City website hacked

City website hacked

Michele Ellson

Updated at 8:27 a.m. Wednesday, November 12

A computer hacker apparently shut down the city’s website this weekend.

Visitors seeking information from the city’s website Saturday may have instead seen a message that said, “Hacked by D@rk sHad0W.” The hacker confirmed taking the site down in response to a Facebook message from a reporter.

The city site was also down for part of Sunday. The hack also took the library’s Internet out of commission.

Assistant City Manager Alex Nguyen didn’t respond to requests for more information on the outage Monday. But The Alamedan’s webmaster, Jack Boeger, said hackers likely exploited a recently reported security vulnerability in the city’s content management system, Drupal. (The Alamedan also runs on Drupal.)

Drupal released a new version that corrected the breach and also, a patch for older versions of the system. But the system’s security team warned that hackers were swiftly taking advantage of the vulnerability, saying that as a result, failure to correct it within hours of its October 15 discovery could lead to site breaches.

“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” Drupal’s security team wrote in a public service announcement on the service’s site. “Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.”

Drupal’s security team recommended taking compromised websites offline and replacing them with a static page while restoring the website using pre-October 15 backups. The city’s website was totally offline Sunday morning.

The problem could be particularly widespread because Drupal is more widely used by large organizations than other open source content management systems like Joomla! or WordPress, according to Daniel Cid, chief technology officer for Sucuri, a website security firm . He said those organizations could be too slow to respond to such a fast-evolving threat.

“This is a recipe for disaster, if it’s true and those websites are in fact compromised, they could be leveraged and daisy chained for a massive malware distribution campaign,” Cid said.