First Confirmed Drupal Brute Force

29 March 2010
Recently we instituted the Drupal Login Security module on our Drupal sites. Among other defensive mechanisms, this module alerts the site administrator to multiple failed login attempts. I installed the module in response to a proof of concept I developed that explored how attackers could enumerate and then brute force Drupal accounts.

Today at 9:17 we got an automated alert that an account had failed to log in multiple times, with the following entry showing up repeatedly in the watchdog logs:

Details
  Type: user
  Date: Monday, March 29, 2010 - 09:17
  User: Anonymous
  Location: http://xxxxxxxxx/user/
  Referrer: http://xxxxxxxxx/user/
  Message: Login attempt failed for admin.
  Severity: notice
  Hostname: 217.41.13.233

It seems that people are out there actively attacking Drupal accounts through the default user login screen at /user. I had never noticed activity like this before on any of our sites, but prior to the module I hadn't been looking as carefully as I probably should have.

Moving forward I'd ideally like to build a notification for OSSEC based on this activity, so I can leverage the Drupal 6 core Syslog module and have our host-based intrusion detection system handle the alerts as well. If you're running a Drupal site, though, you should seriously consider implementing the Login Security module.
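As an added illustration of the syslog/OSSEC idea (example code written for this page, not code from the post or from either project), the Python below parses the pipe-delimited watchdog records that Drupal 6's Syslog module emits and alerts when one source host reaches a threshold of failed logins against one account inside a time window. The field order, the syslog identity "drupal", and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
# Drupal 6's syslog module writes each watchdog entry as one pipe-delimited record;
# the field order below is assumed from that module, not taken from the post.
WATCHDOG_FIELDS = ["base_url", "timestamp", "type", "ip",
                   "request_uri", "referer", "uid", "link", "message"]
# Core's user module logs a failure as "Login attempt failed for %user."
FAILED_LOGIN = re.compile(r"^Login attempt failed for (?P<account>.+?)\.?$")

def parse_watchdog_line(line):
    """Return the watchdog fields of one syslog line, or None if not a Drupal record."""
    parts = line.split("drupal: ", 1)  # syslog identity 'drupal' is assumed
    if len(parts) != 2:
        return None
    fields = parts[1].rstrip("\n").split("|", len(WATCHDOG_FIELDS) - 1)
    if len(fields) != len(WATCHDOG_FIELDS):
        return None
    rec = dict(zip(WATCHDOG_FIELDS, fields))
    rec["timestamp"] = int(rec["timestamp"])
    return rec

def detect_brute_force(lines, threshold=5, window=600):
    """Alert once per (ip, account) reaching `threshold` failures within `window` seconds."""
    recent = defaultdict(list)  # (ip, account) -> timestamps still inside the window
    alerts, alerted = [], set()
    for line in lines:  # lines must be in time order
        rec = parse_watchdog_line(line)
        if rec is None or rec["type"] != "user":
            continue
        m = FAILED_LOGIN.match(rec["message"])
        if m is None:
            continue
        key = (rec["ip"], m.group("account"))
        bucket = recent[key]
        bucket.append(rec["timestamp"])
        while rec["timestamp"] - bucket[0] > window:  # expire old attempts
            bucket.pop(0)
        if len(bucket) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], len(bucket)))
    return alerts  # [(ip, account, failures_in_window), ...]

def _line(ip, ts, msg):  # one constructed syslog line; only the epoch field is parsed
    return "Mar 29 09:17 web1 drupal: http://www.example.org|%d|user|%s|http://www.example.org/user/||0||%s" % (ts, ip, msg)
# Constructed sample: six failures against 'admin' from one host within 50 seconds,
# a single failure from a second host, and one unrelated successful login.
SAMPLE_LOG = [_line("217.41.13.233", 1269854220 + s, "Login attempt failed for admin.")
              for s in range(0, 60, 10)] + [
    _line("192.0.2.10", 1269854281, "Login attempt failed for admin."),
    _line("198.51.100.7", 1269854310, "Session opened for alice."),
]
```

Running `detect_brute_force(SAMPLE_LOG)` reports only the first host, which is the event an OSSEC rule built on the same records would need to fire on.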