[Gruppo-web] Fwd: Ubuntu Drupal sites down due to security incident

Dario Cavedon dcavedon a gmail.com
Sat 1 Nov 2014 08:29:35 GMT


Another update... does anyone know what the "drush
drupalgeddon-test" test consists of?

Dario


---------- Forwarded message ----------
From: Tom Haddon <tom.haddon a canonical.com>
Date: 2014-10-31 18:14 GMT+01:00
Subject: Re: Ubuntu Drupal sites down due to security incident
To: Dario Cavedon <dcavedon a gmail.com>, david.planella a ubuntu.com
Cc: edubuntu-council a lists.ubuntu.com, Consiglio Comunità Ubuntu-it
<consiglio a ubuntu-it.org>, Mailing list del Consiglio della comunità
<consiglio a liste.ubuntu-it.org>


On 31/10/14 09:06, Tom Haddon wrote:
> On 31/10/14 08:55, Dario Cavedon wrote:
>> 2014-10-30 12:32 GMT+01:00 David Planella <david.planella a ubuntu.com>:
>>> I wanted to give you a heads up that due to Drupal 7.x vulnerability
>>> SA-CORE-2014-005, affecting www.ubuntu-it.org, www.kubuntu.it,
>>> www.edubuntu.org, these sites are presently down.
>>>
>>> The Canonical IS team is working on the fix and they are trying to get the
>>> sites back up as soon as they're able to.
>>>
>>> I'm CC'ing Tom Haddon, IS Operations Manager, who can provide more details
>>> if needed.
>>
>> Hi David, hi Tom,
>> this is Dario from ubuntu-it LoCo.
>>
>> Thanks for the email. We would like to provide our users with some
>> updates about the progress with the fix. Is there any news?
>
> Hi Dario,
>
> First of all, we're sorry that the service was taken down without
> notice. The advisory [1] was issued initially on October 15th, but a
> later advisory was issued on October 29th [2]. It's also become clear
> from looking at the "Why is it important to update now?" section of
> https://www.drupal.org/node/2357241 that systematic attacks began on
> drupal sites within 7 hours of the initial advisory being issued on
> October 15th. The patch prepared by the Italian loco team was applied on
> October 22nd at approximately 23:20, by which time systematic attacks
> had been running for almost 7 days.
>
> We therefore took the decision to take all drupal sites offline while we
> investigated this. Doing the analysis and getting the site back to a
> good state is a non-trivial exercise, but it's our current highest
> priority issue. We are doing everything we can to get this and other
> sites back up that we unfortunately had to take down as quickly as possible.
>
> We agree the communication could be better, and we apologise for this.
> We would also like to continue the discussions around migrating off this
> server once we have the service restored as we think that will be
> beneficial for both sides, but for the moment we're focusing all our
> attention on getting the site back up.
>
> We're currently running "drush drupalgeddon-test" to see if we can
> confirm if the site was compromised and what kind of action is necessary
> as a result of this. It's come up with what we believe to be some false
> positives which seem to be perfectly legitimate files that haven't been
> modified since before October 15th (http://css3pie.com/). We're
> continuing to look into it and will get the site back up as soon as
> we're confident we've understood the scope of the incident.

Just as a follow up to this, wanted to make you aware of the progress
we're making. Our plan involves the following steps on each site:
- confirming apparmor profiles for each site
- ensuring the code is updated to 7.32 (which obviously it is on
www.ubuntu-it.org/www.kubuntu.it thanks to your update on the 22nd), but
also on the other affected sites
- confirming file permissions to restrict the writable files/directories
by the www-data user to the absolute minimum
- changing any secrets, such as DB passwords, in files that are visible
to the www-data user
- running "drush drupalgeddon-test" against the backups we took on
October 29th for each site, and comparing changes to any backups we have
from prior to October 15th to look for suspicious users or confirmation
of an exploit
- reviewing other sites on the servers in question to ensure we reduce
the possibility of further issues

We're making progress through each of these steps, and have been looking
particularly at the file permissions and ownership issues so far today.

I'll keep you updated with progress and we hope to have things back up
and running as soon as is feasible.

Thanks, Tom


-- 
Blog: http://dariocavedon.blogspot.com
Twitter: https://twitter.com/dcavedon
Linux user #280955 Ubuntu User # 3228
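An added example (not from this thread, from Canonical IS, or from the drupalgeddon drush module) of the backup comparison Tom describes: a pre-advisory backup manifest and users list are checked against the post-incident ones to surface new, changed or re-touched files and new accounts for triage. The file paths, digests, mtimes and user rows are constructed; a real run would generate them from the two backups.

```python
from datetime import datetime, timezone

# SA-CORE-2014-005 was published on 15 October 2014; anything touched after
# this date in the post-incident backup deserves a look.
ADVISORY = datetime(2014, 10, 15, tzinfo=timezone.utc)

def ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed file manifests: path -> (content digest, mtime). In a real run
# these would be built from both backups with sha256sum and stat, not typed in.
PRE_BACKUP = {
    "sites/all/libraries/pie/PIE.htc": ("aa11", ts(2013, 5, 2)),   # legitimate css3pie file
    "includes/database/database.inc": ("bb22", ts(2014, 1, 9)),
    "sites/default/settings.php": ("cc33", ts(2014, 1, 9)),
    "sites/default/files/.htaccess": ("ff66", ts(2014, 1, 9)),
}
POST_BACKUP = {
    "sites/all/libraries/pie/PIE.htc": ("aa11", ts(2013, 5, 2)),   # unchanged: not flagged
    "includes/database/database.inc": ("bb99", ts(2014, 10, 22)),  # changed by the update on the 22nd
    "sites/default/settings.php": ("cc33", ts(2014, 10, 20)),      # same content, new mtime
    "sites/default/files/.htaccess": ("ff66", ts(2014, 1, 9)),
    "sites/default/files/x.php": ("ee55", ts(2014, 10, 16)),       # absent from the old backup
}

def diff_files(pre, post, advisory=ADVISORY):
    """Files to triage: new since the old backup, changed, re-touched, or removed.
    Legitimate changes (the 7.32 update) still appear and must be ruled out by hand."""
    findings = {}
    for path, (digest, mtime) in post.items():
        if path not in pre:
            findings[path] = "new since pre-advisory backup"
        elif pre[path][0] != digest:
            findings[path] = "content changed"
        elif mtime >= advisory:
            findings[path] = "unchanged content, mtime after advisory"
    for path in pre.keys() - post.keys():
        findings[path] = "removed"
    return findings

# Constructed rows from the Drupal `users` table: uid -> name.
PRE_USERS = {0: "anonymous", 1: "admin", 2: "dario"}
POST_USERS = {0: "anonymous", 1: "admin", 2: "dario", 3: "unknown3"}

def new_accounts(pre, post):
    """Accounts that appear only in the post-incident dump."""
    return {uid: name for uid, name in post.items() if uid not in pre}

if __name__ == "__main__":
    for path, why in sorted(diff_files(PRE_BACKUP, POST_BACKUP).items()):
        print(f"{why:40} {path}")
    print("new accounts:", new_accounts(PRE_USERS, POST_USERS))
```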

