I'm running Drupal and heard about the recent vulnerabilities. How can I secure my system and protect myself against these attacks? What signs should I look for when determining if my Linode has been affected?
The recent influx of attacks on Drupal servers is based on a vulnerability that dates back to a few years ago, but has more recently been leveraged into some pretty nasty attacks. Essentially the vulnerability allows attackers to execute code on your server remotely by accessing a particular URL and injecting a SQL query. Many of the attacks have involved injecting cryptocurrency miners, backdoors, and various other malware, as well as leveraging brute force attacks against other servers.
To secure your server you will need to sanitize or rebuild, then update Drupal using the latest official patches for your version.
To sanitize/clean your Linode, you can start off by installing and running ClamAV to identify and remove any malware it detects:
First Install ClamAV -> then run then following commands to update the malware database, run a scan, and remove the detected files:
# freshclam # sudo clamscan -r -i / # clamscan -r -i --remove /
For additional info, check out the Linode ClamAV Guide
Installing and running RKHunter is also recommended:
# cd /tmp # wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz # tar -xvf rkhunter-1.4.6.tar.gz # cd rkhunter-1.4.6 # sudo ./installer.sh --layout default --install # sudo /usr/local/bin/rkhunter --update # /usr/local/bin/rkhunter --propupd # sudo rkhunter --check
Review the log files generated by RKHunter in /var/log/rkhunter.log
The following section details which Drupal updates you should take for your version
For Drupal 6.x:
You'll want to install the SA-CORE-2018-002.patch from the following link:
Drupal 6.x Patch
For Drupal 7.x:
Upgrade to Drupal 7.59
For Drupal 8.4.x:
Upgrade to Drupal 8.4.8
For Drupal 8.5.x:
Upgrade to Drupal 8.5.3
Additional details on these patches can be found on Drupal's Security Advisories Page
For more information on the vulnerabilities themselves, Drupalgeddon2 and Drupalgeddon3