the list or with any questions.

=================================

Background

On October 15 (the same day as we announced the POODLE vulnerability), Drupal announced an SQL injection vulnerability in version 7.x of Drupal core.  On October 29, the Drupal project released this Public Service Announcement.

In summary, within hours of the SQL injection announcement, automated attacks started showing up in the wild, compromising Drupal sites that had not been patched. Some of the attackers have been patching sites they compromise to help them keep control in their own hands. The Drupal project is recommending that any site not patched “within hours” of the October 15 announcement be considered compromised. They recommend a number of steps, including restoring the site from backups made prior to the 15th, and keeping the site offline until it has been patched.

IT Security recommends: Drupal site admins should review the information from the Drupal project.  If you are running version 7.x and did not patch to version 7.32 on October 15, you should review the PSA and take their advice seriously–rebuilding from backups and patching are the only ways to be sure of your security. We are not currently aware of any compromised Drupal sites at UW-Madison, but IT Security will increase our monitoring activities and begin scanning for Drupal sites on campus that are visible from the internet.  We will post updates as we learn more.

References:

Drupal Security Advisory
Drupal PSA
Drupal FAQ

Some tools to possibly determine if your site has been compromised (Note: IT Security has not tested these tools):

Drupalgeddon
Drupal Project Hacked