Drupalgeddon 3 in retrospect
Nikolett Hegedüs

Drupalgeddon 3 in retrospect

As you know, recently we’ve released multiple security patches for the Drupalgeddon vulnerabilities. The last one was Drupal Remote Code Execution - SA-CORE-2018-004, CVE-2018-7602, patched only 2 days after it was first discovered. We’re very proud of our quick reaction time and would like to share some statistics with you about the attacks that were prevented since then - with the help of BitNinja.

The data from the first incident that we’ve caught looks like this (the URL is masked for privacy purposes):

Url: [###.hu//]
Headers: [array (
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31',
'Host' => '###.hu',
'Connection' => 'TE, close',
'TE' => 'deflate,gzip;q=0.3',
0 => 'application/json',
'Content-Length' => '88',
'Content-Type' => 'application/x-www-form-urlencoded',
Get: ['?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=id;uname+-a']
Post: ['form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=%5BCSRF-TOKEN%5D']
Matched: [
ModSecurity id: [402003] revision []
msg [Drupal Remote Code Execution - SA-CORE-2018-004: Block all destination q[#]
logdata [Matched "Operator `Rx' with parameter `(\?q\[(\#|(%(25)*23))|(&|%(25)*26)q\[(%(25)*23))' against variable `ARGS:destination' (Value: `node?q[%23][]=passthru&q[%23type]=markup&q[%23markup]=id;uname -a' )]
severity [CRITICAL]

ModSecurity id: [1010035] revision []
msg [Pattern [59d625d65df0bd004c1dcdf1]]
logdata [Matched "Operator `Gt' with parameter `0' against variable `TX:BN_INBOUND_FOUND' (Value: `1' )]
severity [EMERGENCY]

You can see that both the GET and POST data fields contain urlencoded characters (%2523). After urldecoding the data in the GET request, we get this:
['?q=node/99/delete&destination=node?q[#][]=passthru&q[#type]=markup&q[#markup]=id;uname -a']

On the chart below you can see that the frequency of the Drupalgeddon 3 attacks doesn’t seem to decrease: BitNinja has caught 89 incidents of this type (until 11th June) since we’ve released the security patch:

So if you’d like to be protected too, you only need to enable our WAF module, and utilize the BitNinja safe minimum ruleset template. We’ve named the Drupalgeddon rules “Drupal Remote Execution Protection”, and it’s part of the BitNinja safe minimum ruleset template in the BitNinja Ruleset section. It’s rule number is 402003.

Do you have any questions? Please contact us or write a comment!

Share your ideas with us about this article

Previous posts

Kevin Mitnick the most famous hacker
Where it all began Kevin David Mitnick is one of the most famous hackers. At age 13 Mitnick used dumpster dicing and social engineering to bypass the bus ticketing system in Los Angeles, this way he was able to ride the LA area using unused transfer slips. First big step His first unauthorized access to a network was in 79’ , when he was only 16 years old. He broke into DEC’s ( Digital Equipment Corporation ) computer network and simply copied their software, later he was charged for this action in 1988,  got sentenced for 12 months in prison. The prison h...
GDPR and BitNinja - Important updates
By now, you are likely aware that on May 25, 2018, a new data privacy law introduced in Europe called the General Data Protection Regulation (GDPR) will go into effect. GDPR govern how businesses collect, use and share personal data and it allows individuals to exercise their legal rights. Of course, we have taken the necessary steps to ensure that we are compliant with the GDPR. We updated our Privacy Policy and General Contract Terms and Conditions. Also, we created this separate section about the topic in order to keep you updated. The Data Processing Addendum ...