I'm receiving a number of very suspicious requests on a Drupal 5.x site I administer. I've blocked the IP but thought I would inquire about the actual strings used to see if this is a potential security problem. I don't know enough about Drupal's inner workings to know if privilege escalation could be accomplished this way, etc.
warning page not found 01/02/2008 - 10:19 misc/);M.3l( Anonymous
warning page not found 01/02/2008 - 10:14 misc/).5N( Anonymous
warning page not found 01/02/2008 - 10:10 misc/.3B( Anonymous
warning page not found 01/02/2008 - 10:05 misc/)y.1b= Anonymous
warning page not found 01/02/2008 - 10:02 misc/,s.50);l(s.1F)M.3l( Anonymous
warning page not found 01/02/2008 - 10:00 misc/;y.43= Anonymous
warning page not found 01/02/2008 - 09:54 misc/;l(z.o.1p)y.1b= Anonymous
warning page not found 01/02/2008 - 09:34 sites/all/modules/google_analytics/).join( Anonymous
warning page not found 01/02/2008 - 09:30 misc/;y.1b=44;l(6.1a(z.U, Anonymous
warning page not found 01/02/2008 - 09:30 misc/);l(7.2G== Anonymous
warning page not found 01/02/2008 - 09:27 misc/)e.1i.1o.2W= Anonymous
warning page not found 01/02/2008 - 09:24 misc/.split( Anonymous
warning page not found 01/02/2008 - 09:24 misc/).3B( Anonymous
warning page not found 01/02/2008 - 09:23 misc/)7.1o.1b= Anonymous
warning page not found 01/02/2008 - 09:21 sites/all/modules/google_analytics/).split( Anonymous
warning page not found 01/02/2008 - 09:19 misc/;7.1o.1b= Anonymous
warning page not found 01/02/2008 - 08:58 outgoing Anonymous
warning page not found 01/02/2008 - 08:57 misc/window.iframeHandler(); Anonymous
warning page not found 01/02/2008 - 08:56 misc/);l(s.46)s.46(M);l(s.1k)6.F.1J( Anonymous
warning page not found 01/02/2008 - 08:55 misc/)7.2G= Anonymous
warning page not found 01/02/2008 - 08:55 misc/)E=6.T.1n Anonymous
warning page not found 01/02/2008 - 08:53 misc/)s.N =((s.N.1f( Anonymous
warning page not found 01/02/2008 - 08:52 Anonymous
warning page not found 01/02/2008 - 08:50 download Anonymous
warning page not found 01/02/2008 - 08:47 misc/;l(6.1a(7, Anonymous
Comments
Also reported this to the
Also reported this to the security team.
Just found the same stuff in my logs
It looks quite dodgy, I blocked the IP too.
Note it was looking for Google Analytics and SpamSpam related stuff in the files directory.
Thanksfully my files directory is not accessible.
Kind regards,
Marc.
Sell your house quickly with http://www.Mega-Quick-Sale.co.uk
I'm encountering the same
I'm encountering the same requests.
--
Web: http://digitalfrontiersmedia.com
Cell: 941.773.2036
Phone: 941.677.DFM1 ( 941.677.3361 )
Skype: DigitalFrontiersMedia
Twitter: DigitalFrontier
--
Any suggestions if there is a
Any suggestions if there is a reaction on those kinda attacks necessary?
more?
haven't checked my logs in a while, but here's some odd ones I found:
Brad
another strange one:
another strange one:
bgchecklist/loadall/9999999
it looks as though it was submitted in a form... and the IP was 65.55.110.121 which looks to belong to Microsoft. Hmm.
bgchecklist/loadall
bgchecklist/loadall/* is the ajax path of the Brilliant Gallery module's managing galleries function. (/admin/settings/brilliant_gallery/manage)