Want to get Lullabot article, videocast, and podcast announcements delivered right to your in-box?
Let us know your email address (we won't share it) and we'll let you know when anything exciting happens.
Is that site running Drupal?
May 30, 2008
Various attempts at "fingerprinting" a Drupal site have been tried in the past, none of which are completely fool-proof.
These range from *super* easy stuff like checking for CHANGELOG.txt to checking the source for a reference to "drupal.css" (Drupal 4.7) to checking for common paths like taxonomy/term/1, and /user, (which might be aliased to something else with something like Pathauto/Path Redirect module), and so on.
However, since Drupal 4.6, there's a super geeky trick you can use to fingerprint a Drupal site that works 90% of the time.
- Get Firefox.
- Get the Live HTTP Headers extension.
- After restarting Firefox, click Tools > Live HTTP Headers. This'll pop up a little window to the side.
- Visit a website you suspect of being Drupalish. You know, like http://drupal.org/ (except, you know, I bet they're running WordPress...).
- Highlight the Live HTTP headers window and type "exp", looking for the following in the output:
Expires: Sun, 19 Nov 1978 05:00:00 GMT
You know, like so!
Update 2008-May-31 Or! For you command-line junkies out there, check out TBarregren's helpful bash script which allows you to just do ./is-drupal www.lullabot.com - Awesome!
By the way, this date has special significance in the Drupal community. Anyone know why? ;)
Hat tip to chx for this trick. :)
Comments
Might it have something to
Might it have something to do with this fellow?
Why only 90%?
Why only 90%?
Probably 99.99999%
But always safer to be conservative. ;)
Oh joy.
How convenient for script kiddies. Now they have one more litmus test to find sites vulnerable to the next 0-day exploit.
No problem...
A quick hack to /includes/bootstrap.inc takes care of that. Set it to your own birthday instead of Dries'.
How is this convenient? It
How is this convenient? It is much easier to write a bot that scans sites for certain URLs. People who want to harm other sites will find enough sites that way.
Agreed; additionally...
This is pretty safe as fingerprints go. It only identifies the presence Drupal itself, not any particular version (other than "4.6 or newer," which should hopefully be *all* Drupal sites by this point ;)). Script kiddies really need to know the version of Drupal down to the point release (4.6.9) in order to do anything really damaging.
Hide Drupal-specific URLs too?
Perhaps Drupal-specific URLs could be done away with or hidden then too? I like the idea of obscuring the software running the site.
Cool trick
And is there a good way to figure out the version number?
Patch
http://drupal.org/node/5900#comment-295465
A cracker tip!
Thanks Angie. I have been looking for an answer to this question for some time. I'm pretty non-technical so a simple tool like this is most welcome.
Before you go blaming Angie for helping script kiddies...
... you should know that there have always been dozens of ways to find out if a site is running Drupal. And they're not hard to find. Take the time and install a default Drupal and then start picking some of the texts you see. Any of these can be googled. Think of those smurfs on the search page when no results are found. When the zero day exploits come, it won't be hard to find Drupal sites, and obfuscating the fact that any site is running Drupal is very hard. This is true of any stock CMS. If you're really worried about people knowing what software you run, roll your own. After all, starting from scratch and writing it all yourself is well known to be best way to produce bug-free code.
Of course!
Couldn't have said it more sarcastically myself. :D Thanks!
Some obscurity may be good
If your site is not vulnerable to the simplest/most common ways to programmatically pick out a Drupal site, then your site may be spared when the next 0-day Drupal exploit hits. In other words, it may be good to be different.
I don't think this post would help hackers much, but it does raise this issue of hiding that a Drupal site is Drupal.
No No No
Obscurity is NOT security, nor is it really helpful.
Please see http://drupal.org/node/79018 for more info on this subject.
Many many, admins will tell you that the script kiddies don't care at all about checking a site first. They just run the actual exploit. The number of log entries on a major site for forum software issues (most common), or vulnerabilities in other CMS software is staggering.
Reasons for hiding the software behind a site, often include trying to prevent others from knowing the technology decisions being made inside corporations, or just not understanding the real issues of security.
A command line option
An easier way to do this without firing firefox and installing extensions would be (on a Unix based machines:
$ 2>&1 wget -S http://drupal.org|grep ExpireExpires: Sun, 19 Nov 1978 05:00:00 GMT
(replace drupal.org with your site in question)
Thanks for the nice tip!
Shell script
Wonderful trick. Thank you for sharing it.
An alternative to using Firefox with HTTP Live Headers is this trivial Bash script:
#!/usr/bin/env bash
wget -S $1 2>&1 | grep -q -m 1 "Expires: Sun, 19 Nov 1978 05:00:00 GMT" && echo "Yes" || echo "No"
Save the script in a file called
is-drupal, and make it executable (i.e.chmod +x is-drupal). Now, you can easily check a site with following command:./is-drupal www.lullabot.com:)
Very cool; smart thinking.
Wicked!!
I added a note about this to the original article. Thanks! And thanks to yhager too! :)
Curl version
Some OSes (like Mac OS X) don’t have wget installed by default. Here’s a curl version of the same script:
#!/usr/bin/env bash
curl -I $1 2>&1 | grep -q -m 1 "Expires: Sun, 19 Nov 1978 05:00:00 GMT" && echo "Yes" || echo "No"
Add -f, -s, -L to Curl command
You might want to add the -f, -s, and -L options to the Curl command. That way, it can handle failures silently, silence progress output (-s), and follow redirects to new locations (-L).
Without -L, redirects (or URL rewrites) that send the user to site.com from www.site.com (or vice versa) won’t be followed, and would produce the erroneous output of “No.” With -L, however, I have had it follow such redirects and produce the expected output.
#!/usr/bin/env bash
curl -fsIL $1 2>&1 | grep -q -m 1 "Expires: Sun, 19 Nov 1978 05:00:00 GMT" && echo "Yes, this appears to be a Drupal site." || echo "No, this does not appear to be a Drupal site."
better, faster:
don't wget the whole page, but only the headers, with a http head request:
wget -S --spider ...
better, faster:
don't wget the whole page, but only the headers, with a http head request:
wget -S --spider ...
Thanks...
I'll be running this daily, I'm sure.
Although, this may be less and less important as we start to ask the question -- "Wait, is this one of THOSE sites NOT running Drupal?"
And btw, do we still have to tell people to "Get Firefox?"
Sigh. Soon my friends, soon.
Strange
When I do this on lullabot.com I get june 1st 2008 as expiration-date...
grep should be "^Expires"...
grep should be "^Expires"... you're grepping the cookie expires.
Page for checking if a site is running drupal
Hi!
I've made this little page on my website for checking this basing on the comments of this post :)
You can check it out here:
http://cambrico.net/check-drupal-site
I noticed most drupal sites
I noticed most drupal sites have this kind of pattern,
@import "/sites/[website]/files/css/bcb7ecf370d40044ccf58487dc993ea6.css";
any accuracy in this assumption?
I think that this import of
I think that this import of css is done only when you have the compress css performance setting enabled (you should!), if not, you will see a lot of css files imported (one for each module that uses its own css file)
How about the following
How about the following URL?
http://sitename/user
Thanks for the tip, this
Thanks for the tip, this will definitely help me add more sites to the gallery.
thanks
Post new comment