
Drupal exploit spreads Monero malware to site visitors - velmu
https://drupal.sh/drupal-me0ws-malware-drupalgeddon
======
IronWolve
I had a server get hit with this; luckily I have hourly snapshots. It was an old
CentOS 6 server, rebuilt it with 7, and put SELinux on it.

Big problem I have is, I have no server-based IDS. Snort rules detected this
Drupal flaw and would have blocked it. With the web server using SSL, Snort
and Suricata won't work as a host-based IDS.

If anyone knows of a freeware server iptables IDS for CentOS that uses Snort
rules, please share. The closest thing I could find was ETPLC.

[https://github.com/rmkml/etplc](https://github.com/rmkml/etplc)

Using these rules

[https://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules](https://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules)
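The approach the comment is after, Snort `content:` matching applied to the web server's own access log after TLS has been terminated, as an added example that is not ETPLC's code and uses a constructed rule rather than an Emerging Threats signature; the log lines are constructed too.

```python
import re

# Constructed rule in Snort 2.9 syntax, for illustration only: it is not an
# Emerging Threats signature and does not describe any particular exploit.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"CONSTRUCTED Drupal register request with encoded hash in query"; '
    'content:"/user/register"; nocase; content:"%23"; sid:9000001; rev:1;)',
]

# Constructed combined-format access log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Apr/2018:10:01:02 +0000] "GET /user/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Apr/2018:10:01:07 +0000] "POST /USER/register?mail=%23x HTTP/1.1" 200 412 "-" "curl/7.58"',
    '198.51.100.2 - - [28/Apr/2018:10:02:11 +0000] "GET /node/1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

# One rule option: key, optional ":value" (quoted or bare), terminated by ";".
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(rule):
    """Extract msg, sid and the ordered content:/nocase; options of one rule."""
    _header, _, body = rule.partition('(')
    parsed = {'msg': '', 'sid': None, 'contents': []}
    for key, value in OPTION_RE.findall(body.rstrip().rstrip(')')):
        value = value.strip().strip('"')
        if key == 'msg':
            parsed['msg'] = value
        elif key == 'sid':
            parsed['sid'] = int(value)
        elif key == 'content':
            parsed['contents'].append({'pattern': value, 'nocase': False})
        elif key == 'nocase' and parsed['contents']:
            parsed['contents'][-1]['nocase'] = True  # applies to preceding content
    return parsed

def rule_matches(rule, line):
    """True only when every content: pattern of the rule occurs in the line."""
    for c in rule['contents']:
        hay, needle = (line.lower(), c['pattern'].lower()) if c['nocase'] else (line, c['pattern'])
        if needle not in hay:
            return False
    return bool(rule['contents'])  # a rule without content: never matches

def scan_log(rules, lines):
    """Return (sid, msg, line) for every log line that triggers a rule."""
    parsed = [parse_rule(r) for r in rules]
    return [(p['sid'], p['msg'], line)
            for line in lines for p in parsed if rule_matches(p, line)]
```

An access log only records the request line and a few headers, so rules whose `content:` targets a POST body need a request audit log (for example ModSecurity's) as input instead.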

