Drupalgeddon V2 Update: Backdoors by utilizing Shellbot Malware

October 17, 2018
blog drupalgeddon image 3

The same vulnerability of Drupal has been recently discovered to be causing security issues again, but this time aided by Shellbot, or Perlbot.

The recent incidents and upcoming waves of attacks are targeting unpatched Drupal websites that are susceptible to Drupalgeddon 2.0. The threat actors are employing a special method which uses PowerBot malware, a bot controlled by IRC also known as Shellbot or PerlBot.


What are the risk and effects?

Successful backdoors can give attackers complete control over a hacked website.


How dangerous is the Drupal Vulnerability?

According to NIST Common Misuse Scoring System, the rate it got was 24/25 which is severe.


When was it known?

The vulnerability was discovered March of this year by the Drupal security team reporting under CVE-2018-7600.

Attackers look for the said vulnerability on websites, once found if the target has the bug, the perpetrators will scan the register and password in the installation phase while performing a brute force attack for a user password. Now that the perpetrator has decoded the authentication, next is to install the Shellbot backdoor.


What is Shellbot?

It is a backdoor script designed and used to exploit MySQL database driven website, including those with a content management system specifically Drupal. Those who know how to configure Shellbot can reconfigure it to prey on various remote code execution vulnerabilities. As time passed by Shellbot evolved into something that can be used to exploit web vulnerabilities.

DDos attacks, email phishing spam, and disabling any existing cryptominers in order to replace them with a malicious cryptominer are possible once an attacker seizes control of the command-and-control server by looking for SQL injection vulnerabilities.


Patching is ignored?

The lack of patching is still prevalent which explains why a lot of websites are still being exploited and affected by the Drupalgeddon 2.0, the incident with Equifax should have been an eye opener to all those who does not patch their Drupal to the latest version however that does not seem the case because a lot of Drupal sites are not yet patched.

About the author

Leave a Reply