Hundreds of Drupal Sites Targeted With Fake Ransomware (softpedia.com)
An anonymous reader writes: A group of hackers have created a ransomware strain that specifically targets Drupal sites. Infection occurs thanks to an automated bot which scans Drupal sites and then uses an SQL injection (CVE-2014-3704) to change the site admin's password. The bot also dumps any emails it finds on the server, and then overwrites the site's main page to show a typical ransomware note.
Over 400 sites have been infected until now, but nobody has paid the ransom yet.
This case yet again proves why "Web ransomware" will never work because even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site.
Haha (Score:2)
Even the worst hosts provide backups? I see you are new to this whole hosting thing. Oh, and to how "normal" users behave.
Most host-provided backups don't actually work (Score:3)
Further, of the perhaps 12 hosting companies we've contacted about restoring backups, most of the time the backups didn't actually work. A common scenario was that the backups stopped working several months earlier but nobody noticed until they were needed.
That type of experience, and web hosting companies that go out of business, eventually forced us to create Clonebox.
Also if they've lost big before and learned (Score:2)
> The chance that a site will have a good backup policy is usually related to their potential for loss.
I would say that more than half of companies who sign up for our backup/warm spare service do so right AFTER a loss incident. Their web hosting company has a fire, or vanishes in the night, or they get rooted or whatever and they realize they should have had a solid backup. They get Clonebox to make sure that kind of thing doesn't happen again.
My stats are a bit skewed because they often call us for
Re: (Score:2)
In my experience, a lot of places say they provide backups.
Usable restores, on the other hand... different story.
My recommendation is to dump the MySQL/MariaDB database (I use mysqldump and do a logical backup, as well as popping a snapshot), as well as snapshotting the core and other files needed for the Drupal site, shove all of that into a deduplicating backup program like Borg Backup, as well as every so often, take a tar archive and save that off in a separate location, just in case the backup program
SQL injection? (Score:2)
Re: (Score:2)
The power of open source!!!!!!111111111eleven - many mediocre eyes looking at mediocre scribblings.
As opposed to proprietary closed source, which is very often a handful of weak eyes looking at lunatic ravings.
Re:SQL injection? (Score:4, Informative)
You are missing something, more precisely you are missing the fact that Drupal was written in PHP. If you want to iterate over an array in PHP you will probably write something like this:

    foreach($array as $key => $data) {
        ...
    }
A construct like that was used in Drupal to construct an SQL query with a list of named parameters, the values for which were then supplied later. You'd get an SQL clause like this:
... IN (:idlist_1, :idlist_2, :idlist_3) ...
And the values would be filled in and escaped by the SQL backend later. Array indices are numbers, so it's all perfectly safe, right? The thing is, PHP contains a critical security bug in that it doesn't enforce declaring the distinction between arrays and maps. So if an attacker can somehow trick the code into executing on a map, $key might be a string containing arbitrary SQL commands which will be executed as is.
Note that in many languages this cannot happen because an array is not a map, but PHP is unsafe by default here. Yes, if you know about this issue you can work around it, for example by inserting a call to array_values, but the language should really be changed to make it distinguish arrays and maps, and to make it impossible to use maps as arrays. It is especially unforgivable since PHP was designed for the web and to be easy to use by novice programmers.
Link to CVE page. [cvedetails.com]
Link to earlier /. discussion. [slashdot.org]
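The comment above describes the mechanism of CVE-2014-3704 in words. The following is an added example, written for this page and not Drupal's own code: a reduced model of a placeholder-expanding query builder with the key-trusting loop beside the fixed one (the published Drupal fix was a one-line change that passed the inner loop's input through array_values()). The function names, the `:name` placeholder, the sample query and the hostile input are assumptions constructed for illustration; the hostile array is built inline rather than read from a request, but it has the shape PHP's query-string parser would produce for a `name[...]=...` parameter with a crafted key.

```php
<?php
// Added example (not Drupal's code): a reduced model of the placeholder
// expansion pattern described above. Requires PHP 7.1+ (list destructuring).
// With $fixed = false the array keys are trusted, as the pre-fix code did;
// with $fixed = true the input is re-indexed with array_values() first.

function expandPlaceholders(string $query, array $args, bool $fixed): array
{
    foreach (array_filter($args, 'is_array') as $key => $data) {
        // After array_values() the keys are 0..n-1, so a map behaves like a list.
        $items = $fixed ? array_values($data) : $data;
        $newKeys = [];
        foreach ($items as $i => $value) {
            // $i is assumed to be an integer index; without the fix it is
            // whatever key the caller (or the HTTP request) supplied, and it
            // is concatenated straight into the SQL text below.
            $newKeys[$key . '_' . $i] = $value;
        }
        // Replace ":name" in the SQL text with ":name_0, :name_1, ..."
        $query = preg_replace(
            '#' . preg_quote($key, '#') . '\b#',
            implode(', ', array_keys($newKeys)),
            $query
        );
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$query, $args];
}

// A guard a caller can apply to untrusted input: accept only a plain list
// (keys exactly 0..n-1) before it reaches a placeholder-expanding builder.
function isList(array $a): bool
{
    return $a === [] || array_keys($a) === range(0, count($a) - 1);
}

$sql = 'SELECT name FROM users WHERE name IN (:name)';

// Benign caller: a real list, keys 0 and 1.
$benign = [':name' => ['alice', 'bob']];

// Attacker-controlled input (constructed here, not read from $_GET): a request
// such as  name[0]=alice&name[0) OR 1=1 -- ]=bob  is parsed by PHP into a map
// whose second key is an SQL fragment.
$hostile = [':name' => ['alice', '0) OR 1=1 -- ' => 'bob']];

[$q1] = expandPlaceholders($sql, $benign, false);
// SELECT name FROM users WHERE name IN (:name_0, :name_1)

[$q2, $a2] = expandPlaceholders($sql, $hostile, false);
// SELECT name FROM users WHERE name IN (:name_0, :name_0) OR 1=1 -- )
// Only :name_0 is still a bound parameter; the attacker's key became SQL text
// and the closing paren of the original query is commented out.

[$q3] = expandPlaceholders($sql, $hostile, true);
// SELECT name FROM users WHERE name IN (:name_0, :name_1)

foreach ([$q1, $q2, $q3] as $q) {
    echo $q, PHP_EOL;
}
// Reject the request before building the query at all:
var_dump(isList($hostile[':name']));   // bool(false)
var_dump(isList($benign[':name']));    // bool(true)
```

Two things worth noticing when running this: the bound-parameter array `$a2` still looks plausible (it contains `:name_0` => 'alice'), so inspecting only the parameters would not reveal the injection; and `isList()` is a caller-side check, which is useful as defence in depth but does not replace fixing the expansion itself, since every call site that passes arrays would need it.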
Easy fix (Score:1)
Re: (Score:2)
You need to check all the files to make sure they haven't been modified from the standard installation or whatever custom changes you're running,
If you've backed up your themes, then you can just reinstall the files, which takes but moments. There's no reason save curiosity to check over files. Just get them all from the clean source and reinstall them. Unless you're a total glutton for punishment, you've only got a few modules installed anyway.
Re: (Score:2)
Maybe the next version of the ransomware could do an automatic backup of the site before infecting it and then restore this backup as a "service" for an extra fee.
Sounds like you would find this useful.
Make another CMS (Score:1)
Drupal and WordPress are horrible! Why can't someone make one that is easy to modify, doesn't take a year to learn, made in a real language like Erlang, and can be updated without being root automatically?
Is that really so hard? Shit, we should make another one. It can't be all that hard?
Hundreds? (Score:2)
not trying to be too petty here, but really, does a problem affecting "hundreds" of web sites in the world really matter that much? That's like a percent of a percent isn't it?
And how does anyone (other than the malware author) know that nobody has paid them yet?
Final note... "will never work".... they wouldn't be doing it if it wasn't making them any money. (not for long anyway, and not more than once) We wouldn't see 99% of the hackery on the internet that we do today (spam, ransomware, phishin
Re:Hundreds? (Score:5, Informative)
From the article, it's about 400 sites. Pretty easy to find infected sites with Google, since it changes the home page of the site.
The ransom is to be paid to a specific bitcoin address, so anyone can look at the blockchain and see how much bitcoin has ever been transferred to that address [blockchain.info]. The answer being 0 makes the folks in the article pretty confident nothing has been paid so far.
The infected sites appear to be mostly abandoned by their creators, which explains why they're 2 years behind in Drupal 7.x security updates.
Re: (Score:2)
not trying to be too petty here, but really, does a problem affecting "hundreds" of web sites in the world really matter that much? That's like a percent of a percent isn't it?
It's actually only a small percentage of a small percentage of Drupal sites, let alone of all sites. Drupal has become massively popular because it sucks less than WP.
Final note... "will never work".... they wouldn't be doing it if it wasn't making them any money.
Eh, maybe. Before I knew anything about security the geek house I was living in got hacked through an apache vuln by someone calling themselves "Kunt". They replaced all the index.html files with their own message about proper security. There's all kinds of motivations. Luckily my personal pages were RCS'd so I could just check them out again.
Not every site is backed up (Score:2)
Delusional submitter? (Score:5, Insightful)
WTF, the writer of this post lives in a delusional bubble. Most sites don't have backups; backups cost money. Ransomware exists because it is extremely successful; it only has to work on 1 in a hundred or 1 in a thousand to make it profitable.
Re: (Score:2)
Most sites don't have backups; backups cost money.
I pay $1/mo for my hosting and I have backups. Not a lot of them, but still.
Ransomware DDOS botnets run on Windows .. (Score:1)
Re: (Score:1)
In the future they will run on whatever is the most used desktop operating system that ordinary people use to connect to the Internet.
Re: (Score:1)
Self-defeating (Score:3)
What's fake about it? (Score:3)
Sounds real to me.
Lame, perhaps, but certainly real to the extent that someone is (at least temporarily) locked out of their system and has to take steps to restore it or pay the ransom.
From the fine article, it didn't bother encrypting anything so that certainly bumps it way up on the lame scale. But it's not like people received notices in their inbox demanding ransom for something that never got installed.
WTF? So so wrong (Score:2)
"even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site."
This is so wrong it gave me brain cancer.
NEWSFLASH: Lots of hosts don't provide backups, automatic or otherwise. Ask me how I know.
Version (Score:2)
Not really a big piece of news ... (Score:2)
I'm not a Drupal fan - WordPress and sometimes Joomla are my go-to PHP CMSes - but this isn't really that big a news piece, considering the install base Drupal has.
It's like saying WordPress is the Bane of the Web because 8000 websites were hacked. 8000 out of 105 000 000 (105 million) installations isn't really that much. I doubt any other platforms can claim measurably better security.
Re: (Score:2)
It is the pay-for plugin market that really is killing WordPress, but it is also what keeps it going. You have a million marketers saying that WordPress is the greatest thing since sliced bread, because that is how they get their bread. Last I looked at Joomla, it was in the same sorry state. Drupal is still the only truly free CMS.
How is it fake? (Score:2)
Hundreds of Drupal Sites Targeted With Fake Ransomware
What's fake about it?