Login Bots using userid \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

[mavaughan]

My sites are set not to allow front end login on most of my Joomla sites, but I am getting error messages for bots trying to login with the userid

\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0


Anyone else getting these also?

[sozzled]

I cannot confirm the instance(s) of spamdexing / referrer spam mentioned by the OP but this kind of phenomenon is not confined to Joomla and it is not evidence of a security problem. I've written about this phenomenon elsewhere on the forum (see viewtopic.php?f=714&t=958501 as one example). It may also help to search the internet for "Who’s snooping around your website?"

I hope that helps.

[mavaughan]

Are the signs of attempted hacking on the Joomla site?

I do not believe so, but of all the attempted logging hacks I have seen with fake credentials in the past, this one has me puzzled.

[sozzled]

Did you see what I posted? As I said (wrote), this kind of activity—spamdexing/bombing—is commonplace but it does not indicate any specific security problem, per se.

[SharkyKZ]

My sites are set not to allow front end login on most of my Joomla sites

How exactly are you doing this? And where are you seeing these reports?

[mavaughan]

My sites are set not to allow front end login on most of my Joomla sites

How exactly are you doing this? And where are you seeing these reports?

Some of my sites do not have registered user content so there is no need to login, so I do not have a front end login for users to login in, so the bots are attempting to login in directly through Joomla user login. Whenever there is a failed login in I have a user report sent to my admin email for each of my sites that I manage.

The report looks like this:

MySite.com: Failed login attempt at http://mysite.com/
Username: \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
IP-Address: 84.232.253.81
Date and time: 2019-10-29 04:35:11
Origin: Frontend

The IP address is coming from Romania...

As the above poster stated this is common but not the username's combination I have never seen before. So I was posting to let others know.

[Ch3vr0n]

Do what many of us do (including me), report the IP on abuseipdb.com

[Webdongle]

Perhaps there is a capcha for a login form https://extensions.joomla.org/tags/captcha/

[leolam]

Do what many of us do (including me), report the IP on abuseipdb.com

Makes no sense at all. I can use any IP to get somewhere if I want. See https://www.techopedia.com/definition/2 ... -hijacking

Leo

[Ch3vr0n]

Yeah, it's not guaranteed, IP spoofing is a very real thing. That site is pretty much just a database of "known" bad acting IP's. IT's not an actual solution.

[al707]

Someone is trying to hack my site through frontend login.
He/she POSTs:
login: \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
Password:

Code: Select all

AAA";s:11[ redacted ]s:6:"return";s:102

I googled: it seems to be Joomla 3.0 - 3.4 vulnerability.
My site is 3.8
But may be there is something new? Are here any experts?

[toivo]

But may be there is something new? Are here any experts?

Did you not read the previous posts?

My site is 3.8

The latest version of Joomla is 3.9.13. If the website is already in the sights of hackers or script kids, it should be updated asap.

[Webdongle]

Please see viewtopic.php?f=714&t=946026

[notarget]

I have edited .htaccess file in acordance with instructions from webpage https://skalolaskovy.ru/joomla/500-htac ... h-parametr:

That example:

Code: Select all

RewriteEngine On

## Redirect from LOGIN PAGE to INDEX page:
RewriteCond %{REQUEST_URI} /component/users [NC]
RewriteCond %{QUERY_STRING} view=login [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]

RewriteCond %{REQUEST_URI} /component/users [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]

RewriteCond %{REQUEST_URI} / [NC]
RewriteCond %{QUERY_STRING} option=com_users&view=login [NC]
RewriteRule .* https://skalolaskovy.ru/? [R=301,L]

But in some days I receive new email from my site agent (safety plugin) with the same userid - \0\0\0\0\0\0\0\0\0\0\0\0

Does anybody know, what additional Joomla URLs can be used for log in attempt?

Is it possible to try to log in using direct GET or POST request without opening site?

For example: site.com/component/users/?username=Name&password=Password ????
Thanks

[Ch3vr0n]

lately the /component/users is being actively targetted by malicious persons/bots to abuse the session. Maybe that's what's happening. For the past few weeks i get a couple of these a week/day by akeeba admin tools.

Can't help on the \0.... though, i get no such reports on any of my sites

[al707]

Does anybody know, what additional Joomla URLs can be used for log in attempt?

Is it possible to try to log in using direct GET or POST request without opening site?

This is not trivial problem..
E.g.
/index.php?option=com_users&view=login
/index.php?option=com_users
/?option=com_users
/index.php/component/users
/component/users

May be this article: https://forum.tamirov.ru/viewtopic.php?f=17&t=237 will help you.

[mavaughan]

Yes, I am still getting these, now more than ever, no sign of success in getting access. The same IP attempts to LFI with an extension that I do not have installed on my Joomla account. It looks like it was on the VEL list a while back so it might be just a bot trying random exploits. They then follow from the same IP an attempt to login in wit the userid 0/0/0/0/0/0/0/0/0/0/0/0/0/0/0.

[Webdongle]

viewtopic.php?f=714&t=946026