Hackers Used Drupalgeddon and Dirty COW Exploits
Drupal is a content management system (CMS) used to run websites. Sites built on Drupal have once again come under attack from hackers. In these recent attacks, the hackers are after:
- Gaining a foothold on servers
- Elevating their access to a root account
- Installing a legitimate SSH client so they can log into the hijacked servers at later dates
Hackers lean on two different exploits to do this: Drupalgeddon2 and Dirty COW.
How these attacks happen with Drupalgeddon2
First, hackers perform a mass scan of the Internet for websites running an outdated version of the Drupal content management system (CMS). A site whose Drupal installation has not been patched against Drupalgeddon2 is vulnerable to that exploit. When such a site is found, hackers deploy the exploit and gain a limited foothold on the site. From that foothold, they search the Drupal installation's local configuration files for database credentials.
If that search turns up credentials for an account named “root,” they try to use them to gain root access to the site’s underlying server.
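The configuration-file step above is one a site owner can audit locally. The following Python script is an added example, not code from the article or from Drupal: it reads a Drupal settings.php, flags database credentials that belong to an account named "root", and flags a settings file that other local users can read. The sample settings block is constructed, and the function names are this example's own.

```python
"""Audit a Drupal settings.php for the two conditions the article describes:
database credentials for a "root" account stored in a local configuration
file, and a settings file that other local accounts can read."""
import os
import re
import stat

# Matches 'username' => 'value' (single or double quotes) inside the
# $databases array of a Drupal 7/8 settings.php.
_DB_USER_RE = re.compile(r"""['"]username['"]\s*=>\s*['"]([^'"]*)['"]""")


def audit_settings_text(text, mode=0o600):
    """Return a list of findings for the given settings.php contents.

    `mode` is the file's permission bits (st_mode & 0o777); the default
    assumes a correctly locked-down file when only text is supplied."""
    findings = []
    users = _DB_USER_RE.findall(text)
    if not users:
        findings.append("no database username found in $databases")
    for user in users:
        if user.lower() == "root":
            findings.append(f"database credentials use privileged account {user!r}")
    # A group- or world-readable settings.php lets any local account read the
    # database password, which is exactly what the attackers go looking for.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"settings.php is readable by others (mode {mode:04o})")
    return findings


def audit_settings_file(path):
    """Read a real settings.php from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_settings_text(text, os.stat(path).st_mode & 0o777)


# Constructed sample: a Drupal 7-style $databases block (not from a real site).
SAMPLE_SETTINGS = """<?php
$databases['default']['default'] = array(
  'database' => 'drupal',
  'username' => 'root',
  'password' => 'example-password',
  'host' => 'localhost',
  'driver' => 'mysql',
);
"""

if __name__ == "__main__":
    for finding in audit_settings_text(SAMPLE_SETTINGS, mode=0o644):
        print("FINDING:", finding)
```

Run `audit_settings_file("/path/to/sites/default/settings.php")` on the server itself; an empty list means neither condition was found.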
How Dirty COW comes into play
If the Drupalgeddon2 route does not yield root access, hackers deploy the second exploit, Dirty COW. This Linux kernel vulnerability allows a limited user account to elevate its privileges to root. The goal throughout is root access on the server, which lets the attackers connect to it and run other operations, such as installing crypto-mining malware.
How many of these attacks have happened?
According to Imperva, a cybersecurity company, dozens of websites have been victims of these attacks. Imperva adds that it has protected dozens of sites from these infection and exploitation attempts.
Website and server owners should promptly make sure patches are in place, especially against Drupalgeddon2, so that they are not exposed to this attack chain. Keeping the Drupal CMS and the underlying Linux servers up to date also improves the chances of evading such an attack.