In March 2018, Drupal released versions 7.58 and 8.5.1 addressing a highly critical remote code execution vulnerability (SA-CORE-2018-002, CVE-2018-7600), since nicknamed Drupalgeddon2. At that time there was no evidence of the vulnerability being exploited against Drupal sites. However, on April 12, 2018, a security research firm released a detailed analysis of the vulnerability and steps to exploit it. In the days since that release, multiple exploits of the Drupalgeddon2 vulnerability have been reported.

The Exploits

Within hours of the proof-of-concept publication, attackers began scanning websites for unpatched Drupal installations and installing a variety of malware, including cryptocurrency miners and backdoor scripts. This prompted Drupal to publish a Public Service Announcement on its website on April 13 alerting users that if they had not yet patched their Drupal installations, their sites could already be compromised.

The Drupal security team became aware of automated attacks attempting to compromise websites running Drupal 7 and Drupal 8. It is important to note that upgrading Drupal and patching the security flaw does not remove or correct backdoor files that may already have been planted on your site. If your Drupal site was not patched prior to April 11, 2018, it may already be infected with malware. Drupal also cautions that a website that has been updated without your knowledge can itself be a symptom of compromise, as some attacks apply the patch as part of the attack.

Researchers at SiteLock recently discovered one variation of malware infecting vulnerable Drupal sites: a PHP backdoor built around an eval() call on attacker-supplied request input.

The backdoor, a file named libasset.php, appears under the /sites directory of vulnerable Drupal installations and is used to execute arbitrary commands on infected websites.

Drupal is urging all users whose websites were not updated prior to April 11 to review all website files and scan their sites for malware. Drupal has also provided documentation on first steps to take if you believe your website has been compromised.
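The following triage script is an added example for this article; it is not SiteLock's, Drupal's, or any attacker's code. It does the two things a site owner needs after reading the advice above: it reads the installed core version from the real Drupal version files (includes/bootstrap.inc for Drupal 7, core/lib/Drupal.php for Drupal 8) and compares it with the fixed releases 7.58 and 8.5.1, and it walks the docroot for backdoors, both by the libasset.php name reported under /sites and by the more general pattern of a PHP file that feeds request input into eval(). The regular expressions, the suspicious-file rules and the sample docroot built at the bottom are assumptions constructed for the demo, not data from a real compromised site.

```python
"""Post-Drupalgeddon2 triage of a Drupal docroot (CVE-2018-7600).

Added example; this is not SiteLock's or Drupal's own code. It checks the
installed core version against the fixed releases (7.58 / 8.5.1) and looks
for backdoors two ways: the libasset.php file name reported under /sites,
and PHP files that feed request input into eval(). The sample docroot at the
bottom is constructed for the demo; the regexes and thresholds are ours.
"""
import os
import re
import tempfile

# Fixed releases named in the article. Other supported branches received
# their own backports, which this demo does not model (assumption).
FIXED = {7: (7, 58, 0), 8: (8, 5, 1)}

# Where Drupal 7 and Drupal 8 record the core version.
VERSION_FILES = [
    ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([\d.]+)'\)")),
    ("core/lib/Drupal.php", re.compile(r"const VERSION\s*=\s*'([\d.]+)'")),
]

# eval() whose argument, possibly through a wrapper such as base64_decode()
# or stripslashes(), comes from a request superglobal. Deliberately narrow:
# legitimate Drupal core never evals request input, so hits deserve a look.
EVAL_RE = re.compile(
    r"eval\s*\([^;]{0,120}?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.IGNORECASE)

PHP_EXTS = (".php", ".inc", ".module", ".theme", ".install")


def parse_version(text):
    """'7.57' -> (7, 57, 0); '8.5.1' -> (8, 5, 1)."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def installed_version(docroot):
    """Return the core version tuple, or None if neither version file exists."""
    for rel, rx in VERSION_FILES:
        path = os.path.join(docroot, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = rx.search(fh.read())
            if match:
                return parse_version(match.group(1))
    return None


def is_patched(version):
    """True only if the major branch is known and at or above its fix."""
    if version is None:
        return False
    fixed = FIXED.get(version[0])
    return fixed is not None and version >= fixed


def scan_for_backdoors(docroot):
    """Map of relative path -> reasons, for every suspicious file found."""
    findings = {}
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            if name == "libasset.php" and rel.startswith("sites/"):
                findings.setdefault(rel, []).append("known backdoor name under sites/")
            if name.endswith(PHP_EXTS):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if EVAL_RE.search(fh.read()):
                        findings.setdefault(rel, []).append("eval() of request input")
    return findings


def triage(docroot):
    version = installed_version(docroot)
    return {"version": version, "patched": is_patched(version),
            "backdoors": scan_for_backdoors(docroot)}


def build_sample_docroot():
    """Constructed Drupal 7 tree: unpatched core plus two planted backdoors."""
    root = tempfile.mkdtemp(prefix="drupal-triage-")
    files = {
        "includes/bootstrap.inc": "<?php\ndefine('VERSION', '7.57');\n",
        "sites/default/libasset.php": "<?php eval(base64_decode($_POST['c']));",
        "sites/default/files/cache.php": "<?php @eval(stripslashes($_REQUEST['q'])); ?>",
        "sites/all/modules/x/x.module": "<?php\nfunction x_menu() { return array(); }\n",
        "modules/system/system.module": "<?php\n// mentions eval in a comment only\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = triage(build_sample_docroot())
    print("core version:", report["version"], "patched:", report["patched"])
    for rel, reasons in sorted(report["backdoors"].items()):
        print("SUSPICIOUS", rel, "->", "; ".join(reasons))
```

Run it against a real docroot by calling triage("/var/www/drupal") instead of the sample tree. A clean version check does not clear a site: as the advisory notes, a version at or above 7.58 / 8.5.1 can mean the attacker patched it for you, so treat the backdoor scan, not the version, as the deciding signal, and compare any flagged files against a known-good copy of the codebase rather than deleting them blind.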

What Next?

If you have not updated your Drupal installation to 7.58 or 8.5.1, patch it as soon as possible. It is also highly recommended that you scan your website with a malware scanner that can detect and automatically remove malicious content related to the Drupalgeddon2 vulnerability, since patching alone leaves any backdoor already planted in place.

SiteLock INFINITY users are protected from these infections thanks to INFINITY’s continuous vulnerability and malware scanning that includes automated malware removal and core CMS security patching. Users who have patching enabled for their Drupal sites had their sites patched prior to the publication of the proof of concept exploit and are protected from these infections.

If you’re interested in around-the-clock malware scanning and vulnerability patching, contact us today and ask about SiteLock INFINITY. We are available 24/7 at 855.378.6200.