Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drupal Sites Fall Victims To Cryptojacking Campaigns (bleepingcomputer.com)

Posted by msmash on from the that-escalated-quickly dept.

An anonymous reader shares a report: After the publication of two severe security flaws in the Drupal CMS, cybercrime groups have turned their sights on this web technology in the hopes of finding new ground to plant malware on servers and make money through illegal cryptocurrency mining. [...] Now, as time passes by, more malware campaigns targeting Drupal sites are getting off the ground -- and two of them have been spotted the past week.

The most recent of these campaigns has been discovered by US security researcher Troy Mursch. The researcher discovered a group that gained access to Drupal sites and hid a version of the Coinhive in-browser cryptocurrency miner inside a file named "jquery [dot] once [dot] js?v=1.2," loaded on each of the compromised sites. Mursch initially tracked down the infected files to over 100,000 domains, then narrowed down the results to 80,000 domains, and finally confirmed the infection on at least 348 sites where the in-browsing mining operation was actually taking place.

15 of 27 comments (clear)

  1. You work for me now by Anonymous Coward · · Score: 1

    This is why I only use Wordpress on my important sites

    1. Re:You work for me now by pahles · · Score: 4, Informative

      https://www.cvedetails.com/vul...

      --
      Sig?
  2. If one goes open source PHP... by TheZeitgeist · · Score: 1

    They get what they deserve.

    1. Re: If one goes open source PHP... by Aethedor · · Score: 1

      Try this one.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    2. Re: If one goes open source PHP... by Aethedor · · Score: 1

      If that's really all the criticism you can give. the Banshee developer did a good job.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    3. Re: If one goes open source PHP... by Aethedor · · Score: 1

      Sorry, but this 'review' makes no sense at all. Your 'sum-total of the security features'... I have no idea what you looked at, but you clearly didn't look at Banshee. Or at least, not in a serious way.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
  3. Drupal needs one click updating for core. by cascadingstylesheet · · Score: 1

    Drupal needs one click updating for core.

    (Optional) autoupdating would be even better. But at least one click is a minimum these days. The manual screwing around that you have to do to update Drupal is absurd.

    (Not difficult, just absurd. It's because it isn't difficult that it's absurd that it isn't automated.)

    1. Re:Drupal needs one click updating for core. by thaylin · · Score: 1

      And then you get updates like confluence where you have to make backups of the conf files because it likes to blow them away.

      --
      When you cant win, ad hominem.
    2. Re:Drupal needs one click updating for core. by Anonymous Coward · · Score: 1

      I think it is immensely dangerous to have that feature. The last thing I want is for the executable and configs and everything to be writable to the process running them. That is just begging for escalation of attacks.

    3. Re:Drupal needs one click updating for core. by drinkypoo · · Score: 1

      I think it is immensely dangerous to have that feature. The last thing I want is for the executable and configs and everything to be writable to the process running them. That is just begging for escalation of attacks.

      You're totally correct, but they could have a simple script that you'd run, assuming you can do such things, that would do the job for you. Though, to be fair, it's not exactly complicated. Extract the archive and rsync it. Then you do have to run db updates, but that could be done by the update script easily enough.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. That's harsh by Hognoxious · · Score: 1

    On top of already being victims just by having Drupal.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. Turnkey again! by duke_cheetah2003 · · Score: 1

    And we're back here again, pointing out why Turnkey solutions for internet connected servers is BAD NEWS!

    1. Re:Turnkey again! by yelvington · · Score: 1

      Because it's much better to have bespoke security holes?

    2. Re:Turnkey again! by Anonymous Coward · · Score: 1

      Because it's much better to have bespoke security holes?

      Actually yes because nobody is going to waste their time cracking the bespoke site for your small business. The returns are too low for their investment of time and they get exactly one infection out of the deal. The thing that makes turnkey content management systems attractive is precisely the large base of installed users who don't patch their installs regularly after the consultants who set it all up for them leave or have a falling out with the business owner. It's not unusual to have thousands or even tens of thousands of potential targets running Drupal, WordPress or Joomla installations that haven't been patched in 5 years or more. Suddenly a breach in one of these shake-and-bake website tools is much more attractive because of the much larger pool of potential victims. Crypto currency mining sweetens the pot because you don't have to find a site that's taking payments to make money. All you need are unwitting visitors to the web site whose browsers can be hijacked to mine Monero or some other crypto coins.

  6. Static sites FTW by Tool+Man · · Score: 1

    If you don't leave some leaky, bug-ridden CMS on the front end of your web site, there is a lot less to exploit.
    You can probably do it with some plugin or other with Drupal, just like you can with WordPress, Django or whatever. For most people though, you could do well with a static site generator.

    If there's no exploitable hole in the base OS or web server, good luck having your way with HTML.