So far in 2020, I've been keeping a closer eye on the logs of this Drupal site. Back in the day, I used to pore over logs in a sort of 'bender' fashion, presumably as I was bored or something similar. Rarely was something particularly interesting, but it was a good way to figure out and correct some random things. Still is...but it's 2020 and nobody manually looks at logs anymore.
Drupal's Log Reporting
I've come to appreciate Drupal's built in 'Recent log entries' report, since it's easily filterable and provides some interesting insight. In the past I've used the report to figure out and correct some weird/broken behavior in some templates, along with some CAPTCHA issues (this isn't fixed, per se, but is addressed as best/simplest I can given it's ultimately a known module problem).
What has been most interesting, however, is to see what else is getting pinged/hit from a vulnerability angle.
WordPress Users Beware
Unofficially, without analysis, I'd say that 70% of
page not found entries are obvious attempts to exploit what I would assume to be a known vulnerability in WordPress, a WP plugin, or default/weak login credentials. That's not particularly shocking given how widely WP is deployed on the Internet, but it's certainly eye-opening from the angles of 'damn, patch thy systems' and 'use strong passwords.'
Having a couple of WP sites in my purview, its auto-update feature was one of the first things I enabled when setting them up. Giving the sites a periodic checkup and updating plugins as necessary are just good practice tidbits. Having your WP site compromised would definitely ruin your day.
Other Known Vulnerabilities
I'd gather that about 20% of the remaining
page not found entries would appear to be attacks against known vulnerabilities in other popular (if obscure) web applications or "plugins" for ecommerce, common libraries, and so forth. Basically, if it's even remotely common...all the more reason to patch, eliminate, or update that shit.
I have a primary site with a lot of history, so another ~5% of
page not found entries are 'legitimate.' Depending on the domain hit (many point to the same underlying site nowadays), the pointer might be to something that was around over twenty years ago but isn't anymore. Sometimes that's an indicator to fix a rewrite rule or something, but most of the time I don't care anymore. There's often a reason that old stuff doesn't carry forward...
Of the remaining ~5%, I've been recently seeing some oddly 'disturbing' sort of crawler/attack behavior. There's the more standard crawling for common-ish paths thing (which is different than the known vulnerabilities thing, but similar), but I'm seeing some interesting hits against things that look to edit or delete content. This is both on the
page not found entries but also in
access denied entries. If there wasn't already an important enough reason to use strong credentials, this is certainly it.
Be Careful Out There
By themselves, patching and strong credentials certainly aren't guarantees against gnarly attacks or vulnerabilities, but given my armchair analysis of the info having those simple things in place are clearly a great advantage over a 'set it and forget it' mentality.
Headline image via giphy