What to Do About Malicious Password Reset Requests on Drupal Sites

Update: This is currently a developing story in the Drupal community, and we will continue to monitor and update this post as we learn more information from Drupal on this issue.

Earlier today, it was reported a significant number of Drupal 6 and 7 sites were targeted with what appear to be malicious requests performing automated password resets on accounts. The majority of the accounts targeted appear to be those with commonly used usernames (such as admin, moderator or user etc.).

You can read more about the bug on this thread: Reset admin passwords were sent

While this does not present a direct security vulnerability to your Drupal site, this situation is definitely a great indication that it may be time you perform checks to ensure your site is properly protected from attacks such as these, to rest assured none of your user accounts have been compromised and to implement Drupal security best practices for user accounts.

Directly from the issue thread, you’ll want to make sure you follow these steps:

In general it is best practice to audit admin level accounts on a regular basis.

  • Navigate to the list of people on the site
  • Filter the list for those who have additional roles
  • Sort the list by last login date. If an account has not logged in recently, security could be improved by revoking the role from that account.
  • Review the email address associated with all accounts with elevated roles to confirm it is the right email address.
  • Review the usernames, if any are commonly used consider changing them to something unique to the user (e.g. their name) or unique to the site (e.g. admin.example.com).

If you see anything in the list of accounts that makes you think your site has been compromised, consider going through this more exhaustive set of steps to mitigate those issues.

What else can I do to safeguard against this issue?

In addition to following the tips above, you can also try:

  • Blocking the common IP address from of this scam using iptables: sudo iptables -A INPUT -s 77.222.114.241 -j DROP
  • Ensure none of your accounts have received the following message: "You have tried to use a one-time login link that has either been used or is no longer valid."
  • Put Captcha and Honeypot on all forms for non-logged-in users
  • Limit name guessing attempts with flood control

Drupal security shouldn’t be break-fix

It’s worth noting, when issues like this arise, that Drupal security is a round-the-clock job, and something you want to always keep an eye on. After all, your website is likely the backbone of your business or organization and any kind of compromise could be catastrophic.

Take a moment to review Drupal security best practices, ensure your website is up to date, and have a more experienced set of eyes review your site if you think you need help. There is no benefit in leaving your security to chance.

Should you need assistance from a Drupal security expert, our team at Drupal Connect is here to help, and will work diligently to ensure your business and data have the strongest protections. Please contact us today for a security consultation and to gain peace of mind.

Share This