Unscheduled security maintenance left directory exposed
Attempt by outsider to download data not successful
If you came to our website between 5:30pm and 6:11pm last Friday (Oct 31), you would have been greeted by a horrifying sight … or a tempting one, depending on your disposition.
For those interminably long minutes, in the midst of a security update, it looked as if our entire site had been exposed – down to its root servers, as it were.
During this time, one attempt was made to download the contents of our site via FTP, but it was not wholly successful. Some email addresses were harvested, but not user information or passwords, which are encrypted in any case.
Still, if you received any spam email on Friday night, we apologise wholeheartedly. If you feel you’d get better peace of mind by changing your DNA user passwords, we urge you to do so, and again, apologise for the inconvenience.
We will continue investigating the incident with the cooperation of our web developer and our webhosting provider.
Sequence of events
On the morning of Oct 31, we received an email from our developers – they are not on retainer, so we appreciate their pro-activeness – saying that they would be conducting unscheduled maintenance on our site, which runs on the Drupal platform.
This was based on a security alert that Drupal had first issued on Oct 15, saying that a vulnerability in one of its APIs (applications programming interfaces) allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
It later said that multiple exploits had been reported in the wild following the release of the above security advisory, and that Drupal 7 sites which had not patched the vulnerability within seven hours of that advisory must consider themselves compromised.
On Oct 29 (US time), it issued a list of instructions on what must be done to plug this vulnerability. It was in the middle of this task that our site suddenly became exposed for a short while, apparently because of the way our database backup and root servers had been configured – although we’re still in the process of verifying this.
Warned by a few readers (thank you!), we immediately contacted our developers who had been conducting the security update, and also put our webhosting provider on standby. They’ve been analysing their log files.
Initial findings based on the log files show no indication of a breach or of our database being compromised during the maintenance time frame. As for why the ‘under maintenance’ page during this time had been replaced by the directory listing, it was because the Drupal patch included the replacement of the .htaccess files which control access to the directory.
“We believe that during the automated patching process, it could have caused the htaccess controls to display the directory listing. Once the patch was completed, the ‘under maintenance’ page came back up,” our developers have said.
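A post-update check for exactly this failure mode, added here as an example and not code from the article, from Drupal or from the site's developers: it verifies that a Drupal 7 docroot's .htaccess still carries the stock directive that disables Apache directory listings, and recognises an autoindex page in a response body. It assumes Apache honours .htaccess (AllowOverride); the docroot path and the sample page bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the article's, Drupal's or the developers' code).
# Checks that an automated Drupal 7 update which rewrote .htaccess has not
# left Apache directory listings enabled. Assumes Apache honours .htaccess.

# Return 0 if the .htaccess at $1 has an active (uncommented)
# "Options ... -Indexes" line, as Drupal 7's stock .htaccess does;
# 1 if the file is missing or the directive is absent or commented out.
htaccess_disables_indexes() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*Options[[:space:]][^#]*-Indexes' "$1"
}

# Return 0 if a response body ($1) looks like an Apache autoindex page,
# i.e. an "Index of /" title together with a "Parent Directory" link.
looks_like_directory_listing() {
    printf '%s' "$1" | grep -q '<title>Index of /' &&
        printf '%s' "$1" | grep -q 'Parent Directory'
}

# Check the docroot ($1), printing one line per problem found.
# Returns the number of problems, so 0 means nothing needs fixing.
check_docroot() {
    docroot=$1
    problems=0
    if ! htaccess_disables_indexes "$docroot/.htaccess"; then
        echo "EXPOSED: $docroot/.htaccess does not disable directory listings"
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample bodies: an Apache listing and a maintenance page.
LISTING_SAMPLE='<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><a href="/">Parent Directory</a>
<a href="sites/">sites/</a> <a href="settings.php">settings.php</a></body></html>'
MAINT_SAMPLE='<html><head><title>Site under maintenance</title></head><body>
<p>The site is currently under maintenance. We should be back shortly.</p>
</body></html>'

# Usage: sh check_docroot.sh /path/to/drupal [http://example.invalid/]
# The optional URL is fetched live and flagged if it returns a listing.
if [ $# -ge 1 ]; then
    check_docroot "$1"
    if [ $# -ge 2 ]; then
        body=$(curl -fsS "$2") && looks_like_directory_listing "$body" &&
            echo "EXPOSED: $2 returned a directory listing"
    fi
fi
```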
Our webhost also discovered that there was some download activity, but upon checking the IP address, determined that it was indeed our developers.
Rest assured, however, that we will continue to investigate the incident to determine if there is the slightest possibility of any breach, and also if there is any other remedial action that needs to be taken.
For now, it looks as if we had a good enough scare for the Halloween weekend, but also managed to dodge a bullet – although we will not take this for granted until we can get triple verification and confirmation. Until then, again we apologise to you, our readers, for any inconvenience.