I have seen similar behavior on two drupal sites on different shared hosts. Both running Drupal 6.14.
It appears that after an authorized user creates or edits content on the site, the site is visited by an anonymous user who attempts to edit the same content. In all cases the authorized user had TrendMicro Internet Security running on his computer. The anonymous user comes from a domain registered to TrendMicro or to an entity in Japan. Both the TrendMicro and Japanese domains appear to operate in unison, or one follows the other. The anonymous user is denied access, so Drupal appears to be protecting the site's content.
For example, an authorized user edits the content at www.mysite.com/node/374 by going to www.mysite.com/node/374/edit. A few minutes later an anonymous user at a TrendMicro domain goes to www.mysite.com/node/374/edit and receives an Access Denied. I see this traffic in the site's access log.
I first noticed this several weeks ago when, in a span of 20 minutes, the site got repeated calls from these domains to list user information at www. ... /user/32 and then to edit the same user at www. ... /user/32/edit. There were numerous calls from the TrendMicro domains and the Japanese domains for a series of users. This sequence of events occurred some time after the authorized user edited those users and, I believe, she was no longer online.
It was not until a few days ago, on a different site, that I saw this pattern occur within a minute after an authorized user edited content.
I have reported this behavior to TrendMicro and asked for an explanation. But all I have gotten is techs telling me the company's products don't do those kinds of things. One posited that TrendMicro was probing these sites looking for malware that might infect the user's computer.
As noted above, the calls from these domains never got past Drupal's security. But it is very worrisome, and TrendMicro apparently has no explanation for why these apparent attacks are coming from its domains or what purpose they serve. I'm hoping someone has seen this and can explain what is going on and why.
Thanks
Comments
Got a web site with the exact same issue. I just got 321 Access Denied errors in my logs in a span of 90 minutes. Most going to URLs that have never been opened to the public. All IP addresses point back to Trend Micro in the US or Japan. Anyone have a guess what this is all about?
All 321 attempts came from these IPs:
150.70.84.155
150.70.84.28
216.104.15.130
216.104.15.134
216.104.15.138
216.104.15.142
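The pattern both posters describe (an authenticated edit of /node/N/edit or /user/N/edit, followed minutes later by a 403 on the same path from one of the listed addresses) can be pulled out of the web server's access log mechanically. The script below is an added example written for this page, not code from the original post, from drupal.org or from Trend Micro. It assumes the log is in Apache/nginx "combined" format, uses the six IPs from the comment above as a watchlist, treats a 10-minute window as "follow-up", and runs over a handful of constructed sample lines (the 192.0.2.x / 198.51.100.x addresses are documentation ranges standing in for real clients).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Addresses reported in the comment above, used here as a watchlist.
WATCHLIST = {
    "150.70.84.155", "150.70.84.28",
    "216.104.15.130", "216.104.15.134", "216.104.15.138", "216.104.15.142",
}

# Apache/nginx "combined" log format; only the fields the correlation needs
# are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Drupal 6 edit forms live under /node/N/edit and /user/N/edit.
EDIT_PATH_RE = re.compile(r"^/(node|user)/\d+/edit$")

# Constructed sample log lines (not real traffic): an editor at 192.0.2.10
# opens and submits the node/374 edit form, two watchlist hosts then request
# the same form and are denied, an unrelated client is denied on the same
# path, a watchlist host reads the node without /edit, and a watchlist host
# probes /user/32/edit with no recent edit to correlate against.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Sep/2009:10:01:12 -0500] "GET /node/374/edit HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Sep/2009:10:03:40 -0500] "POST /node/374/edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '150.70.84.155 - - [12/Sep/2009:10:06:02 -0500] "GET /node/374/edit HTTP/1.1" 403 1290 "-" "-"',
    '216.104.15.130 - - [12/Sep/2009:10:06:05 -0500] "GET /node/374/edit HTTP/1.1" 403 1290 "-" "-"',
    '198.51.100.7 - - [12/Sep/2009:10:20:00 -0500] "GET /node/374/edit HTTP/1.1" 403 1290 "-" "Mozilla/5.0"',
    '216.104.15.134 - - [12/Sep/2009:10:21:00 -0500] "GET /node/374 HTTP/1.1" 200 6100 "-" "-"',
    'this line is not in combined format and is skipped',
    '150.70.84.28 - - [12/Sep/2009:11:40:00 -0500] "GET /user/32/edit HTTP/1.1" 403 1290 "-" "-"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def correlate(lines, watchlist=WATCHLIST, window=timedelta(minutes=10)):
    """Find 403s on edit paths from watchlist IPs and pair each one with the
    most recent successful (200/302) request to the same edit path by a
    non-watchlist client, if that request falls inside the window.

    Returns {"matched": [(prior_edit, denied_followup), ...],
             "denied": Counter of 403s per watchlist IP on edit paths}.
    """
    entries = [e for e in (parse_line(line) for line in lines) if e]
    entries.sort(key=lambda e: e["ts"])
    last_edit = {}          # edit path -> most recent successful non-watchlist request
    matched = []
    denied = Counter()
    for e in entries:
        if not EDIT_PATH_RE.match(e["path"]):
            continue
        if e["ip"] in watchlist:
            if e["status"] == 403:
                denied[e["ip"]] += 1
                prior = last_edit.get(e["path"])
                if prior is not None and e["ts"] - prior["ts"] <= window:
                    matched.append((prior, e))
        elif e["status"] in (200, 302):
            last_edit[e["path"]] = e
    return {"matched": matched, "denied": denied}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for prior, follow in result["matched"]:
        gap = follow["ts"] - prior["ts"]
        print(f"{follow['ip']} hit {follow['path']} {gap} after "
              f"{prior['ip']} {prior['method']} -> {follow['status']}")
    print("denied edit-path requests per watchlist IP:", dict(result["denied"]))
```

On the sample data the two watchlist requests to /node/374/edit are paired with the editor's POST a little over two minutes earlier, the 403 from 198.51.100.7 is ignored because that address is not on the watchlist, and the /user/32/edit probe is counted as denied but has nothing to pair with. Running this over a real log would let you confirm (or refute) the "follows an edit within minutes" claim with timestamps rather than by eye; lowering `window` to a minute or two reproduces the tighter pattern the original poster saw on the second site.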
Solved here: http://drupal.org/node/554982#comment-4636500