undefined | Better HN

0 pointsmike-cardwell12y ago0 comments

He was running an old version of Drupal. If you run old versions of Drupal, Wordpress, Joomla etc, you will get hacked.

0 comments

10 comments · 2 top-level

dspillett12y ago· 5 in thread

Running old versions of anything (unless you backport security updates of course, as the Debian project do to keep Stable and OldStable secure without potentially introducing breaking changes with a full package upgrade), particularly popular apps/libs, has this risk. As soon as a project releases a security update there is a good chance that someone out there starts looking for a way to exploit what has been fixed so that they can try use it to abuse sites that have not updated yet.

mseebach12y ago

There's a difference in severity between "will get hacked" and "has this risk". The popular web apps are targeted, and very shortly after any exploits are found, automated drive-by attacks are live across the web. The Googles are great for quickly compiling target lists as these web apps are typically pretty easy to identify - exact phrasing on the login screens etc.

walshemj12y ago

Yep I last year had a locked down aws instance running just a single purpose node.js sever and I saw loads of attempts to access common web based admin pages eg phpmyadmin WordPress.

Naturally these where from Chinese or Russian ip address ranges

VLM12y ago

"unless you backport security updates of course, as the Debian project do to keep Stable and OldStable secure without potentially introducing breaking changes with a full package upgrade"

And that is why you need to run production systems on large well supported stable distributions, like Debian, and not DudeOS or FunkyNameOS created 18 months ago by two dudes and never updated since.

dspillett12y ago

Definitely. And why if you roll your own packages for any reason (i.e. you need something in a more more up-to-date form than your chosen stable well-supported distribution includes) you simply must keep a close eye on the relevant projects to make sure that you don't miss an important hole filling fix.

FYI: I run Debian/Stable where I have a choice and stick with the provided versions of everything as a general rule, though I currently have nodejs, npm, and some related modules compiled from other sources.

jfoster12y ago

I agree, although it is worth noting that running something obscure will make you less susceptible to automated, untargeted attacks. Potentially quite a lot more vulnerable to anything targeted, though.

danepowell12y ago· 3 in thread

I've been building Drupal sites for 6 years, and I've never had a single one get hacked, even after I stopped updating them. It's far more likely that FTP with a weak password was the attack vector.

spoiler12y ago

Not sure about Drupal, but Joomla gets targeted all the time. I don't think FTP is the attack vector. Yes, it's possible the password leaked, but it's more likely a bug in Drupal was exploited.

Disclaimer: I work at a hosting company, and this is my personal experience with hacked websites.

jauer12y ago

On Joomla I've seen exploits via the site search feature and the admin login (I too work at a company that does hosting). I haven't seen Drupal sites get taken out.

cholmon12y ago

It's also likely that the vector was a vulnerable module he had installed.

j / k navigate · click thread line to collapse