Admin Account Being Attacked / Hacked

Discussion in 'Free Hosting' started by kane1x10, Mar 3, 2020.

Thread Status:
Not open for further replies.
  1. kane1x10

    kane1x10 Member

    I see in my Joomla site logs that someone is trying hundreds of times every 4 hours to log in as "admin".


    User admin tried to login to admin Users 2 hours ago. Administrator 193.106.31.130 10221
    User admin tried to login to admin Users 2 hours ago. Administrator 193.106.31.130 10220
    User admin tried to login to admin Users 2 hours ago. Administrator 193.106.31.130 10219

    That goes on and on for a couple hundred and then repeats about every 4 hours.

    Is there a way to blacklist 193.106.31.130?

    It is known to be a hacking site located in Ukraine. https://www.abuseipdb.com/check/193.106.31.130
     
    Last edited: Mar 3, 2020
  2. Anna

    Anna I am just me Staff Member

    The IP should now be blocked in our firewall.
     
  3. kane1x10

    kane1x10 Member

    Wow! Such quick response. Thanks a LOT!!

    Looking at the logs, that IP should have tried again in the past half hour based on the past pattern. Looks like it is not getting to "try" to log in anymore.
     
  4. kane1x10

    kane1x10 Member

    Dang. :-( That same IP is back today. It showed back up at 6:50 PM yesterday. Same pattern as before. The blacklist didn't hold.
     
  5. mycoo368

    mycoo368 Member

    The only thing I miss with cPanel: the manual IP block. Something I could suggest is to use Cloudflare as the security aspect, where you can go in and block the IP.
     
  6. spacresx

    spacresx Community Advocate Community Support

    You can use an htaccess file to block the IP address.
    This is the format that I use:
    Just select which "Deny from" you want to use.
    I use the "ErrorDocument 403" to localhost the IPs that I block.
    That's optional; you don't have to use it.
     
  7. garrettroyce

    garrettroyce Community Support Community Support

    Good suggestion. Just a note that the ErrorDocument is not required, but using 127.0.0.1 is pretty funny. The file should go in your public_html folder and is named ".htaccess" (no quotes). The file may already exist; just add your code at the top of the file. IP addresses can be blocked via full IP, partial IP, or IP block.

    # denies 1 IP address
    Deny from 1.2.3.4
    # denies 256 IP addresses 1.2.3.0 to 1.2.3.255
    Deny from 1.2.3
    # denies 65,536 IP addresses from 1.2.0.0 to 1.2.255.255
    Deny from 1.2
    # denies 1 IP address 1.2.3.4
    Deny from 1.2.3.4/32
    # denies 2 IP addresses 1.2.3.4 to 1.2.3.5
    Deny from 1.2.3.4/31
    # denies 4 IP addresses 1.2.3.4 to 1.2.3.7
    Deny from 1.2.3.4/30

    Some of the block and partial IP address syntax can be tricky and can end up blocking the wrong people (e.g. "68" or "/0"), so be careful. Your x10 administration panel isn't bound by this rule.

    Please post if you have any further trouble. Please also note that your .htaccess file may contain sensitive information about your website, so make sure you know what you're posting.
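
Added example, not part of the post above: a Python check that reports how many addresses each `Deny from` argument covers, for the full, partial and CIDR forms listed, and what happens when a `#` comment shares a line with the directive (Apache has no end-of-line comments, so each trailing word is read as another argument). `SAMPLE`, `deny_range` and `audit` are names made up for this example, and the sample `.htaccess` text is constructed.

```python
import ipaddress

# Constructed sample .htaccess lines (only the first IP appears in the thread).
SAMPLE = """\
# block the brute-force source
Deny from 193.106.31.130
Deny from 1.2.3
Deny from 68
Deny from 1.2.3.4/30 # denies 4 IP addresses
"""

def deny_range(spec):
    """Network covered by one 'Deny from' argument: all, full IP, partial IP or CIDR."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        # strict=False masks off host bits, so 1.2.3.4/0 becomes 0.0.0.0/0
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) > 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {spec!r}")
    # A partial IP of n octets matches every address that starts with them.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def audit(htaccess_text, max_addresses=256):
    """Return (line_no, spec, network, address_count, warning) for every argument."""
    findings = []
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        words = line.split()
        if [w.lower() for w in words[:2]] != ["deny", "from"]:
            continue
        # Every remaining word on the line is an argument, including "# ..." text.
        for spec in words[2:]:
            try:
                net = deny_range(spec)
            except ValueError:
                findings.append((no, spec, None, 0, "not an IPv4 spec"))
                continue
            warn = "broader than expected" if net.num_addresses > max_addresses else ""
            findings.append((no, spec, net, net.num_addresses, warn))
    return findings

if __name__ == "__main__":
    for no, spec, net, count, warn in audit(SAMPLE):
        print(f"line {no}: {spec!r:18} {str(net):18} {count:>11} {warn}")
```

On the sample, the `4` inside the trailing comment on the last line is flagged as a block of 4.0.0.0/8, the same size as the bare `68` on the line before it.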
     
  8. kane1x10

    kane1x10 Member

    Great idea. I had forgotten about the .htaccess file. Blocking at the firewall for this kind of source is probably better. It is nothing but a bad actor.

    The address was gone again during daylight yesterday, CST. Then it came back overnight. It's as if the firewall block goes away.

    I will try the .htaccess file and see what that does. This is my Administration for Joomla site, so the path is that home, and not my regular site home. I added the deny to both files anyhow.
     
  9. Anna

    Anna I am just me Staff Member

    Yeah, I did re-add it to the firewall yesterday, as it had for some reason been removed. I'll investigate to see if there's a better way to do it, so it stays permanently blocked.
     
  10. kane1x10

    kane1x10 Member

    Nothing since I added the deny in .htaccess. Not sure if that alone did it or if the firewall block is sticking now.
     
  11. garrettroyce

    garrettroyce Community Support Community Support

    Thank you for following up. Please let us know if the issue occurs again.
     