[Security-news] PSA-2011-001 - "Drupal security update" social engineering

security-news at drupal.org security-news at drupal.org
Thu Feb 17 22:26:21 UTC 2011 

  * Advisory ID: PSA-2011-001
  * Project: Drupal core and contrib
  * Versions: All versions
  * Date: 2011-February-17
  * Security risk: Not critical

-------- DESCRIPTION  
---------------------------------------------------------

This is a public service announcement regarding a recent social engineering
attack via the following mail purporting to come from the Drupal security
team.
 >Hello, I am a member of the Drupal security team. Our installation records
 >show that your site runs Drupal on PHP [version] and [server]. We have
 >recently found a security problem with that configuration which could allow
 >a hacker to get into the site and delete any posts they want. We have not
 >posted anything about this yet publicly as we want to get this patch out to
 >as many people as possible first. We have developed a patch for this bug -
 >all you need to do is upload this file to your site in the
 >sites/default/files/ folder (do not change the name of the file) and Drupal
 >will see it and install it for you. We recommend you do this as soon as
 >possible. Sincerely, James Drupal security team
The mail was sent with Drupal Security <drupal_s at yahoo.com> as the
(easily-forged) "From" address. It also contained an attachment that was said
to be a patch that had to be uploaded and installed. Needless to say that
this file contained code to make the system accessible from the outside. If
you received a message like the above, do not upload the attached file. How
the Drupal Security Team communicates:
  1) The Security Team does not supply patches to sites.
  2) The Security Team will never ask site administrators to upload random
     files to their site. We only recommend to update to latest core or
     contrib releases downloaded from drupal.org.
  3) The Security Team officially uses three forms of communication for Drupal
     Security Advisories; the update report in your Drupal installation, the
     posts and RSS feed on http://drupal.org/security, and the newsletter
     available from your Drupal.org user page. The Drupal Security Team does
     not publish to a Twitter feed or provide any other official communication
     channel.
  4) The Security Team will never ask for passwords for your host or your
     Drupal install.

If you receive communications from someone saying they are a member of the
Security Team and their request is questionable, please forward the email to
the team at security at drupal.org.
-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

More information about the Security-news mailing list