Parliament video site hacked by Iskorpitx

8thom's picture

Hey,

Can anyone confirm if this was due to a hosting or Drupal vulnerability?

http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10674760

Comments

Forensics

lightweight's picture

We're working with Tandem Studios to resolve this problem (we have had nothing to do with the development or maintenance of the site previously).

The site hosting has CPanel... the Drupal site wasn't fully up-to-date, but there's no obvious indication from the logs that the Drupal site itself was compromised. We suspect (but due to the limited logging on the hosting, it's not possible to verify) that the compromise which provided the cracker with filesystem write access was through another web application made available via CPanel, e.g. phpMyAdmin, which we have seen as a widely used vector for exploits previously. (We don't expose phpMyAdmin directly on any of Egressive's hosting for that reason.)

Cheers,

Dave Lane, Egressive

From what I understand, is

Josh Waihi's picture

From what I understand, it was a hosting vulnerability. Though it should be noted that the changelog suggests that the Drupal version is well out of date.

InTheHouse status

lightweight's picture

Hi Josh, yes, there are a number of modules with known vulnerabilities as well as an old core Drupal install. If they accept our proposal to adopt the site, it will a) be moved to NZ, and b) updated, and c) kept up-to-date as part of Egressive's Drupal Security Maintenance service.

Dave

Clarification

lightweight's picture

It turns out that the compromise of the InTheHouse site was not via a Drupal vulnerability (even though there were some vulnerable modules present), but rather via a crack that compromised a portion of the hosting provider's infrastructure. 40,000 additional sites (mostly not Drupal sites) were also affected.

http://community.a2hosting.com/a2hosting/topics/a2s48_turkish_hacker

We at Egressive were called in to fix the situation (and transfer the site to Egressive's hosting in NZ), which is being undertaken as I type. We began speaking to Tandem Studios about moving the site to NZ several weeks ago (before the Big Wobble down here in Chch)... so it's just bad luck it happened before the site could be moved.

Dave
