Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers

Hacks could be easily avoided if people would patch their Drupal CMSs and Linux web servers.
Written by Catalin Cimpanu, Contributor

Hackers have launched a new type of attack against Drupal site owners in the past several days, Imperva researchers have told ZDNet.

Through these recent attacks, hackers aim to gain a foothold on servers, elevate their access to a root account, and then install a legitimate SSH client so they can log into the hijacked servers at later dates.

To achieve their goals, hackers have been using two well-known exploits, one of them discovered way back in 2016.

How the attack takes place

According to Imperva, the attack begins with hackers mass-scanning the Internet for websites running an outdated version of the Drupal content management system (CMS) that was not patched against the Drupalgeddon 2 vulnerability that came to light this year, in March.

When they identify one of these vulnerable sites, hackers deploy a Drupalgeddon 2 exploit to get a limited foothold on it.

They later use this foothold to search through the Drupal site's local configuration files for database credentials.

If the database connection settings include an account with the name "root," they try that account's credentials for the server itself, in the hope of gaining root access to the site's underlying server.

However, if this fails, hackers move to deploy a second exploit named Dirty COW, which is for an eponymous vulnerability discovered in 2016 that lets hackers elevate their access from a limited user account to root access.

Hackers go through all these steps because they need access to a root account in order to install a legitimate SSH daemon on the server, which Imperva believes they need to connect to the server and run other operations.
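The credential step described above can be checked from the defender's side. The following is an added example, not code from Imperva or the article: it flags database usernames in a Drupal settings.php that are also login-capable accounts on the host, generalizing the "root" case to any local account. The sample settings and passwd contents are constructed.

```python
import re

# Constructed sample of a Drupal settings.php database block (not from the article).
SAMPLE_SETTINGS = r"""<?php
// 'username' => 'old_admin',   (commented-out entry, must be ignored)
$databases['default']['default'] = array(
  'database' => 'drupal',
  'username' => 'root',
  'password' => 'example-only',
);
$databases['reporting']['default'] = [
  "database" => "stats",
  "username" => "report_ro",
  "password" => "example-only-2",
];
"""

# Constructed /etc/passwd excerpt for the same hypothetical host.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
"""

def db_usernames(settings_text):
    """Return database usernames configured in settings.php, skipping comments."""
    text = re.sub(r"/\*.*?\*/", "", settings_text, flags=re.S)
    live = [l for l in text.splitlines() if not l.lstrip().startswith(("//", "#"))]
    return re.findall(r"""['"]username['"]\s*=>\s*['"]([^'"]*)['"]""", "\n".join(live))

def login_accounts(passwd_text):
    """Return local accounts whose shell permits interactive login."""
    accounts = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "false")):
            accounts.add(fields[0])
    return accounts

def audit(settings_text, passwd_text):
    """Flag DB usernames that are also login-capable system accounts."""
    # A name match does not prove password reuse; it marks configs worth fixing.
    local = login_accounts(passwd_text)
    return [u for u in db_usernames(settings_text) if u in local]

if __name__ == "__main__":
    for user in audit(SAMPLE_SETTINGS, SAMPLE_PASSWD):
        print(f"WARNING: database user '{user}' is also a login account on this host")
```

Any account it reports should be replaced with a dedicated database user whose password is used nowhere else on the server.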

Dozens of attacks already detected

Nadav Avital, Threat Analytics Manager at Imperva, told ZDNet earlier today in an interview that the company's web firewall has already "protected dozens of sites from infection."

"Since all of the attacks were detected and blocked by Imperva we cannot fully determine the attackers' end goal," Avital told us. "Having said that, in one of our latest reports we found that almost 90% of such attacks are attempting to install a crypto-mining malware."

But these attacks could be much wider in scope than the "dozens" of sites where Imperva has blocked exploitation attempts. This is because most web servers already have an SSH daemon running, so hackers wouldn't need to go through the full exploitation scenario.

Because this attack relies on exploiting two very well-known vulnerabilities for which patches were made available a long time ago, website and server owners can easily make sure they're immune to such attacks by updating Drupal and their Linux servers.

Avital, in particular, stresses the importance of updating the Drupal CMS, the point of entry for these hacks. The researcher says Drupal sites have remained under constant assault even though the Drupalgeddon 2 vulnerability came to light over six months ago and attacks should have abated as site owners updated their CMSs. Unfortunately, this wasn't so.

"Considering [...], the lethargic pace of patching, the severity of the vulnerability and the fact that many of the hacking tools incorporated this attack, results in huge amount of attacks," Avital told ZDNet. "Even today Drupalgeddon is one of the most popular attack vectors hackers are trying to use."
