A couple of days ago I discovered that hackers had gained access to the Gwulo server and website. Since then I've been checking through the site and this is what I've found:
- The hackers exploited a problem in the Drupal software I use to run Gwulo.com. This problem, and a fix to prevent hackers from using it, was announced on 15th October (https://www.drupal.org/drupal-7.32-release-notes).
- Hackers quickly found ways to use this problem to gain access to web servers running a version of Drupal older than 15th October. That includes us. I believe we were attacked on 20th October by an automated script searching for, and then attacking, servers running Drupal.
- The hackers had several options for what they could do once they had access to the server. They had full access to the server, so could download, change, or delete any files on the server.
- The evidence I've found makes it very likely we've been lucky. The hacker created some new users within Gwulo that were supposed to have administrative rights. However, due to some quirks in the setup of this server the users were just given the ordinary rights that any other user would have. I don't see any sign of other damage done, or 'backdoors' created to allow future attacks.
- The attacker also fixed the problem, so that no one else could use that method to attack this server. (This isn't done out of any sense of public spirit - they want to keep the compromised server for their own use, and not let any other hackers take control of it.)
- After the attack on 20th October, I can see that one of the new user accounts was logged in to in November. I don't see signs of any other suspicious activity.
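To show what the "older than 15th October" check above amounts to in practice, here is an added example (not code from Gwulo or from the Drupal project): it reads the version string that Drupal 7 declares in includes/bootstrap.inc and reports whether it predates 7.32, the release in the notes linked above. The sample file text below is constructed; the define('VERSION', ...) line is the form Drupal 7 uses.

```python
import re

# The Drupal 7 release that closed the problem announced on 15th October 2014.
FIXED_VERSION = (7, 32)

# Constructed excerpt of the kind of line found in includes/bootstrap.inc on a Drupal 7 site.
SAMPLE_BOOTSTRAP_INC = (
    "<?php\n"
    "/**\n * The current system version.\n */\n"
    "define('VERSION', '7.31');\n"
)


def drupal_version(bootstrap_inc_text):
    """Return the declared Drupal version as a tuple, e.g. (7, 31).

    Drupal 7 declares its version as define('VERSION', '7.x'); a suffix such
    as '-dev' is ignored for the comparison."""
    match = re.search(r"define\('VERSION',\s*'([\d.]+)[^']*'\);", bootstrap_inc_text)
    if not match:
        raise ValueError("no VERSION define found in bootstrap.inc text")
    return tuple(int(part) for part in match.group(1).split("."))


def needs_update(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the release carrying the fix."""
    return version < fixed


if __name__ == "__main__":
    installed = drupal_version(SAMPLE_BOOTSTRAP_INC)
    status = "predates the fix, update needed" if needs_update(installed) else "at or after the fix"
    print("Drupal %s: %s" % (".".join(map(str, installed)), status))
```

Point the function at the real includes/bootstrap.inc of a site to run the same check against it.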
Here are answers to the questions you might have. If you think of any others, please let me know in the comments below.
Regards, David
What did the hackers take from Gwulo?
The signs are that we've been lucky, and the hackers just created the users mentioned above. But, it is possible that between 15th and 20th October they (or other hackers) copied any or all of the information from the website.
Did they take any of my personal information?
I don't think it is likely, but here is the information stored on the website that may have been copied:
If you have an account on Gwulo, the database records your username and your email address, so there is a small chance that information has been copied. Your password is not stored here, only something called its "hash". So the hackers were not able to see your password, but could have changed it if they'd wanted to. I don't see any evidence that they changed any passwords.
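As an added illustration (not Gwulo's code, and not Drupal's own password scheme, which differs in detail), here is how a stored "hash" differs from a stored password, together with the kind of check described above for new accounts, changed passwords and new administrators: compare the current users and roles tables against the pre-attack backup. The table rows, the administrator role id and the hashes are constructed; the hashing uses generic PBKDF2 rather than Drupal's algorithm.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Store only a salted, slow hash of the password, never the password itself.
    (Generic PBKDF2 for illustration; Drupal 7's own scheme is different.)"""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the candidate password and compare in constant time.
    The stored value cannot be turned back into the password."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


ADMIN_RID = 3  # constructed: role id of the site's administrator role

# Constructed snapshots shaped like Drupal 7's `users` (uid, name, mail, pass, created)
# and `users_roles` (uid, rid) tables. Fixed salts make the hashes reproducible.
BACKUP_USERS = [
    {"uid": 1, "name": "david", "mail": "david@example.org",
     "pass": hash_password("s3cret-1", b"\x01" * 16), "created": 1262304000},
    {"uid": 2, "name": "reader", "mail": "reader@example.org",
     "pass": hash_password("s3cret-2", b"\x02" * 16), "created": 1300000000},
]
BACKUP_ROLES = {(1, ADMIN_RID)}

CURRENT_USERS = BACKUP_USERS + [
    # An account of the kind the post describes: created during the attack,
    # meant to be an administrator but holding no role at all.
    {"uid": 3, "name": "drupaldev", "mail": "x@example.invalid",
     "pass": hash_password("attacker-chosen", b"\x03" * 16), "created": 1413763200},
]
CURRENT_ROLES = {(1, ADMIN_RID)}

# Anything created on or after the day the fix was published deserves a look.
FIX_PUBLISHED = int(datetime(2014, 10, 15, tzinfo=timezone.utc).timestamp())


def audit_users(current_users, current_roles, backup_users, backup_roles, cutoff, admin_rid):
    """Diff a live users table against a pre-attack backup and report
    accounts created since the cutoff, accounts whose stored hash changed
    (a reset password), and uids that gained the administrator role."""
    backup_by_uid = {u["uid"]: u for u in backup_users}
    new_accounts = [u["name"] for u in current_users if u["created"] >= cutoff]
    changed_hashes = [u["name"] for u in current_users
                      if u["uid"] in backup_by_uid and u["pass"] != backup_by_uid[u["uid"]]["pass"]]
    gained_admin = sorted(uid for (uid, rid) in current_roles - backup_roles if rid == admin_rid)
    return {"new_accounts": new_accounts, "changed_hashes": changed_hashes, "gained_admin": gained_admin}


if __name__ == "__main__":
    findings = audit_users(CURRENT_USERS, CURRENT_ROLES, BACKUP_USERS, BACKUP_ROLES,
                           FIX_PUBLISHED, ADMIN_RID)
    for key, value in findings.items():
        print("%s: %s" % (key, value or "none"))
```

Run against real table exports, an empty changed_hashes list is the evidence behind "I don't see any evidence that they changed any passwords", and new_accounts lists the users that need to be removed.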
If you have previously ordered a photograph from Gwulo, your mailing address is also stored in the Gwulo database, and there is a small chance that was copied. Payment is handled via the third-party Paypal service, so Gwulo never knows your credit-card information. Your credit card information could not have been copied.
Why did it take you so long to notice the problem?
There are two reasons. First I was not subscribed to the email list that announces security problems and fixes for Drupal, so I did not receive the announcement on 15th October. I have now subscribed to that list to receive any future announcements.
Second, the type of attack that the hacker performed did not make any obvious changes to the website, so there was no easily-spotted sign of the problem.
What will you do next?
There are a couple of options, either to restore the site from a backup taken before October 15th, or to clean up the changes made and continue with the current site.
We do have a backup from early October. Restoring would make sure that the hacker hasn't left any 'backdoors' to cause future problems, but it would also lose us any text & photos added since that date.
I've decided that the risk of any future problems from this attack is low, so I have cleaned up the changes made and we'll continue with the current site.
Can you promise this won't happen again in future?
I can't promise we won't be attacked again, or that those attacks won't be successful. Making a website that is available to the public means there is always a risk of it being attacked.
I can say that having subscribed to the list for security announcements, I'll be able to respond to any future problems in days rather than months.
PS A touch of irony - you'll know that I've spent a lot of time upgrading the server to a new version of the Drupal software. If it hadn't been upgraded, it wouldn't have been affected by this problem!