Drupageddon attack

Posted by ckosloff

Yesterday and today I received ominous automated emails from BOA:

    Subject: URGENT: The xxx.com site on webxx.xxx.com has been HACKED!

    Body:
    Our system detected that the site xxx.com has been hacked!
    Common signatures of an attack which triggered this alert:
    The drush command 'drupalgeddon-test' could not be found. [error]

So I installed drupalgeddon (the letter 'l' missing in the title is purposeful) with drush dl drupalgeddon, and since the project recommends installing site_audit as well, I did that too.
You then have access to the command 'drush asec', which did not report any problem, so no action was necessary.
'drupalgeddon-test' also ran without problems.
So my question is: does BOA install drupalgeddon automatically?
Because if it does not, then it is normal that the command is missing and the email is a false positive.
Anyway, the drupageddon attack (no 'l') is only recent and does not affect D7.32.
But there is a more recent version, D7.33, which is quite improved as it fixes Drupal error reporting in PHP 5.6.
I will rebuild the site on top of that version; I am just waiting for BOA to release a new Octopus version. I tried the make file, but I'd rather wait for the platform release.
Did any of you guys get any of this?

Comments

As said before I ran drush

Posted by ckosloff

As said before, I ran drush drupalgeddon-test on the supposedly compromised website; it reported: No evidence of known Drupalgeddon exploits found.
This does not mean, of course, that the site is all clear; it is just evidence that the command is there.
But... today I got the same email about the command missing, ran it again, with the same results.
So something does not match: if the command is present, why is the email saying that it is not?

I've just received the same

Posted by jamiet

I've just received the same email for two sites using a custom platform in the static directory of my self-hosted BOA install. I have logged into the server, su'd to the o1 user and ran:

    drush drupalgeddon-test

within the sites directory of both sites, and it ran successfully and declared no evidence of exploits?

It looks like the daily check is unable to find the command even though I am able to run it manually?

Anybody else seeing this?
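Both posts above hit the same problem: the alert fires because the daily job could not find drush's drupalgeddon-test command at all, and that "command not found" error is then reported as if it were a signature of a hack. The script below is an added example, not BOA's monitoring code and not part of the drupalgeddon project: it classifies the output of drush drupalgeddon-test into "the check did not run" versus "the check ran and found nothing" versus "look at it", and it runs the check the way a cron job should, as the site user with a login shell, so the PATH and drush version match what you get when you su to that user manually. The user name o1 and the site directory passed to check_site are placeholders; the three sample output lines are constructed from the messages quoted in the thread plus one made-up generic drush error.

```shell
#!/usr/bin/env bash
# Added example (not BOA's or the drupalgeddon project's code).
# Separates "the drupalgeddon-test command is missing" from "the site
# reported no evidence", so a tooling failure is not reported as a hack.

# Classify captured drush output. Prints exactly one of:
#   missing-command  drush could not find drupalgeddon-test; the check
#                    itself never ran (the thread's false positive)
#   clean            the project reported no evidence of known exploits
#   needs-review     anything else: a real finding, a bootstrap error,
#                    or an unexpected message; a human must look at it
classify_drupalgeddon_output() {
  out="$1"
  case "$out" in
    *"The drush command 'drupalgeddon-test' could not be found"*)
      echo "missing-command" ;;
    *"No evidence of known Drupalgeddon exploits found"*)
      echo "clean" ;;
    *)
      echo "needs-review" ;;
  esac
}

# Run the test the way the daily job should: as the site user, through a
# login shell (-i) so the same PATH and drush apply as in an interactive
# session, from inside the site directory. Prints the classification.
# $1 = site user (placeholder: o1), $2 = site directory (placeholder).
check_site() {
  user="$1"
  site_dir="$2"
  # 2>&1 because drush writes "[error]" lines to stderr and we need them.
  out="$(sudo -u "$user" -i sh -c "cd '$site_dir' && drush drupalgeddon-test 2>&1")" || true
  classify_drupalgeddon_output "$out"
}

# Constructed sample outputs. The first two mirror lines quoted in the
# thread; the third is a made-up generic drush error.
SAMPLE_MISSING="The drush command 'drupalgeddon-test' could not be found. [error]"
SAMPLE_CLEAN="No evidence of known Drupalgeddon exploits found."
SAMPLE_OTHER="Drush bootstrap failed, cannot continue. [error]"

# Demo: classify the three samples.  Run with --demo to see the table.
if [ "${1:-}" = "--demo" ]; then
  for s in "$SAMPLE_MISSING" "$SAMPLE_CLEAN" "$SAMPLE_OTHER"; do
    printf '%-16s <- %s\n' "$(classify_drupalgeddon_output "$s")" "$s"
  done
fi
```

A monitor built on this would page on needs-review, open a tooling ticket on missing-command (drush dl drupalgeddon as the site user, or check that the cron user's PATH reaches the same drush as the interactive one), and stay quiet on clean; the "HACKED" subject line in the thread's email is the result of collapsing the first and third cases into one.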

Group: BOA
