Tag Archives: Drupalgeddon

Kitty Cryptocurrency Miner

An advanced cryptocurrency miner called Kitty has been observed exploiting the Drupal remote code execution vulnerability better known as Drupalgeddon 2.0 (details here).

CVE-2018-7600 is exploited to deliver a Bash script to the target device. This script then installs a PHP file called ‘kdrupal’ containing a Base64-encoded backdoor and registers a cron job to maintain persistence. Once this is done, a variant of the XMRig Monero miner, referred to as kkworker, is installed.

Alongside mining cryptocurrency directly on the compromised server, Kitty will also attempt to distribute another mining script called me0w.js to any hosts that connect to the server.

“The attacker initially tries to alter the commonly used index.php file and add to it the malicious JavaScript me0w.js,” a blog post explains. They then scan for all JavaScript files on the server and, once found, inject the same malicious me0w.js file.
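A triage sweep for the artifacts named above, as an added example that is not part of the original post or of any Drupal tooling. It assumes the indicators keep the names given here (kdrupal, kkworker, me0w.js) and that the docroot path and crontab text are supplied by the caller; the function names are hypothetical.

```python
import os
import re

# Indicator names taken from the write-up above; matching is case-insensitive.
BACKDOOR_NAME = re.compile(r"kdrupal", re.I)      # PHP backdoor file
MINER_NAME = re.compile(r"kkworker", re.I)        # XMRig variant binary
INJECTED_JS = re.compile(rb"me0w\.js", re.I)      # reference to the browser miner
CRON_HINT = re.compile(r"kdrupal|kkworker", re.I)


def scan_webroot(root):
    """Walk a Drupal docroot and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if BACKDOOR_NAME.search(name):
                findings.append((rel, "backdoor-filename"))
            if MINER_NAME.search(name):
                findings.append((rel, "miner-filename"))
            if name.lower() == "me0w.js":
                findings.append((rel, "miner-script"))
            # index.php and every .js file are the injection targets described.
            elif name == "index.php" or name.lower().endswith(".js"):
                try:
                    with open(path, "rb") as fh:
                        if INJECTED_JS.search(fh.read()):
                            findings.append((rel, "me0w.js-reference"))
                except OSError:
                    findings.append((rel, "unreadable"))
    return sorted(findings)


def scan_crontab(text):
    """Return non-comment crontab lines that mention the backdoor or miner."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and CRON_HINT.search(stripped):
            hits.append(stripped)
    return hits
```

Feed `scan_crontab` the output of `crontab -l` for the account the web server runs as. An empty result only means these specific names were not found.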

It took us some time to find any hosts to block for this one, but as a start it could be related to this:

Hosts To Block


Affected Platforms

Drupal Core – Versions 8.5.0 / 8.4.5 / 8.3.8 / 7.57 and earlier

Drupalgeddon 3 – Remote Code Execution Vulnerability in Drupal

On 25 April 2018, Drupal, the web content management system provider, released a security patch. Within hours of releasing this patch, Drupal detected successful exploitation attempts.

The vulnerability exists in a URL parameter, “destination”, which is not sanitized. Attackers can leverage this to execute arbitrary commands on the web server.

Multiple exploitation examples have been published on the internet since Drupal released the patch. Attackers can also determine whether a web site is vulnerable using Google.

Drupalgeddon checks for backdoors and other traces of known Drupal exploits of “Drupageddon” aka SA-CORE-2014-005 SQL injection. Drupalgeddon is not a module; it’s a Drush command.

This is a signature-based diagnostic tool, and cannot guarantee that a website has not been compromised.

The Drupalgeddon 2 vulnerability announcement came out in late March (2018-03-28) as SA-CORE-2018-002. The advisory was released with a patch and a CVE (CVE-2018-7600) at the same time.

The botnet is exploiting the CVE-2018-7600 vulnerability, also known as Drupalgeddon 2, to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.

Affected Platforms

Drupal – All versions

  • If you are using Drupal version 7.x, upgrade to version 7.59.
  • If you are using Drupal version 8.5.x, upgrade to version 8.5.3.
  • If you are using Drupal version 8.4.x, upgrade to version 8.4.8.
  • Please also note that 8.4.x versions are no longer supported; it is recommended that Drupal be upgraded to version 8.5.3.