Drupal Spam patterns
Hi,
(Apologies, originally posted in wrong forum)
I manage a relatively busy Drupal site. Lately, I've been seeing a lot of spam activity (for a start I had to totally disable trackback module).
Recently though, the spam has been looking quite odd, or structured. It usually manifests itself as a comment in the approval queue, looking something like:
2mild6 buesgzhyokxr, [url=http://jyvswlkywxmg.com/]jyvswlkywxmg[/url], [link=http://laxacmuxcxjz.com/]laxacmuxcxjz[/link], http://ljdtdhziiova.com/
The structure is always 5 characters, followed by 12 characters, and then some gibberish url, and link as shown above. The URLs are always gibberish, so I'm not sure what the goal is, perhaps a new spam system being tested.
Spam in the approval queue is fine, so long as it doesn't make it to the site, and it normally doesn't. However, over the weekend, a forum topic in our forum was overwritten with spam similar to that included above. This is a very worrying thought. I can't figure out which user changed the node, and maybe the user had been using a simple password, but it is extremely worrying to see this happening.
I would love to hear if anyone else has experienced this, and what can be done, if anything.
Thanks
Subd

To inhibit spam generally,
To inhibit spam generally, www.mollom.com (possibly your site will be too busy for the free service).
If you think content has been trashed maliciously, then there are various things to think about:
- are Drupal core plus all contrib modules updated to the latest version?
- are the site permissions correctly set up?
- is the server LAMP stack properly patched + configured for security?
- and, as you say, could a rogue user/bot have got in by guessing a password
If there's a major hole then probably you'd expect more significant damage than you've seen, so the last option is perhaps most likely. By checking your permissions you should be able to see which users would have permission to make such a change. If access was indeed gained through the "front" of Drupal then you should be able to find evidence - e.g. admin/logs/watchdog should show when the forum node was updated and by which user, the {node} table in the DB lists the "owner" of each node (the original creator unless it's been changed by an admin) while the {node_revisions} table shows who created the latest revision. Both have timestamp info. If statistics.module is enabled you can look at activity on the site around the time of the change. You should also look in your webserver logs for the same, and e.g. you could filter that log for all attempts to access the node in question (both as node/x, node/x/edit [or node/x/*], plus via any URL alias).
It's also possible that a user's computer is/was compromised, or possibly they forgot to log out when using a public terminal.
Should be an interesting little investigative job!
gpk
----
www.alexoria.co.uk
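One way to do the webserver-log filtering gpk describes (every hit on node/x, node/x/edit, node/x/* and the node's URL alias, restricted to a window around the {node_revisions} timestamp), as an added example that is not from this thread or from Drupal; the node id, alias, timestamp and log lines are constructed.

```python
"""Pull every request that touched one Drupal node (node/N, node/N/edit,
node/N/*, ?q=node/N and its URL alias) out of a combined-format access log,
limited to a window around the {node_revisions} timestamp of the bad edit.
Added example for this thread, not code from the posts or from Drupal; the
node id, alias, timestamp and log lines below are constructed."""
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def node_path_re(nid, alias=None):
    """Match /node/N, /node/N/edit, /node/N/<anything>, /?q=node/N and /<alias>, but not /node/N1."""
    alts = [rf"node/{nid}(?:/\S*)?"]
    if alias:
        alts.append(re.escape(alias.strip("/")) + r"(?:/\S*)?")
    alt = "|".join(alts)
    return re.compile(rf"^/(?:\?q=)?(?:{alt})(?:[?#].*)?$")

def suspicious_requests(lines, nid, changed_at, alias=None, window=timedelta(hours=2)):
    """Parsed requests to the node within +/- window of changed_at, oldest first."""
    path_re = node_path_re(nid, alias)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it, do not abort the review
        when = datetime.strptime(m["time"], TIME_FMT)
        if abs(when - changed_at) <= window and path_re.match(m["path"]):
            hits.append({"ip": m["ip"], "time": when, "method": m["method"],
                         "path": m["path"], "status": int(m["status"]), "ua": m["ua"]})
    return sorted(hits, key=lambda h: h["time"])

# Constructed sample: node 42 is aliased forum/drupal-tips; the overwriting
# revision carries timestamp 2008-03-15 02:14:07 UTC in {node_revisions}.
CHANGED_AT = datetime(2008, 3, 15, 2, 14, 7, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.9 - - [15/Mar/2008:02:13:51 +0000] "GET /node/42/edit HTTP/1.1" 200 8123 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [15/Mar/2008:02:14:06 +0000] "POST /node/42/edit HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [15/Mar/2008:02:15:30 +0000] "GET /forum/drupal-tips HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Mar/2008:02:15:31 +0000] "GET /node/421 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [14/Mar/2008:11:02:00 +0000] "GET /?q=node/42 HTTP/1.0" 200 7700 "-" "curl/7.18"',
    'not a log line',
]

if __name__ == "__main__":
    for h in suspicious_requests(SAMPLE_LOG, 42, CHANGED_AT, alias="forum/drupal-tips"):
        # A POST to node/N/edit just before the revision timestamp is the edit itself.
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"], h["status"], h["ua"])
```

Point it at the real access log (one line per list entry) and at the revision timestamp from {node_revisions}; the POST to node/N/edit immediately before that timestamp gives you the IP and user agent that saved the spam revision.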
spam bot
Here are a couple of related posts from Google groups:
http://groups.google.com/group/news.admin.net-abuse.blocklisting/browse_...
http://groups.google.co.uk/group/uk.net.web.authoring/browse_thread/thre...
They seem to describe the same spam bot that's visiting your site.
JM