A hacked neglected site, Pantheon migration, and why you need a Drupal Site Assessment

By Don Dill on April 14, 2015

We recently had a new client contact us and ask if we could move their sites over to Pantheon so they could do some in-house development work. Of course we can do that for you! We recommended doing a Site Assessment for them, just to make sure we know what we're dealing with. Our Site Assessment gives us a good understanding of the state of a client's current site.

It is in the client's best interest, as well as Freelock's, to know what we are getting into before we set expectations about what a change will take. So we typically start with the assessment and review before doing any work on a new site.

But our client was hesitant to purchase the Site Assessment, which would have been helpful not only for their IT staff but also for their upper management. So we began the site migration flying blind. We then ran into so many critical problems that we were surprised the website had been so neglected in the first place!

It turned out that our client's site had been hacked. Although the October 2014 "Drupalgeddon" Drupal core security patch had been applied, we found malicious code embedded in Drupal core itself. This underscores the importance of regular site maintenance, which Freelock provides for over 30 of our clients.

It also turned out that we were not dealing with one "Domain Access" site, as we had been told, but with 3 separate Drupal "multi-sites" sharing a single code base, a configuration Pantheon explicitly does not support. So in addition to finding malicious code on all of their sites, the project involved setting up not 2 sites in Pantheon but 4!

We cleaned up the core hacks we found, but at this point we still don't know whether the attacker left any back doors on our client's sites that would allow future access. We stressed the importance of analyzing all of their sites so that we could say with any confidence whether they are still vulnerable. Unfortunately, we still have not heard back.

With a Site Assessment we dig deep into the site to detect whether it has been hacked: scanning the database for executable code, comparing all module code against known-good copies, and evaluating whether the hosting environment is set up to withstand attacks.
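As an added illustration of the first two checks above (this is example code written for this page, not Freelock's assessment tooling), the script below hashes every file in a site's code tree, diffs it against a known-good copy of the same release, and scans database text for tell-tale PHP. The file layout, the "known good" and "live" trees and the database rows are all constructed inline so the example runs offline; in a real assessment the reference tree would be a fresh download of the same core and module versions, and the rows would come from a database dump.

```python
"""Added example (not Freelock's tooling): code-integrity diff against a
known-good copy plus a scan for executable PHP stored in database text."""
import hashlib
import os
import re
import tempfile


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(known_good, suspect):
    """Report files that differ from, were added to, or are missing from the reference."""
    good = hash_tree(known_good)
    live = hash_tree(suspect)
    return {
        "modified": sorted(p for p in good if p in live and good[p] != live[p]),
        "added": sorted(p for p in live if p not in good),
        "missing": sorted(p for p in good if p not in live),
    }


# Patterns that should never appear in node bodies, blocks or settings rows.
# Any hit is a lead for manual review, not proof of compromise by itself.
SUSPICIOUS = re.compile(
    r"<\?php|\beval\s*\(|\bbase64_decode\s*\(|\bassert\s*\(", re.I
)


def scan_rows(rows):
    """rows: iterable of (table, primary_key, text). Return (table, key) hits."""
    return [(table, key) for table, key, text in rows if SUSPICIOUS.search(text or "")]


def build_sample_trees():
    """Constructed sample: a clean tree and a copy with two injected changes."""
    base = tempfile.mkdtemp(prefix="assess-")
    good = os.path.join(base, "known_good")
    live = os.path.join(base, "live_site")
    clean_files = {  # hypothetical file contents standing in for real core files
        "includes/bootstrap.inc": "<?php\n// core bootstrap (sample)\nfunction drupal_bootstrap() {}\n",
        "modules/node/node.module": "<?php\n// node module (sample)\n",
    }
    for root in (good, live):
        for rel, body in clean_files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    # Simulated tampering of the live copy only: a line appended to a core
    # file and a dot-file dropped into a directory where nothing should be.
    with open(os.path.join(live, "includes/bootstrap.inc"), "a") as fh:
        fh.write("/* injected (constructed sample) */ eval(base64_decode('PLACEHOLDER'));\n")
    os.makedirs(os.path.join(live, "misc"), exist_ok=True)
    with open(os.path.join(live, "misc/.cache.php"), "w") as fh:
        fh.write("<?php /* injected (constructed sample) */\n")
    return good, live


def run_assessment():
    """Run both checks over the constructed sample and return one report."""
    good, live = build_sample_trees()
    report = compare_trees(good, live)
    # Constructed rows shaped like a dump of body and custom-block tables.
    rows = [
        ("field_data_body", 1, "<p>Welcome to our site</p>"),
        ("block_custom", 3, "<?php /* constructed sample */ eval(base64_decode('PLACEHOLDER')); ?>"),
        ("field_data_body", 2, "Contact us at info@example.com"),
    ]
    report["db_hits"] = scan_rows(rows)
    return report


if __name__ == "__main__":
    for section, items in run_assessment().items():
        print(f"{section}: {items}")
```

The hash comparison only tells you that a file differs, not why; every modified or added file still has to be read, and a legitimately patched module will show up as modified, which is why the reference tree must match the versions the site actually runs. The database scan is deliberately broad so that it can be tightened per site once the false positives (for example content written with Drupal's PHP filter) are understood.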

We see this time and time again. A client comes to us either in an emergency or wanting a specific one-off job done (which we love taking care of!!), but they don't want to put in the time to investigate the root cause of the problems with their site, or use the budget to apply permanent fixes for those problems. Having a good understanding of the current state of your site, and mitigating those risks ahead of time, saves a lot of time and energy in the long run for clients whose websites are their lifeblood.

We've found that our most successful clients know exactly what is under the hood of their websites, engage development personnel often, keep their websites up to date, and constantly reinvest a percentage of their website revenue (generally 1-10%) to keep their site fresh and responsive. Sometimes this takes in-house personnel who are exceptional at development, or, in our case, a long-term partnership with us to help you achieve your business goals by building and refining your web presence. We encourage you to contact us and build a long-term partnership to help you realize your website's potential!

Comments

Hi Ivan,

Thanks for your comment! So many times it is hard to discern which clients are willing to take those steps to build a partnership. We have several clients who started out with only a 3-5 hour one-off job, and now we are providing full monthly site maintenance, have a retainer budget in place, and are doing 30-50 hour projects for website enhancements. We never know, and sometimes that is the most frustrating part!!

