Using the Redirects component as an early warning system of possible site attacks

[sozzled]

All too often we read in this forum about how people have asked about the source of successful attacks on their websites (including the discovery they've made about "peculiar" files that have been added to their websites).

A lot of people puzzle over why, after many years of operating their Joomla website(s), people might be interested in attacking them. People also ask how they may be forewarned of impending attacks.

I don't know the answers to most of these questions. For the time being, I'm fairly confident that none of my websites is the victim of a successful attack; I'm not remaining complacent, of course, but I'm "quietly confident" that I've taken adequate precautions and I'm vigilant to prevent the likelihood of attack.

What makes a website a target of attack? Is your website a potential target? Do you know if your website is being targeted?

I don't know what makes a website particularly attractive to hackers. Some people just have too much time on their hands, I guess. The point of this topic is to share with others one way I've recently discovered how several of my sites are being "hit" with random attempts to crash the site security.

I normally don't use the Components » Redirects feature; in fact, most people don't use it, either. To use this feature requires the plugin System - Redirect to be enabled. A couple of days ago I enabled the plugin. I was surprised to see, within the space of less than 48 hours, the following failed attempted URLs had been used (see the image below)

j3x_redirects.png

The key point is that none of these URLs actually exist on that website. They're just URLs entered at random to attempt to exploit known vulnerabilities that exist elsewhere on the internet; they're guesses to see if my site can be attacked in similar ways.

If you're wondering the same thing, try it for yourself: enable the System - Redirect plugin, wait a few hours, and see what URLs are collected by the Redirects component. You may be surprised at the results!

Cheers

[sozzled]

What's even better is, after you've discovered all those attempt to exploit URLs containing the text string "/wp-*" you can send them all away and breathe easier. If your .htaccess file looks something like this:

Code: Select all

## Mod_rewrite in use.

RewriteEngine On

## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site then comment out the operations listed 
# below by adding a # to the beginning of the line.
# This attempts to block the most common type of exploit `attempts` on Joomla!
#
# Block any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root home page
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.

you can add the following two lines

Code: Select all

RewriteCond %{REQUEST_URI} /wp-
RewriteRule ^ https://www.google.com [L,R]

After making that change, if someone tries to get into your website by searching for URLs containing "/wp-*" (e.g. www.example.com/wp-includes/css/upload.php) they'll be sent on their merry way looking at Google's home page!

[effrit]

sozzled, most hacked site's are victims of automatic scanners. so it's not like someone tried to hack your site personally, but just many bots try activate any vulnerability from their database.
and this situation is not new, so this is not about "early warning system of possible site attacks" but "see how you site exist EVERY SINGLE DAY"'.

and activation of redirects produce addition load to server, so normally you must not use it.
so useful point of topic - you must keep your Joomla and extensions up to date.

[sozzled]

sozzled, most hacked site's are victims of automatic scanners

You could be right but, so what? I didn't say what most sites are victims of. I was trying to point out that that many people are totally unaware that their web assets may be at risk of attack.

So it's not like someone tried to hack your site personally

I never made that claim but, you're probably right: it's "something" trying exploit some known vulnerability.

This situation is not new ...

No, this situation is not new, but it comes as news to people who haven't been around for as long as you or me and that's the point that I am making. Many people have no early warning of possible attacks on their website. I was only saying that the Redirects component—that most people never use—could give people that early warning.

Activation of redirects produce addition load to server, so normally you must not use it.

Actually that's not entirely true. The process of gathering the 404 pages—that's the purpose of the System - Redirect plugin—is not processor intensive. I mean, a 404 is a 404 is a 404, right? And, yes, there are also ways—non performance-intensive ways—to redirect pages; I'm not talking about the component at this time. The claim that someone "must not use it" is totally without context. Perhaps you would like to explain, in detail, precisely how much "additional load to the server" there may be and why my suggestion "must" not be used?

So useful point of topic: you must keep your Joomla and extensions up to date.

Well, duh! But that's completely off-topic.

[effrit]

Disabling ALC (if not needed) and redirect component is one of the first solution to overloading servers.
so if you don't use redirects you better not activate it.

your solution is not preventing from hacking, it's, as i mention before, just show why site owner must update site.

"Many people have no early warning of possible attacks on their website"

and if they read your post ALL of them must be in panic because ALL of them will see many -wp- and other redirects...

but it's just daily routine for any site. new site, old site - any. you put your site in web - you get this bots.
And this new users can not protect their sites from hacking this way. This is just simplified variation of access log.

It's like "See - sharks are always around! So don't let your site dive with leaking wounds".

[sozzled]

@effrit: you've entirely missed the point of this topic. I'm sorry that you don't understand what I'm saying.

I am not saying that people should run around in a blind panic if they see attempts to utilise URLs containing the characters "/wp-"; I am, however, saying

All too often we read in this forum about how people have asked about the source of successful attacks on their websites (including the discovery they've made about "peculiar" files that have been added to their websites).

I think you missed that point.

Using the System - Redirect plugin—to gather information about 404s—is not a solution; I never claimed that it was a solution. I'm talking about early warning of a possible attack not about how to deal with the situation after an attack has been successful. I only see one person here who's making every effort to undermine the purpose of this topic: if you want to start your own topic on the value of keeping your website up to date, please start your own topic on the value of keeping your website up to date. Please don't try to imply that I'm against keeping website software up to date or that other housekeeping tasks are unnecessary.

New users can not protect their sites from hacking this way.

You're right! I never claimed prople can protect their sites from successful attacks by using the Redirects component. Where did I write that?

[Per Yngve Berg]

The danger is that enabling the plugin will make you database grow until it de-pleats your hosting accounts space restriction.

[fcoulter]

The danger is that enabling the plugin will make you database grow until it de-pleats your hosting accounts space restriction.

It's true, although nowadays it is very simple to purge them, by using the 'purge disabled' button, so I think it is not a reason for not using it now.

[sozzled]

The purpose of my suggestion is fairly simple. I'm not proposing that people should rely only on this method to provide an early warning system. When you use the System - Redirect plugin to collect information about 404 pages, the database table could grow—I wouldn't go as far as to say that the growth rate is excessive or unmanageable—and the entries can be purged periodically (as @fcoulter reminds us).

I've been running with this method for a few weeks and I haven't seen more than a couple of dozen entries added to the _redirect_links table. Some websites, however, may be more "attractive" to 'bots or intentional hackers than others. Of course, if a website is hit with a few million random requests every few seconds this indicates a different kind problem (a DoS attack) not the kind of sporadic let's-see-if-site-is-potentially-weak. In that case, it's already too late to have obtained any early warning of such kinds of attacks.

The table _redirect_links should be routinely inspected with the Redirects component and purged when you've understood what's happening and (perhaps) taken other steps (including updating your software) to remove any possible security threat(s).

[sozzled]

As a follow-up to this topic, after you've found the source of these "random URLs" (by examining your server logfiles), it's fairly straightforward to develop some rules to block the attacks at the souce.

I see that one source (originating in Ukraine) has been active in this area recently: see https://cleantalk.org/blacklists/193.106.30.99

[Webdongle]

... I'm not proposing that people should rely only on this method to provide an early warning system. ....

Then that is a paradox because your title says it is !!!

[effrit]

It must be "How block some noisy bots to access to your site using data from Redirects component".

[sozzled]

How block some noisy bots to access to your site using data from Redirects component".

No. The Redirects component cannot block "noisy bots" but the System - Redirect plugin can give you an early indication that your site is being targeted by "noise".

[effrit]

Man, you make instruction, was writing about .htaccess and how use data from component to block bots, but current title is completely wrong.
And this component don't give any Warnings to you. How can you make warning system based on silent component?
So current naming just wrong.

[sozzled]

@effrit: I'm sorry that you do not understand the purpose of this topic and that you feel that it is important to argue with me. I have written what I have written and I will not change one word of it.

For everyone else's benefit: a lot of people use this forum to ask why, after many years of operating their Joomla website(s), their websites are "suddenly" vandalised without warning. People also ask how they may be forewarned of impending attacks. I don't know the answers to most of these questions. For the time being, I'm fairly confident that none of my websites is the victim of a successful attack. No-one should ever be complacent, of course, but I'm "quietly confident" that I've taken adequate precautions and I'm vigilant to prevent the likelihood of attack.

What makes a website a target of attack? Is your website a potential target? Do you know if your website is being targeted?

I normally don't use the Components » Redirects feature; in fact, most people don't use it, either. To use this feature requires the plugin System - Redirect to be enabled. I was surprised to see, within a very short time, a number of strange URLs had been used: none of these URLs actually exist on that website. They're just URLs entered at random to attempt to exploit known vulnerabilities within Joomla and Wordpress website's that exist elsewhere on "less robust" websites than mine; they're guesses to see if my sites can be exploited in similar ways.

The Redirects component doesn't block bad 'bots or hackers from visiting your website; the component simply displays the failed attempts (404s) collected by the System - Redirect plugin. How you use that information is your business.

If you're wondering the same thing, try it for yourself: enable the System - Redirect plugin, wait a few hours, and see what URLs are displayed by the Redirects component. You may be surprised at the results!

Cheers

[Webdongle]

@effrit: I'm sorry that you do not understand the purpose of this topic and that you feel that it is important to argue with me. I have written what I have written and I will not change one word of it...

I do not understand the purpose of your Topic either and English is my first language. And effrit is not arguing ... you are the one that is arguing.

[sozzled]

@Webdongle: Years ago (before most people who use this forum were even born), Tom Demarco wrote the seminal text on project and engineering control—Controlling software projects—Measurement, Management & Estimation:

You can't control what you can't measure.

Many people use this forum to ask for techniques about how to manage (or control) attacks on their websites. A lot of people using this forum have no idea that their websites are being probed for weaknesses.

The purpose of this topic is to show people that there exists—built into the Joomla CMS—one mechanism for obtaining information about potential attacks. Obviously there are many ways to find out if your websites are being probed by suspicious activities. People can use malware scanning tools or website integrity checking tools such as Sucuri or Watchful.li and no-one is denying the benefits of using these tools.

The problem that exists with many website owners is their complacency. A lot of people think that, just because they've created a website and they do nothing, their websites are safe; some people think that they're immune from attack. I am not complacent; I don't believe that my websites are immune from attack. Unfortunately, we read in this forum (far too often, I'm sorry to say) people asking for help after their websites have been attacked. Wouldn't it be nice if people had some knowledge, some advanced warning, that their sites may be weak?

How people respond to the knowledge that their sites may be under some form of attack is entirely their business (although I've given a couple of examples of what people could do); I'm not writing about how to control suspicious activity. I'm writing about how to detect that activity and one method (and it's not the only method ... and it's not even a reliable method) of being forewarned that people's websites might be potential victims. Most people are unaware that their websites are being probed for vulnerabilities.

You can't control what you can't measure. If you don't understand that then, I'm sorry, I can't help you either.

[Webdongle]

There you go again. A little bit more water with it next time.

[sozzled]

@Webdongle: can you please explain what you mean by the last post you wrote? I'm sorry but I haven't a clue what you're trying to say.

[effrit]

@sozzled, problem is - you can measure nothing useful with redirect component.
because if you see redirect - you are safe (have not such page/component, etc they tried to reach).

and if you don't see - it's not because nobody trying to broke your site, but exactly opposite - they are know what you use joomla and make many DDoS request for search component, for example.

or they already hack your site because it have vulnerability and they use it (and redirects component record NOTHING).

so, your topic is just about side effect of using Redirects component for curious users, FIRST step to understand how bad gays tried hack your site.
it's just portion of knowledge and not warning system.

[sozzled]

... it's just a portion of knowledge ...

I completely agree with you!

As I wrote earlier, the Joomla "redirects" feature is a way

... to detect [suspicious] activity and one method (and it's not the only method ... and it's not even a reliable method) of being forewarned that people's websites might be potential victims. Most people are unaware that their websites are being probed for vulnerabilities.

It's not a guaranteed method of being alerted to suspicious activity before a concentrated attack is successful. Each person will have to decide for themselves if this idea is suitable for them or not.

We both agree that it's better to have some knowledge than not have any knowledge at all, right?

[Webdongle]

A little knowledge is a dangerous thing

[sozzled]

"The only good is knowledge and the only evil is ignorance", Herodotus ca. 484-425 BC