Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
-
- Joomla! Apprentice
- Posts: 16
- Joined: Thu Aug 23, 2012 6:01 pm
Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
My sites are set not to allow front end login on most of my Joomla sites, but I am getting error messages for bots trying to login with the userid
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Anyone else getting these also?
- sozzled
- Joomla! Exemplar
- Posts: 9974
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
I cannot confirm the instance(s) of spamdexing / referrer spam mentioned by the OP but this kind of phenomenon is not confined to Joomla and it is not evidence of a security problem. I've written about this phenomenon elsewhere on the forum (see viewtopic.php?f=714&t=958501 as one example). It may also help to search the internet for "Who’s snooping around your website?"
I hope that helps.

https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?”

-
- Joomla! Apprentice
- Posts: 16
- Joined: Thu Aug 23, 2012 6:01 pm
- sozzled
- Joomla! Exemplar
- Posts: 9974
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Did you see what I posted? As I said (wrote), this kind of activity—spamdexing/bombing—is commonplace but it does not indicate any specific security problem, per se.

-
- Joomla! Ace
- Posts: 1823
- Joined: Fri Jul 05, 2013 10:35 am
- Location: Parts Unknown
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
"My sites are set not to allow front end login on most of my Joomla sites"
How exactly are you doing this? And where are you seeing these reports?
-
- Joomla! Apprentice
- Posts: 16
- Joined: Thu Aug 23, 2012 6:01 pm
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Some of my sites do not have registered user content so there is no need to log in, so I do not have a front end login for users to log in, so the bots are attempting to log in directly through Joomla user login. Whenever there is a failed login I have a user report sent to my admin email for each of my sites that I manage.
The report looks like this:
MySite.com: Failed login attempt at http://mysite.com/
Username: \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
IP-Address: 84.232.253.81
Date and time: 2019-10-29 04:35:11
Origin: Frontend
The IP address is coming from Romania...
As the above poster stated, this is common, but this username combination I have never seen before. So I was posting to let others know.
-
- Joomla! Explorer
- Posts: 428
- Joined: Sat Sep 26, 2009 11:00 pm
- Location: Belgium
- Contact:
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Do what many of us do (including me), report the IP on abuseipdb.com 

- Webdongle
- Joomla! Master
- Posts: 39316
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Perhaps there is a captcha for a login form https://extensions.joomla.org/tags/captcha/
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein.
- leolam
- Joomla! Master
- Posts: 20243
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ UK/ S'pore/Jakarta/ North America
- Contact:
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Makes no sense at all. I can use any IP to get somewhere if I want. See https://www.techopedia.com/definition/2 ... -hijacking
Leo

Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services
-
- Joomla! Explorer
- Posts: 428
- Joined: Sat Sep 26, 2009 11:00 pm
- Location: Belgium
- Contact:
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Yeah, it's not guaranteed, IP spoofing is a very real thing. That site is pretty much just a database of "known" bad acting IPs. It's not an actual solution.
-
- Joomla! Apprentice
- Posts: 9
- Joined: Sun Dec 20, 2015 8:39 pm
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Someone is trying to hack my site through frontend login.
He/she POSTs:
login: \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
Password:
Code: Select all
AAA";s:11[ redacted ]s:6:"return";s:102
I googled: it seems to be Joomla 3.0 - 3.4 vulnerability.
My site is 3.8
But may be there is something new? Are here any experts?
Last edited by toivo on Mon Nov 11, 2019 12:33 am, edited 1 time in total.
Reason: mod note: hack code removed
- toivo
- Joomla! Master
- Posts: 13083
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Zagreb, Croatia
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
al707 wrote: But may be there is something new? Are here any experts?
Did you not read the previous posts?
al707 wrote: My site is 3.8
The latest version of Joomla is 3.9.13. If the website is already in the sights of hackers or script kids, it should be updated asap.
Toivo Talikka, Global Moderator
- Webdongle
- Joomla! Master
- Posts: 39316
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Please see viewtopic.php?f=714&t=946026
-
- Joomla! Fledgling
- Posts: 1
- Joined: Fri Nov 15, 2019 8:44 am
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
I have edited .htaccess file in accordance with instructions from webpage https://skalolaskovy.ru/joomla/500-htac ... h-parametr:
That example:
Code: Select all
RewriteEngine On
## Redirect from LOGIN PAGE to INDEX page:
RewriteCond %{REQUEST_URI} /component/users [NC]
RewriteCond %{QUERY_STRING} view=login [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]
RewriteCond %{REQUEST_URI} /component/users [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]
RewriteCond %{REQUEST_URI} / [NC]
RewriteCond %{QUERY_STRING} option=com_users&view=login [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]
But in some days I receive new email from my site agent (safety plugin) with the same userid - \0\0\0\0\0\0\0\0\0\0\0\0
Does anybody know, what additional Joomla URLs can be used for log in attempt?
Is it possible to try to log in using direct GET or POST request without opening site?
For example: site.com/component/users/?username=Name&password=Password

Thanks
-
- Joomla! Explorer
- Posts: 428
- Joined: Sat Sep 26, 2009 11:00 pm
- Location: Belgium
- Contact:
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Lately the /component/users is being actively targeted by malicious persons/bots to abuse the session. Maybe that's what's happening. For the past few weeks I get a couple of these a week/day by Akeeba Admin Tools.
Can't help on the \0.... though, I get no such reports on any of my sites
-
- Joomla! Apprentice
- Posts: 9
- Joined: Sun Dec 20, 2015 8:39 pm
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
This is not a trivial problem.
E.g.
/index.php?option=com_users&view=login
/index.php?option=com_users
/?option=com_users
/index.php/component/users
/component/users
Maybe this article: https://forum.tamirov.ru/viewtopic.php?f=17&t=237 will help you.
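Added example (not part of any poster's message): a coverage check of the .htaccess rules posted earlier in this thread against the URL variants listed in the post above. The Python regex model of the RewriteCond groups, the helper names and the two constructed URLs are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed model of the three RewriteCond groups from the .htaccess post:
# (REQUEST_URI pattern, QUERY_STRING pattern or None); [NC] maps to re.I.
# Those conditions see only the URI and query string, never a request body.
POSTED_RULES = [
    (r"/component/users", r"view=login"),
    (r"/component/users", None),
    (r"/", r"option=com_users&view=login"),
]

# The five entry points listed in the post above, plus two constructed cases.
SAMPLE_URLS = [
    "/index.php?option=com_users&view=login",
    "/index.php?option=com_users",
    "/?option=com_users",
    "/index.php/component/users",
    "/component/users",
    "/index.php?view=login&option=com_users",  # constructed: reordered query
    "/index.php?option=com_content&view=article&id=1",  # constructed: unrelated
]

def redirected_by_posted_rules(url):
    """True if any posted condition group would fire for this URL."""
    parts = urlsplit(url)
    return any(
        re.search(uri_pat, parts.path, re.I)
        and (qs_pat is None or re.search(qs_pat, parts.query, re.I))
        for uri_pat, qs_pat in POSTED_RULES
    )

def reaches_com_users(url):
    """True if the URL addresses com_users by query option or SEF path."""
    parts = urlsplit(url)
    options = [v.lower() for v in parse_qs(parts.query).get("option", [])]
    segs = [s.lower() for s in parts.path.split("/") if s]
    sef = ("component", "users") in zip(segs, segs[1:])
    return "com_users" in options or sef

def coverage_gaps(urls):
    """URLs that reach com_users but that the posted rules leave untouched."""
    return [u for u in urls if reaches_com_users(u) and not redirected_by_posted_rules(u)]

if __name__ == "__main__":
    for url in coverage_gaps(SAMPLE_URLS):
        print("not redirected:", url)
```

Run against the list above, it reports /index.php?option=com_users, /?option=com_users and the reordered query as not redirected by the posted rules.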
-
- Joomla! Apprentice
- Posts: 16
- Joined: Thu Aug 23, 2012 6:01 pm
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
Yes, I am still getting these, now more than ever, no sign of success in getting access. The same IP attempts to LFI with an extension that I do not have installed on my Joomla account. It looks like it was on the VEL list a while back so it might be just a bot trying random exploits. They then follow from the same IP an attempt to log in with the userid 0/0/0/0/0/0/0/0/0/0/0/0/0/0/0.
- Webdongle
- Joomla! Master
- Posts: 39316
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0