Constant Attacks on our website
Posted by citycm, 12-07-2011, 07:24 PM |
About a year ago I installed a plugin for our Joomla-based website that alerts me to any hack attempts on the website. Since installing the module, we've had a couple of warnings every couple of months but nothing worth worrying about. However, in the past 48 hours, we've had about 25 alerts, all from different IP addresses, but the majority of them are originating from the same network. Here is what the alert says:
I'm just wondering if anyone can help me to understand what these people are trying to do and if there's anything I can do to either stop it or protect the server even more than it already is protected?
Thanks in advance
|
Posted by quantumphysics, 12-07-2011, 07:52 PM |
umm, ignore it and let them hammer at it
it happens, deal w/it
|
Posted by Alex LD, 12-07-2011, 08:18 PM |
I would say that is probably the worst option.
However, I'm not an expert in security or anything, but it looks like an attempted SQL Injection.
Usually, each release developers make is done to ensure security across their frameworks in some way. So first and foremost, I would suggest making sure you're not using an old copy of Joomla. The older it's been out, the more time hackers can find ways to hack it. This is true for not just the Joomla Framework alone, but any modules and plugins you may be using.
update:
I just looked up some of the commands attempted, pretty particular it's an SQL injection attempt.
The best bit of advice I would offer is to block the IP. Who knows how big his/their IP arsenal is, but eventually they will get tired or run out of IPs. Unless your website has a significance to them, they will probably just pick up and go to the next site.
Good luck.
Last edited by Alex LD; 12-07-2011 at 08:29 PM.
|
Posted by SolidJoe, 12-07-2011, 08:56 PM |
I will buy a hat and eat it if this isn't just a random port scan/exploit scan. ANY ip on the net, from your server to your grandma's webtv is going to get scanned by these. If there is no exploit response, they move on. Blocking ips is generally useless, as they are almost certainly just compromised end user machines. The most you would want to do is block for a short period of time, 24 hrs, just to prevent annoyance on your end. Long term blocks would be pointless.
|
Posted by citycm, 12-07-2011, 09:46 PM |
Thanks for the replies guys. What leads me to think it's not a random scan is it mentions a table called 'jos_users' and another variety of the same attack mentions 'mos_users'. These are standard Joomla SQL table names so it seems they're targeting Joomla sites.
I have been blocking the IP addresses but it's not making any difference.
|
Posted by quantumphysics, 12-07-2011, 09:54 PM |
It is a random scan, by a ton of unrelated things going on simultaneously.
Joomla has more holes than Swiss cheese, almost every Joomla extension is probably a crap pile, automated tools will see that because Joomla also likes to advertise its version and "powered by" everywhere.
|
Posted by SolidJoe, 12-07-2011, 10:03 PM |
You could always try CloudFlare. People seem to rave about it.
|
Posted by Alex LD, 12-07-2011, 10:59 PM |
I'm not going to link to the thread I found because it literally shows people how to do an SQL Injection running the same commands that the OP has pasted.
I don't think a generic port scan would target Joomla, and I don't think Joomla would be the only one spitting out the Alert of the issue if it were just a "random port scan/exploit".
If CSF is installed and root email notifications are set up correctly (assuming it's cPanel), you'll get notifications saying port scans were detected and blocked. I think CSF does this by default. But I'm not sure what you're using, OP.
|
Posted by quantumphysics, 12-07-2011, 11:08 PM |
It's not a port scan, but it IS an automated scan.
|
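Added example, not part of the thread or any poster's code: a log-triage sketch for the situation discussed above. It flags requests that reference the Joomla user tables named in the thread (jos_users, mos_users), groups the sources by network to check the "same network" observation, and computes a 24-hour block expiry per IP. The combined-style access-log format, the sample lines and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_network
from urllib.parse import unquote_plus

# Constructed sample access-log lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
198.51.100.14 - - [07/Dec/2011:18:02:11 +0000] "GET /index.php?option=com_content&id=1+union+select+username,password+from+jos_users HTTP/1.1" 200 512
198.51.100.77 - - [07/Dec/2011:18:05:40 +0000] "GET /index.php?id=1%20UNION%20SELECT%201,2%20FROM%20mos_users HTTP/1.1" 200 498
203.0.113.9 - - [07/Dec/2011:18:09:02 +0000] "GET /index.php?option=com_users&view=login HTTP/1.1" 200 2301
198.51.100.201 - - [07/Dec/2011:18:11:29 +0000] "GET /index.php?cat=-1/**/union/**/select/**/1/**/from/**/jos_users HTTP/1.1" 200 505
192.0.2.55 - - [07/Dec/2011:18:30:00 +0000] "GET /?q=1+UNION+SELECT+password+FROM+jos_users HTTP/1.1" 200 77
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')
# A UNION SELECT that names a default Joomla/Mambo user table.
PROBE_RE = re.compile(r'\bunion\b.*\bselect\b.*\b(?:jos|mos)_users\b', re.I)

def find_probes(log_text):
    """Return a list of (ip, timestamp) for requests that match PROBE_RE."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        # Undo URL encoding and treat inline SQL comments as whitespace before matching.
        decoded = re.sub(r'/\*.*?\*/', ' ', unquote_plus(target))
        if PROBE_RE.search(decoded):
            hits.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")))
    return hits

def by_network(hits, prefix=24):
    """Count probing requests per source network (default /24)."""
    return Counter(str(ip_network(f"{ip}/{prefix}", strict=False)) for ip, _ in hits)

def block_until(hits, hours=24):
    """Map each probing IP to the time a temporary block expires (last probe + hours)."""
    last = {}
    for ip, ts in hits:
        last[ip] = max(last.get(ip, ts), ts)
    return {ip: ts + timedelta(hours=hours) for ip, ts in last.items()}

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    print(by_network(hits).most_common())
    print(block_until(hits))
```

The per-network count shows whether a single short-lived range block would cover most of the alerts instead of chasing individual addresses.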