I've noticed some strange behaviour on my Drupal site. I like to understand the data I'm looking at before I take action so that I don't waste time pursuing the wrong measures, but I lack the security knowledge to interpret it.

A single account has made many odd repeat requests, including attempting to reach the edit profile page, logging in (successfully - someone noticed the account had 250 active sessions a few days ago), and a huge number of password requests. The account does not have admin rights, and anyone can register for an account.

EDIT: Drupal version is 6.17.

My best guesses at what is going on are as follows:

(1) Joe Evil-doer is using multiple reset password requests as a DoS attack (it's working :< )

(2) Joe Evil-doer is trying to somehow build up a dictionary of possible passwords from his repeated requests (I don't see a way that this would work).

(3) I am a victim of a bunch of transactions failing and attempting to recommit many times over.

Any other scenarios? Does any of this match up with common Drupal exploits?

Here's the data. I ran the following query on the accesslog table in my database:

select count(*), title, path from accesslog where uid = 999 group by title, path;

With the results below (user ID and page names cleaned up, ofc). Count(*) in each column should indicate the number of requests received for each operation.

+----------+-------------------------+------------------------------------------+
| count(*) | title                   | path                                     |
+----------+-------------------------+------------------------------------------+
|       16 |                         | home                                     | 
|     1334 | Access denied           | user/999/edit                            | 
|      184 | Series                  | events/series                            | 
|        1 | Home                    | user/register                            | 
|        1 | Reset password          | user/reset/999/123124/a2340a1c1123/login | 
|        1 | username                | user/999                                 |   
|        5 | username                | user/999/edit                            | 
|        1 | username                | user/me                                  | 
|      904 | User account            | user/login                               | 
|    11252 | User account            | user/password                            | 
|      288 | User account            | user/register                            | 
|        1 | Validate e-mail address | user/validate/999/1283452346/a0f123459e  | 
+----------+-------------------------+------------------------------------------+
+2  A: 

Most likely it's some sort of no. 1. Reset password is only helpful if you have the email and you only need to do it once. I don't think 3 is even possible.

It's pretty easy to fix. For some sites I do this by default. With hook_menu_alter you can remove the menu item for the password reset. It will make it impossible for all users to reset their password.

Another option would be to include a CAPTCHA on the form since it's most likely a bot doing this. Should be pretty easy with an existing module.

googletorp
Turns out the Drupal captcha and recaptcha modules are the bomb-diggity. Extremely simple to install.
Fritz Meissner
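A worked example of the hook_menu_alter approach, added here as an illustration; it is not code from googletorp's answer, from the question, or from Drupal core. The answer's one-liner is `unset($items['user/password'])`, which disables password reset for everyone. The variant below keeps the page but wraps whatever access callback core registered for `user/password` and adds a per-IP flood limit using the Drupal 6 core flood API (`flood_register_event()` and `flood_is_allowed()`, which in Drupal 6 count events per hostname over a one-hour window). The module name `pass_throttle`, all function names, and the limit of 5 requests per hour are assumptions.

```php
<?php
// pass_throttle.module -- hypothetical Drupal 6 module written for this
// example; not code from the original post or from Drupal core.
// Instead of unsetting $items['user/password'] (no reset for anyone), it
// chains the existing access check with a per-IP flood limit.

// Assumed policy: at most this many reset requests per client IP per hour.
// Drupal 6's flood_is_allowed() always uses a one-hour window.
define('PASS_THROTTLE_LIMIT', 5);

/**
 * Implementation of hook_menu_alter().
 */
function pass_throttle_menu_alter(&$items) {
  if (!isset($items['user/password'])) {
    return;
  }
  // The answer's approach, if you want no password reset at all:
  // unset($items['user/password']); return;

  // Preserve whatever access check core defined, and chain it.
  $orig_cb = isset($items['user/password']['access callback'])
    ? $items['user/password']['access callback'] : 'user_access';
  $orig_args = isset($items['user/password']['access arguments'])
    ? $items['user/password']['access arguments'] : array('access content');

  $items['user/password']['access callback'] = 'pass_throttle_access';
  $items['user/password']['access arguments'] = array($orig_cb, $orig_args);
}

/**
 * Access callback: core's original check AND the per-IP flood check.
 * A throttled client gets the normal 403 page, so its accesslog rows
 * show the title "Access denied", which makes the flood easy to spot.
 */
function pass_throttle_access($orig_cb, $orig_args) {
  if (!call_user_func_array($orig_cb, $orig_args)) {
    return FALSE;
  }
  return flood_is_allowed('pass_throttle_request', PASS_THROTTLE_LIMIT);
}

/**
 * Implementation of hook_form_FORM_ID_alter() for the user_pass form.
 *
 * Puts our validator in front of core's user_pass_validate(), so every
 * submission is counted even when the submitted name does not exist.
 */
function pass_throttle_form_user_pass_alter(&$form, &$form_state) {
  $existing = isset($form['#validate']) ? $form['#validate'] : array();
  $form['#validate'] = array_merge(array('pass_throttle_user_pass_validate'), $existing);
}

/**
 * Validate handler: record the event, then refuse once over the limit.
 */
function pass_throttle_user_pass_validate($form, &$form_state) {
  flood_register_event('pass_throttle_request');
  if (!flood_is_allowed('pass_throttle_request', PASS_THROTTLE_LIMIT)) {
    $name = isset($form_state['values']['name']) ? $form_state['values']['name'] : '';
    watchdog('pass_throttle', 'Password reset flood from %ip (name: %name).',
      array('%ip' => ip_address(), '%name' => $name), WATCHDOG_WARNING);
    form_set_error('name', t('Too many password reset requests from your address. Please try again later.'));
  }
}
```

Two caveats when deploying something like this: the flood table is keyed by `ip_address()`, so behind a reverse proxy Drupal's `reverse_proxy` settings must be configured or every client shares one counter; and a bot that rotates source addresses slips under a per-IP limit, which is why the CAPTCHA suggested in the answer (the captcha/recaptcha modules also hook `user_pass` through `hook_form_alter`) is the better complement to a throttle rather than a replacement for it.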