This module was useful in the few days after the release, when attacks were just building up.
Since then, the likelihood that Drupalgeddon command will do anything helpful has decreased; some may take the lack of compromise identification to signify that their site is OK, which is less and less likely to be the case.
Research by monkeys with ascii flowcharts supports this.
+ | |+ + | + u | s | + e | f | + u | l | + | | + | | + +------------------------------------------------+ then + now +
How do we get the message through to people that if they haven't patched by now, they are hacked and need to rebuild from known good backups or from scratch?
Is there any use in keeping this project online? It was intended to quickly assess sites when the compromise was just starting to spread, but I think the value is now reduced - less so for certain cases (sites not available on the public internet etc). I'm concerned the tool may be confusing people, especially since those late to the party are also less likely to understand the severity and mechanics of site compromise.
Does it have some use still, eg where an admin needs to convince the site owner or other PHB that they actually did get popped?
Comments
Comment #1
xurizaemonComment #2
Bevan CreditAttribution: Bevan commentedThank you for starting this discussion.
While Drupalgeddon should certainly not be recommended as a solution for compromised websites, I think it is still useful as long as its shortcomings are clear.
I think there are some key improvements we can do to reduce the false sense of security or optimism that users may be fooled into:
--force
is specified, but only document that indrush help drupalgeddon-test
. We can just tell the user to update initially. A later version can attempt a self-update.drush drugtest
was negative (no known-signs of compromise), issue a warning "Nevertheless, the website may have been compromised".On a slightly related note; According to the project page's download statistics, the tool was downloaded 1000 times per day for the 7 days after the PSA, but has not been downloaded since. (I have been checking manually each day). I think it must be broken. I created #2373479: Download count broken?.
Comment #3
xurizaemonComment #4
FluxSauce CreditAttribution: FluxSauce commentedI feel the project should be kept online, there's valuable work in there that can be used within other projects and/or as reference.
I also feel that there should be some version checks, IE if it's a Drupal version of 7.32 or higher, don't run file checks. That way the project can avoid the whack-a-mole approach and endless support.
There should probably be a 1.0 release and the project status set to minimally maintained at some point. That will help set expectations.
Comment #5
omega8cc CreditAttribution: omega8cc commentedWe have added drupalgeddon extension in all BOA servers by default in all accounts, but since BOA uses its own download mirrors, these downloads are/were not visible in stats on d.o here. As far as we know, there are over 500 BOA systems not associated with our own hosting, plus a big list of BOA instances we host or maintain. All of them can have multiple accounts, with multiple sites managed per account, and drupalgeddon is still very useful there, even if BOA already patched all vulnerable codebases hosted on it, and still monitors newly added codebases to make sure they are all patched if still used.
We are using drupalgeddon in the pro-active mode - users don't need to run it manually, it is run on all hosted D7 sites, daily, and if it it detects anything, it keeps sending alerts to the system admin and sites owners.
Furthermore, since there was already enough time to fix hacked sites, BOA has started to automatically shutdown all clearly hacked sites (like when there are most popular roles and users with escalated privileges detected). BOA still uses drupalgeddon to runs these checks.
We have also made it clear in our messages to BOA users that no alert doesn't mean that your site is clean, only that available tools couldn't find *known* attack symptoms.
In my opinion the project should stay online, since it is still very useful to not only detect hacked sites, but also some otherwise hard to notice issues with codebase integrity or structure. It helps a lot, so please don't shut it down!
Thank you for this great work!
Comment #6
Bevan CreditAttribution: Bevan commentedTo clarify; I think the Drupalgeddon drush command should attempt to update itself, not Drupal core. I think that is beyond the scope of this project.
Comment #7
greggmarshallI agree with keeping the project, we are using it for on-going monitoring. Our script automatically downloads the latest copy, then applies the patches that haven't been committed yet.
I would also suggest putting the disclaimer notice at the beginning of all output as a reminder.
Comment #8
MKorostoff CreditAttribution: MKorostoff commentedI just want to note, I ran the Drupalgeddon test earlier today against a compromised site. Drupalgeddon reported 7 suspicious files (which, upon closer inspection, were definitely attack files. I then diffed by entire code base against the last-known-good version I had in version control (this version was local to my desktop) and found that those were the only files that had been changed.
So, good job to Drupalgeddon, for accurately identifying attack files a month after the attack started. I guess I could see why this project might stop being useful in theory, but in my case Drupalgeddon absolutely nailed it.
Comment #9
xurizaemonThanks all. Really good suggestions here. I've split #2375579: Avoid suggestion of absolute security / improve recommendations and #2375577: Attempt self-update off as sub-tickets.
Comment #10
xurizaemonComment #11
xurizaemon@omega8cc, if you want to post the warning output you're using to #2375579: Avoid suggestion of absolute security / improve recommendations that'd be welcome. Sounds like you've already put a bit of thought into not giving the wrong idea.
Comment #12
FluxSauce CreditAttribution: FluxSauce commentedI strongly do not recommend that. Including a version? That's fine. I do that in site_audit.
site_audit_version=1.12
Of course, there should be a version number as well, so I'd recommend making 7.x-1.0 as a starting point.
Comment #13
xurizaemonI guess we can spit out point releases freely, but if we use Drush's ability to display the 7.x-1.x-dev "version string" and say, "hey there's an update for Nov 18th available", are we going to improve things much by giving the maintainers the task of making new "official" releases?
For most projects I think there are advantages to separating dev from stable, but I don't want to increase maintainer load here. (It does feel like we're approaching a stable point though.)
Comment #14
Bevan CreditAttribution: Bevan commented@mkorostoff; Remember that Drupalgeddon can not guarantee it has found all the backdoors. Did you also investigate the files directories and database or restore from backups?
Comment #15
Bevan CreditAttribution: Bevan commentedGiven we have moved the tasks into new issue nodes, I think this is resolved?
Comment #16
SpenserJ CreditAttribution: SpenserJ commentedEven if the value for the Drupalgeddon exploit has diminished potential at this time, I think we should continue maintaining this module with more of a focus on scanning for potentially exploited sites. A new attack may come out at some point, but the style of backdoors will remain quite similar to the ones we're already scanning for.