[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002
Khalid Baheyeldin
kb at 2bits.com
Tue Apr 17 17:01:27 EDT 2018
Now we know where the issue was: the Mail field on the registration form.

The fix was released March 28th.

Then on April 12th, Check Point wrote this blog, with proof-of-concept
attack code:

https://research.checkpoint.com/uncovering-drupalgeddon-2

Automated attacks started that same day later in the evening, now that
the vulnerability was specific to a certain field.

If you patched before April 12th, then your site is safe.
On Fri, Apr 13, 2018 at 11:53 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> The exploits have started.
>
> Coin mining seems to be what the crackers aim for.
>
> PSA
> https://www.drupal.org/psa-2018-002
>
> Details
> https://pantheon.io/blog/drupal-sa-2018-002-weaponized-coin-mining-exploits-wild
>
> If you updated your sites within an hour or two of the original
> update, you don't need to do anything else.
>
> If you have not updated, check your CPU usage for coin mining exploits.
--
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- anonymous
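
For a site patched on or after April 12th, the timeline in the message above gives a window to review in the web server access log. The script below is an added example, not part of the original message or of Drupal: it lists POSTs to the registration form made between the proof-of-concept publication and the time the site was patched. It assumes combined log format and the standard Drupal path user/register; the log lines and the patch time are constructed, and hits are candidates for manual review, not proof of compromise.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip - - [time] "METHOD target HTTP/x" status size
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Proof of concept published April 12th, 2018 (date from the message above).
POC_PUBLISHED = datetime(2018, 4, 12, tzinfo=timezone.utc)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.4 - - [11/Apr/2018:09:15:02 -0400] "POST /user/register HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Apr/2018:21:40:11 -0400] "GET /user/register HTTP/1.1" 200 8411',
    '203.0.113.7 - - [13/Apr/2018:21:40:12 -0400] "POST /user/register?example_param=1 HTTP/1.1" 200 312',
    '192.0.2.55 - - [14/Apr/2018:03:02:45 -0400] "POST /?q=user/register HTTP/1.1" 200 5090',
    '198.51.100.9 - - [18/Apr/2018:10:00:00 -0400] "POST /user/register HTTP/1.1" 200 5101',
]


def suspect_requests(lines, patched_at):
    """POSTs to the registration form sent after the proof of concept was
    public and before the site was patched, for manual review."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Covers clean URLs (/user/register) and ?q=user/register.
        if "user/register" not in unquote(m["target"]):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not POC_PUBLISHED <= when < patched_at:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        params.pop("q", None)  # q= is only Drupal's non-clean-URL routing
        hits.append({"ip": m["ip"], "time": when, "status": int(m["status"]),
                     "extra_params": sorted(params)})
    return hits


if __name__ == "__main__":
    patched = datetime(2018, 4, 16, tzinfo=timezone.utc)  # constructed patch time
    for hit in suspect_requests(SAMPLE_LOG, patched):
        print(hit["time"].isoformat(), hit["ip"], hit["status"], hit["extra_params"])
```

Registration POSTs that carry extra query parameters, or that arrive in bursts from one address, are the ones to look at first.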