Blogs and security

joyseeker

Hopefully, this is the best place to post this -- if not, I'd love some direction where to find answers.

I have a D6 site with blogs, and my database is being attacked. There are spam comments in the database, but since I have comments turned off for now, they do not display. I even have the site set up to approve registration, but I see from the Drupal logs that people are becoming active without my intervention.

On StatCounter, I see 2 types of URLs that may have clues -- can you tell me what type of attack it is? And maybe how to prevent it?

mysite.com/user/reset/1012/1326244801/f4f802afb6cbb1ac20b8f23657f7992b

mysite.com/user/register %5BR%5D POST http://mysite.com/user/register %5B0,0,49745%5D

Also, does D7 "out of the box" have enough security built in that these attacks would not be successful?

Any insight would be most appreciated!

Susan

Comments

If you go to Administer ›

greggles

If you go to Administer › User management › User Settings, what is the value under "Public registrations?" If it is "Only site administrators can create new user accounts." or "Visitors can create accounts but administrator approval is required." then this seems like the attackers are somehow getting past the setting. It's possible there is a vulnerability in Drupal core or contributed or custom code on your site.

If that is the case, please don't post a new comment here about it, but instead follow this process http://drupal.org/node/101494

Both Drupal 7 and Drupal 6 generally block this behavior.

The two URLs you see are standard URLs related to the registration and one-time-login or password reset process. The user/reset is for user number 1012.
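As an added illustration of the reply above (example code written for this page, not Drupal code or anything from the thread), the script below does the kind of log triage a site owner would do before filing a report: it recognises the `/user/reset/UID/TIMESTAMP/TOKEN` shape of a one-time-login link, decodes the user id and the time the link was issued, applies the 24-hour expiry Drupal 6 puts on such links, and counts `POST /user/register` requests per client address so registration bursts stand out. The input is a few constructed common-log-format lines (the IPs are documentation ranges, not real clients); the first path mirrors the reset URL quoted in the question.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Drupal 6 one-time login links stop working 24 hours after they are issued.
RESET_LINK_TIMEOUT = 86400

# Constructed sample access-log lines for this example (not from the original
# post); the paths mirror the two URL shapes quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2012:01:20:05 +0000] "GET /user/reset/1012/1326244801/f4f802afb6cbb1ac20b8f23657f7992b HTTP/1.1" 200 512
198.51.100.9 - - [11/Jan/2012:01:21:11 +0000] "POST /user/register HTTP/1.1" 302 0
198.51.100.9 - - [11/Jan/2012:01:21:15 +0000] "POST /user/register HTTP/1.1" 302 0
198.51.100.9 - - [11/Jan/2012:01:21:19 +0000] "POST /user/register HTTP/1.1" 302 0
192.0.2.44 - - [11/Jan/2012:02:05:00 +0000] "GET /node/5 HTTP/1.1" 200 4096
"""

# Common log format: client, identity, user, [timestamp], "METHOD PATH PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Drupal's one-time login path: numeric uid, unix timestamp, 32-hex token.
RESET_RE = re.compile(r'^/user/reset/(?P<uid>\d+)/(?P<ts>\d+)/(?P<token>[0-9a-f]{32})$')


def parse_reset_path(path):
    """Split a /user/reset/UID/TIMESTAMP/TOKEN path into its parts, or return None."""
    m = RESET_RE.match(path)
    if not m:
        return None
    ts = int(m.group('ts'))
    return {
        'uid': int(m.group('uid')),
        'timestamp': ts,
        'issued_at': datetime.fromtimestamp(ts, tz=timezone.utc),
        'token': m.group('token'),
    }


def reset_link_expired(timestamp, now):
    """True when the link's issue time is older than Drupal's 24-hour window."""
    return now - timestamp > RESET_LINK_TIMEOUT


def triage(log_text, now):
    """Collect reset-link hits and count registration POSTs per client address."""
    reset_links = []
    register_posts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        path = m.group('path')
        if m.group('method') == 'POST' and path == '/user/register':
            register_posts[m.group('ip')] += 1
            continue
        link = parse_reset_path(path)
        if link:
            link['ip'] = m.group('ip')
            link['expired'] = reset_link_expired(link['timestamp'], now)
            reset_links.append(link)
    return {'reset_links': reset_links, 'register_posts': register_posts}


if __name__ == '__main__':
    # Evaluate the links as of one hour after the sample reset link was issued.
    report = triage(SAMPLE_LOG, now=1326244801 + 3600)
    for link in report['reset_links']:
        print(f"reset link for uid {link['uid']} issued {link['issued_at'].isoformat()} "
              f"from {link['ip']} (expired: {link['expired']})")
    for ip, n in report['register_posts'].most_common():
        print(f"{ip}: {n} registration POSTs")
```

A registration burst from one address while "administrator approval is required" is set is the kind of evidence worth attaching to the report greggles points to; the reset-link decode tells you which account the link targets and whether it was still inside its validity window when it was used.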
