Attackers looking for vulnerable Drupal 7.x sites. A security flaw patched on July 13 in core modules built into the Drupal CMS is being exploited in live attacks, according to Johannes Ullrich of the SANS Internet Storm Center.
Ullrich says that, in the last two months, honeypot servers installed around the Internet have started catching scans that probe whether Drupal installations are running older versions of a specific module and then try to exploit the disclosed flaws.
Attackers scan for older versions of the RESTWS Drupal module
The issues they scan for are in the RESTful Web Services (RESTWS) module packed with Drupal 7.x installations. According to an advisory released by the Drupal team, all versions of this module before 7.x-2.6 and 7.x-1.7 (the patched versions) allow an attacker to execute commands on the underlying web server by accessing a URL with specially crafted parameters.
URLs with this non-standard format are what Ullrich has been catching on his honeypots.
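A defender-side inventory check, added here as an example and not taken from the article or from the Drupal project: it reads the version string from a site's restws.info file and reports whether the install is at or above the patched 7.x-2.6 / 7.x-1.7 releases named above. The sample .info text is constructed, and the function names are my own.

```python
import re
from typing import Optional, Tuple

# Patched RESTWS releases from the Drupal advisory, keyed by branch.
PATCHED = {"7.x-1": (1, 7), "7.x-2": (2, 6)}

# Drupal contrib version strings look like 7.x-2.5, 7.x-2.x-dev, 7.x-1.7-beta1.
VERSION_RE = re.compile(
    r"^(?P<core>\d+\.x)-(?P<major>\d+)\.(?P<minor>\d+|x)(?P<extra>-.+)?$"
)

# Constructed restws.info contents; drupal.org packaging adds the version line.
SAMPLE_INFO = """name = RESTful Web Services
core = 7.x
; Information added by Drupal.org packaging script
version = "7.x-2.5"
project = "restws"
"""


def parse_version(version: str) -> Optional[Tuple[str, int, Optional[int], str]]:
    """Split a Drupal version string into (core, major, minor, extra)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    minor = None if m.group("minor") == "x" else int(m.group("minor"))
    return m.group("core"), int(m.group("major")), minor, m.group("extra") or ""


def restws_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a RESTWS version string."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    core, major, minor, extra = parsed
    branch = f"{core}-{major}"
    if branch not in PATCHED or minor is None or extra:
        # 8.x builds, -dev snapshots and pre-releases cannot be judged from the version alone.
        return "unknown"
    return "patched" if (major, minor) >= PATCHED[branch] else "vulnerable"


def version_from_info(info_text: str) -> Optional[str]:
    """Pull the version = "..." line out of a .info file; None if it is absent."""
    for line in info_text.splitlines():
        m = re.match(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    ver = version_from_info(SAMPLE_INFO)
    print(f"restws {ver}: {restws_status(ver or '')}")
```

Run it against each site's sites/all/modules/restws/restws.info to build a list of hosts still on a pre-fix release; a result of unknown means a manual check is needed.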
“So far in our honeypot, I got 44 attempts today from 16 different IPs,” Ullrich revealed. “Exploit attempts go back to July, just after the vulnerability was announced. Earlier versions use a slightly different test.”
Other vulnerabilities in other core Drupal modules were disclosed in mid-July, along with this one. It’s very likely that we’re seeing exploitation attempts right now precisely because security researchers released proof-of-concept exploit code for the RESTWS module vulnerability.
Attackers using other hacked sites to scan for more vulnerable hosts
Ullrich also took a look at the IP addresses these exploitation attempts came from. Quick searches revealed that these requests came from web servers hosting other Drupal sites.
The people behind these scans are hacking unpatched Drupal installations and then using those servers to break into other websites, without revealing their real IP addresses.
Ullrich also noted something strange. The compromised websites didn’t host any malware, rogue advertising, or pharma spam. At the moment, it appears that the crooks are slowly building their botnet, without giving away clues about their presence on infected websites.