Joomla admin account being hacked again

Discussion in 'Free Hosting' started by kane1x10, Mar 10, 2020.

Thread Status:
Not open for further replies.
  1. kane1x10

    kane1x10 Member

    The block added last week is holding for that one IP. Whoever it is seems quite determined! They have changed to using a lot of different IP sources. All over the world. I would guess some kind of VPN IP address randomizer. :-(

    Any ideas on what to do next?

    It doesn't make much sense. This is a family web page for family and friends. Just pictures and stories. I do have a couple of blogs, but they are for friends. I am not doing any kind of profitable web service or anything to make someone interested. My page hits are too low to be able to be profitable from inserting adware.

    I do have one guess though. A former co-worker who was into hacking. He didn't leave on great terms. Maybe he somehow blames me and put 2 and 2 together and figured out this is my personal web page. We just worked together though. It's not like I got him fired.

    Here is the log for admin logins recently.

    Action Extension Date Name IP Address ID
    User admin logged in to admin Users Less than a minute ago. Administrator <Me Logging In> 12566
    User admin tried to login to admin Users 2 hours ago. Administrator 84.19.26.52 12565
    User admin tried to login to admin Users 2 hours ago. Administrator 212.109.192.123 12564
    User admin tried to login to admin Users 3 hours ago. Administrator 42.112.21.203 12563
    User admin tried to login to admin Users 3 hours ago. Administrator 137.74.117.179 12562
    User admin tried to login to admin Users 4 hours ago. Administrator 164.132.192.43 12561
    User admin tried to login to admin Users 4 hours ago. Administrator 106.15.198.21 12560
    User admin tried to login to admin Users 5 hours ago. Administrator 47.93.3.8 12559
    User admin tried to login to admin Users 6 hours ago. Administrator 5.45.98.97 12558
    User admin tried to login to admin Users 6 hours ago. Administrator 74.208.253.209 12557
    User admin tried to login to admin Users 7 hours ago. Administrator 120.27.239.3 12556
    User admin tried to login to admin Users 8 hours ago. Administrator 139.99.8.31 12555
    User admin tried to login to admin Users 8 hours ago. Administrator 39.97.229.71 12554
    User admin tried to login to admin Users 9 hours ago. Administrator 87.118.76.186 12553
    User admin tried to login to admin Users 9 hours ago. Administrator 212.48.72.62 12552
    User admin tried to login to admin Users 9 hours ago. Administrator 39.106.70.58 12551
    User admin tried to login to admin Users 9 hours ago. Administrator 190.210.132.150 12550
    User admin tried to login to admin Users 9 hours ago. Administrator 34.232.106.159 12549
    User admin tried to login to admin Users 9 hours ago. Administrator 5.77.36.119 12548
    User admin tried to login to admin Users 9 hours ago. Administrator 146.255.103.77 12547
    User admin tried to login to admin Users 9 hours ago. Administrator 149.28.110.13 12546
    User admin tried to login to admin Users 9 hours ago. Administrator 149.202.172.119 12545
    User admin tried to login to admin Users 9 hours ago. Administrator 74.208.253.209 12544
    User admin tried to login to admin Users 9 hours ago. Administrator 112.78.3.185 12543
    User admin tried to login to admin Users 9 hours ago. Administrator 47.98.207.111 12542
    User admin tried to login to admin Users 9 hours ago. Administrator 173.254.250.124 12541
    User admin tried to login to admin Users 9 hours ago. Administrator 78.24.217.9 12540
    User admin tried to login to admin Users 10 hours ago. Administrator 120.78.159.206 12539
    User admin tried to login to admin Users 10 hours ago. Administrator 213.246.101.169 12538
    User admin tried to login to admin Users 10 hours ago. Administrator 147.46.234.77 12537
    User admin tried to login to admin Users 10 hours ago. Administrator 162.243.69.235 12536
    User admin tried to login to admin Users 10 hours ago. Administrator 188.165.194.66 12535
    User admin tried to login to admin Users 10 hours ago. Administrator 41.78.128.16 12534
    User admin tried to login to admin Users 10 hours ago. Administrator 109.96.166.15 12533
    User admin tried to login to admin Users 11 hours ago. Administrator 39.107.100.69 12532
    User admin tried to login to admin Users 11 hours ago. Administrator 173.254.250.124 12531
    User admin logged in to admin Users 2 days ago. Administrator <Me Logging In> 12530
     
  2. kane1x10

    kane1x10 Member

    I just added 2FA. Not going to stop the attempts, but maybe it will confuse their script with the additional field to complete. Or not! Maybe it will happily fail over and over and over while trying to login. <sigh>
     
  3. Anna

    Anna I am just me Staff Member

    Oftentimes hackers target specific versions of a script, usually somewhat older with known vulnerabilities, which is why it is always recommended to keep the script up to date. Though in your case I kind of doubt that is the case, it seems a bit too persistent for that.

    If it is indeed a bot that does the login, it should be a bit thrown off its game, but may still try and fail for a while. If Joomla offers any security plugin that automates blocking IPs after failed attempts, that could be an option to look at. I know WordPress offers that kind of brute-force protection, so it's not a long stretch to think Joomla may too.
     
  4. spacresx

    spacresx Active Member

    @ kane1x10
    If you want to stop certain IPs from getting to your website,
    here is a simple way to do it.

    In your main .htaccess file (if you have one), add these lines and the IP address.
    Some examples using the IP address 212.109.192.123:

    # Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat
    Order Allow,Deny
    Allow from All
    # Examples, narrowest to widest: one address, then the /24, /16 and /8 ranges containing it
    Deny from 212.109.192.123
    Deny from 212.109.192.0/24
    Deny from 212.109.0.0/16
    Deny from 212.0.0.0/8

    This is an example of how you can block unwanted IPs easily.
     
  5. garrettroyce

    garrettroyce Community Support Community Support

    Is there a captcha you can install for your admin login screen?
     
  6. kane1x10

    kane1x10 Member

    I did 2FA. But they submitted anyhow.
     
  7. kane1x10

    kane1x10 Member

    I changed the login name of the Administrator from "admin" to something else. Tested, and attempts to "admin" don't even make it to the logs. I assume whoever it is may keep trying, but they will never guess the password because the response does not help them to know which was wrong, the password or the ID. I guess at this point just let them keep trying. At least I no longer see the attempts in the log since it does not log wrong username attempts. Although ... I think it should.
     
  8. kane1x10

    kane1x10 Member

    Did that when it was just one IP. But now they are using a VPN with IP randomizer. There is no way to know what IP it will come from next.
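
Added example, not part of any post in this thread: a Python tally of failed admin logins over rows shaped like the action log pasted above. It shows why a per-IP failure threshold rarely fires when almost every attempt comes from a different address, while a count kept per account does. The sample rows (documentation address ranges), the thresholds and the function name `analyze` are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches rows in the layout of the Joomla action log pasted in this thread.
ROW = re.compile(
    r"^User (?P<user>\S+) (?P<act>tried to login|logged in) to admin Users "
    r".+?\. Administrator (?P<src>.+) (?P<id>\d+)$"
)

# Constructed sample rows, newest first like the real log (not real sources).
SAMPLE = """\
User admin logged in to admin Users 1 hour ago. Administrator <owner> 2010
User admin tried to login to admin Users 2 hours ago. Administrator 192.0.2.10 2009
User admin tried to login to admin Users 2 hours ago. Administrator 198.51.100.23 2008
User admin tried to login to admin Users 3 hours ago. Administrator 203.0.113.5 2007
User admin tried to login to admin Users 3 hours ago. Administrator 192.0.2.77 2006
User admin tried to login to admin Users 4 hours ago. Administrator 198.51.100.23 2005
User admin tried to login to admin Users 4 hours ago. Administrator 203.0.113.140 2004
User admin tried to login to admin Users 5 hours ago. Administrator 192.0.2.201 2003
User admin tried to login to admin Users 5 hours ago. Administrator 198.51.100.9 2002
User admin logged in to admin Users 2 days ago. Administrator <owner> 2001
"""

def analyze(text, per_ip_limit=3, per_account_limit=5):
    """Compare a per-IP failure limit with a per-account failure streak limit."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    rows = sorted((m.groupdict() for m in matches if m), key=lambda r: int(r["id"]))
    per_ip = Counter()   # failures per source address
    streak = Counter()   # consecutive failures per account since its last success
    worst = Counter()    # longest such streak per account
    for r in rows:       # oldest first, because the log ID only increases
        if r["act"] == "logged in":
            streak[r["user"]] = 0
            continue
        per_ip[r["src"]] += 1
        streak[r["user"]] += 1
        worst[r["user"]] = max(worst[r["user"]], streak[r["user"]])
    return {
        "failures": sum(per_ip.values()),
        "distinct_sources": len(per_ip),
        "blocked_by_ip_rule": sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit),
        "accounts_over_limit": sorted(u for u, n in worst.items() if n >= per_account_limit),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A hard per-account lockout can also shut out the real owner, so it is usually applied as a delay or paired with 2FA rather than as a permanent block.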
     
  9. spacresx

    spacresx Active Member

    @ kane1x10
    There are similar ways to block referrers and user agents too, if that's helpful.

    Have you tried Google's reCAPTCHA?
    I know of a captcha script called "botprotection"; it would trigger Google's reCAPTCHA
    if you hook it to the admin login page.

    Another suggestion is to try CIDRAM (https://github.com/CIDRAM/CIDRAM). It's free,
    and does work very well for blocking Stop Forum Spam IPs too.

    But personally I prefer doing the blocking at the .htaccess file level myself.
    Some may also suggest trying Cloudflare, but I don't like that one myself.

    these are only suggestions.
     
  10. cjptomas80

    cjptomas80 Member

    It doesn't matter to them anyway. All they want is administrator access then insert their code on your site for their own purposes. I have seen a lot of my emails spam folder using the exploit site to do their malicious activity.
     
  11. garrettroyce

    garrettroyce Community Support Community Support

    @kane1x10 is there anything else you need help with at this time?
     
  12. garrettroyce

    garrettroyce Community Support Community Support

    @kane1x10 I'm closing this thread due to lack of activity. Please create a new thread if the need arises. Thank you.
     