Greeting Drupals,

My web site runs on Drupal and lately I'm seeing lot of access denied logs. First I thought that these logs came from my users but when examine IP addresses I concluded that these logs are not coming from my users. IP addresses registered on Drupal are from MS Cooperation, China Telecom, Inktomi Corporation etc, and since my website is on my local language It can’t be that users are trying to connect from this part of the world specially China. Furthermore I don’t think someone from M$ or other mentioned cooperation would like to see my users profile. (see logs below)

Firstly it looks to me like some kind of exploit and I’m writing here to see if any of you is aware of any exploit circulating?
Another strange thing is that it seems that IP’s are spoofed. Since HTTP is used does it make any sense to do so?

Site runs on Drupal 4.6.1

Here are some logs registered on my Drupal. I’ve selected only type of log and location requested. ( I didn’t post IP addresses but if someone sees same logs and wants to compare IP addresses I’ll post them ). TOP 20

LOG

access denied /?q=profile/gender/male
access denied /?q=user/616
access denied /profile/
access denied /?q=user/591
access denied /?q=user/7
access denied /?q=user/670
access denied /?q=user/3
access denied /?q=user/5
access denied /?q=user/1807
access denied /?q=user/5
access denied /?q=user/1807
access denied /?q=user/638
access denied /?q=user/7
access denied /?q=user/530
access denied /?q=user/179
access denied /?q=user/2
access denied /?q=user/39
access denied /?q=user/621
access denied /?q=user/2
access denied /?q=user/39

ENDLOG

Best regards,
lamer1

Comments

pamphile’s picture

I don't know if this is much help... but

To me it only looks like they are trying to access a hidden page.

Are they using any $_POST or $_GET data ?

http://scriptmigration.com
http://01debug.com

pgtremb’s picture

I see in the log file a similar access denied error from 65.54.188.14.

Can someone tell me why sometime we see in the url this: ?q=user/register&PHPSESSID=1ed9a3ba67594fcd7689eb0ab8c84f1d because all the acces denied comme from this URL.

Is this safe?

killes@www.drop.org’s picture

$host 65.54.188.14
$14.188.54.65.in-addr.arpa domain name pointer msnbot.msn.com.

IOW: your visitor is Microsoft's MSN-Bot.

--
Drupal services
My Drupal services

Emiliano’s picture

Hi!

My site has receveid thousands of very weird request lately, but I don't know if it's someone trying to mess it up or something related to throttle x clean urls x cache x css includes, etc...

The fact is that my watchdog has 80 pages of entries like this:

404 error: taxonomy/term/taxonomy/term/66 not found
404 error: taxonomy/term/node/1340 not found

I set up a 404 custom page and it got 3.000 hits in 2 days...

I noticed most of the errors were logged after throttle reached level 4 or 5, then I tend to believe some modules were disabled and some pages "disappeared", but I still think those urls in the watchdog are too weird.

It's a mistery like yours, lamer1...

killes@www.drop.org’s picture

In your case it is a bot that does not understand our base href tag. Ban it, it is stupid.
--
Drupal services
My Drupal services

Emiliano’s picture

killes,
Thanks a lot for your reply!

I was uneasy with so many 404 errors...

Just wanted to register my thanks!

Emiliano
http://www.novayork.com

killes@www.drop.org’s picture

Those log entries are from some bot that visits your pages to index them. For Drupal versions before 4.6 those user pages where always visible and the bot got links to them from some page on your site. Now, the bot come back and looks for changes on those pages. As of Drupal 4.6.0 those pages are no longer accessible by default. The bot gets errors now and those are logged.

You can either ignore the log entries and wait untill the bot noticed that it cannot access those urls anymore or just enable the "access user profiles" permission for anonymous users.

--
Drupal services
My Drupal services

tille’s picture

hello hello,

i seem to have a similar bot.. "Anonymous 66.249.72.67" (google?!) ..although it seems to be following me..?! For example: if i have a look at my user page, about the same time 66.249.72.67 goes to that user page. If I edit my user page -> 66.249.72.67 gets an access denied..

..anybody any suggestions..?

..greetz! t..

___________________________

killes@www.drop.org’s picture

Emiliano’s picture

Hi!

If you have adsense on your site, when you access pages which anonymous users cannot, google adsense won't be able to access/scan them either.

Maybe the adsense module takes care of this, I really don't know. But if you put the adsense code straight in the template, you'll get lots of 'access denied' entries in watchdog. (Sure you can write some code to solve this).

You can also use blocks to publish the ads and configure them accordingly.

Regards,
Emiliano.
http://www.novayork.com