I have a website in Drupal 7, and have upgraded it to 7.59 for Drupal security issue SA-CORE-2018-004,
but somehow on 3rd May, I observed more than 1000 malicious users created on the site. Malicious means without any roles. My website's user/register page can be accessed with valid tokens only, that I sent in an email. If any user tries to access the user/register page without a valid token, they will get an access denied message.
I checked the access logs and error logs but could not find any suspicious request for user registration.
I saw 1 request, but don't know how it can add 1000 users:
xxx.xx.xxx.xxx 398254 - [24/Apr/2018:01:39:03 +0100] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
I deleted all malicious users, and there has been no such attack since then, but I want to find the root cause of it and reproduce it.
I tried all the exploits from here, but had no luck.
Thanks in advance
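
A log check for requests shaped like the one quoted in the post, added here as an example and not part of the original post: it percent-decodes each query string and flags parameters that carry a "#"-prefixed path component, the prefix Drupal uses for render-array property keys (as in element_parents=account/mail/%23value). The log layout regex, the client addresses, the token parameter name and the two benign lines are constructed; only the first request line is taken from the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Layout assumed from the single log line quoted in the post:
# client, numeric field, "-", [timestamp], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_params(target):
    """Return decoded (name, value) pairs that contain a '#'-prefixed key."""
    hits = []
    # parse_qsl percent-decodes, so %23 arrives here as '#'.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # Split nested names (a[b][c]) and slash-separated value paths.
        parts = re.split(r'[/\[\]]', name) + value.split('/')
        if any(p.startswith('#') for p in parts):
            hits.append((name, value))
    return hits

def scan(lines):
    """Yield (client, timestamp, method, status, hits) for flagged requests."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not treated as clean
        hits = suspicious_params(m['target'])
        if hits:
            yield m['client'], m['ts'], m['method'], int(m['status']), hits

def summarize(lines):
    """Count flagged requests per client address."""
    return Counter(client for client, *_ in scan(lines))

# Constructed sample: request line 1 is from the post, the rest is made up.
SAMPLE = [
    '192.0.2.10 398254 - [24/Apr/2018:01:39:03 +0100] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 1200 - [24/Apr/2018:01:40:10 +0100] "GET /user/register?token=EXAMPLE HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 900 - [24/Apr/2018:01:41:00 +0100] "GET /search/node?keys=c%23 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for client, ts, method, status, hits in scan(SAMPLE):
        print(client, ts, method, status, hits)
```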