I've noticed some strange behaviour on my Drupal site. I like to understand the data I'm looking at before I take action so that I don't waste time pursuing the wrong measures, but I lack the security knowledge to interpret it.
A single account has made many odd repeat requests, including attempting to reach the edit profile page, logging in (successfully - someone noticed the account had 250 active sessions a few days ago), and a huge number of password requests. The account does not have admin rights, and anyone can register for an account.
EDIT: Drupal version is 6.17.
My best guesses at what is going on are as follows:
(1) Joe Evil-doer is using multiple reset password requests as a DoS attack (it's working :< )
(2) Joe Evil-doer is trying to somehow build up a dictionary of possible passwords from his repeated requests (I don't see a way that this would work).
(3) I am a victim of a bunch of transactions failing and attempting to recommit many times over.
Any other scenarios? Does any of this match up with common Drupal exploits?
Here's the data. I ran the following query on the accesslog table in my database:
select count(*), title, path from accesslog where uid = 999 group by title, path;
With the results below (user ID and page names cleaned up, ofc). Count(*) in each column should indicate the number of requests received for each operation.
+----------+-------------------------+------------------------------------------+
| count(*) | title                   | path                                     |
+----------+-------------------------+------------------------------------------+
|       16 |                         | home                                     |
|     1334 | Access denied           | user/999/edit                            |
|      184 | Series                  | events/series                            |
|        1 | Home                    | user/register                            |
|        1 | Reset password          | user/reset/999/123124/a2340a1c1123/login |
|        1 | username                | user/999                                 |
|        5 | username                | user/999/edit                            |
|        1 | username                | user/me                                  |
|      904 | User account            | user/login                               |
|    11252 | User account            | user/password                            |
|      288 | User account            | user/register                            |
|        1 | Validate e-mail address | user/validate/999/1283452346/a0f123459e  |
+----------+-------------------------+------------------------------------------+
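One way to take the per-path counts above a step further and see whether the user/password hits arrive in bursts from a few hosts, as an added example that is not part of the original post: it runs the same kind of GROUP BY over an in-memory copy of the accesslog table (SQLite via Python, with constructed rows) and flags any host/hour pair above a threshold. The column names sid, hostname and timestamp are assumed to match Drupal 6's accesslog schema; the IPs and timestamps are constructed.

```python
import sqlite3

# Constructed sample of Drupal 6 accesslog rows for uid 999. Column names
# (sid, title, path, hostname, uid, timestamp) are assumed to match the
# Drupal 6 accesslog table. Two hosts hammer user/password within a single
# hour each; a third host makes a handful of normal-looking requests.
BASE = 1287000000  # constructed epoch value, chosen to sit on an hour boundary
SAMPLE_ROWS = []
for i in range(600):
    SAMPLE_ROWS.append(("sidA", "User account", "user/password",
                        "198.51.100.7", 999, BASE + i * 5))
for i in range(300):
    SAMPLE_ROWS.append(("sidB", "User account", "user/password",
                        "203.0.113.9", 999, BASE + 3600 + i * 10))
for i in range(3):
    SAMPLE_ROWS.append(("sidC", "User account", "user/password",
                        "192.0.2.5", 999, BASE + 7200 + i * 600))

# Bucket requests for one uid/path by source host and hour, and keep only
# the buckets whose request count reaches the threshold. The same query
# can be run as-is against a live accesslog table.
BURST_SQL = """
SELECT hostname,
       (timestamp / 3600) * 3600 AS hour_start,
       COUNT(*) AS hits,
       COUNT(DISTINCT sid) AS sessions
FROM accesslog
WHERE uid = ? AND path = ?
GROUP BY hostname, hour_start
HAVING hits >= ?
ORDER BY hits DESC
"""


def find_bursts(rows, uid=999, path="user/password", threshold=50):
    """Return (hostname, hour_start, hits, sessions) tuples for every
    host/hour bucket that meets the threshold, highest volume first."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accesslog (sid TEXT, title TEXT, path TEXT, "
                "hostname TEXT, uid INTEGER, timestamp INTEGER)")
    con.executemany("INSERT INTO accesslog VALUES (?, ?, ?, ?, ?, ?)", rows)
    result = con.execute(BURST_SQL, (uid, path, threshold)).fetchall()
    con.close()
    return result


if __name__ == "__main__":
    for host, hour, hits, sessions in find_bursts(SAMPLE_ROWS):
        print(f"{host}: {hits} password requests in hour {hour} ({sessions} sessions)")
```

A single host producing hundreds of user/password hits per hour from one session is what an automated reset flood looks like; a spread of hosts each at low rate points elsewhere.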