Local University Website Hacking -- Drupal Security Matters
On Sunday afternoon I noticed that most of my alma mater, University of North Texas’ Wordpress and Drupal sites were down, including NTDaily. Coincidently, NTDaily reporter, Paul Wedding, contacted me to give insight on what might have caused the sites to go down. Bellow is the full interview I conducted with NTDaily.
Paul Wedding: Hey I'm a reporter for the NT Daily and I'm writing an article on the hacking incident that shut down some of UNT's sites today. Could I ask you a few questions about it?
Do you know how a hacking like this would even occur? Like what's the process? Is this something difficult or relatively easy for someone with hacking knowledge?
Kyle Taylor: So there’s a number of things that can be involved and layers that can be affected. More than likely this would happen at 1 of 2 levels: either the server the site is hosted on, or the application itself.
Paul Wedding: Any guess as to what level that may have been on?
Kyle Taylor: Given that no other sensitive data was accessed and all the sites were running one of two CMS (content management system), it was more than likely at the application level. Which in this case, most of the subdomain sites off of UNT are running Drupal while NTDaily is running Wordpress. Both are pretty similar CMS’s in terms of technology (PHP based), and in my experience Wordpress generally has a worse track record in terms of how often sites get hacked.
Paul Wedding: Is it pretty easy to fix?
Kyle Taylor: As far as the process, this probably wasn’t an intentional malicious act, meaning that not one person was attacking the UNT system trying to bring down their sites. The majority of the time, it’s a bot on the internet that is running a number of pre-written scripts that can take advantage of listed security issues. Generally, they are pretty easy to fix, but it can sometimes be hard to tell after the fact what was actually accessed.
Paul Wedding: Wait, so are you saying it was just targeting random sites?
Kyle Taylor: More than likely, yep. I’m not sure if you know, but I’m a Drupal developer as my day job. The last big security issue in Drupal was referred to as “Drupalgeddon” which was a very critical security flaw that allowed anonymous users to exploit any Drupal website. https://ohthehugemanatee.org/blog/2014/11/03/drupalgeddon-means-we-cant-trust-humans-with-updates/
Paul Wedding: Oh wow. And did that get fixed?
Kyle Taylor: One of the major Drupal hosting companies, Pantheon (http://pantheon.io), was pro-actively protecting their user’s sites but monitoring how the attacks were coming in. They showed that it was a bot attempting to exploit sites in an alphabetical order. These were sites previously identified as Drupal. It did get fixed. The general rule was, if you didn’t patch your site within 6-8 hours, you were pretty much screwed. Screwed in the sense that, it’s hard to tell if you got hacked after the fact.
Paul Wedding: So the UNT sites just weren't patched?
Kyle Taylor: This particular circumstance, I wouldn’t be able to tell you. The weird occurrence that ALL sites were affected in a similar way, WordPress and Drupal, is a bit of a surprise to me, because each CMS has it’s own way of being exploited. So the off-chance of it happening at the same time could either be a coincidence, or maybe just the fact that NTDaily runs on the same servers. That part I’m still a little fuzzy about and maybe someone else can shed more light. In the open source world, it’s great to have access to the code, and those communities will actually patch bugs faster than proprietary systems (generally) and get them out sooner. But in a university setting, it can take time to update a single codebase that is running dozens of sites - there’s a lot of risk involved to ensure all the sites continue to function after the patch.
Read the full article at NTDaily's website.
In a future post, we will feature how we maintain security patches here at LevelTen. Have questions or comments? Leave them below!