Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Exploit Drupalgeddon2 to Install Backdoor

A threat actor was observed targeting Drupal vulnerabilities patched earlier this year to install a backdoor on compromised servers, IBM reports.

A threat actor was observed targeting Drupal vulnerabilities patched earlier this year to install a backdoor on compromised servers, IBM reports.

The hackers target CVE-2018-7600, or Drupalgeddon2, a critical vulnerability found to impact Drupal versions 6, 7 and 8, but which was addressed in March this year. Assigned a risk score of 21/25, the vulnerability could be exploited to gain full control over a site, including access to non-public data.

Within weeks after a patch was released and the vulnerability became public, the first attempts to exploit it were observed. Soon after, while cybercriminals were targeting vulnerable sites with backdoors and crypto-miners, Drupal patched another highly critical flaw related to Drupalgeddon2.

Now, IBM’s security researchers reveal that both vulnerabilities are being targeted in a series of attacks that appear to be part of a financially-motivated campaign aiming at mass-infecting vulnerable Drupal websites. Although both security bugs have been patched, delays in applying fixes make them persistent.

The researchers observed that the same HTTP POST request was being repeatedly sent from the same IP address, which then revealed similar traffic from multiple command-and-control (C&C) servers. Part of a widespread cyber-attack, the requests would download a Perl script to launch the Shellbot backdoor.

The Shellbot malware would connect to an Internet Relay Chat (IRC) channel and use it to receive instructions. The bot contains functionality to perform distributed denial-of-service (DDoS) attacks, as well as to scan for SQL injection weaknesses and other vulnerabilities, in an attempt to reach root level on the victimized system.

“The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could lead to a potential compromise of the web application with the possibility of spilling over to the underlying operating system as well,” IBM notes.

Around since 2005, Shellbot was designed to open remote command line shells, launch DDoS attacks, run tasks and processes, download additional files onto the infected system, and change the endpoint’s settings, among others.

Although old, Shellbot is being used by several threat groups, and the security researchers observed it last year in attacks targeting an Apache Struts vulnerability (CVE-2017-5638) as well, when it was packaged as the C&C with the PowerBot malware, which dropped crypto-mining modules.

“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.

Related: Drupal Patches New Flaw Related to Drupalgeddon2

Related: Drupal Sites Targeted With Backdoors, Miners in Drupalgeddon2 Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.