Folks

I'd muchly appreciate it if someone could take a look at this. It's my Drupal 4.8 log revealing a number of edits made by an anonymous user, despite the access permissions being set so this should not be possible (the actual URL has been stripped in case there is still a security issue):

http://jondh.me.uk/things/dev/drupal-hack-log.jpg

The only tick in "access control" against "anonymous user" is "node module -> access content". Meanwhile the access logs for the defacement, for this IP, limited to just POSTs, is thus:

217.44.x.x - - [24/Jan/2007:23:16:52 +0000] "POST /?q=user/register HTTP/1.1" 302 5 "http://myserver/?q=user/register" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:02:43:08 +0000] "POST /?q=user&destination=user HTTP/1.1" 200 3836 "http://myserver/?q=user" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:02:43:50 +0000] "POST /?q=user&destination=user HTTP/1.1" 200 3836 "http://myserver/?q=user&destination=user" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:02:44:26 +0000] "POST /?q=user&destination=user HTTP/1.1" 302 5 "http://myserver/?q=user&destination=user" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:03:06:31 +0000] "POST /?q=node/add/story HTTP/1.1" 200 63643 "http://myserver/?q=node/add/story" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:03:08:07 +0000] "POST /?q=node/add/story HTTP/1.1" 200 63643 "http://myserver/?q=node/add/story" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:03:10:43 +0000] "POST /?q=node/add/story HTTP/1.1" 200 64333 "http://myserver/?q=node/add/story" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:03:12:59 +0000] "POST /?q=node/add/story HTTP/1.1" 302 5 "http://myserver/?q=node/add/story" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:08:14:20 +0000] "POST /?q=admin/node HTTP/1.1" 302 5 "http://myserver/?q=admin/node" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:08:16:09 +0000] "POST /?q=node/480/edit HTTP/1.1" 302 5 "http://myserver/?q=node/480/edit" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:09:51:23 +0000] "POST /?q=user/6/edit HTTP/1.1" 302 5 "http://myserver/?q=user/6/edit" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"

It looks like the miscreant registered for an account, even though only admin users are set to create new users. I suspect this could have been through an automated "hunt the Drupal installation" server? Anyone any ideas how they did this? Might there be an SQL injection that remains undiscovered?

Comments

mdixoncm’s picture

Could you just clarify the exact version of Drupal your running (there isn't a version 4.8)

Like books? Check out booktribes the new (Drupal based) community for book lovers
from Computerminds

laura s’s picture

There is no Drupal 4.8. Do you mean 4.6.8?

Laura
_____ ____ ___ __ _ _
design, snap, blog

_____ ____ ___ __ _ _
Laura Scott :: design » blog » tweet

halfer’s picture

Sorry, I was thinking "the one up from 4.7". I had a 4.7 install and applied the 4.7.5 patches when they came out (http://drupal.org/drupal-4.7.5). So I guess I am running 4.7.5 :-)

Thanks both.

halfer’s picture

By the way, I can make the GET requests available to if this will help figuring it out.

halfer’s picture

... in fact my prior version number according to the above link was 4.7.4. Am now running 4.7.5. Got there in the end!

halfer’s picture

In the meantime, I have prevented access to a number of points that might have injection weaknesses, using mod_rewrite:

  # Disable user/password, user/register, rss.xml for safety reasons!
  RewriteRule user/password - [L,F]
  RewriteRule user/register - [L,F]
  RewriteRule rss\.xml - [L,F]

  RewriteCond %{QUERY_STRING} rss.xml [OR]
  RewriteCond %{QUERY_STRING} user/password [OR]
  RewriteCond %{QUERY_STRING} user/register
  RewriteRule .* - [L,F]
halfer’s picture

Hi both - or anyone else - have you any suggestions?

TIA :)

halfer’s picture

Sorry to keep bouncing this thread up, but I think it is of interest to Drupal users other than myself. Thanks to anyone who can supply any guesses!

:)

halfer’s picture

- responses would be welcome and appreciated.

Thanks.