
Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Mon Oct 28, 2019 6:56 pm
by mavaughan
My sites are set not to allow front end login on most of my Joomla sites, but I am getting error messages for bots trying to login with the userid

\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0


Anyone else getting these also?

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Mon Oct 28, 2019 7:18 pm
by sozzled
I cannot confirm the instance(s) of spamdexing / referrer spam mentioned by the OP but this kind of phenomenon is not confined to Joomla and it is not evidence of a security problem. I've written about this phenomenon elsewhere on the forum (see viewtopic.php?f=714&t=958501 as one example). It may also help to search the internet for "Who’s snooping around your website?"

I hope that helps. 8)

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Mon Oct 28, 2019 7:42 pm
by mavaughan
dee-9987 wrote:
Mon Oct 28, 2019 7:27 pm

Are the signs of attempted hacking on the Joomla site?
I do not believe so, but of all the attempted logging hacks I have seen with fake credentials in the past, this one has me puzzled.

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Mon Oct 28, 2019 7:46 pm
by sozzled
Did you see what I posted? As I said (wrote), this kind of activity—spamdexing/bombing—is commonplace but it does not indicate any specific security problem, per se.

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Mon Oct 28, 2019 9:44 pm
by SharkyKZ
My sites are set not to allow front end login on most of my Joomla sites
How exactly are you doing this? And where are you seeing these reports?

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Tue Oct 29, 2019 3:56 pm
by mavaughan
SharkyKZ wrote:
Mon Oct 28, 2019 9:44 pm
My sites are set not to allow front end login on most of my Joomla sites
How exactly are you doing this? And where are you seeing these reports?
Some of my sites do not have registered user content so there is no need to log in, so I do not have a front end login for users to log in, so the bots are attempting to log in directly through Joomla user login. Whenever there is a failed login I have a user report sent to my admin email for each of my sites that I manage.

The report looks like this:

MySite.com: Failed login attempt at http://mysite.com/
Username: \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
IP-Address: 84.232.253.81
Date and time: 2019-10-29 04:35:11
Origin: Frontend

The IP address is coming from Romania...

As the above poster stated, this is common, but not the username combination, which I have never seen before. So I was posting to let others know.

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Tue Oct 29, 2019 7:59 pm
by Ch3vr0n
Do what many of us do (including me), report the IP on abuseipdb.com ;)

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Tue Oct 29, 2019 8:49 pm
by Webdongle
Perhaps there is a captcha for a login form https://extensions.joomla.org/tags/captcha/

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Wed Oct 30, 2019 4:09 pm
by leolam
Ch3vr0n wrote:
Tue Oct 29, 2019 7:59 pm
Do what many of us do (including me), report the IP on abuseipdb.com ;)
Makes no sense at all. I can use any IP to get somewhere if I want. See https://www.techopedia.com/definition/2 ... -hijacking

Leo 8)

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Wed Oct 30, 2019 4:21 pm
by Ch3vr0n
Yeah, it's not guaranteed, IP spoofing is a very real thing. That site is pretty much just a database of "known" bad acting IPs. It's not an actual solution.

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Sun Nov 10, 2019 9:33 pm
by al707
Someone is trying to hack my site through frontend login.
He/she POSTs:
login: \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
Password:

AAA";s:11[ redacted ]s:6:"return";s:102

I googled: it seems to be a Joomla 3.0 - 3.4 vulnerability.
My site is 3.8
But maybe there is something new? Are there any experts here?
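
The two patterns reported so far in this thread (a username made only of `\0` sequences, and a form field carrying PHP-serialized string tokens) can be flagged automatically in failed-login notifications. The following is an added example, not code from any poster or from Joomla; the sample reports are constructed, the IP addresses are documentation addresses, and the `Password:` line is an assumed extra field that the report format quoted above does not include.

```python
import re
from collections import Counter

# Constructed sample in the report layout quoted in this thread. The IPs are
# documentation addresses; the "Password:" line is an assumed extra field.
SAMPLE = r'''MySite.com: Failed login attempt at http://mysite.com/
Username: \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
IP-Address: 192.0.2.10
Origin: Frontend

MySite.com: Failed login attempt at http://mysite.com/
Username: \0\0\0\0\0\0\0\0\0\0\0\0
Password: AAA";s:11[ redacted ]s:6:"return";s:102
IP-Address: 192.0.2.10

MySite.com: Failed login attempt at http://mysite.com/
Username: admin
IP-Address: 198.51.100.7
'''

FIELD = re.compile(r'^(Username|Password|IP-Address|Origin):\s*(.*)$')
# Value built only from literal "\0" escapes or raw NUL bytes.
NUL_RUN = re.compile(r'^(?:\\0|\x00){4,}\\?$')
# PHP serialize() string token, e.g. s:6:"return", inside a form field.
PHP_SERIAL = re.compile(r'\bs:\d+:"')

def parse_reports(text):
    """Return one dict per report; a Username line starts a new report."""
    reports = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        if m.group(1) == "Username":
            reports.append({})
        if reports:
            reports[-1][m.group(1)] = m.group(2)
    return reports

def classify(report):
    flags = []
    if NUL_RUN.match(report.get("Username", "")):
        flags.append("nul-username")
    if any(PHP_SERIAL.search(report.get(k, "")) for k in ("Username", "Password")):
        flags.append("php-serialized-field")
    return flags

def summarize(text):
    """Count flagged reports per (source IP, flag)."""
    hits = Counter()
    for report in parse_reports(text):
        for flag in classify(report):
            hits[(report.get("IP-Address", "unknown"), flag)] += 1
    return hits
```

Calling `summarize()` on a mailbox export groups the flagged attempts by source address, which makes it easier to see whether a handful of hosts account for all of the unusual usernames.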

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Mon Nov 11, 2019 12:35 am
by toivo
al707 wrote:But may be there is something new? Are here any experts?
Did you not read the previous posts?

al707 wrote:My site is 3.8
The latest version of Joomla is 3.9.13. If the website is already in the sights of hackers or script kids, it should be updated asap.

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Mon Nov 11, 2019 8:12 am
by Webdongle

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Fri Nov 15, 2019 9:04 am
by notarget
I have edited the .htaccess file in accordance with instructions from the webpage https://skalolaskovy.ru/joomla/500-htac ... h-parametr:

That example:

RewriteEngine On

## Redirect from LOGIN PAGE to INDEX page:
RewriteCond %{REQUEST_URI} /component/users [NC]
RewriteCond %{QUERY_STRING} view=login [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]

RewriteCond %{REQUEST_URI} /component/users [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]

RewriteCond %{REQUEST_URI} / [NC]
RewriteCond %{QUERY_STRING} option=com_users&view=login [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]

But some days later I received a new email from my site agent (safety plugin) with the same userid - \0\0\0\0\0\0\0\0\0\0\0\0

Does anybody know what additional Joomla URLs can be used for a login attempt?

Is it possible to try to log in using a direct GET or POST request without opening the site?

For example: site.com/component/users/?username=Name&password=Password ???????
Thanks

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Fri Nov 15, 2019 2:45 pm
by Ch3vr0n
Lately the /component/users is being actively targeted by malicious persons/bots to abuse the session. Maybe that's what's happening. For the past few weeks I get a couple of these a week/day by Akeeba Admin Tools.

Can't help on the \0.... though, I get no such reports on any of my sites

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Sun Nov 17, 2019 9:25 pm
by al707
notarget wrote:
Fri Nov 15, 2019 9:04 am
Does anybody know, what additional Joomla URLs can be used for log in attempt?

Is it possible to try to log in using direct GET or POST request without opening site?
This is not a trivial problem.
E.g.
/index.php?option=com_users&view=login
/index.php?option=com_users
/?option=com_users
/index.php/component/users
/component/users

Maybe this article: https://forum.tamirov.ru/viewtopic.php?f=17&t=237 will help you.
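
A site owner can check a set of rewrite rules against a list of entry points like the one above before relying on them. The following is an added example, not code from any poster: it models each group of `RewriteCond` lines from the .htaccess posted earlier as unanchored, case-insensitive regex tests on the path and query string, and runs the five URL forms listed above through them. The `TIGHTENED` rule is a hypothetical addition that assumes the site uses no front-end com_users feature at all (no registration, no password reset).

```python
import re
from urllib.parse import urlsplit

# One inner list per RewriteRule: every (variable, pattern) pair must match,
# as consecutive RewriteCond lines do. [NC] is modelled with re.IGNORECASE.
RULES = [
    [("REQUEST_URI", r"/component/users"), ("QUERY_STRING", r"view=login")],
    [("REQUEST_URI", r"/component/users")],
    [("REQUEST_URI", r"/"), ("QUERY_STRING", r"option=com_users&view=login")],
]

# Hypothetical extra rule: match option=com_users anywhere in the query string.
TIGHTENED = RULES + [[("QUERY_STRING", r"(^|&)option=com_users(&|$)")]]

# The entry points listed in the post above.
LOGIN_URLS = [
    "/index.php?option=com_users&view=login",
    "/index.php?option=com_users",
    "/?option=com_users",
    "/index.php/component/users",
    "/component/users",
]

def matching_rule(url, rules=RULES):
    """Return the 1-based index of the first rule that matches, or None."""
    parts = urlsplit(url)
    env = {"REQUEST_URI": parts.path, "QUERY_STRING": parts.query}
    for index, conditions in enumerate(rules, start=1):
        if all(re.search(p, env[v], re.IGNORECASE) for v, p in conditions):
            return index
    return None

def uncovered(urls=LOGIN_URLS, rules=RULES):
    """URLs that no rule redirects."""
    return [u for u in urls if matching_rule(u, rules) is None]

if __name__ == "__main__":
    for url in LOGIN_URLS:
        print(f"{url:45} posted rules: {matching_rule(url)}  "
              f"tightened: {matching_rule(url, TIGHTENED)}")
```

The model looks only at the path and query string, which is all these `RewriteCond` lines see; request bodies are outside their view.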

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Tue Apr 21, 2020 10:07 pm
by mavaughan
Yes, I am still getting these, now more than ever, no sign of success in getting access. The same IP attempts to LFI with an extension that I do not have installed on my Joomla account. It looks like it was on the VEL list a while back so it might be just a bot trying random exploits. They then follow from the same IP with an attempt to log in with the userid 0/0/0/0/0/0/0/0/0/0/0/0/0/0/0.

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Posted: Tue Apr 21, 2020 10:22 pm
by Webdongle