drupalgeddon2

TorontoBoy

1:34 pm on Jul 1, 2018 (gmt 0)

UA: drupalgeddon2
Protocol: HTTP/1.1
Robots.txt: No
Host: OVH Hosting
158.69.0.0 - 158.69.255.255
CIDR: 158.69.0.0/16

Caught this guy scanning for a known Drupal vulnerability. Looking for the changelog and a bootstrap theme. I have my sites in subdirectories, but I ban most of OVH anyway.

CVE-2018-7600 | Drupal < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 - 'Drupalgeddon2' RCE (SA-CORE-2018-002) hacking code on: github.com/dreadlocked/Drupalgeddon2

158.69.133.* [22/Jun/2018:14:43:23 GET /CHANGELOG.txt HTTP/1.1
158.69.133.* [22/Jun/2018:14:43:24 GET /core/CHANGELOG.txt HTTP/1.1
158.69.133.* [22/Jun/2018:14:43:24 GET /includes/bootstrap.inc HTTP/1.1
158.69.133.* [22/Jun/2018:14:43:24 GET /core/includes/bootstrap.inc HTTP/1.1
158.69.133.* [22/Jun/2018:14:43:24 GET /includes/database.inc HTTP/1.1
158.69.133.* [23/Jun/2018:18:28:23 GET /CHANGELOG.txt HTTP/1.1
158.69.133.* [23/Jun/2018:18:28:23 GET /core/CHANGELOG.txt HTTP/1.1
158.69.133.* [23/Jun/2018:18:28:23 GET /includes/bootstrap.inc HTTP/1.1
158.69.133.* [23/Jun/2018:18:28:24 GET /core/includes/bootstrap.inc HTTP/1.1
158.69.133.* [23/Jun/2018:18:28:24 GET /includes/database.inc HTTP/1.1

[edited by: keyplyr at 7:06 pm (utc) on Jul 1, 2018]
[edit reason] Delinked URL [/edit]

lucy24

4:42 pm on Jul 1, 2018 (gmt 0)

<slight tangent>
If I had thought of it in time, I would have named my newly-created /includes/ directory something else--anything else!--because then any and all requests for /includes/blahblah could be met with an immediate 403 or manual 404 without having to check for {THE_REQUEST} first. Well, too late now.
</st>

You gotta admit it’s thoughtful of them to give the robot a name that says outright “we are looking for vulnerabilities in suchandsuch”.

TorontoBoy

12:15 pm on Sep 5, 2018 (gmt 0)

158.69.133.* continues every couple of days, even as I serve up 403s. It has been 2 months. They seem to try me twice, first with two CURLs, followed by Drupalgeddon2:

POST /ps.php HTTP/1.1
POST /ps.php HTTP/1.1

GET /CHANGELOG.txt HTTP/1.1
GET /core/CHANGELOG.txt HTTP/1.1
GET /includes/bootstrap.inc HTTP/1.1
GET /core/includes/bootstrap.inc HTTP/1.1
GET /includes/database.inc HTTP/1.1
GET /?q=user/password HTTP/1.1

Request Headers

2018-09-04:01:40:26
URL: /ps.php
IP: 158.69.133.*
Content-Length: 100
Content-Type: application/x-www-form-urlencoded
Accept: */*
Host: www.example.com
User-Agent: curl/7.47.0

2018-09-02:22:45:*
URL: /CHANGELOG.txt
IP: 158.69.133.**
Connection: close
Host: www.example.com
User-Agent: drupalgeddon2

Slightly different method, different IP range. I recognize these people from previous log history. They request similar URLs.
182.1.45.**
182.0.0.0 - 182.15.255.255
netname: TELKOMSEL-ID PT. Telekomunikasi Selular (Telkomsel) Indonesia
GET /example/includes/bootstrap.inc HTTP/1.1
GET /example/CHANGELOG.txt HTTP/1.1
GET /example/includes/database.inc HTTP/1.1
GET /example/core/CHANGELOG.txt HTTP/1.1
GET /example/core/includes/bootstrap.inc HTTP/1.1

Request Headers are a little different:
2018-09-02:08:07:02
URL: /example/includes/bootstrap.inc
IP: 182.1.45.**
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: example.com
User-Agent: drupalgeddon2


Obscured IP address per Forum Charter [webmasterworld.com]

[edited by: keyplyr at 8:27 pm (utc) on Sep 5, 2018]

keyplyr

10:00 pm on Sep 5, 2018 (gmt 0)

...continues every couple of days, even as I serve up 403s.
Which tells us this is not a bot that is crawling, it is a script that is most likely retrieving response headers & other server information. Then if any of these files are accessible, a second campaign will deliver the payload.
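Added example (my own code, not anything posted by TorontoBoy, lucy24 or keyplyr): a small detector that reads an Apache combined-format access log and flags the two phases described in this thread, the self-identifying `drupalgeddon2` User-Agent and the burst of Drupal fingerprint files (`CHANGELOG.txt`, `includes/bootstrap.inc`, `includes/database.inc` and their `/core/` variants) from one IP. The probe paths and the UA string are the ones quoted in the posts above; everything else is an assumption: the log format (Apache "combined"), the 120-second window, the threshold of three distinct probe files, and the sample log lines, which are constructed with TEST-NET addresses and are not from anyone's real server. The second constructed scanner is given a generic browser UA, a variation on the thread's Telkomsel example, so that the path-only signal is exercised on its own.

```python
"""Flag Drupalgeddon2 (CVE-2018-7600) reconnaissance in an Apache combined log.

Added example for this thread; the probe paths and User-Agent below are the
ones the posters reported, the thresholds and sample log are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Files the scanner in this thread requests to fingerprint a Drupal 7/8 install
DRUPAL_PROBE_PATHS = (
    "/CHANGELOG.txt",
    "/core/CHANGELOG.txt",
    "/includes/bootstrap.inc",
    "/core/includes/bootstrap.inc",
    "/includes/database.inc",
)
SCANNER_UA = "drupalgeddon2"   # literal User-Agent quoted in the thread
PROBE_THRESHOLD = 3            # assumed: distinct probe files from one IP ...
WINDOW_SECONDS = 120           # assumed: ... inside this many seconds

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]   # drop ?q=user/password etc.
    return rec


def probe_key(path):
    """Map a requested path to the Drupal file it fingerprints, or None.

    Suffix matching lets '/example/includes/bootstrap.inc' (a site installed
    in a subdirectory, as in the thread) count too; the longest suffix wins so
    '/core/CHANGELOG.txt' is not also counted as '/CHANGELOG.txt'.
    """
    hits = [p for p in DRUPAL_PROBE_PATHS if path == p or path.endswith(p)]
    return max(hits, key=len) if hits else None


def analyze(lines, window=WINDOW_SECONDS, threshold=PROBE_THRESHOLD):
    """Return {ip: {"reasons": set, "probes": set, "first": str}} for suspicious IPs.

    Two independent signals, because the curl phase in the thread carries no
    telltale UA and the scanner's UA string could change at any time:
      "ua"    - User-Agent contains the scanner's self-identifying string
      "recon" - at least `threshold` distinct probe files within `window` seconds
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        if any(SCANNER_UA in r["ua"].lower() for r in recs):
            reasons.add("ua")
        # (timestamp, fingerprint file) for the probe requests only
        probe_recs = [(r["ts"], probe_key(r["path"])) for r in recs if probe_key(r["path"])]
        start = 0
        for end in range(len(probe_recs)):          # sliding time window
            while (probe_recs[end][0] - probe_recs[start][0]).total_seconds() > window:
                start += 1
            if len({k for _, k in probe_recs[start:end + 1]}) >= threshold:
                reasons.add("recon")
        if reasons:
            findings[ip] = {"reasons": reasons,
                            "probes": {k for _, k in probe_recs},
                            "first": recs[0]["ts"].isoformat()}
    return findings


# Constructed sample log (TEST-NET addresses), modelled on the requests in the thread
SAMPLE_LOG = """\
203.0.113.10 - - [04/Sep/2018:01:40:26 +0000] "POST /ps.php HTTP/1.1" 404 209 "-" "curl/7.47.0"
203.0.113.10 - - [04/Sep/2018:01:40:27 +0000] "POST /ps.php HTTP/1.1" 404 209 "-" "curl/7.47.0"
203.0.113.10 - - [04/Sep/2018:01:40:31 +0000] "GET /CHANGELOG.txt HTTP/1.1" 403 199 "-" "drupalgeddon2"
203.0.113.10 - - [04/Sep/2018:01:40:31 +0000] "GET /core/CHANGELOG.txt HTTP/1.1" 403 199 "-" "drupalgeddon2"
203.0.113.10 - - [04/Sep/2018:01:40:32 +0000] "GET /includes/bootstrap.inc HTTP/1.1" 403 199 "-" "drupalgeddon2"
203.0.113.10 - - [04/Sep/2018:01:40:32 +0000] "GET /?q=user/password HTTP/1.1" 403 199 "-" "drupalgeddon2"
198.51.100.7 - - [02/Sep/2018:08:07:02 +0000] "GET /example/includes/bootstrap.inc HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2018:08:07:02 +0000] "GET /example/CHANGELOG.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2018:08:07:03 +0000] "GET /example/includes/database.inc HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Sep/2018:08:09:00 +0000] "GET /includes/bootstrap.inc HTTP/1.1" 404 199 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Sep/2018:08:09:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(ip, sorted(info["reasons"]), sorted(info["probes"]), info["first"])
```

The single stray `/includes/bootstrap.inc` request from 192.0.2.44 is not flagged, which is the point of requiring several distinct fingerprint files in a short window rather than acting on one 404; the output of `analyze()` is what you would feed into whatever ban list or firewall rule you already maintain for OVH-style ranges.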