Admin Account Being Attacked / Hacked

Status
Not open for further replies.

kane1x10

Member
Messages
46
Reaction score
0
Points
6
I see in my joomla site logs that someone is trying hundreds of times every 4 hours to login as "admin".


User admin tried to login to admin Users 2 hours ago. Administrator 193.106.31.130 10221
User admin tried to login to admin Users 2 hours ago. Administrator 193.106.31.130 10220
User admin tried to login to admin Users 2 hours ago. Administrator 193.106.31.130 10219

That goes on and on for a couple hundred and then repeats about every 4 hours.

Is there a way to blacklist 193.106.31.130?

It is known to be a hacking site located in Ukraine. https://www.abuseipdb.com/check/193.106.31.130
 
Last edited:

Anna

I am just me
Staff member
Messages
11,733
Reaction score
578
Points
113
The IP should now be blocked in our firewall.
 

kane1x10

Member
Messages
46
Reaction score
0
Points
6
Wow! Such quick response. Thanks a LOT!!

Looking at the logs, that IP should have tried again in the past half hour based on the past pattern. Looks like it is not getting to "try"
to login anymore.
 

kane1x10

Member
Messages
46
Reaction score
0
Points
6
Dang. :-( That same IP is back today. It showed back up at 6:50 PM yesterday. Same pattern as before. The blacklist didn't hold.
 

mycoo368

Member
Messages
183
Reaction score
4
Points
18
Dang. :-( That same IP is back today. It showed back up at 6:50 PM yesterday. Same pattern as before. The blacklist didn't hold.
The only thing I miss with cPanel. The IP manual block. Something I could suggest is to use Cloudflare as the security aspect where you can go in and block the IP
 

spacresx

Community Advocate
Community Support
Messages
2,182
Reaction score
195
Points
63
You can use an htaccess file to block the ip address.
this is the format that i use:
ErrorDocument 403 http://127.0.0.1
Order Allow,Deny
Allow from All
#
Deny from 193.106.31.130
Deny from 193.106.31.0/24
Deny from 193.106.0.0/16
Deny from 193.0.0.0/8
just select which "Deny from" you want to use.
i use the "ErrorDocument 403" to localhost the ip's that i block.
thats optional you dont have to use it.
 

garrettroyce

Community Support
Community Support
Messages
5,611
Reaction score
249
Points
63
You can use an htaccess file to block the ip address.
this is the format that i use:
just select which "Deny from" you want to use.
i use the "ErrorDocument 403" to localhost the ip's that i block.
thats optional you dont have to use it.

Good suggestion. Just a note that the ErrorDocument is not required, but using 127.0.0.1 is pretty funny. The file should go in your public_html folder and is named ".htaccess" (no quotes). The file may already exist, just add your code at the top of the file. IP address can be blocked via full IP, partial IP, or IP block.

Deny from 1.2.3.4 # denies 1 IP address
Deny from 1.2.3 # denies 256 IP addresses 1.2.3.0 to 1.2.3.255
Deny from 1.2 # denies 32,512 IP address from 1.2.0.0 to 1.2.255.255
Deny from 1.2.3.4/32 # denies 1 IP address 1.2.3.4
Deny from 1.2.3.4/31 # denies 2 IP addresses 1.2.3.4 to 1.2.3.5
Deny from 1.2.3.4/30 # denies 4 IP addresses 1.2.3.4 to 1.2.3.7

Some of the block and partial IP address syntax can be tricky and can end up blocking the wrong people (eg "68" or "/0") so be careful. Your x10 administration panel isn't bound by this rule.

Please post if you have any further trouble. Please also note that your .htaccess file may contain sensitive information about your website, so make sure you know what you're posting.
 

kane1x10

Member
Messages
46
Reaction score
0
Points
6
Great idea. I had forgotten about the .htaccess file. Blocking at the firewall for this kind of source is probably better. It is nothing but a bad actor.

The address was gone again during daylight yesterday, CST. Then it came back overnight. It's as if the firewall block goes away.

I will try the .htaccess file and see what that does. This is my Administration for joomla site, so the path is that home, and not my regular site home. I added the deny to both files anyhow.
 

Anna

I am just me
Staff member
Messages
11,733
Reaction score
578
Points
113
Yeah, I did readd it to firewall yesterday, as it had for some reason been removed. I'll investigate to see if there's a better way to do it, so it stays permanently blocked.
 

kane1x10

Member
Messages
46
Reaction score
0
Points
6
Nothing since I added the deny in .htaccess. Not sure if that alone did it or if the firewall block is sticking now.
 

garrettroyce

Community Support
Community Support
Messages
5,611
Reaction score
249
Points
63
Thank you for following up. Please let us know if the issue occurs again.
 
Status
Not open for further replies.
Top