Drupal Sites Fall Victims To Cryptojacking Campaigns (bleepingcomputer.com)
An anonymous reader shares a report: After the publication of two severe security flaws in the Drupal CMS, cybercrime groups have turned their sights on this web technology in the hopes of finding new ground to plant malware on servers and make money through illegal cryptocurrency mining. [...] Now, as time passes by, more malware campaigns targeting Drupal sites are getting off the ground -- and two of them have been spotted in the past week.
The most recent of these campaigns has been discovered by US security researcher Troy Mursch. The researcher discovered a group that gained access to Drupal sites and hid a version of the Coinhive in-browser cryptocurrency miner inside a file named "jquery [dot] once [dot] js?v=1.2," loaded on each of the compromised sites. Mursch initially tracked down the infected files to over 100,000 domains, then narrowed down the results to 80,000 domains, and finally confirmed the infection on at least 348 sites where the in-browsing mining operation was actually taking place.
You work for me now (Score:1)
This is why I only use WordPress on my important sites
Drupal needs one click updating for core. (Score:2)
Drupal needs one click updating for core.
(Optional) autoupdating would be even better. But at least one click is a minimum these days. The manual screwing around that you have to do to update Drupal is absurd.
(Not difficult, just absurd. It's because it isn't difficult that it's absurd that it isn't automated.)
Re: (Score:2)
And then you get updates like Confluence where you have to make backups of the conf files because it likes to blow them away.
Re: (Score:1)
I think it is immensely dangerous to have that feature. The last thing I want is for the executable and configs and everything to be writable to the process running them. That is just begging for escalation of attacks.
Re: (Score:2)
I think it is immensely dangerous to have that feature. The last thing I want is for the executable and configs and everything to be writable to the process running them. That is just begging for escalation of attacks.
You're totally correct, but they could have a simple script that you'd run, assuming you can do such things, that would do the job for you. Though, to be fair, it's not exactly complicated. Extract the archive and rsync it. Then you do have to run db updates, but that could be done by the update script easily enough.
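The concern raised in this exchange, code and configuration that the serving process can write to, can be checked mechanically. The following is an added example, not part of the thread: a shell audit that lists paths under a docroot the web server account could modify. The docroot, the account names and the single excluded upload directory are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed inputs: docroot path, the web
# server account's user and group (names or numeric IDs), and optionally one
# upload directory that is meant to stay writable.

# List files/directories the web server account could modify: owned by it
# with owner-write, in its group with group-write, or world-writable.
writable_by_web_user() {
    docroot=$1 web_user=$2 web_group=$3
    skip=${4:-$docroot/.no-upload-dir-given}   # placeholder that matches nothing
    find "$docroot" -path "$skip" -prune -o \
        \( -type f -o -type d \) \
        \( \( -user "$web_user" -perm -200 \) \
           -o \( -group "$web_group" -perm -020 \) \
           -o -perm -002 \) -print
}

# Exit status 0 when nothing outside the upload directory is writable,
# 1 otherwise, so the check can gate a deploy or run from cron.
audit_docroot() {
    hits=$(writable_by_web_user "$@")
    if [ -n "$hits" ]; then
        printf 'writable by web account:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Usage sketch (constructed values, adjust to the actual install):
#   audit_docroot /var/www/html www-data www-data /var/www/html/sites/default/files
```

A clean result means an update has to be applied by a separate, more privileged account (for example the extract-and-rsync step described above) rather than by the web process itself.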
That's harsh (Score:2)
On top of already being victims just by having Drupal.
Turnkey again! (Score:2)
And we're back here again, pointing out why Turnkey solutions for internet-connected servers are BAD NEWS!
Re: (Score:1)
Because it's much better to have bespoke security holes?
Actually yes because nobody is going to waste their time cracking the bespoke site for your small business. The returns are too low for their investment of time and they get exactly one infection out of the deal. The thing that makes turnkey content management systems attractive is precisely the large base of installed users who don't patch their installs regularly after the consultants who set it all up for them leave or have a falling out with the business owner. It's not unusual to have thousands or ev
Static sites FTW (Score:2)
If you don't leave some leaky, bug-ridden CMS on the front end of your web site, there is a lot less to exploit.
You can probably do it with some plugin or other with Drupal, just like you can with WordPress, Django or whatever. For most people though, you could do well with a static site generator.
If there's no exploitable hole in the base OS or web server, good luck having your way with HTML.