Distributed brute force attacks against Drupal

9 August 2010
We're using a combination of Drupal 6 with the syslog module and OSSEC to monitor our Drupal web applications at work. I've noted a frightening trend recently of multiple failed login attempts for the same username from different IP addresses. This appears to be the work of a botnet. The following are some of the logs that we've gotten recently:
Aug  6 22:00:19 hostname drupal: http://www.example.org|1281146419|user|95.169.185.240|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
Aug  6 22:00:19 hostname drupal: http://www.example.org|1281146419|user|95.169.184.130|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
Aug  6 22:00:18 hostname drupal: http://www.example.org|1281146418|user|95.169.184.240|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
Aug  6 22:00:18 hostname drupal: http://www.example.org|1281146418|user|95.169.185.240|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
Aug  6 22:00:17 hostname drupal: http://www.example.org|1281146417|user|95.169.184.240|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
Aug  6 22:00:22 hostname drupal: http://www.example.org|1281146422|user|69.10.38.27|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
Aug  6 22:00:21 hostname drupal: http://www.example.org|1281146421|user|69.10.38.30|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
Aug  6 22:00:21 hostname drupal: http://www.example.org|1281146421|user|69.10.38.30|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
Aug  6 22:00:21 hostname drupal: http://www.example.org|1281146421|user|69.10.38.29|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
Aug  6 22:00:21 hostname drupal: http://www.example.org|1281146421|user|69.10.38.27|http://www.example.org/?q=user||0||Login attempt failed for Esmerelda.
The attackers are using the default login page at /?q=user but looking at the above you can see that there are several distinct IP addresses attempting to gain access in what looks to be a coordinated fashion. Luckily these attempts appear to fail but I've seen them on a couple of different Drupal sites. From this I'd infer that these IP's are probably attacking Drupal sites across the internet. Because we haven't observed any successful logins it's tough to say what the attacker is after. For more information on enabling OSSEC monitoring of Drupal 6 see http://madirish.net/?article=463