On 25 April 2018, Drupal, the provider of the web content management system, released a security patch. Within hours of the release, Drupal detected successful exploitation attempts.
The vulnerability exists in a URL parameter, “destination”, which is not sanitized. Attackers can leverage this to execute arbitrary commands on the web server.
Multiple exploitation examples have been published on the internet since Drupal released the patch. Attackers can also determine if the web site is vulnerable using Google.
This is a signature-based diagnostic tool, and cannot guarantee that a website has not been compromised.
The botnet is exploiting the CVE-2018-7600 vulnerability (also known as Drupalgeddon 2) to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.
Drupal – All versions
- If you are using Drupal version 7.x, upgrade to version 7.59.
- If you are using Drupal version 8.5.x, upgrade to version 8.5.3.
- If you are using Drupal version 8.4.x, upgrade to version 8.4.8.
- Please also note that 8.4.x versions are no longer supported; it is recommended that Drupal be upgraded to version 8.5.3.
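
The upgrade list above, turned into a triage check for an inventory of installed Drupal versions. This is an added example, not part of the original advisory; the function names, status labels and sample inventory are constructed for illustration.

```python
import re

# Fixed release per branch, from the advisory's upgrade list.
FIXED = {(7,): (7, 59), (8, 4): (8, 4, 8), (8, 5): (8, 5, 3)}
# The advisory says 8.4.x is no longer supported and recommends 8.5.3.
UNSUPPORTED = {(8, 4): "8.5.3"}


def parse_version(text):
    """'8.5.1-rc1' -> (8, 5, 1); suffixes such as -rc1 or -dev are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if m is None:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def triage(version_text):
    """Return (status, upgrade_to) for one installed Drupal version."""
    v = parse_version(version_text)
    branch = v[:1] if v[0] == 7 else v[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        # Branch has no fixed release in the list: needs manual review.
        return ("unlisted", None)
    # Tuples compare numerically, so 7.9 is correctly older than 7.59;
    # comparing the raw strings would rank "7.9" above "7.59".
    if v < fixed:
        return ("vulnerable", ".".join(map(str, fixed)))
    if branch in UNSUPPORTED:
        return ("unsupported", UNSUPPORTED[branch])
    return ("patched", None)


def needs_action(inventory):
    """Map host -> (status, upgrade_to) for every host that is not patched."""
    results = {host: triage(ver) for host, ver in inventory.items()}
    return {h: r for h, r in results.items() if r[0] != "patched"}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"www.example.org": "7.9", "shop.example.org": "8.5.3",
              "blog.example.org": "8.4.8", "old.example.org": "8.3.7",
              "dev.example.org": "8.5.0-rc1"}
    for host, (status, target) in sorted(needs_action(sample).items()):
        print(f"{host}: {status}" + (f", upgrade to {target}" if target else ""))
```

A "patched" result only reflects the version number; it says nothing about whether the site was compromised before the upgrade.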