Can we just remove <meta name="generator" content="Joomla! >?

vicn1222 · Post by **vicn1222** » Sat Sep 25, 2021 4:10 pm

Finally got website converted to joomla and today is the first day it is online.

Already have huge attacks. I try to ban the bad IPs using firewall, but it seems he has many IPs.

I think the problem is joomla header, which let bad guy know what it is, and find correct attack tools. I edit the code to remove that "generator", but got wiped out on a new update.

<meta name="generator" content="Joomla! - Open Source Content Management" />

(1) Got 2 spam emails, even though I have Captcha on. I had my own simple spam verification on my contact page for years, and never got a single spam email. I simply generate two random numbers, and ask the person to sum them (number is shown inside images), such as 9 + 7 = ?

(2) Someone is attacking with SQL query on search page and sign-in page, such as

Code: Select all

194.61.25.18 - - [25/Sep/2021:01:54:19 -0500] "GET /insider-trading/\"%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4164=6508)%20THEN%20''%20ELSE%200x28%20END))--%20DAyx2016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:20 -0500] "GET /insider-trading/\"%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))--%20phWW2016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:20 -0500] "GET /insider-trading/)%20RLIKE%20(SELECT%20(CASE%20WHEN%20(8656=9419)%20THEN%20''%20ELSE%200x28%20END))%20AND%20(7416=74162016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:21 -0500] "GET /insider-trading/)%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))%20AND%20(1087=10872016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:22 -0500] "GET /insider-trading/))%20RLIKE%20(SELECT%20(CASE%20WHEN%20(1431=1548)%20THEN%20''%20ELSE%200x28%20END))%20AND%20((8396=83962016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:23 -0500] "GET /insider-trading/))%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))%20AND%20((8073=80732016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:23 -0500] "GET /insider-trading/)))%20RLIKE%20(SELECT%20(CASE%20WHEN%20(6195=8060)%20THEN%20''%20ELSE%200x28%20END))%20AND%20(((7613=76132016.htm HTTP/1.1" 500 5774 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:24 -0500] "GET /insider-trading/)))%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))%20AND%20(((5611=56112016.htm HTTP/1.1" 500 5774 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:25 -0500] "GET /insider-trading/%20RLIKE%20(SELECT%20(CASE%20WHEN%20(9782=6062)%20THEN%20''%20ELSE%200x28%20END))2016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:26 -0500] "GET /insider-trading/%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))2016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:26 -0500] "GET /insider-trading/')%20RLIKE%20(SELECT%20(CASE%20WHEN%20(6565=7780)%20THEN%20''%20ELSE%200x28%20END))%20AND%20('BHoJ'='BHoJ2016.htm HTTP/1.1" 500 6114 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"


194.61.25.18 - - [25/Sep/2021:10:51:09 -0500] "POST /account/sign-in?task=user.login%29%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%287934%3D7934 HTTP/1.1" 200 8632 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:09 -0500] "POST /account/sign-in?task=user.login%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29 HTTP/1.1" 200 8621 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:10 -0500] "POST /account/sign-in?task=user.login%27%29%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%28%27DTym%27%3D%27DTym HTTP/1.1" 200 8632 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:11 -0500] "POST /account/sign-in?task=user.login%27%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%27haTS%27%3D%27haTS HTTP/1.1" 200 8632 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:12 -0500] "POST /account/sign-in?task=user.login%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29--%20hcJb HTTP/1.1" 200 8627 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:12 -0500] "POST /account/sign-in?task=user.login%29%20AND%207108%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%287108%3D7108%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28122%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%285878%3D5878 HTTP/1.1" 200 8643 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:13 -0500] "POST /account/sign-in?task=user.login%20AND%207108%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%287108%3D7108%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28122%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29 HTTP/1.1" 200 8632 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:14 -0500] "POST /account/sign-in?task=user.login%27%29%20AND%207108%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%287108%3D7108%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28122%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%28%27kMmu%27%3D%27kMmu HTTP/1.1" 200 8643 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"

Post by **Per Yngve Berg** » Sat Sep 25, 2021 5:22 pm

There is so many ways to identify Joomla, so a missing generator will not make any difference.

1) I'm getting no spam either, using HashCash as Captcha.

https://extensions.joomla.org/extension/hashcash/

sozzled · Post by **sozzled** » Sat Sep 25, 2021 7:13 pm

See viewtopic.php?f=803&t=987908#p3638294 for how to remove "generator" tag.

JTema · Post by **JTema** » Sat Sep 25, 2021 7:16 pm

Also make sure that invisible recaptcha (V2) which is more effective is enabled. See that topic : viewtopic.php?f=706&t=970169

sozzled · Post by **sozzled** » Sat Sep 25, 2021 7:23 pm

The meta generator tag has nothing to do with spam (or counter-spam measures that people may recommend or use).

vicn1222 · Post by **vicn1222** » Sun Sep 26, 2021 4:31 am

sozzled wrote: ↑
Sat Sep 25, 2021 7:13 pm
See viewtopic.php?f=803&t=987908#p3638294 for how to remove "generator" tag.

Thanks, the tag is removed using code below

Code: Select all

    $document = JFactory::getDocument();
    $document->setGenerator( "" );

@JTema : will try the invisible recaptcha.

Have to find a way to automatically ban the bad IPs.

sozzled · Post by **sozzled** » Sun Sep 26, 2021 4:49 am

vicn1222 wrote: ↑
Sun Sep 26, 2021 4:31 am
Have to find a way to automatically ban the bad IPs.

As I wrote (and @Per also observed), the "meta generator" tag has nothing to do with spam ...

Yes, you can remove the meta generator tag by removing a couple of lines from the your site template and, when there's a new update for J!, those lines will be added back in again. That's why you need a system plugin to do this for you automatically.

Post by **imanickam** » Sun Sep 26, 2021 5:22 am

sozzled wrote: ↑
Sun Sep 26, 2021 4:49 am
That's why you need a system plugin to do this for you automatically.

Such Plugin already exists in JED - ByeByeGenerator (https://extensions.joomla.org/extension ... generator/)

sozzled · Post by **sozzled** » Sun Sep 26, 2021 5:28 am

@imanickam: yes, you're right: that plugin exists for J! 3.x but it does not work with J! 4. @Sharky created a plugin that works for both J! 3 and J! 4.

You can read the discussion here: viewtopic.php?f=803&t=987908.

The Joomla! Forum™

Can we just remove <meta name="generator" content="Joomla! >?

Can we just remove <meta name="generator" content="Joomla! >?

Re: Can we just remove <meta name="generator" content="Joomla! >?

Re: Can we just remove <meta name="generator" content="Joomla! >?

Re: Can we just remove <meta name="generator" content="Joomla! >?

Re: Can we just remove <meta name="generator" content="Joomla! >?

Re: Can we just remove <meta name="generator" content="Joomla! >?

Re: Can we just remove <meta name="generator" content="Joomla! >?

Re: Can we just remove <meta name="generator" content="Joomla! >?

Re: Can we just remove <meta name="generator" content="Joomla! >?