drupal.co.za hacked

Posted by Max_Headroom

It is not nice if a client points this out to you:
Page title of drupal.co.za: "Hacked By K4iZen Of BloodSecurity | Hacked By K4iZen Of BloodSecurity"

Comments


Posted by Gemma Morton

Hi Max,

Thanks for the alert. This is very troubling. We are trying to contact someone to get the site turned off, but this does not change the fact that certain users' information is probably exposed now and that can't be undone.

Unfortunately, DASA (Drupal Association South Africa) do not maintain this website and have no control over its development and where it is hosted. We have tried in the past, unsuccessfully, to bring the drupal.co.za domain under the curatorship of DASA. The owner of the domain has not been swayed by various points of discussion of why it would be better managed by DASA, a community representative body, instead of a corporate entity.

I think this hack will force drupal.co.za back onto the agenda of DASA at our next meeting, where we will discuss potential avenues to attempt to prevent future embarrassments such as this. As DASA, we are committed to creating an open and transparent community that works to promote Drupal, and hacked sites work away from that goal.

To anyone who has an account on drupal.co.za, please change your password on that site, and if any other website uses the same username, email and password, it's advised to change those too. There's no way to tell whether the account information has been stolen from the database.

In addition, please note that this website has not been updated since Drupal-7.19 (see screenshot attached). It is highly advised that you always keep your Drupal Core updated, which means you should be using 7.36. Breaches such as this can be prevented if the correct updates are performed timeously.

We will do our best to resolve this issue, but our control is limited. Only with the voices of the community in agreement with us, can we effect real change. We need you to help us.

Kind Regards,
Greg
Secretary of DASA


Posted by Gemma Morton

Apologies, there doesn't seem to be a way to attach images to these posts.


Posted by Max_Headroom

I see it is offline now. I guess this is not good for eConsultant's reputation either.

Quentin

drupal.co.za Status

Posted by Richard Banks

Hi Max,

Thanks for keeping a watchful eye and bringing this to the community's attention, it's much appreciated. The site was taken offline for review and to let the powers that be decide what to do next.

This here is what happened, given the information I have available.

There was a syncing issue with the co.za site that left it in an un-upgradeable state; as a result, patches were used to fix critical security issues. At the time the Aegir platform was being restructured and upgraded. As the site was in a secure state, it was hoped that the upgrade would help resolve the sync issue.

Unfortunately the process took longer than expected, and in the week of the 17th we attempted a full upgrade of the site to the new platform. However, a technical issue resulted in the site being rolled back, inadvertently uploading an older set of files which allowed the site to be hacked. I do know that the site was hacked within 24 hours of it being reported; however, given the nature of the hack (SA-CORE-2014-005) it was largely invisible, so it is hard to say what was compromised.

Yes, we agree more attention should have been paid to the site, and better processes have been put in place to avoid this in future.

TL;DR

So what does this mean?

Firstly, the site in its current form will not be put back online. The existing site will be deleted.

However, it is possible that hashed passwords were leaked to the attacker. While it is improbable that they can break the code, it is not impossible. Therefore, if you have reused your drupal.co.za password on other sites, it is advised that you change your password if you have not already done so in the last 12 months.

Regards,
Richard