Hundreds of Drupal Sites Targeted With Fake Ransomware (softpedia.com)

An anonymous reader writes: A group of hackers has created a ransomware strain that specifically targets Drupal sites. Infection occurs thanks to an automated bot which scans Drupal sites and then uses an SQL injection (CVE-2014-3704) to change the site admin's password. The bot also dumps any emails it finds on the server, and then overwrites the site's main page to show a typical ransomware note. Over 400 sites have been infected so far, but nobody has paid the ransom yet.

This case yet again proves why "Web ransomware" will never work because even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site.

  • Even the worst hosts provide backups? I see you are new to this whole hosting thing. Oh, and to how "normal" users behave.

    • Further, of the perhaps 12 hosting companies we've contacted about restoring backups, most of the time the backups didn't actually work. A common scenario was that the backups stopped working several months earlier but nobody noticed until they were needed.

      That type of experience, and web hosting companies that go out of business, eventually forced us to create Clonebox.

    • by mlts ( 1038732 )

      In my experience, a lot of places say they provide backups.

      Usable restores, on the other hand... different story.

      My recommendation is to dump the MySQL/MariaDB database (I use mysqldump and do a logical backup, as well as popping a snapshot), as well as snapshotting the core and other files needed for the Drupal site, shove all of that into a deduplicating backup program like Borg Backup, as well as every so often, take a tar archive and save that off in a separate location, just in case the backup program

  • Back when I used to develop sites in Drupal (which was a few years ago), all SQL queries were parameterized, as opposed to passing variable data as part of the query string. I thought this was supposed to protect you from SQL injection attacks. Am I missing something, or are they attacking very, very old Drupal installations?
    • Re:SQL injection? (Score:4, Informative)

      by Anonymous Coward on Sunday May 22, 2016 @05:42PM (#52161537)

      You are missing something, more precisely you are missing the fact that Drupal was written in PHP. If you want to iterate over an array in PHP you will probably write something like this:
        foreach($array as $key => $data) { ... }

      A construct like that was used in Drupal to construct an SQL query with a list of named parameters, the values for which were then supplied later. You'd get an SQL clause like this:
      ... IN (:idlist_1, :idlist_2, :idlist_3) ...

      And the values would be filled in and escaped by the SQL backend later. Array indices are numbers, so it's all perfectly safe, right? The thing is, PHP contains a critical security bug in that it doesn't enforce declaring the distinction between arrays and maps. So if an attacker can somehow trick the code into executing on a map, $key might be a string containing arbitrary SQL commands which will be executed as is.

      Note that in many languages this cannot happen because an array is not a map, but PHP is unsafe by default here. Yes, if you know about this issue you can work around it, for example by inserting a call to array_values, but the language should really be changed to make it distinguish arrays and maps, and to make it impossible to use maps as arrays. It is especially unforgivable since PHP was designed for the web and to be easy to use by novice programmers.

      Link to CVE page. [cvedetails.com]

      Link to earlier /. discussion. [slashdot.org]
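The placeholder-expansion flaw described in the comment above, as an added PHP example that is not Drupal's own code: the function names, the sample SQL and the input arrays are made up for illustration, and the hardened version applies the array_values workaround the comment mentions plus a whitelist check on the final placeholder names.

```php
<?php
// Added example, not Drupal's code: a simplified model of the placeholder
// expansion described above, once as written (vulnerable) and once hardened.

// The placeholder suffix is taken from the array KEY. For a PHP list the keys
// are 0, 1, 2, ... but PHP will happily iterate a map the same way, so a
// string key is concatenated verbatim into the SQL text.
function expandVulnerable(string $sql, array $args): array {
    $expanded = [];
    foreach ($args as $name => $values) {
        $placeholders = [];
        foreach ($values as $i => $value) {          // $i is whatever key arrived
            $placeholders[] = $name . '_' . $i;
            $expanded[$name . '_' . $i] = $value;
        }
        $sql = str_replace($name, implode(', ', $placeholders), $sql);
    }
    return [$sql, $expanded];
}

// Hardened: array_values() re-indexes to 0..n-1 (the workaround the comment
// names), and a final check refuses any placeholder that is not :word chars,
// so a non-integer key can never reach the query text.
function expandHardened(string $sql, array $args): array {
    $expanded = [];
    foreach ($args as $name => $values) {
        $placeholders = [];
        foreach (array_values($values) as $i => $value) {
            $ph = $name . '_' . $i;
            $placeholders[] = $ph;
            $expanded[$ph] = $value;
        }
        $sql = str_replace($name, implode(', ', $placeholders), $sql);
    }
    foreach (array_keys($expanded) as $ph) {
        if (!preg_match('/^:[A-Za-z0-9_]+$/', $ph)) {
            throw new InvalidArgumentException("unsafe placeholder name: $ph");
        }
    }
    return [$sql, $expanded];
}

// Constructed inputs: a proper list, and a map whose string key stands in for
// attacker-supplied text (hypothetical marker, not a real payload).
$sql    = 'SELECT uid FROM users WHERE name IN (:names)';
$asList = [':names' => ['alice', 'bob']];
$asMap  = [':names' => ['alice', 'INJECTED_TEXT' => 'bob']];

[$ok]   = expandVulnerable($sql, $asList);  // integer keys: placeholders are fine
[$bad]  = expandVulnerable($sql, $asMap);   // the map key lands inside the SQL string
[$safe] = expandHardened($sql, $asMap);     // re-indexed: only :names_0, :names_1
printf("%s\n%s\n%s\n", $ok, $bad, $safe);
```

Running it prints the three expanded queries; only the middle one contains the string key, which is exactly the text that later reaches the database unescaped.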

  • The backups may not even be necessary. Just as the attacker changes the password, unless something has changed with Drupal you can also quite easily change the password simply by hashing a new one. Fixing what damage they've done to the site itself is a little work, but it's not like this would make it unrecoverable.
  • Drupal and WordPress are horrible! Why can't someone make one that is easy to modify, doesn't take a year to learn, made in a real language like Erlang, and can be updated without being root automatically?

    Is that really so hard? Shit, we should make another one? It can't be all that hard?

  • by v1 ( 525388 )

    Not trying to be too petty here, but really, does a problem affecting "hundreds" of web sites in the world really matter that much? That's like a percent of a percent, isn't it?

    And how does anyone (other than the malware author) know that nobody has paid them yet?

    Final note... "will never work".... they wouldn't be doing it if it wasn't making them any money. (not for long anyway, and not more than once) We wouldn't see 99% of the hackery on the internet that we do today (spam, ransomware, phishin

    • Re:hundreds? (Score:5, Informative)

      by _Sharp'r_ ( 649297 ) on Sunday May 22, 2016 @06:19PM (#52161685)

      From the article, it's about 400 sites. Pretty easy to find infected sites with Google, since it changes the home page of the site.

      And how does anyone (other than the malware author) know that nobody has paid them yet?

      The ransom is to be paid to a specific bitcoin address, so anyone can look at the blockchain and see how much bitcoin has ever been transferred to that address [blockchain.info]. The answer being 0 makes the folks in the article pretty confident nothing has been paid so far.

      The infected sites appear to be mostly abandoned by their creators, which explains why they're 2 years behind in Drupal 7.x security updates.

    • Not trying to be too petty here, but really, does a problem affecting "hundreds" of web sites in the world really matter that much? That's like a percent of a percent, isn't it?

      It's actually only a small percentage of a small percentage of Drupal sites, let alone of all sites. Drupal has become massively popular because it sucks less than WP.

      Final note... "will never work".... they wouldn't be doing it if it wasn't making them any money.

      Eh, maybe. Before I knew anything about security the geek house I was living in got hacked through an apache vuln by someone calling themselves "Kunt". They replaced all the index.html files with their own message about proper security. There's all kinds of motivations. Luckily my personal pages were RCS'd so I could just check them out again.

  • "even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site.", sorry, but there are so many newbie developers building sites and cheap business owners that they don't enable backups or aren't willing to pay for it. There are plenty of sites with no backup!
  • by bloodhawk ( 813939 ) on Sunday May 22, 2016 @05:10PM (#52161415)
    "This case yet again proves why "Web ransomware" will never work because even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site."

    WTF, the writer of this post lives in a delusional bubble. Most sites don't have backups, backups cost money. Ransomware exists because it is extremely successful, it only has to work on 1 in a hundred or 1 in a thousand to make it profitable.
    • Most sites don't have backups, backups cost money.

      I pay $1/mo for my hosting and I have backups. Not a lot of them, but still.

  • Didn't you leave out the most important bit?
  • by John Smith ( 4340437 ) on Sunday May 22, 2016 @05:19PM (#52161443)
    You know, you could actually use the exploit to change the sites password back, right? And if it's just the main page, even if it isn't backed up it isn't much work to rebuild (well, relatively anyway). Unless they patched it after your site got infected.
  • by twdorris ( 29395 ) on Sunday May 22, 2016 @06:04PM (#52161607)

    Sounds real to me.

    Lame, perhaps, but certainly real to the extent that someone is (at least temporarily) locked out of their system and has to take steps to restore it or pay the ransom.

    From the fine article, it didn't bother encrypting anything so that certainly bumps it way up on the lame scale. But it's not like people received notices in their inbox demanding ransom for something that never got installed.

  • "even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site."

    This is so wrong it gave me brain cancer.

    NEWSFLASH: Lots of hosts don't provide backups, automatic or otherwise. Ask me how I know.

  • Per TFA, "affects Drupal 7.x installations prior to version 7.32." My Drupal site is at 7.43. 7.33 was released on November 7, 2014. This exploit is actually discussed on Drupal's Security advisories page [drupal.org], and they admit "Multiple exploits have been reported in the wild following the release of this security advisory" lol. Then there is a PSA [drupal.org] about it too. Not surprised no one has paid on this yet; if you haven't updated your Drupal site in two years you probably don't really care that much about it haha
  • I'm not a Drupal fan - WordPress and sometimes Joomla are my go-to PHP CMSes - but this isn't really that big a news piece, considering the install base Drupal has.

    It's like saying WordPress is the Bane of the Web because 8000 websites were hacked. 8000 out of 105 000 000 (105 million) installations isn't really that much. I doubt any other platforms can claim measurably better security.

  • Hundreds of Drupal Sites Targeted With Fake Ransomware

    What's fake about it?
