数据上传

编号：

ANVA-BL-OSINT-11010000001242

报送单位：

CNCERT

报送日期：

Tue May 22 00:00:00 CST 2018

标题：

黑客入侵带有Drupal漏洞的网站传播恶意代码-IOC

摘要：

Malwarebytes的研究人员发现黑客正在利用Drupal CMS中的已知漏洞，包括Drupalgeddon2（CVE-2018-7600）和Drupalgeddon3（CVE-2018-7602）传播挖矿代码和RAT，研究人员表示大约50%网站受Drupal 7.5.x版本影响，30%的网站受7.3.x版本影响。

标签：

漏洞; 恶意代码; 挖矿; RAT; IOC; IP; DOMAIN; HASH; OTHER

原文地址-1：

https://securityaffairs.co/wordpress/72745/cyber-crime/drupal-drupalgeddon-attacks.html

发布日期：

2018/05/21

发布者：

securityaffairs

HASH：

48427c995ba46a78b237c5f53e5fef90cd09b5f09e92
6508a11b897365897580ba68f93a5583cc3a15637212
d1ba2c966c5f54d0da15e2d881b474a5091a91f7c702

IP：

185.244.149.74
5.9.242.74
192.34.61.245
192.81.216.165
193.201.224.233
198.211.107.153
198.211.113.147
206.189.236.91
208.68.37.2

DOMAIN：

addressedina.tk
andtakinghis.tk
andweepover.tk
asheleaned.tk
baserwq.tk
blackivory.tk
blownagainst.tk
cutoplaswe.tk
dearfytr.tk
doanythingthat.tk
faithlessflorizel.tk
grey-plumaged.tk
haddoneso.tk
handkerchiefout.tk
himinspectral.tk
hispaintinghad.tk
ifheisdead.tk
itshandupon.tk
iwouldsay.tk
leadedpanes.tk
millpond.tk
mineofcourse.tk
momentin.tk
murdercould.tk
mysimplename.com
nearlythrew.tk
nothinglikeit.tk
oncecommitted.tk
portraithedid.tk
posingfor.tk
secretsoflife.tk
sendthemany.tk
sputteredbeside.tk
steppedforward.tk
sweeppast.tk
tellingmeyears.tk
terriblehope.tk
thatwonderful.tk
theattractions.tk
thereisnodisgrace.tk
togetawayt.tk
toseethem.tk
wickedwere.tk
withaforebodingu.tk

OTHER：

CmGKP05v2VJbvj33wzTIayOv6YGLkUYN
f0y6O5ddrXo1be4NGZubP1yHDaWqyflD
kAdhxvdilslXbzLAEjFQDAZotIVm5Jkf
MKr3Uf5CaT88pcqzAXltkBu4Us5gHWaj
NL9TTsyGeVU8FbKR9fUvwkwU4qPJ4Z2I
no2z8X4wsiouyTmA9xZ0TyUdegWBw2yK
oHaQn8uDJ16fNhcTU7y832cv49PqEvOS
PbNDLKIHLCM0hNXOIM7sRTsk66ZuAamf
RYeWLxbPVlfPNsZUh231aLXoYAdPguXY
XoWXAWvizTNnyia78qTIFfATRgcbJfGx
YaUkuGZ3pmuPVsBMDxSgY45DwuBafGA3
cnhv.co/1nt9z
coinhive.com/lib/coinhive.min.js
coinhive.com/lib/cryptonight.wasm
coinhive.com/lib/worker-asmjs.min.js?v7
ws0-9{3}.coinhive.com/proxy
cryptaloot.pro/lib/justdoit2.js
eth-pocket.com:8585
eth-pocket.de/perfekt/perfekt.js
jsecoin.com/platform/banner1.html?aff1564&utm_content=
greenindex.dynamic-dns.net/jqueryeasyui.js
cloudflane.com/lib/cryptonight.wasm
track.positiverefreshment.org/s_code.js?cid=220&v=24eca7c911f5e102e2ba
click.clickanalytics208.com/s_code.js?cid=240&v=73a55f6de3dee2a751c3

原文地址-2：

https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/

网络安全威胁信息共享平台