Joomla admin account being hacked again

[kane1x10]

The block added last week is holding for that one IP. Whoever it is seems quite determined! They have changed to using a lot of different IP sources. All over the world. I would guess some kind of VPN IP address randomizer. :-(

Any ideas on what to do next?

It doesn't make much sense. This is a family web page for family and friends. Just pictures and stories. I do have a couple of blogs, but they are for friends. I am not doing any kind of profitable web service or anything to make someone interested. My page hits are too low to be able to be profitable from inserting adware.

I do have one guess though. A former co-worker who was into hacking. He didn't leave on great terms. Maybe he somehow blames me and put 2 and 2 together and figured out this is my personal web page. We just worked together though. It's not like I got him fired.

Here is the log for admin logins recently.

Action Extension Date Name IP Address ID
User admin logged in to admin Users Less than a minute ago. Administrator <Me Logging In> 12566
User admin tried to login to admin Users 2 hours ago. Administrator 84.19.26.52 12565
User admin tried to login to admin Users 2 hours ago. Administrator 212.109.192.123 12564
User admin tried to login to admin Users 3 hours ago. Administrator 42.112.21.203 12563
User admin tried to login to admin Users 3 hours ago. Administrator 137.74.117.179 12562
User admin tried to login to admin Users 4 hours ago. Administrator 164.132.192.43 12561
User admin tried to login to admin Users 4 hours ago. Administrator 106.15.198.21 12560
User admin tried to login to admin Users 5 hours ago. Administrator 47.93.3.8 12559
User admin tried to login to admin Users 6 hours ago. Administrator 5.45.98.97 12558
User admin tried to login to admin Users 6 hours ago. Administrator 74.208.253.209 12557
User admin tried to login to admin Users 7 hours ago. Administrator 120.27.239.3 12556
User admin tried to login to admin Users 8 hours ago. Administrator 139.99.8.31 12555
User admin tried to login to admin Users 8 hours ago. Administrator 39.97.229.71 12554
User admin tried to login to admin Users 9 hours ago. Administrator 87.118.76.186 12553
User admin tried to login to admin Users 9 hours ago. Administrator 212.48.72.62 12552
User admin tried to login to admin Users 9 hours ago. Administrator 39.106.70.58 12551
User admin tried to login to admin Users 9 hours ago. Administrator 190.210.132.150 12550
User admin tried to login to admin Users 9 hours ago. Administrator 34.232.106.159 12549
User admin tried to login to admin Users 9 hours ago. Administrator 5.77.36.119 12548
User admin tried to login to admin Users 9 hours ago. Administrator 146.255.103.77 12547
User admin tried to login to admin Users 9 hours ago. Administrator 149.28.110.13 12546
User admin tried to login to admin Users 9 hours ago. Administrator 149.202.172.119 12545
User admin tried to login to admin Users 9 hours ago. Administrator 74.208.253.209 12544
User admin tried to login to admin Users 9 hours ago. Administrator 112.78.3.185 12543
User admin tried to login to admin Users 9 hours ago. Administrator 47.98.207.111 12542
User admin tried to login to admin Users 9 hours ago. Administrator 173.254.250.124 12541
User admin tried to login to admin Users 9 hours ago. Administrator 78.24.217.9 12540
User admin tried to login to admin Users 10 hours ago. Administrator 120.78.159.206 12539
User admin tried to login to admin Users 10 hours ago. Administrator 213.246.101.169 12538
User admin tried to login to admin Users 10 hours ago. Administrator 147.46.234.77 12537
User admin tried to login to admin Users 10 hours ago. Administrator 162.243.69.235 12536
User admin tried to login to admin Users 10 hours ago. Administrator 188.165.194.66 12535
User admin tried to login to admin Users 10 hours ago. Administrator 41.78.128.16 12534
User admin tried to login to admin Users 10 hours ago. Administrator 109.96.166.15 12533
User admin tried to login to admin Users 11 hours ago. Administrator 39.107.100.69 12532
User admin tried to login to admin Users 11 hours ago. Administrator 173.254.250.124 12531
User admin logged in to admin Users 2 days ago. Administrator <Me Logging In> 12530

 

[kane1x10]

I just added 2FA. Not going to stop the attempts, but maybe it will confuse their script with the additional field to complete. Or not! Maybe it will happily fail over and over and over while trying to login. <sigh>

 

[Anna]

Often times hackers target specific versions of a script, usually somewhat older with known vulnerabilities, which is why it is always recommended to keep the script up to date. Though in your case I kind of doubt that is the case, it seem a bit to persistent for that.

If it is indeed a bot that does the login, it should be a bit thrown of its game, but may still try and fail for a while. If joomla offers any security plugin that automates blocking IP after failed attempts that could be an option to look at. I know wordpress offers that kind of brute force protection so it's not a long stretch to think joomla may too.

 

[spacresx]

@ kane1x10
If you want to stop certain ip's from getting to your website,
here is a simple way to do it

in your main .htaccess file (if you have one) add these lines & the ip address
some examples using the ip address 212.109.192.123.

Order Allow,Deny
Allow from All
#
Deny from 212.109.192.123
Deny from 212.109.192.0/24
Deny from 212.109.0.0/16
Deny from 212.0.0.0/8

this is an example of how you can block unwanted ips easily.

 

[garrettroyce]

Is there a captcha you can install for your admin login screen?

 

[kane1x10]

Is there a captcha you can install for your admin login screen?

I did 2FA. But they submitted anyhow.

 

[kane1x10]

I changed the login name of the Administrator from "admin" to something else. Tested and attempts to "admin" don't even make it to the logs. I assume whoever it is may keep trying, but they will never guess the password because the response does not help them to know which was wrong the password or the ID. I guess at this point just let them keep trying. At least I no longer see the attempts in the log since it does not log wrong username attempts. Although ... I think it should.

 

[kane1x10]

@ kane1x10
If you want to stop certain ip's from getting to your website,
here is a simple way to do it

in your main .htaccess file (if you have one) add these lines & the ip address
some examples using the ip address 212.109.192.123.

Order Allow,Deny
Allow from All
#
Deny from 212.109.192.123
Deny from 212.109.192.0/24
Deny from 212.109.0.0/16
Deny from 212.0.0.0/8

this is an example of how you can block unwanted ips easily.

Did that when it was just one IP. But now they are using a VPN with IP randomizer. There is no way to know what IP it will come from next.

 

[spacresx]

@ kane1x10
there are similar ways to block referrers and user agents to if thats helpful.

have you tried with googles recaptcha?
i know of a captcha script called "botprotection" it would trigger googles recaptcha
if you hook it to the admin login page.

another suggestion is try Cidram (https://github.com/CIDRAM/CIDRAM) its free,
and does work very well for blocking stop forum spam ips too.

but personally i prefer doing the blocking at the htaccess file level myself.
some may also suggest trying cloudflare but i dont like that one myself.

these are only suggestions.

 

[cjptomas80]

It doesn't make much sense. This is a family web page for family and friends. Just pictures and stories. I do have a couple of blogs, but they are for friends. I am not doing any kind of profitable web service or anything to make someone interested. My page hits are too low to be able to be profitable from inserting adware.

It doesn't matter to them anyway. All they want is administrator access then insert their code on your site for their own purposes. I have seen a lot of my emails spam folder using the exploit site to do their malicious activity.

 

[garrettroyce]

@kane1x10 is there anything else you need help with at this time?

 

[garrettroyce]

@kane1x10 I'm closing this thread due to lack of activity. Please create a new thread if the need arises. Thank you.