Folks,
I have a domain I use for learning. It runs 5.x. Well, I recently noticed 2 mystery users on my site.
1) Deleted user: thhg_swpd212
2) Deleted user: tyhn_nwd259
No one has been given access to my site. The offending IP address returns these results:
whois 193.47.166.30
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
The domain is owned by a mystery: Tonny Lee
I googled the email addresses and got weird anonymous profile entries on the web in all types of languages.
I believe one of my modules or Drupal itself is being hacked into.
Has anyone else been victim to this?
Here is a list of my modules:
in the /modules folder there is:
aggregator
block
blog
blogapi
book
color
comment
contact
drupal
filter
forum
help
legacy
locale
menu
node
path
ping
poll
profile
search
statistics
system
taxonomy
throttle
tracker
upload
user
watchdog
...phew
Thanks for any input you can offer.
DE
Comments
Maybe another useful note
here is a request they are issuing:
193.47.166.30 - - [29/Mar/2008:05:15:04 -0500] "GET /user/reset/3/1206725040/d808bfda32b7a6625895270274a2ca8b
I'm taking down the site. I notified my host to help look into it, and I'm going to do a reinstall.
What type of GET request are they trying to do here?
What could I do to 'lock down' Drupal against this?
DE
A couple of thoughts. First
A couple of thoughts. First, typically Drupal sites allow self-registration; hiding the link is not enough, you need to change the user settings. As for the URL, that looks like a password reset; it looks like someone's login is failing and they are trying to reset their password. And instead of deleting users it is generally better to block their account (it keeps them from trying to register again with the same email address).
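A small access-log check, added here as an example (not code from this thread or from Drupal): it picks out Drupal `/user/reset/<uid>/<timestamp>/<hash>` requests from Apache log lines, records how old each one-time link is relative to the request time, and flags client IPs that fetch more reset links than a threshold. The log lines and the threshold are constructed samples; only the first line mirrors the request quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common-log prefix: client IP, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
# Drupal one-time login URL: /user/reset/<uid>/<timestamp>/<md5 hash>
RESET_RE = re.compile(r'^/user/reset/(?P<uid>\d+)/(?P<stamp>\d+)/(?P<hash>[0-9a-f]{32})$')

# Constructed sample log; the first line mirrors the request quoted in the thread.
SAMPLE_LOG = [
    '193.47.166.30 - - [29/Mar/2008:05:15:04 -0500] "GET /user/reset/3/1206725040/d808bfda32b7a6625895270274a2ca8b HTTP/1.1" 200 1234',
    '193.47.166.30 - - [29/Mar/2008:05:15:09 -0500] "GET /user/reset/4/1206725041/00000000000000000000000000000000 HTTP/1.1" 200 1234',
    '193.47.166.30 - - [29/Mar/2008:05:15:12 -0500] "GET /user/reset/5/1206725042/11111111111111111111111111111111 HTTP/1.1" 200 1234',
    '10.0.0.8 - - [29/Mar/2008:05:20:00 -0500] "GET /node/1 HTTP/1.1" 200 512',
    '10.0.0.8 - - [29/Mar/2008:05:21:00 -0500] "GET /user/reset/2/1206785000/22222222222222222222222222222222 HTTP/1.1" 200 512',
]

def parse_line(line):
    """Return (client ip, request datetime, request path), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), when, m.group('path')

def reset_requests(lines):
    """Yield one dict per /user/reset/ request: requesting IP, target uid, link age in seconds."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, path = parsed
        r = RESET_RE.match(path)
        if r is None:
            continue
        # Age of the link = request time minus the timestamp embedded in the URL.
        link_age = int(when.timestamp()) - int(r.group('stamp'))
        yield {'ip': ip, 'uid': int(r.group('uid')), 'link_age_s': link_age}

def suspicious_ips(lines, max_per_ip=2):
    """Map IP -> number of reset-link requests, keeping only IPs above the threshold (constructed)."""
    counts = defaultdict(int)
    for req in reset_requests(lines):
        counts[req['ip']] += 1
    return {ip: n for ip, n in counts.items() if n > max_per_ip}

if __name__ == '__main__':
    for req in reset_requests(SAMPLE_LOG):
        print(req)
    print(suspicious_ips(SAMPLE_LOG))
```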
user setting change?
Hey Nevets,
'you need to change the user settings.' -- can you direct me to somewhere to learn about what changes would be appropriate for my situation?
Thanks for the input.
DE
open by default
Out of the box,
"Visitors can create accounts and no administrator approval is required."
:-(
I don't like this either, so it's the first thing I turn off on a dev site at:
/?q=admin/user/settings
Note that this is ONLY 'registration' - they can't (shouldn't) have access to do anything but maintain their own profile, but still this is an avenue that should be closed by default, not open IMO.
Turn off self-registration and delete the users.
.dan.
How to troubleshoot Drupal | http://www.coders.co.nz/
.dan. is the New Zealand Drupal Developer working on Government Web Standards
IP blocking
I've just blocked the IP address 193.47.166.30, all emails with %@sevlg% and enabled the approval.
--
Billy | Computer Systems | CityTech@CUNY | Student Block.
subscribing.
I got this one too
same but no harm, only annoyance
I have this same issue on a couple of sites that I have. It is an annoying problem, but they cannot ever get past registering because of the phony email addresses; I always get failure notices from my mail server.
I have a couple dozen IPs and emails that are denied.
Brad