4. PantaRei Design
●
Everything Changes and Nothing Remains Still
●
Reinvent Enterprise with Open Source Software and Cloud Computing
●
Hong Kong based FOSS service provider
– Content Management System (CMS) with Drupal
– Cloud Hosting Solution with Amazon Web Services (AWS)
– Team collaboration solution with Atlassian
●
Business Partner with industry leaders
– 2012, AWS Consulting Partner
– 2013, Acquia Partner
– 2013, Atlassian Experts
– 2014, Rackspace Hosting Partner
●
http://pantarei-design.com
6. Hong Kong Drupal User Group
●
The Hong Kong Drupal User Group is open to everyone with an
interest in Drupal and is a great opportunity to learn more
about what Drupal can do and what folks are building with it.
●
Drupal is a free software package that allows you to easily
organize, manage and publish your content, with an endless
variety of customization.
– Event organizing: http://www.meetup.com/drupalhk
– Technological discussion: https://groups.drupal.org/drupalhk
– Business connection: http://www.linkedin.com/groups/?gid=6644792
– General sharing: https://www.facebook.com/groups/drupalhk
14. Outline
●
Why Is Your Drupal Being Hacked?
●
What Happens If You Are Hacked?
●
How to Figure It Out?
●
What Do You Need for Fixing It?
●
Fix a Hacked Drupal with GIT
15. Why Is Your Drupal Being Hacked?
●
Main Reason: No Maintenance and Upgrade
– All software has potential bugs or security issues
– All software needs regular maintenance and upgrades
●
e.g. your private car also needs annual maintenance
●
The Drupal security team publicly announces security issues
once they are found, usually with patches
– BTW, both site owners and hackers can get this information
– So you need to upgrade your site before the hackers come
●
https://www.drupal.org/security
16. What Happens If You Are Hacked?
●
Today, you will usually notice your site becoming very slow, or even unresponsive
– Because today hackers usually use your hacked machine for Bitcoin mining
– This gives the hacker a direct benefit
– This will use up your CPU, memory, disk I/O and bandwidth
●
For sure, you may lose your data
– If your site holds valuable assets
– This gives the hacker an indirect benefit
– The hacker needs to find a way to utilize the hacked data
●
Sometimes, the hacker may redirect your users somewhere else
– e.g. a password reset page, an update payment method page, etc.
– Again, this gives the hacker an indirect benefit
17. How to Figure It Out?
●
Umm... If your site suddenly becomes unresponsive
●
Check your machine load
– e.g. `ps aux`, `htop`, `bmon`, etc.
– Try to kill any unexpected processes; sometimes they may
automatically rerun again and again
●
Check your DocumentRoot structure
– Usually some unexpected files will appear
– Some hackers even write “Hacked by xxx” inside those
files...
18. What You Need for Fixing It?
●
Linux
– Here I use Ubuntu 18.04
●
Apache, PHP-FPM, MySQL
– Same as your production server setup
– https://symfony.com/doc/current/setup/web_server_configuration.html#using-mod-proxy-fcgi-with-apache-2-4
●
PHP-CLI with Composer
●
Drush
●
GIT
20. Fix a Hacked Drupal with GIT
●
Stop Public Access
●
Stop Illegal Process
●
Backup
●
Compare with GIT
●
Reduce Differences
●
Migrate Useful Files
●
Restore Database
●
Upgrade Legacy Core and Modules
21. Stop Public Access
●
Stop production server Apache
●
Set up the firewall to allow only your incoming SSH
access
●
Also try to stop outgoing traffic if possible
22. Stop Illegal Process
●
Check with `htop`, `top` or `ps aux`
●
Identify the high-load processes
●
If a process looks strange, try to find its location,
then read and understand it (by Googling)
●
Try to kill it
– Sometimes it may rerun, which means another
background cronjob/daemon is running it; you will
need to kill those, too
23. Backup
●
Back up both the Drupal source code and the
database
– Hopefully you also have regular backups
●
DON’T DIRECTLY FIX YOUR LIVE COPY
WITHOUT A BACKUP!!
24. Compare with GIT
●
Figure out which version of Drupal you are using
●
Download a clean copy from drupal.org
●
Extract the clean source code
●
`git init && git add --all --force`
●
`git commit -am 'initial healthy drupal-7.5.4'`
●
Symlink the healthy .git folder into the hacked version
●
`git status`
– Now you can see which files were added/changed
●
`git diff -w -b -M HEAD`
– This shows you the differences
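The comparison on this slide as a runnable sketch; it is an added example, not part of the original deck. It points git at the suspect tree with `--git-dir`/`--work-tree` instead of the symlink, and all file names and contents are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example; every path and file below is constructed for the demo.

# Commit a clean tree as the baseline (git init / add / commit from the slide).
make_baseline() {
    local clean=$1
    git -C "$clean" init -q
    git -C "$clean" add --all --force
    git -C "$clean" -c user.name=ir -c user.email=ir@example.invalid \
        commit -q -m 'initial healthy baseline'
}

# Report what differs in the suspect tree relative to the baseline.
# --git-dir/--work-tree is used here instead of the symlink, so that
# nothing is created inside the suspect tree.
compare_tree() {
    local clean=$1 suspect=$2
    git --git-dir="$clean/.git" --work-tree="$suspect" \
        status --porcelain --untracked-files=all
}

demo() {
    local work clean suspect
    work=$(mktemp -d)
    clean=$work/clean
    suspect=$work/suspect
    mkdir -p "$clean/includes"
    printf '<?php // index\n' > "$clean/index.php"
    printf '<?php // bootstrap\n' > "$clean/includes/bootstrap.inc"
    printf 'Drupal changelog\n' > "$clean/CHANGELOG.txt"
    make_baseline "$clean"

    # Stand-in for the hacked copy: same files, minus the baseline repository.
    cp -R "$clean" "$suspect"
    rm -rf "$suspect/.git"
    # Constructed tampering: one modified, one deleted and one added file.
    printf '<?php // index\n// unexpected extra line\n' > "$suspect/index.php"
    rm "$suspect/CHANGELOG.txt"
    printf '<?php // unknown file\n' > "$suspect/includes/cache.php"

    compare_tree "$clean" "$suspect"
    rm -rf "$work"
}

demo
```

In the output, ` M` marks a file whose content differs from the baseline, ` D` a file missing from the suspect tree, and `??` a file that does not exist in the clean release.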
33. Reduce Differences
●
Some files may be missing from either version; copy them back and
forth to reduce the differences, e.g.
– CHANGELOG.txt, README.txt, etc.
– Your custom modules and themes
●
Sometimes you may also need to recover files from your healthy
backup version
●
Other modules may also need to be downloaded from drupal.org for
comparison
●
Again, go to the healthy version and commit the changes, then diff
against the hacked version, again and again
40. Migrate Useful Files
●
Some files are not related to code changes, e.g.
– sites/default/settings.php
– sites/default/files
●
Copy them from the hacked version to the healthy version
●
Remember to scan those folders for illegal *.php files
and remove them, e.g.
– `find sites/default -type f -name '*.php'`
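A broader version of the scan above, as an added example that is not part of the original deck: it also matches other extensions a web server may hand to PHP and any file containing a PHP open tag regardless of its name. It assumes the upload directory (sites/default/files) is not expected to hold any legitimate PHP; the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example; the sample files below are constructed for the demo.

# List files under an upload directory that are named like PHP scripts
# or that contain a PHP open tag under any name. Paths are printed
# relative to the directory given as $1.
scan_uploads() (
    cd "$1" || exit 1
    {
        # Extensions that are commonly mapped to the PHP handler.
        find . -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print
        # Files of any name that contain a PHP open tag (-a: scan binaries too).
        grep -rla -e '<?php' . || true
    } | sort -u
)

demo_scan() {
    local files
    files=$(mktemp -d)
    mkdir -p "$files/styles"
    printf 'not really image data\n' > "$files/logo.png"
    printf 'meeting notes\n' > "$files/notes.txt"
    # PHP hidden behind an innocent-looking name.
    printf '<?php /* constructed marker */ ?>\n' > "$files/favicon.ico"
    # PHP-like name with an upper-case extension and no open tag.
    printf 'no open tag here\n' > "$files/styles/thumb.PHP"
    scan_uploads "$files"
    rm -rf "$files"
}

demo_scan
```

Review each hit before deleting it, and keep the untouched backup so the removed files remain available for later analysis.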
41. Restore Database
●
If everything looks good, you can now
restore your database
●
Try to access the website; it should basically
work now
44. Upgrade Legacy Core and Modules
●
Final step: upgrade all legacy core and
modules to the latest stable versions
●
It's time to restore the healthy version to the
production server
●
https://github.com/drustack/drustack-standard/blob/7.x/composer.json
49. I Need More Help!
●
Read documents from Drupal Community
– https://drupal.org/documentation
●
Join Hong Kong Drupal User Group
– Event organizing: http://www.meetup.com/drupalhk
– Technological discussion: https://groups.drupal.org/drupalhk
– Business connection: http://www.linkedin.com/groups/?gid=6644792
– General sharing: https://www.facebook.com/groups/drupalhk
●
Contact us for one (1) month free-trial support service
– http://pantarei-design.com/services/support/#support-service-plans
50. Contact us
– Address: Unit 326, 3/F, Building 16W,
No.16 Science Park West Avenue,
Hong Kong Science Park, Shatin, N.T.
– Phone: +852 3576 3812
– Fax: +852 3753 3663
– Email: sales@pantarei-design.com
– Web: http://pantarei-design.com