Website owners be careful


Apr 26, 2018
Hi there business owners

My website on Drupal was not updated for a few months. After I read about the cryptojacking, I'm happy my website is not among the affected ones.

So, I recommend everybody update their website or migrate to a non-open-source platform if your website is small and informative for your business...

You can read on Bleeping Computer:

Drupal Sites Fall Victims to Cryptojacking Campaigns

After the publication of two severe security flaws in the Drupal CMS, cybercrime groups have turned their sights on this web technology in the hopes of finding new ground to plant malware on servers and make money through illegal cryptocurrency mining.

Their efforts and expectations were fully rewarded, as the two vulnerabilities —CVE-2018-7600 and CVE-2018-7602— left over one million websites vulnerable to hacks if they didn't receive immediate updates.

Some webmasters updated their sites, but many didn't, and those websites quickly fell victims to backdoors and coinminers shortly after the publication of proof-of-concept attack code.

Now, as time passes by, more malware campaigns targeting Drupal sites are getting off the ground —and two of them have been spotted the past week.

350+ Drupal sites running an in-browser miner

The most recent of these campaigns has been discovered by US security researcher Troy Mursch.

The researcher discovered a group that gained access to Drupal sites and hid a version of the Coinhive in-browser cryptocurrency miner inside a file named "jquery.once.js?v=1.2," loaded on each of the compromised sites.

Mursch initially tracked down the infected files to over 100,000 domains, then narrowed down the results to 80,000 domains, and finally confirmed the infection on at least 350 sites where the in-browsing mining operation was actually taking place.

Among victims, there are many government and university portals, such as the National Labor Relations Board (US federal agency), the Turkish Revenue Administration, the University of Aleppo, and others, which Mursch has recorded in a Google Docs spreadsheet. But the biggest name on the list is surely Chinese hardware maker Lenovo, which Mursch added in an update following the initial publishing of his research.

"Kitty" malware campaign hits Drupal sites

But before Mursch's discovery, cyber-security firm Imperva also found another malware operation targeting Drupal sites, which they named the "Kitty" campaign because crooks hid an in-browser cryptocurrency miner inside a file named "me0w.js."

Crooks didn't use a version of the Coinhive in-browser miner for these attacks but instead used a similar product provided by legitimate Monero mining pool service

The Imperva team didn't share the number of sites affected by this campaign but said crooks didn't limit themselves to dropping an in-browser miner only.

They also installed a PHP-based backdoor on all compromised servers —for future access, even if the server owner updated his site— and a classic coinminer that utilized the underlying server's resources to mine Monero, instead of the users' browsers.

Imperva says the Monero address used in the Kitty campaign had also been spotted at the start of April in another series of hacks that targeted servers running vBulletin 4.2.x forums.

"The first generation of the 'Kitty malware' we discovered was version 1.5, and the latest version is 1.6," Imperva said in a report published last week. "This type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles."

The Drupal bugs disclosed in the past two months have received a lot of media attention, and for good reasons, as they allow an attacker easy access to vulnerable sites. While campaigns are still raging, it is important to remember that updating a hacked site is not enough. Site owners should also scan for backdoors and consider restoring from an older backup or reinstalling the site from scratch.

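Added example, not part of the original post or the quoted article: a minimal sweep of a web root for the two indicators the article names, the "me0w.js" file and a Coinhive miner hidden in a file such as "jquery.once.js". The function names and sample files are constructed for illustration, and the content markers assume the injected miner still carries Coinhive's public script name or API object in clear text; "jquery.once.js" is also the name of a legitimate jQuery plugin, so it is flagged on content, not on name.

```python
import os
import re
import tempfile

# File name reported in the article for the "Kitty" campaign.
BAD_NAMES = {"me0w.js"}
# Content markers: the Kitty file name, plus Coinhive's public script name and
# API object (assumption: the injected miner is not obfuscated).
MARKERS = re.compile(rb"me0w\.js|coinhive\.min\.js|CoinHive\.(Anonymous|User)\b", re.I)
TEXT_EXT = (".js", ".php", ".html", ".htm", ".inc", ".module")


def scan_docroot(root):
    """Return sorted (relative_path, reason) findings under a web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in BAD_NAMES:
                findings.append((rel, "file name reported for Kitty campaign"))
            if not name.lower().endswith(TEXT_EXT):
                continue
            try:
                with open(path, "rb") as fh:
                    hit = MARKERS.search(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hit:
                findings.append((rel, "contains " + hit.group(0).decode()))
    return sorted(findings)


def demo():
    """Scan a constructed docroot: one clean file and two tampered ones."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "misc"))
        samples = {  # constructed sample content, not taken from a real site
            "misc/jquery.once.js": b"// constructed\nnew CoinHive.Anonymous('PLACEHOLDER');",
            "misc/drupal.js": b"var Drupal = Drupal || {};",
            "index.php": b"<script src='/me0w.js'></script>",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_docroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

A clean result only means these two clear-text indicators are absent; the article's advice to also scan for backdoors and consider restoring from an older backup or reinstalling still applies.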
Almost all CMS platforms suck; you need to keep them updated for better security or keep them on auto-update.
That's correct.

WordPress, Joomla, Drupal, etc. are OK as CMSs, I think, but I believe the plugins / extensions of these CMSs have more chances of getting exploited. Well... yeah, the core of these CMSs is not excluded...