Drupalgeddon2: SA-CORE-2018-002 operation began
Drupalgeddon2 still came to us.
What happened? After the insane announcement of "one of the worst Drupal vulnerabilities", everyone froze in anticipation of a working exploit and after 4 days even began to be a little sad, considering that the whole panic was in vain, because no one could think of anything worthwhile. But it was enough for CheckPoint to publish today a working PoC on SA-CORE-2018-002, as the army of bots began to attack sites on Drupal, which is called “in the wild”.
')
According to the logs is as follows:
3 requests, the first GET checks the fact of the possibility of an attack, the second POST - an attack with the payload, and the third - checks the success of the loaded backdoor.
The hackers didn’t have enough time or fantasies for payloads, so they look very much the same:
In general, the ahtung is quite serious, the process has begun and the trouble is that everything happened before the weekend. However, hosters or services proxying traffic could protect clients by blocking requests with server-level snippets:
While the logs show that all attacks are based on the same Python script (hackers, fortunately, are lazy), and only the request to the account / mail object is used, but there is at least one more attack through the timezone object.
So far, the current attacks can be closed even at the level of the ModRewrite rules, but probably more complicated options will appear.
If anyone is interested, in the payload they load a .php backdoor via wget or curl. What hackers will do with them further depends on their imagination. Considering the popularity of miners, most likely backdoors will be used to place js miners on pages (or start mining processes on the server), download phishing pages or spam mailers.
In any case, if you are the Drupal site administrator, we highly recommend updating or at least closing the site with rules from attacks and just in case, scan it with the AI-BOLIT file scanner and the online ReScan.Pro scanner to be sure that you are not hacked
What happened? After the insane announcement of "one of the worst Drupal vulnerabilities", everyone froze in anticipation of a working exploit and after 4 days even began to be a little sad, considering that the whole panic was in vain, because no one could think of anything worthwhile. But it was enough for CheckPoint to publish today a working PoC on SA-CORE-2018-002, as the army of bots began to attack sites on Drupal, which is called “in the wild”.
')
According to the logs is as follows:
3 requests, the first GET checks the fact of the possibility of an attack, the second POST - an attack with the payload, and the third - checks the success of the loaded backdoor.
The hackers didn’t have enough time or fantasies for payloads, so they look very much the same:
In general, the ahtung is quite serious, the process has begun and the trouble is that everything happened before the weekend. However, hosters or services proxying traffic could protect clients by blocking requests with server-level snippets:
account/mail/%23value (account/mail/#value) timezone/timezone/%23value (timezone/timezonel/#value) While the logs show that all attacks are based on the same Python script (hackers, fortunately, are lazy), and only the request to the account / mail object is used, but there is at least one more attack through the timezone object.
So far, the current attacks can be closed even at the level of the ModRewrite rules, but probably more complicated options will appear.
RewriteEngine On RewriteCond %{QUERY_STRING} account/mail/%23value [NC,OR] RewriteCond %{QUERY_STRING} account/mail/#value [NC,OR] RewriteCond %{QUERY_STRING} timezone/timezone/%23value [NC,OR] RewriteCond %{QUERY_STRING} timezone/timezone/#value [NC] RewriteRule .* - [L] If anyone is interested, in the payload they load a .php backdoor via wget or curl. What hackers will do with them further depends on their imagination. Considering the popularity of miners, most likely backdoors will be used to place js miners on pages (or start mining processes on the server), download phishing pages or spam mailers.
In any case, if you are the Drupal site administrator, we highly recommend updating or at least closing the site with rules from attacks and just in case, scan it with the AI-BOLIT file scanner and the online ReScan.Pro scanner to be sure that you are not hacked
Source: https://habr.com/ru/post/353506/
All Articles