'Drupalgeddon2' Touches Off Arms Race To Mass-Exploit Powerful Web Servers (arstechnica.com)
Researchers with Netlab 360 warn that attackers are mass-exploiting "Drupalgeddon2," the name of an extremely critical vulnerability Drupal maintainers patched in late March. The exploit allows them to take control of powerful website servers. Ars Technica reports: Formally indexed as CVE-2018-7600, Drupalgeddon2 makes it easy for anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run code of their choice without having to have an account of any type on a vulnerable website. The remote-code vulnerability harkens back to a 2014 Drupal vulnerability that also made it easy to commandeer vulnerable servers.
Drupalgeddon2 "is under active attack, and every Drupal site behind our network is being probed constantly from multiple IP addresses," Daniel Cid, CTO and founder of security firm Sucuri, told Ars. "Anyone that has not patched is hacked already at this point. Since the first public exploit was released, we are seeing this arms race between the criminals as they all try to hack as many sites as they can." China-based Netlab 360, meanwhile, said at least three competing attack groups are exploiting the vulnerability. The most active group, Netlab 360 researchers said in a blog post published Friday, is using it to install multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. The group, dubbed Muhstik after a keyword that pops up in its code, relies on 11 separate command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down.
The exploit allows them to take control of powerful website servers
Powerful indeed, since you need huge resources to run Drupal decently.
Big part of the reason there are so many un-patched Drupal sites is the cost of Drupal consultants. Hourly rates in the $200+ range are a big risk vector to consider for small to medium sized sites.
Sensible people would briefly use the servers to install a lightweight, hard-to-find bitcoin miner that stayed out of the way until the victim's computer was doing nothing, but still had an internet connection. Don't get greedy. Don't thrash the hard drive or run the graphics card 'til it melts. Just take a little sip here and a little sip there, and rely on having a lot of places to go for that little sip.
I bet something like that could stay under the radar for a long, long time.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
I don't run Drupal but in a six hour period Saturday morning even my little website was hit on from 147 different IP addresses, each using 4 or 5 requests in rapid succession. Made my logs hard to read.
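A defender-side illustration of the pattern described in the comment above (many source IPs, each firing a handful of requests in quick succession). This is an added example, not part of the original post or thread: it parses access-log lines in the common Apache/nginx "combined" format, groups them by client IP, and flags any IP that sent at least four requests inside a 60-second window, so that noisy scanning stands out from ordinary browsing. The log lines, IP addresses and paths below are constructed for the example and are not real traffic.

```python
"""Group web-server access-log lines by client IP and flag short request
bursts, the mass-scanning pattern described in the comment above.
Added example; the log lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one IP bursting 5 requests in 4 seconds, one normal
# visitor, one slow 4-request visitor, and one malformed line to be skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Apr/2018:06:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2018:06:01:03 +0000] "GET /user/login HTTP/1.1" 404 190 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2018:06:01:04 +0000] "POST /index.php HTTP/1.1" 404 190 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2018:06:01:05 +0000] "GET /node/1 HTTP/1.1" 404 190 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2018:06:01:06 +0000] "GET /core/ HTTP/1.1" 404 190 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2018:06:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2018:06:20:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Apr/2018:07:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Apr/2018:07:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Apr/2018:07:06:00 +0000] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Apr/2018:07:09:00 +0000] "GET /news.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


def parse_lines(text):
    """Yield (ip, timestamp, request_line, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format: skip rather than crash
        ts = datetime.strptime(m.group("time"), TIME_FMT)
        yield m.group("ip"), ts, m.group("req"), int(m.group("status"))


def find_bursts(text, min_requests=4, window_seconds=60):
    """Return {ip: summary} for every IP that sent at least min_requests
    requests within some window_seconds span. A sliding window over the
    sorted per-IP timestamps means a slow trickle of many requests is
    not flagged, only a genuine burst."""
    per_ip = defaultdict(list)
    for ip, ts, req, status in parse_lines(text):
        per_ip[ip].append((ts, req, status))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        for i in range(len(events) - min_requests + 1):
            start = events[i][0]
            end = events[i + min_requests - 1][0]
            if (end - start).total_seconds() <= window_seconds:
                flagged[ip] = {
                    "count": len(events),
                    "first": events[0][0].isoformat(),
                    "last": events[-1][0].isoformat(),
                    "not_found": sum(1 for e in events if e[2] == 404),
                    "paths": [e[1].split()[1] for e in events],
                }
                break  # one qualifying window is enough to flag the IP
    return flagged


if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG).items():
        print(ip, info["count"], "requests,", info["not_found"], "x 404:",
              ", ".join(info["paths"]))
```

Run against a real log with `find_bursts(open("access.log").read())`; the 404 count per flagged IP is a useful second signal, since scanners probing for paths that do not exist on a non-Drupal site (as in the comment above) leave a trail of 404s where normal visitors do not.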
Noice... TFA links back to the 2014 security advisory and completely misses a link to the current 2018 security advisory.
It's not really a Linux issue, it's a PHP / Drupal issue.
PHP, as it's designed, is a potential security risk, and any code written is "dirty" since it's hard to validate and is a mix of code, HTML and JavaScript. So even a slight error in coding in PHP can lead to "interesting" side effects.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Disclaimer: I've used and developed for both Drupal and WP professionally, for a living. A good living.
Like most PHP systems Drupal is built by monkeys on crack with zero clue about proper software architecture. Unlike WordPress though it doesn't have a 140 million+ install base and an army of people messing around with it every day and patching holes as they pop up just about instantly. This is a problem. Add to that the fact that while both WP and Drupal are built by people who didn't know squat what they were doing when they started out, WP actually makes it somewhat easy to code around its mess, just using a few utility functions from WP core to latch on to the DB and the user management and steering clear of the rest of the mess, getting to doing real work roughly 10 minutes into your first WP plugin.
Drupal OTOH is a mess through and through *and* forces you to follow along, making development much more difficult. Which is why the install base is 'only' a few million which AFAICT isn't enough to compensate for crappy webapps built by n00bs in PHP. I expect Drupal holes like this one to be much more of a problem vis-a-vis WP's holes, simply because the userbase is orders of magnitude smaller than WP's.
My 2 cents.
We suffer more in our imagination than in reality. - Seneca