Joomla sites under massive brute force attacks

Posted by elialum, 05-29-2013, 08:56 AM
Hi, In the last couple of days I've noticed high traffic & cpu spikes in some sleepy sites. Investigating the access-logs, I've noticed a *massive* brute force on the joomla administrator. This is not the first time I've seen this, but usually it's from one single ip, and we easily mitigate these attacks (just block the ip). This one is different - there are dozens of simultaneous connections from different ips from all around the world to one single site. It looks like the previous attack on wordpress sites, only that now it aims mainly on Joomla. If anyone else have some more information about this, please share. Eli.

Posted by CharmServer, 05-29-2013, 09:10 AM
We noticed an increase of login requests to Joomla administrator pages last night and in some cases we had the server load increased to very high levels. It seems it is Joomla under attack now. We are monitoring closely the situation and hope that they stop the attack soon.

Posted by XLT_Frank, 05-29-2013, 09:53 AM
Does the server you are on have CSF? If so, enable (or have someone enable) login failure detection of Apache .htpasswd connections. Then set up an htaccess/htpasswd file for the administration directory, whether it is Joomla, vBulletin, etc. It's a second authentication and is a great way to push an IP to the block list.

Posted by (Stephen), 05-29-2013, 10:11 AM
We are seeing as well on the admin pages now.

Posted by albatroz, 05-29-2013, 12:18 PM
Any further updates on this?

Posted by BestServerSupport, 05-29-2013, 12:19 PM
If this is happening from the same IP address continuously then I would suggest you to block this IP address in your server firewall. CSF is a better choice to use as a firewall. Also, please make sure that the plugins you have installed are up to date.

Posted by darkhorse, 05-29-2013, 12:55 PM
It's a common issue; nothing will happen after blocking the IP in CSF. Need to check the Joomla theme, modules, plugins, etc.; there is a high possibility that they are vulnerable. Uninstall unwanted modules/plugins. This should help.

Posted by IPv4_for_lease, 05-29-2013, 01:11 PM
Not that much to do to mitigate these attacks. It seems to have been going off and on for a month already, hitting from different IPs every time. Just make sure to e-mail your clients who use Joomla or WordPress and tell them to make sure that they have a secure password that's not common, and help them lock down their login page.

Posted by WeWatch, 05-29-2013, 01:35 PM
The best method to prevent a successful login is to have a good, strong password. At least 9 characters, upper and lower case, numbers and some special characters too. The .htaccess/.htpasswd double login works well too. But too often we see where people don't like that - of course they also don't want their site to get infected either. In the log files for Joomla sites where we've been seeing these attacks, there is also other probing going on, almost hidden in the sea of attempted logins. The hackers appear to be looking for outdated components. If it's a Joomla 1.5.x site they look for outdated jce. We've also seen many probes for openflashcart/tmp-upload-images. This folder is also seen in openflash (no cart after). Things that are ineffective are blocking by IP address. This is like the old adage of the dog chasing its tail. What's interesting is that we've been seeing IP addresses from the hosting provider being used to attack Joomla sites by the same hosting provider. This really makes blocking by IP address a waste of time. So let's say your Joomla site is hosted with 'X' who has large blocks of IP addresses. The hackers infect one Joomla site hosted with 'X' then use that site to attack other Joomla sites hosted with 'X'. All of this is just our experience and your mileage may vary...

Posted by IPv4_for_lease, 05-29-2013, 02:45 PM
How are the hackers infecting the hosted Joomla site is the question. Is it the client side that gets infected or are they actually getting into the host machine and messing with Apache? This seems a bit similar to what happened with Godaddy about a month ago. Wordpress sites on Godaddy got compromised and injected with a malicious code through the use of Apache.

Posted by WeWatch, 05-29-2013, 02:56 PM
Most likely it's an exploit targeted at Joomla or a component/module. There are many, many outdated Joomla sites. In all the Joomla cases we've handled in the past 2 weeks (1,741), the site used to attack other Joomla websites was an outdated version of Joomla. That's across 9 different hosting providers.

Posted by bune, 05-29-2013, 04:19 PM
Make sure Joomla is upgraded to the latest version, tweak mod_security, install a firewall like CSF.

Posted by whmcsguru, 05-30-2013, 05:34 AM
I've seen a lot of these myself as well the past couple of days. Unfortunately, this isn't going to be simply solved by adding a firewall, or strong passwords (though of course, strong passwords are always recommended). The goal of these is to DDOS your server. From what I've seen so far, this is the same, exact thing as the (later) WordPress admin attacks. These guys are using the same practices, launching attacks from hundreds of different IPs, in an effort not to actually gain access to your admin area, but to take down the server itself. Solution: use an htaccess, something like This will prevent the attacker from actually doing anything (i.e. tying up server resources with PHP/MySQL) and simply show a webserver error saying they shouldn't be there.
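XLT_Frank's .htaccess/.htpasswd suggestion above and the htaccess whmcsguru refers to here point at the same control: make Apache demand a second login for the administrator directory so a failed guess is answered by a 401 from mod_auth before any PHP or MySQL work happens. The helper below is an added example, not the snippet from either post and not Joomla's own code; it assumes Apache 2.4 `Require` syntax with mod_auth_basic and mod_authn_file loaded, `AllowOverride AuthConfig` for the directory, and the docroot, password-file path and trusted network are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): write an .htaccess for the Joomla
# administrator directory that puts HTTP Basic auth in front of the Joomla
# login page. Assumes Apache 2.4 directives; paths below are placeholders.

# $1 = Joomla docroot, $2 = absolute path of the htpasswd file (keep it
# OUTSIDE the docroot), $3 = optional network that may skip the password
# prompt, e.g. an office or VPN range (constructed placeholder in the test).
write_admin_htaccess() {
    docroot=$1; passfile=$2; trusted_net=${3:-}
    target="$docroot/administrator/.htaccess"
    mkdir -p "$docroot/administrator"
    {
        echo 'AuthType Basic'
        echo 'AuthName "Restricted administration area"'
        echo "AuthUserFile $passfile"
        if [ -n "$trusted_net" ]; then
            # Either a valid htpasswd login or a request from the trusted
            # network satisfies the requirement; everything else gets a 401.
            echo '<RequireAny>'
            echo "    Require ip $trusted_net"
            echo '    Require valid-user'
            echo '</RequireAny>'
        else
            echo 'Require valid-user'
        fi
    } > "$target"
    echo "$target"
}

# Refuse a password file that lives inside the docroot ($1): it would be one
# misconfiguration away from being served to the attacker as a plain file.
passfile_outside_docroot() {
    case "$2" in
        "$1"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone run with placeholder paths (prints the file it wrote).
if [ "${DEMO:-}" = "1" ]; then
    passfile_outside_docroot /var/www/example /etc/apache2/joomla.htpasswd &&
        write_admin_htaccess /var/www/example /etc/apache2/joomla.htpasswd 198.51.100.0/24
fi
```

Create the password file outside the docroot with `htpasswd -B -c /etc/apache2/joomla.htpasswd <user>` (bcrypt, Apache 2.4). This also gives XLT_Frank's CSF step something to count: the `LF_HTACCESS` setting in csf.conf tracks htpasswd failures, so an address that keeps guessing is pushed to the block list, while whmcsguru's caveat still stands that a source that takes one shot and moves on never trips that counter; what the second login buys in that case is that each shot costs the server a 401 rather than a PHP/MySQL round-trip.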

Posted by 5wire, 05-30-2013, 11:41 AM
CloudFlare released a blog post about a similar thing happening with WordPress a few weeks ago; something similar could be happening with Joomla too. As with the previous suggestions, ever since we installed CSF across all our servers three months ago we've noticed such brute force attacks being closed off very quickly. Good practice is to encourage customers to install the failed-login protection plugins available for their systems.

Posted by whmcsguru, 05-30-2013, 12:11 PM
This is precisely the same thing. Not only this, but the WP attack is coming back as well. It had died down after migrating to multiple IPs, but it's back now from what I've observed. CSF can't help here. Why? Well, simply put, this is a legitimate distributed attack. From what I've seen the past 3 or 4 days: these attackers aren't coming at you in a method that a firewall can prevent. They're taking one shot at your login, failing, and moving along. We're not talking 20, 30 IP addresses, we're talking 400+ from a plethora of ranges. This isn't something a firewall was designed to prevent, honestly.
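Two observations in this thread can be checked directly in the access log: WeWatch's point that component probes are hidden among the login attempts, and whmcsguru's point that the distributed variant shows up as hundreds of addresses taking one shot each, which is what makes per-IP blocking in CSF/LFD ineffective. The script below is an added example, not code from either poster; the log lines are constructed in Apache common log format, the distributed threshold is an assumption, and the probe paths are constructed from the component names mentioned in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise a Joomla access log so you
# can tell a single-source brute force (one IP, many attempts) from the
# distributed one (many IPs, a shot or two each), and surface the component
# probes hidden among the login attempts. Log lines are constructed for the
# demo; on a real server feed the site's access log instead.

# Threshold for calling an attack distributed: an assumption for the demo.
DISTRIBUTED_MIN_IPS=10
# Path fragments that match probes for outdated components; the two names come
# from the thread, the exact paths used in the sample are constructed.
PROBE_PATTERNS='com_jce|openflashchart/tmp-upload-images'

build_sample_log() {
    # Three shots from one address: the old single-IP pattern.
    i=1
    while [ "$i" -le 3 ]; do
        echo "203.0.113.10 - - [29/May/2013:08:50:0$i +0000] \"POST /administrator/index.php HTTP/1.1\" 303 512"
        i=$((i + 1))
    done
    # One shot each from twelve addresses: the distributed pattern.
    i=1
    while [ "$i" -le 12 ]; do
        echo "198.51.100.$i - - [29/May/2013:09:00:00 +0000] \"POST /administrator/index.php HTTP/1.1\" 303 512"
        i=$((i + 1))
    done
    # Component probes (constructed paths) and one ordinary visitor, for contrast.
    echo '192.0.2.44 - - [29/May/2013:09:01:00 +0000] "GET /components/com_jce/ HTTP/1.1" 404 210'
    echo '192.0.2.44 - - [29/May/2013:09:01:01 +0000] "GET /libraries/openflashchart/tmp-upload-images/ HTTP/1.1" 404 210'
    echo '192.0.2.45 - - [29/May/2013:09:02:00 +0000] "GET /index.php HTTP/1.1" 200 8421'
}
SAMPLE_LOG=$(build_sample_log)

# Count POSTs to the administrator login per source IP, busiest first.
# Fields in common log format: $1 ip, $6 "METHOD, $7 path, $9 status.
login_attempts_per_ip() {
    printf '%s\n' "$1" |
        awk '$6 == "\"POST" && $7 ~ /^\/administrator\/index\.php/ { c[$1]++ }
             END { for (ip in c) print c[ip], ip }' |
        sort -rn
}

# One-line verdict: many IPs with at most a couple of attempts each is the
# distributed pattern that per-IP blocking cannot keep up with.
classify_attack() {
    counts=$(login_attempts_per_ip "$1")
    if [ -z "$counts" ]; then
        echo "no admin login attempts"
        return 0
    fi
    printf '%s\n' "$counts" | awk -v min_ips="$DISTRIBUTED_MIN_IPS" '
        { ips++; total += $1; if ($1 > max) max = $1 }
        END {
            kind = (ips >= min_ips && total / ips <= 2) ? "distributed" : "single-source"
            printf "%s: %d IPs, %d login attempts, max %d from one IP\n", kind, ips, total, max
        }'
}

# Requests whose path matches a probe pattern, printed as "ip status path".
component_probes() {
    printf '%s\n' "$1" | awk -v pat="$PROBE_PATTERNS" '$7 ~ pat { print $1, $9, $7 }'
}

# Stand-alone run against the constructed sample.
classify_attack "$SAMPLE_LOG"
component_probes "$SAMPLE_LOG"
```

On a live server the same two questions are the ones to ask before deciding on a response: if `classify_attack` reports a handful of IPs with many attempts, a CSF block or an LFD trigger solves it; if it reports the distributed shape, blocking is the dog chasing its tail and the effort is better spent on the second login in front of `/administrator`, while the probe list tells you which outdated components the same traffic is looking for.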

Posted by 5wire, 05-30-2013, 12:18 PM
Ah yes of course, my mistake. CSF protects against cPanel services rather than scripts.

Posted by whmcsguru, 05-30-2013, 12:21 PM
CSF / LFD can do alright against login failures and DOS attacks. I'm not going to deny that, but for a true DDOS attack (which these are becoming), you're going to have to spend a hefty fee for hardware firewalls, and even then, it's not likely they will help more than hurt.
