A "security researcher"?

screenshot of the log file, as given in the main text

My attention was brought to a whole bunch of "page not found" errors in the log of my website tonight. At first, I just thought it was just someone trying scripts to gain access so I sent an abuse report to Linode as they owned the IP address, 172.105.83.62.

Their reply was vaguely interesting, though. They said that they didn't regard it as abuse as it was a "security researcher" at work. Huh? On my website? Seriously? Wow - they need to set their sights higher!!! 

In this circumstance, our Trust & Safety team have determined that the Linode customer operating this IP is a security researcher, and the traffic is not intended to be malicious.

Anyway, I thought the actual log of locations tried might be useful to others, so here they are:

-------- -------------- ---------------- ---------- ------------------------------------------------------------------------------------------
  ID       Date           Type             Severity   Message
 -------- -------------- ---------------- ---------- ------------------------------------------------------------------------------------------
  437103   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/aggregator.overview.html.twig
  437102   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/search.index.html.twig
  437101   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/workflows.overview.html.twig
  437100   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/config.import_full.html.twig
  437099   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/field_ui.reference_field.html.twig
  437098   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/views_ui.edit.html.twig
  437097   06/Sep 07:06   page not found   Warning    /core/assets/vendor/ckeditor/bender-runner.config.json
  437096   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/contact.creating.html.twig
  437095   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/field_ui.manage_form.html.twig
  437094   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/search.overview.html.twig
  437093   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/field_ui.manage_display.html.twig
  437092   06/Sep 07:06   page not found   Warning    /core/scripts/dev/commit-code-check.sh
  437091   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/system.maintenance_mode.html.twig
  437090   06/Sep 07:06   page not found   Warning    /core/assets/vendor/ckeditor/CHANGES.md
  437089   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/image.style.html.twig
  437088   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/responsive_image.style.html.twig
  437087   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/views_ui.add_display.html.twig
  437086   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/book.adding.html.twig
  437085   06/Sep 07:06   page not found   Warning    /core/assets/vendor/ckeditor/LICENSE.md
  437084   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/config.export_full.html.twig
  437083   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/content_moderation.configuring_workflows.html.twig
  437082   06/Sep 07:06   page not found   Warning    /core/modules/help_topics/help_topics/layout_builder.overview.html.twig
  437081   06/Sep 07:06   page not found   Warning    /core/themes/olivero/olivero.libraries.yml
 -------- -------------- ---------------- ---------- ------------------------------------------------------------------------------------------

Looks to me like they are trying to access files in core modules and then compare them to know versions to work out the version of Drupal installed. I guess then they know what vulnerabilities are available?

The only thing is, none of those files should be available over the web, anyway – not if a site is setup properly. 

Tags