Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Security The Internet IT

'Drupalgeddon2' Touches Off Arms Race To Mass-Exploit Powerful Web Servers ( 60

Researchers with Netlab 360 warn that attackers are mass-exploiting "Drupalgeddon2," the name of an extremely critical vulnerability Drupal maintainers patched in late March. The exploit allows them to take control of powerful website servers. Ars Technica reports: Formally indexed as CVE- 2018-7600, Drupalgeddon2 makes it easy for anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run code of their choice without having to have an account of any type on a vulnerable website. The remote-code vulnerability harkens back to a 2014 Drupal vulnerability that also made it easy to commandeer vulnerable servers.

Drupalgeddon2 "is under active attack, and every Drupal site behind our network is being probed constantly from multiple IP addresses," Daniel Cid, CTO and founder of security firm Sucuri, told Ars. "Anyone that has not patched is hacked already at this point. Since the first public exploit was released, we are seeing this arms race between the criminals as they all try to hack as many sites as they can." China-based Netlab 360, meanwhile, said at least three competing attack groups are exploiting the vulnerability. The most active group, Netlab 360 researchers said in a blog post published Friday, is using it to install multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. The group, dubbed Muhstik after a keyword that pops up in its code, relies on 11 separate command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down.

This discussion has been archived. No new comments can be posted.

'Drupalgeddon2' Touches Off Arms Race To Mass-Exploit Powerful Web Servers

Comments Filter:
  • by manu0601 ( 2221348 ) on Sunday April 22, 2018 @09:33PM (#56486225)

    The exploit allows them to take control of powerful website servers

    Powerful indeed, since you need huge resources to run Drupal decently.

  • Drupal Consultants (Score:2, Interesting)

    by Anonymous Coward

    Big part of the reason there are so many un-patched Drupal sites is the cost of Drupal consultants. Hourly rates in the $200+ range are a big risk vector to consider for small to medium sized sites.

    • by Z00L00K ( 682162 ) on Sunday April 22, 2018 @11:14PM (#56486503) Homepage

      I was running drupal and got hit by a monero miner so I scrapped Drupal and php.

      I see this problem as something rooted in php.

      I did a small analysis of what had happened and the exploit created a miner executable file in /tmp that was then moved to /dev/shm and executed there by some action. It had been active for just a few hours as a non-privileged process, so no big deal.

      • by Anonymous Coward

        The blame is shared between PHP and the Drupal team. Here's an explanation of the vulnerability:
        If you do a POST request to, the PHP function uploadAjaxCallback gets called with its $request parameter containing the request including all the URL and POST parameters. The following line splits the element_parents URL parameter:
        $form_parents = explode('/', $request->query->get('element_

  • Greed is stupid (Score:5, Insightful)

    by hyades1 ( 1149581 ) <> on Sunday April 22, 2018 @10:11PM (#56486343)

    Sensible people would briefly use the servers to install a lightweight, hard-to-find bitcoin miner that stayed out of the way until the victim's computer was doing nothing, but still had an internet connection. Don't get greedy. Don't thrash the hard drive or run the graphics card 'til it melts. Just take a little sip here and a little sip there, and rely on having a lot of places to go for that little sip.

    I bet something like that could stay under the radar for a long, long time.

    • That's what I've been doing. I got scripts all over the planet mining Bitcoins since 1988.

    • by Z00L00K ( 682162 )

      It's not possible to hide if the server admin runs tools like 'rkhunter'. That's how I saw that my server was impacted.

      And in my case it was a monero miner. I did dig through the stuff in the server and found out the hashed ID of the culprit as well and mailed the monero support with that ID. Haven't heard anything about it but if they cancel the mined stuff without notifying anyone then I'm good with that too.

      • It's not possible to hide if the server admin runs tools like 'rkhunter'.

        I've not heard of rkhunter before, but from how it works I can think of a few ways to hide. It doesn't appear to scan the contents of kernel memory, so if you're able to inject running code into the kernel and masquerade as a low-priority kernel thread then it won't be noticed. It also isn't able to scan into SGX enclaves, or into any of the (now compromised) trusted firmware on AMD systems, the latter of which gives you a good way of persisting your malware across reboots.

        If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.

        On the plus side, it would be re

        • by Bongo ( 13261 )

          I believe rkhunter made an appearance in Mr. Robot.

        • by mikael ( 484 )

          I've noticed on some Linux PC's that using lsmod will provide a list of modules and how many modules plus their names are depending on it. But in some cases the "Intel" module has about 5 other modules using, but they aren't listed.

      • Thanks for that. If possible, I'd give you points for "Informative".

    • If it's running on AWS your get a month at most before the server is shut down and replaced with a freshly running instance.
    • They do a shory con. So better to do 100% fir 1 hour. No idea how long they can do it. Could be that they need to close after 24 hours. Or sooner.

      If they wanted to do the long con, they would have started a bank.

  • Probed constantly (Score:5, Interesting)

    by ve3oat ( 884827 ) on Sunday April 22, 2018 @10:40PM (#56486427)
    I don't run Drupal but in a six hour period Saturday morning even my little website was hit on from 147 different IP addresses, each using 4 or 5 requests in rapid succession. Made my logs hard to read.
    • I don't run Drupal but in a six hour period Saturday morning even my little website was hit on from 147 different IP addresses, each using 4 or 5 requests in rapid succession. Made my logs hard to read.

      If they're hitting the same URL, just make sure the URL refers to a 2TB random file.

      Or you could start whitelisting/blacklisting or banning IP's trying to access resources that shouldn't be accessed.

      • by ve3oat ( 884827 )
        I didn't have a 2 TB file to give away but after all the activity the previous day (Friday), I made sure the URLs they were after would give them only a "403" response instead of the usual "404", just to make a point. There were only a few isolated probes after about 1230 UTC Saturday. I wonder if the attacks continued on other sites after they ended on mine.
      • by Xenna ( 37238 )

        What do these probes look like in the logs?

        • by ve3oat ( 884827 )
          Looked like this :
          "GET / HTTP/1.1" 301 226 "-"
          "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 400 17 "-"
          "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 15 "-"
          "GET / HTTP/1.1" 301 226 "-"
          "GET / HTTP/1.1" 301 226 "-"
          "GET /rss.php?mode=recent HTTP/1.1" 403 15 "-"
          "GET /wp-login.php HTTP/1.1" 403 15 "-"
          Mostly in rapid succession but sometimes spaced out over several minutes. Requests for wp-login.php were sometimes omitted. UA
  • by Anonymous Coward

    That's ok, Drupal's code of conduct specifically bans malicious hacking because it isn't nice. That, and any form of kink that doesn't have a parade and could be inconvenient for Dries's IPO.

    God bless the Drupal CoC.

  • by Anonymous Coward

    It's worse than Wordpress. That's saying something.
    These garbage cms's that have an established base of "developers" with a lot of sunk costs becoming "experts" need to die. Maybe a good, easy to use cms will come along but it won't be Drupal or Wordpress.

    • by Anonymous Coward

      Concrete5, Statamic, and Pagekit. ExpressionEngine and maybe Joomla except for the ease of use condition...

  • Great source article (Score:5, Informative)

    by scdeimos ( 632778 ) on Sunday April 22, 2018 @11:39PM (#56486591)
    Noice... TFA links back to the 2014 security advisory [] and completely misses a link to the current 2018 security advisory [].
  • Why the fuck does anyone still use Drupal, it has proven time and time again to be a total clusterfuck when it comes to security and doesn't seem to be improving. It is like the turds MS churned out in the late 90's.
  • by Qbertino ( 265505 ) <> on Monday April 23, 2018 @07:48AM (#56487387)

    Disclaimer: I've used and developed for both Drupal and WP professionally, for a living. A good living.

    Like most PHP systems Drupal is built by monkeys on crack with zero clue about proper software architecture. Unlike WordPress though it doesn't have a 140 million+ installbase and an army of people messing around with it every day and patching holes as they pop up just about instantly. This is a problem. Add to that the fact that while both WP and Drupal are built by people who didn't know squat what they were doing when they started out, WP actually makes it somewhat easy to code around it's mess, just using a few utility functions from WP core to latch on to the DB and the user management and stearing clear of the rest of the mess, getting to doing real work roughly 10 minutes in to your first WP plugin.
    Drupal OTOH is a mess through and through *and* forces you to follow along, making development much more difficult. Which is why the installbase is 'only' a few million which AFAICT isn't enough to compensate for crappy webapps built by n00bs in PHP. I expect Drupal holes like this one to be much more of a problem vis-a-vis WPs holes, simply because the userbase is orders of magnitude smaller than of WP.

    My 2 cents.

A bug in the code is worth two in the documentation.