Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Discussion regarding Joomla! 3.x security issues.

mavaughan
Joomla! Apprentice
Posts: 16
Joined: Thu Aug 23, 2012 6:01 pm

Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by mavaughan » Mon Oct 28, 2019 6:56 pm

My sites are set not to allow front end login on most of my Joomla sites, but I am getting error messages for bots trying to log in with the userid

\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0


Anyone else getting these also?

sozzled
Joomla! Exemplar
Posts: 9886
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by sozzled » Mon Oct 28, 2019 7:18 pm

I cannot confirm the instance(s) of spamdexing / referrer spam mentioned by the OP but this kind of phenomenon is not confined to Joomla and it is not evidence of a security problem. I've written about this phenomenon elsewhere on the forum (see viewtopic.php?f=714&t=958501 as one example). It may also help to search the internet for "Who’s snooping around your website?"

I hope that helps. 8)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

mavaughan
Joomla! Apprentice
Posts: 16
Joined: Thu Aug 23, 2012 6:01 pm

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by mavaughan » Mon Oct 28, 2019 7:42 pm

dee-9987 wrote:
Mon Oct 28, 2019 7:27 pm
Are these signs of attempted hacking on the Joomla site?

I do not believe so, but of all the attempted login hacks I have seen with fake credentials in the past, this one has me puzzled.

sozzled
Joomla! Exemplar
Posts: 9886
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by sozzled » Mon Oct 28, 2019 7:46 pm

Did you see what I posted? As I said (wrote), this kind of activity—spamdexing/bombing—is commonplace but it does not indicate any specific security problem, per se.

SharkyKZ
Joomla! Ace
Posts: 1818
Joined: Fri Jul 05, 2013 10:35 am
Location: Parts Unknown

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by SharkyKZ » Mon Oct 28, 2019 9:44 pm

mavaughan wrote:
My sites are set not to allow front end login on most of my Joomla sites

How exactly are you doing this? And where are you seeing these reports?

mavaughan
Joomla! Apprentice
Posts: 16
Joined: Thu Aug 23, 2012 6:01 pm

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by mavaughan » Tue Oct 29, 2019 3:56 pm

SharkyKZ wrote:
Mon Oct 28, 2019 9:44 pm
My sites are set not to allow front end login on most of my Joomla sites
How exactly are you doing this? And where are you seeing these reports?

Some of my sites do not have registered user content so there is no need to log in, so I do not have a front end login for users to log in, so the bots are attempting to log in directly through Joomla user login. Whenever there is a failed login I have a user report sent to my admin email for each of my sites that I manage.

The report looks like this:

MySite.com: Failed login attempt at http://mysite.com/
Username: \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
IP-Address: 84.232.253.81
Date and time: 2019-10-29 04:35:11
Origin: Frontend

The IP address is coming from Romania...

As the above poster stated, this is common, but not this username combination, which I have never seen before. So I was posting to let others know.

Ch3vr0n
Joomla! Explorer
Posts: 428
Joined: Sat Sep 26, 2009 11:00 pm
Location: Belgium

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by Ch3vr0n » Tue Oct 29, 2019 7:59 pm

Do what many of us do (including me), report the IP on abuseipdb.com ;)

Webdongle
Joomla! Master
Posts: 39235
Joined: Sat Apr 05, 2008 9:58 pm

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by Webdongle » Tue Oct 29, 2019 8:49 pm

Perhaps there is a captcha for a login form https://extensions.joomla.org/tags/captcha/
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein.

leolam
Joomla! Master
Posts: 20243
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by leolam » Wed Oct 30, 2019 4:09 pm

Ch3vr0n wrote:
Tue Oct 29, 2019 7:59 pm
Do what many of us do (including me), report the IP on abuseipdb.com ;)

Makes no sense at all. I can use any IP to get somewhere if I want. See https://www.techopedia.com/definition/2 ... -hijacking

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

Ch3vr0n
Joomla! Explorer
Posts: 428
Joined: Sat Sep 26, 2009 11:00 pm
Location: Belgium

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by Ch3vr0n » Wed Oct 30, 2019 4:21 pm

Yeah, it's not guaranteed, IP spoofing is a very real thing. That site is pretty much just a database of "known" bad acting IPs. It's not an actual solution.

al707
Joomla! Apprentice
Posts: 9
Joined: Sun Dec 20, 2015 8:39 pm

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by al707 » Sun Nov 10, 2019 9:33 pm

Someone is trying to hack my site through frontend login.
He/she POSTs:
login: \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
Password:

AAA";s:11[ redacted ]s:6:"return";s:102

I googled: it seems to be a Joomla 3.0 - 3.4 vulnerability.
My site is 3.8
But maybe there is something new? Are there any experts here?
Last edited by toivo on Mon Nov 11, 2019 12:33 am, edited 1 time in total.
Reason: mod note: hack code removed

toivo
Joomla! Master
Posts: 12932
Joined: Thu Feb 15, 2007 5:48 am
Location: Zagreb, Croatia

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by toivo » Mon Nov 11, 2019 12:35 am

al707 wrote: But maybe there is something new? Are there any experts here?
Did you not read the previous posts?

al707 wrote: My site is 3.8
The latest version of Joomla is 3.9.13. If the website is already in the sights of hackers or script kids, it should be updated asap.
Toivo Talikka, Global Moderator

Webdongle
Joomla! Master
Posts: 39235
Joined: Sat Apr 05, 2008 9:58 pm

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by Webdongle » Mon Nov 11, 2019 8:12 am

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein.

notarget
Joomla! Fledgling
Posts: 1
Joined: Fri Nov 15, 2019 8:44 am

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by notarget » Fri Nov 15, 2019 9:04 am

I have edited the .htaccess file in accordance with instructions from the webpage https://skalolaskovy.ru/joomla/500-htac ... h-parametr:

That example:

RewriteEngine On

## Redirect from LOGIN PAGE to INDEX page:
RewriteCond %{REQUEST_URI} /component/users [NC]
RewriteCond %{QUERY_STRING} view=login [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]

RewriteCond %{REQUEST_URI} /component/users [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]

RewriteCond %{REQUEST_URI} / [NC]
RewriteCond %{QUERY_STRING} option=com_users&view=login [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]

But after some days I received a new email from my site agent (safety plugin) with the same userid - \0\0\0\0\0\0\0\0\0\0\0\0

Does anybody know what additional Joomla URLs can be used for a login attempt?

Is it possible to try to log in using a direct GET or POST request without opening the site?

For example: site.com/component/users/?username=Name&password=Password ???????
Thanks

Ch3vr0n
Joomla! Explorer
Posts: 428
Joined: Sat Sep 26, 2009 11:00 pm
Location: Belgium

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by Ch3vr0n » Fri Nov 15, 2019 2:45 pm

Lately the /component/users is being actively targeted by malicious persons/bots to abuse the session. Maybe that's what's happening. For the past few weeks I get a couple of these a week/day by Akeeba Admin Tools.

Can't help on the \0.... though, I get no such reports on any of my sites

al707
Joomla! Apprentice
Posts: 9
Joined: Sun Dec 20, 2015 8:39 pm

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by al707 » Sun Nov 17, 2019 9:25 pm

notarget wrote:
Fri Nov 15, 2019 9:04 am
Does anybody know, what additional Joomla URLs can be used for log in attempt?

Is it possible to try to log in using direct GET or POST request without opening site?

This is not a trivial problem.
E.g.
/index.php?option=com_users&view=login
/index.php?option=com_users
/?option=com_users
/index.php/component/users
/component/users

Maybe this article: https://forum.tamirov.ru/viewtopic.php?f=17&t=237 will help you.
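
Added example (not part of any post in this thread): the sketch below replays the URL forms listed in the reply above against the three rule groups from the earlier .htaccess post, to show which forms those rules redirect. The function names are illustrative, and the rules are modelled as unanchored, case-insensitive regex matches on the path and the query string, which is how mod_rewrite evaluates REQUEST_URI and QUERY_STRING conditions.

```python
import re
from urllib.parse import urlsplit

# The three rule groups from the .htaccess in the earlier post, written as
# (REQUEST_URI pattern, QUERY_STRING pattern or None). RewriteCond patterns
# are unanchored regexes and [NC] makes them case-insensitive.
RULES = [
    ("/component/users", "view=login"),
    ("/component/users", None),
    ("/", "option=com_users&view=login"),
]

# URL forms listed in the reply above as reaching com_users.
LOGIN_URLS = [
    "/index.php?option=com_users&view=login",
    "/index.php?option=com_users",
    "/?option=com_users",
    "/index.php/component/users",
    "/component/users",
]


def matching_rule(url):
    """Return the 1-based number of the first rule group that matches, or None."""
    parts = urlsplit(url)
    # REQUEST_URI holds the path only; the query string is tested
    # separately through QUERY_STRING.
    for number, (uri_pat, query_pat) in enumerate(RULES, start=1):
        if not re.search(uri_pat, parts.path, re.IGNORECASE):
            continue
        if query_pat is None or re.search(query_pat, parts.query, re.IGNORECASE):
            return number
    return None


def uncovered(urls):
    """Return the URLs that none of the rule groups redirects."""
    return [u for u in urls if matching_rule(u) is None]


if __name__ == "__main__":
    for url in LOGIN_URLS:
        rule = matching_rule(url)
        status = f"rule group {rule}" if rule else "NOT redirected"
        print(f"{url:45} {status}")
```

`uncovered(LOGIN_URLS)` returns the two `option=com_users` forms that carry no `view=login` parameter; the rules as posted let both through to Joomla.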

mavaughan
Joomla! Apprentice
Posts: 16
Joined: Thu Aug 23, 2012 6:01 pm

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by mavaughan » Tue Apr 21, 2020 10:07 pm

Yes, I am still getting these, now more than ever, with no sign of success in getting access. The same IP attempts an LFI with an extension that I do not have installed on my Joomla account. It looks like it was on the VEL list a while back, so it might be just a bot trying random exploits. They then follow up from the same IP with an attempt to log in with the userid 0/0/0/0/0/0/0/0/0/0/0/0/0/0/0.

Webdongle
Joomla! Master
Posts: 39235
Joined: Sat Apr 05, 2008 9:58 pm

Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

Post by Webdongle » Tue Apr 21, 2020 10:22 pm

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein.
