I'm receiving a number of very suspicious requests on a Drupal 5.x site I administer. I've blocked the IP but thought I would inquire about the actual strings used to see if this is a potential security problem. I don't know enough about Drupal's inner workings to know if privilege escalation could be accomplished this way, etc.

warning page not found 01/02/2008 - 10:19 misc/);M.3l( Anonymous
warning page not found 01/02/2008 - 10:14 misc/).5N( Anonymous
warning page not found 01/02/2008 - 10:10 misc/.3B( Anonymous
warning page not found 01/02/2008 - 10:05 misc/)y.1b= Anonymous
warning page not found 01/02/2008 - 10:02 misc/,s.50);l(s.1F)M.3l( Anonymous
warning page not found 01/02/2008 - 10:00 misc/;y.43= Anonymous
warning page not found 01/02/2008 - 09:54 misc/;l(z.o.1p)y.1b= Anonymous
warning page not found 01/02/2008 - 09:34 sites/all/modules/google_analytics/).join( Anonymous
warning page not found 01/02/2008 - 09:30 misc/;y.1b=44;l(6.1a(z.U, Anonymous
warning page not found 01/02/2008 - 09:30 misc/);l(7.2G== Anonymous
warning page not found 01/02/2008 - 09:27 misc/)e.1i.1o.2W= Anonymous
warning page not found 01/02/2008 - 09:24 misc/.split( Anonymous
warning page not found 01/02/2008 - 09:24 misc/).3B( Anonymous
warning page not found 01/02/2008 - 09:23 misc/)7.1o.1b= Anonymous
warning page not found 01/02/2008 - 09:21 sites/all/modules/google_analytics/).split( Anonymous
warning page not found 01/02/2008 - 09:19 misc/;7.1o.1b= Anonymous
warning page not found 01/02/2008 - 08:58 outgoing Anonymous
warning page not found 01/02/2008 - 08:57 misc/window.iframeHandler(); Anonymous
warning page not found 01/02/2008 - 08:56 misc/);l(s.46)s.46(M);l(s.1k)6.F.1J( Anonymous
warning page not found 01/02/2008 - 08:55 misc/)7.2G= Anonymous
warning page not found 01/02/2008 - 08:55 misc/)E=6.T.1n Anonymous
warning page not found 01/02/2008 - 08:53 misc/)s.N =((s.N.1f( Anonymous
warning page not found 01/02/2008 - 08:52 Anonymous
warning page not found 01/02/2008 - 08:50 download Anonymous
warning page not found 01/02/2008 - 08:47 misc/;l(6.1a(7, Anonymous

Comments

ryanthered’s picture

Also reported this to the security team.

marco88’s picture

It looks quite dodgy, I blocked the IP too.

Note it was looking for Google Analytics and SpamSpam related stuff in the files directory.

Thanksfully my files directory is not accessible.

Kind regards,
Marc.

Sell your house quickly with http://www.Mega-Quick-Sale.co.uk

digitalfrontiersmedia’s picture

I'm encountering the same requests.

--
Web: http://digitalfrontiersmedia.com
Cell: 941.773.2036
Phone: 941.677.DFM1 ( 941.677.3361 )
Skype: DigitalFrontiersMedia
Twitter: DigitalFrontier
--

Passer’s picture

Any suggestions if there is a reaction on those kinda attacks necessary?

BradM’s picture

haven't checked my logs in a while, but here's some odd ones I found:

apps/apps.php
node/apps/apps.php
usr=../modules/fs/mod
_vti_bin/owssvr.dll
MSOffice/cltreq.asp
misc/8w/x-6b-6f-6i

Brad

BradM’s picture

another strange one:

bgchecklist/loadall/9999999

it looks as though it was submitted in a form... and the IP was 65.55.110.121 which looks to belong to Microsoft. Hmm.

eroglik’s picture

bgchecklist/loadall/* is the ajax path of the Brilliant Gallery module's managing galleries function. (/admin/settings/brilliant_gallery/manage)