Folks
I'd muchly appreciate it if someone could take a look at this. It's my Drupal 4.8 log revealing a number of edits made by an anonymous user, despite the access permissions being set so this should not be possible (the actual URL has been stripped in case there is still a security issue):
http://jondh.me.uk/things/dev/drupal-hack-log.jpg
The only tick in "access control" against "anonymous user" is "node module -> access content". Meanwhile the access logs for the defacement, for this IP, limited to just POSTs, is thus:
217.44.x.x - - [24/Jan/2007:23:16:52 +0000] "POST /?q=user/register HTTP/1.1" 302 5 "http://myserver/?q=user/register" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:02:43:08 +0000] "POST /?q=user&destination=user HTTP/1.1" 200 3836 "http://myserver/?q=user" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:02:43:50 +0000] "POST /?q=user&destination=user HTTP/1.1" 200 3836 "http://myserver/?q=user&destination=user" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:02:44:26 +0000] "POST /?q=user&destination=user HTTP/1.1" 302 5 "http://myserver/?q=user&destination=user" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:03:06:31 +0000] "POST /?q=node/add/story HTTP/1.1" 200 63643 "http://myserver/?q=node/add/story" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:03:08:07 +0000] "POST /?q=node/add/story HTTP/1.1" 200 63643 "http://myserver/?q=node/add/story" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:03:10:43 +0000] "POST /?q=node/add/story HTTP/1.1" 200 64333 "http://myserver/?q=node/add/story" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:03:12:59 +0000] "POST /?q=node/add/story HTTP/1.1" 302 5 "http://myserver/?q=node/add/story" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:08:14:20 +0000] "POST /?q=admin/node HTTP/1.1" 302 5 "http://myserver/?q=admin/node" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:08:16:09 +0000] "POST /?q=node/480/edit HTTP/1.1" 302 5 "http://myserver/?q=node/480/edit" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"
217.44.x.x - - [25/Jan/2007:09:51:23 +0000] "POST /?q=user/6/edit HTTP/1.1" 302 5 "http://myserver/?q=user/6/edit" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0)"It looks like the miscreant registered for an account, even though only admin users are set to create new users. I suspect this could have been through an automated "hunt the Drupal installation" server? Anyone any ideas how they did this? Might there be an SQL injection that remains undiscovered?
Comments
Could you just clarify the
Could you just clarify the exact version of Drupal your running (there isn't a version 4.8)
Like books? Check out booktribes the new (Drupal based) community for book lovers
from Computerminds
Mike,
Computerminds offer Drupal development, consulting and training
What version are you running?
There is no Drupal 4.8. Do you mean 4.6.8?
Laura
_____ ____ ___ __ _ _
design, snap, blog
_____ ____ ___ __ _ _
Laura Scott :: design » blog » tweet
Aha, you're right!
Sorry, I was thinking "the one up from 4.7". I had a 4.7 install and applied the 4.7.5 patches when they came out (http://drupal.org/drupal-4.7.5). So I guess I am running 4.7.5 :-)
Thanks both.
By the way, I can make the
By the way, I can make the GET requests available to if this will help figuring it out.
Got that wrong too...
... in fact my prior version number according to the above link was 4.7.4. Am now running 4.7.5. Got there in the end!
Locking the installation down
In the meantime, I have prevented access to a number of points that might have injection weaknesses, using mod_rewrite:
Ping thread...
Hi both - or anyone else - have you any suggestions?
TIA :)
Thanks for any help
Sorry to keep bouncing this thread up, but I think it is of interest to Drupal users other than myself. Thanks to anyone who can supply any guesses!
:)
This is still important
- responses would be welcome and appreciated.
Thanks.