Security

Drupal Sites Fall Victims To Cryptojacking Campaigns (bleepingcomputer.com)

An anonymous reader shares a report: After the publication of two severe security flaws in the Drupal CMS, cybercrime groups have turned their sights on this web technology in the hopes of finding new ground to plant malware on servers and make money through illegal cryptocurrency mining. [...] Now, as time passes by, more malware campaigns targeting Drupal sites are getting off the ground -- and two of them have been spotted the past week.

The most recent of these campaigns has been discovered by US security researcher Troy Mursch. The researcher discovered a group that gained access to Drupal sites and hid a version of the Coinhive in-browser cryptocurrency miner inside a file named "jquery [dot] once [dot] js?v=1.2," loaded on each of the compromised sites. Mursch initially tracked down the infected files to over 100,000 domains, then narrowed down the results to 80,000 domains, and finally confirmed the infection on at least 348 sites where the in-browsing mining operation was actually taking place.

This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    This is why I only use Wordpress on my important sites

  • They get what they deserve.
  • Drupal needs one click updating for core.

    (Optional) autoupdating would be even better. But at least one click is a minimum these days. The manual screwing around that you have to do to update Drupal is absurd.

    (Not difficult, just absurd. It's because it isn't difficult that it's absurd that it isn't automated.)

    • by thaylin ( 555395 )

      And then you get updates like confluence where you have to make backups of the conf files because it likes to blow them away.

    • by Anonymous Coward

      I think it is immensely dangerous to have that feature. The last thing I want is for the executable and configs and everything to be writable to the process running them. That is just begging for escalation of attacks.

      • I think it is immensely dangerous to have that feature. The last thing I want is for the executable and configs and everything to be writable to the process running them. That is just begging for escalation of attacks.

        You're totally correct, but they could have a simple script that you'd run, assuming you can do such things, that would do the job for you. Though, to be fair, it's not exactly complicated. Extract the archive and rsync it. Then you do have to run db updates, but that could be done by the update script easily enough.

  • On top of already being victims just by having Drupal.

  • And we're back here again, pointing out why Turnkey solutions for internet-connected servers are BAD NEWS!

    • Because it's much better to have bespoke security holes?
      • by Anonymous Coward

        Because it's much better to have bespoke security holes?

        Actually yes because nobody is going to waste their time cracking the bespoke site for your small business. The returns are too low for their investment of time and they get exactly one infection out of the deal. The thing that makes turnkey content management systems attractive is precisely the large base of installed users who don't patch their installs regularly after the consultants who set it all up for them leave or have a falling out with the business owner. It's not unusual to have thousands or ev

  • If you don't leave some leaky, bug-ridden CMS on the front end of your web site, there is a lot less to exploit.
    You can probably do it with some plugin or other with Drupal, just like you can with WordPress, Django or whatever. For most people though, you could do well with a static site generator.

    If there's no exploitable hole in the base OS or web server, good luck having your way with HTML.
