By tangent on
I have been noticing an increase in suspicious 404 entries in my Drupal logs. Today I have a bunch that seem to be looking for backdoors to reply to blog entries. The bot started at 5:35 and proceeded to check for nids 1 through 19 at irregular intervals between 13 and 20 minutes.
2005/01/05 - 6:48am 404 error: blog/node/5 not found. Anonymous
2005/01/05 - 6:48am 404 error: blog/comment/reply/5 not found. Anonymous
2005/01/05 - 6:33am 404 error: blog/node/4 not found. Anonymous
2005/01/05 - 6:33am 404 error: blog/comment/reply/4 not found. Anonymous
2005/01/05 - 6:09am 404 error: blog/node/3 not found. Anonymous
2005/01/05 - 6:09am 404 error: blog/comment/reply/3 not found. Anonymous
2005/01/05 - 5:52am 404 error: blog/node/2 not found. Anonymous
2005/01/05 - 5:52am 404 error: blog/comment/reply/2 not found. Anonymous
2005/01/05 - 5:35am 404 error: blog/node/1 not found. Anonymous
2005/01/05 - 5:35am 404 error: blog/comment/reply/1 not found. Anonymous
What is interesting is that these URLs (which look like Drupal URLs) are obviously bogus. Are these possibly URL styles of a previous or forked version of Drupal?
Comments
Bad crawlers
The URLs are caused by crawlers who ignore the <base> tag which is required for clean URLs to work. I wouldn't worry about it.
Nasty stuff
It looks like a comment-spam crawler to me. We've been getting hit pretty hard lately and it looks like it's specifically targeted at Drupal (since the queries probe the comment/reply URL). We ended up enabling anonymous comment moderation so none of them actually get posted, but still, someone has to go through the queue every day, ban the IP, and delete all of it. In the last month, we've gotten messages from almost 300 distinct IP addresses (averaging about 8-10 a day). Either they're faking the addresses or they have a lot of relays all over the world.
We're still on 4.4.1 and I don't know if the new comment spam module works on it or not. From what I've read about the module, it would snag the type of comments we're getting (mostly links to casinos, drugstores, etc.)
I'd keep an eye on that comment log if I were you. You may want to look into banning anonymous comments or at least moderating them.
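An added example, not part of the thread and not Drupal code: one way to pick this pattern out of the 404 log automatically, by parsing the entries quoted in the first post and flagging runs where the probed `comment/reply/<nid>` value climbs by one each time. The function names and the regular expressions are assumptions based only on the line format shown above.

```python
import re
from datetime import datetime

# Sample input: the 404 entries quoted in the first post (newest first).
SAMPLE = """\
2005/01/05 - 6:48am 404 error: blog/node/5 not found. Anonymous
2005/01/05 - 6:48am 404 error: blog/comment/reply/5 not found. Anonymous
2005/01/05 - 6:33am 404 error: blog/node/4 not found. Anonymous
2005/01/05 - 6:33am 404 error: blog/comment/reply/4 not found. Anonymous
2005/01/05 - 6:09am 404 error: blog/node/3 not found. Anonymous
2005/01/05 - 6:09am 404 error: blog/comment/reply/3 not found. Anonymous
2005/01/05 - 5:52am 404 error: blog/node/2 not found. Anonymous
2005/01/05 - 5:52am 404 error: blog/comment/reply/2 not found. Anonymous
2005/01/05 - 5:35am 404 error: blog/node/1 not found. Anonymous
2005/01/05 - 5:35am 404 error: blog/comment/reply/1 not found. Anonymous
"""

# Assumed line format: "<date> - <time> 404 error: <path> not found. <user>"
LINE = re.compile(r"^(\d{4}/\d\d/\d\d - \d{1,2}:\d\d[ap]m) 404 error: (\S+) not found\.")
REPLY = re.compile(r"(?:^|/)comment/reply/(\d+)$")

def reply_probes(text):
    """Return [(timestamp, nid)] for 404s on comment/reply/<nid>, oldest first."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        r = m and REPLY.search(m.group(2))
        if r:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d - %I:%M%p")
            hits.append((ts, int(r.group(1))))
    return sorted(hits)

def enumeration_runs(hits, min_len=3):
    """Return runs of at least min_len probes whose nid rises by exactly 1."""
    runs, cur = [], []
    for ts, nid in hits:
        if cur and nid != cur[-1][1] + 1:
            if len(cur) >= min_len:
                runs.append(cur)
            cur = []
        cur.append((ts, nid))
    if len(cur) >= min_len:
        runs.append(cur)
    return runs

def gaps_minutes(run):
    """Minutes between consecutive probes in one run."""
    return [int((b[0] - a[0]).total_seconds() // 60) for a, b in zip(run, run[1:])]
```

These log lines carry no source address, so the run is keyed on nid order alone; with an access log that records the client IP, the same check can be applied per address.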