#Drupal7 sites under attack — Don't panic!
Two days ago, Drupal announced that version 7.32 was available. This version fixes a particularly nasty bug that allows SQL injection at any stage of interaction (that is, before any authentication has taken place).
As soon as I could, I prepared and uploaded Debian packages for this — So if you run a Debian-provided Drupal installation, update now. The updated versions are:
- sid / jessie (unstable / testing)
- wheezy (stable)
- squeeze-backports (oldstable)
And, as expected, I'm already seeing several attacks on my sites. One thing that will help you anyway: even though it won't close the vulnerability, if you use Suhosin, several of the attacks will be blocked before they reach Drupal. Yes, sadly Suhosin has not been in a stable Debian release since Wheezy, but still... :-|
Partial logs. This looks like shellcode being injected as a file created via the menu_router mechanism (shellcode snipped):

```
Oct 16 15:22:21 lafa suhosin: ALERT - configured request variable total name length limit exceeded - dropped variable 'name[0; INSERT INTO `menu_router` (`path`, `load_functions`, `to_arg_functions`, `description`, `access_callback`, `access_arguments`) VALUES ('deheky', '', '', 'deheky', );;# ]' (attacker '184.108.40.206', file '/usr/share/drupal7/index.php')
```
While the previous one is clearly targeting this particular bug, I'm not sure about this next one: it seems to be just checking whether injection is viable before revealing its real intentions:

```
Oct 17 10:26:04 lafa suhosin: ALERT - configured request variable name length limit exceeded - dropped variable (attacker '220.127.116.11', file '/usr/share/drupal7/index.php')
```
So... looking at my logs from the last two days, Suhosin has not let any such attack reach Drupal (or I have been h4x0red and the logs have all been cleaned — Cannot dismiss that possibility :-) )
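As an added example (not code from the original post), here is a small Python parser for Suhosin ALERT lines of the shape shown above: it pulls out the attacker IP, the PHP file and the dropped variable, and flags variables whose array-style name carries SQL, which is the shape this Drupal 7 injection takes. The log lines embedded below are constructed for the example, with documentation-range IPs rather than real attackers.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log (documentation-range IPs, not real attackers).
# Each Suhosin ALERT is one syslog line; the post showed them wrapped.
SAMPLE_LOG = """\
Oct 16 15:22:21 lafa suhosin: ALERT - configured request variable total name length limit exceeded - dropped variable 'name[0; INSERT INTO `menu_router` (`path`, `load_functions`) VALUES ('x', ''); # ]' (attacker '192.0.2.10', file '/usr/share/drupal7/index.php')
Oct 17 10:26:04 lafa suhosin: ALERT - configured request variable name length limit exceeded - dropped variable 'name[0 AND 1=1 ]' (attacker '192.0.2.11', file '/usr/share/drupal7/index.php')
Oct 17 10:30:00 lafa suhosin: ALERT - configured POST variable value length limit exceeded - dropped variable 'body' (attacker '198.51.100.5', file '/usr/share/drupal7/index.php')
Oct 17 10:31:00 lafa sshd[123]: Accepted publickey for gwolf from 198.51.100.9
"""

# One Suhosin ALERT line: timestamp, host, reason, dropped variable, attacker, file.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) suhosin: ALERT - "
    r"(?P<reason>.*?) - dropped variable '(?P<var>.*)' "
    r"\(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)'\)$"
)

# SQL fragments that have no business inside a request variable *name*:
# statements, the menu_router table from the post, comment terminators,
# and the classic "AND 1=1" viability probe.
SQL_MARKERS = re.compile(
    r"(INSERT\s+INTO|UPDATE\s+\w+\s+SET|UNION\s+SELECT|menu_router|;#|--|"
    r"\bAND\s+\d+\s*=\s*\d+)", re.I)

@dataclass
class Alert:
    ts: str
    ip: str
    file: str
    var: str
    reason: str
    suspicious: bool

def parse_suhosin_alerts(text: str) -> List[Alert]:
    """Parse Suhosin ALERT lines; other syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        var = m.group("var")
        # '[' means an array-style key was sent; combined with SQL inside the
        # key it is the signature of the Drupal 7 pre-auth injection attempts.
        suspicious = "[" in var and bool(SQL_MARKERS.search(var))
        alerts.append(Alert(m.group("ts"), m.group("ip"), m.group("file"),
                            var, m.group("reason"), suspicious))
    return alerts

def attacker_ips(alerts: List[Alert]) -> List[str]:
    """Distinct source IPs of alerts flagged as injection attempts."""
    return sorted({a.ip for a in alerts if a.suspicious})
```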
Anyway... We shall see many such attempts in the next weeks :-|
[update] Yes, I'm not the only one reporting this attack in the wild. Zion Security explains the same attempt I logged: It attempts to inject PHP code so it can be easily executed remotely (and game over for the admin!)
For the more curious, Tamer Zoubi explains the nature and exploitation of this bug.