| Drupal

autoupdate or dieBy now you've probably heard about the extremely serious Drupal security issue from mid-October.

The Drupal security team issued a new warning two weeks later that, if possible, escalated the severity of the issue.

Here's an overview of the issue and its impact.

1) How serious was this?

As bad as it gets.

The Drupal team rated this security issue as 25/25. Most Drupal security issues have a rating of around 12 or 13 and only impact a limited number of sites and pose limited danger. This issue impacted every Drupal 7 site and could lead to sites being completely taken over.

It also proved to be a relatively easy bug to attack. Sometimes it takes days or weeks for hackers to find out how to exploit a new vulnerability. This time exploits were being used in less than 7 hours. According to the Drupal team, you needed to update between 4 pm and 11 pm UTC (London time) on October 15th.

My guess is anyone on a big name Drupal host (Acquia, Pantheon, BlackMesh etc) is safe because those companies rolled out fixes quickly. But if your site is on an average hosting service and you didn't respond inside 7 hours, you may be in trouble.

2) When did all this happen?

  • November 2013: the issue was reported as a feature request, but not escalated to the Drupal security team.
  • September, 2014: the security team get a report of the bug from SektionEins, a German company who discovered it while auditing a client site.
  • October 15, 2014: the issue was officially announced.
  • October 29, 2014: there was a follow-up advisory. This didn't reveal any new issues, but it did emphasize how dangerous the original issue was. This is the point where the internet had a collective freak-out.

3) Where was the security issue?

The problem was in this file: /includes/database/database.inc. Here's the old, vulnerable code, starting at line 735:


Here's the new, safer code, again starting about line 735:


So, fixing the issue was as simple as replacing this line in database.inc:

foreach ($data as $i => $value) { 

with this line:

foreach (array_values($data) as $i => $value) { 

4) Why was that one line of code so dangerous?

Anthony Ferrara has a detailed technical explanation.

The short version is that hackers were able to exploit that one line to access to the databases of vulnerable sites.

Once inside the database, the hackers had several techniques. One popular option involved creating administrator accounts. They then enabled the PHP module which allowed them to write code directly to the site's files. The PHP module has been removed from Drupal 8 to prevent exactly this kind of attack.

5) Who is doing the hacking?

Acquia, Pantheon and RiskIQ all point the finger at Russian hackers. RiskIQ describes the origin as:

"a large Russian datacenter operator, and a common source of Eastern European cybercrime activity".

A Reddit user also pinpoints Chinese and Tor sources.

These are your common, run-of-the-mill hackers who are infecting Drupal, WordPress, Joomla, phpBB3 and other software on a daily basis. This Drupal issue was just an unusually good opportunity for them.

6) What are the hackers doing with infected sites?

RiskIQ say that many of the infected sites are driving people to download malware and in particular an "RIG Exploit Kit". This is a common attack that isn't Drupal-specific:

"The same RIG infrastructure is also receiving traffic from sites running WordPress, with similar compromise patterns."

What is an RIG Exploit Kit? According to Kahu Security, it contains a variety of malware that attacks old versions of Internet Explorer, Java, Flash and Silverlight.

However, Acquia say that some infected sites won't be used by the hackers until later:

"We could not find any query intended to change the content or destroy sites: attackers were only interested in installing backdoors to take over the site or server at a later point in time, and make the intrusion unnoticeable."

7) How many websites were hacked?

The BBC said, "Up to 12 million websites may have been compromised". That number has now spread like wildfire around the web. Unfortunately, it's an absurd statistic and never should have been published.

The BBC report relied on some really bad analysis from Sophos.com. Here's how Sophos seems to have arrived at their estimate:

  • First, they said there are 1 billion websites in total, using Netcraft as a reference.
  • Next, they looked at W3Techs which shows Drupal powering between 1.9% of all websites. So they calculated 1.9% of 1 billion, which gives 19 million.
  • Finally, they used the W3Techs estimate that 65% of Drupal sites are using Drupal 7. Calculating 65% of 19 million produces the final estimate of 12 million.

Every stage in that calculation uses bad statistics that are contradicted by other sources. So, if we can't trust the widely reported figure of 12 million, what can we know for sure about this size of this security issue?

Drupal.org reports that there are less than a million Drupal 7 websites in total. Yes, it's true that those statistics come from Drupal sites using the Update module and some of the larger, more professionally sites disable Update when they go live. But despite that, it's hard to imagine there are enough sites that disable the Update module to push the Drupal 7 total far beyond 1 million. BuiltWith.com puts the entire Drupal ecosystem at only 780,000 sites.

So, if there are around 1 million sites on Drupal 7, how many were hacked?

Bevan Rudge estimated "between ten and ninety percent of all Drupal websites" were hacked. That's such a broad range that Beven is essentially saying, "we don't know", which is honest.

My conclusion: it's hard to say anything more accurate than this problem extends to "10,000's or possibly 100,000's of sites".

8) Were any famous sites hit?

RiskIQ has a rundown of some of the larger sites that were impacted:

  • Popsci.com
  • Homestead.com
  • Typepad.com
  • Spin.com
  • Advertise.com

I've seen a few people wondering if this incident was related to the WhiteHouse computers being hacked a few weeks ago. WhiteHouse.gov and related sites do run Drupal 7. Yes, some government sites including one from the state of Indiana. However, security experts in the Drupal community knew about this issue before it was released, and it's hard to believe the White House team weren't able to protect their sites in time.

About the author

Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.