Recently I looked through the logs of a Joomla site I administer and found unusually many requests to the site's admin panel (mostly, as far as I know, to the standard addresses, which I had removed). I started digging into the requests to the site and found this sequence:

  1. Some IP tries to access wp_admin.php (which doesn't exist, since this is Joomla, but still).
  2. Next comes a request to the admin area, this time at the correct address.

The IP itself was puzzling: it turned out to be a closed proxy located in France.

Next, I closed access to the admin area and changed its address.

The next day the request from France was repeated (again first wp_admin, then the standard address), but after receiving a 404 error, 10 minutes later the request was repeated from another closed proxy, this time from Luxembourg.

I think someone is deliberately trying to get access, or has already got it.

What would you advise in this situation? And how do you protect yourself from such hackers?

  • 2
    wp_admin.php is the WordPress admin; it looks like some program is looking for opportunities to send spam through known holes - dfhsfhgfj

3 answers

I would advise not panicking. If there are no holes on the site, there's no way a would-be cracker will get into the admin panel without knowing the password. So someone's script is poking at the standard admin addresses through a proxy; that's what crackers are for, so the admin doesn't sleep.

Recheck the password just in case and make sure it is strong enough. Make a local backup of the site in case of a hack and page defacement. Recheck the content to see whether someone has uploaded something bad to the site (the site's appearance doesn't necessarily change; the hacker can add a 1x1 iframe). And rest easy, it's the weekend :-)

Yes, and set up automatic copying of logs to another server - just in case.

  • Thanks :) Backup, passwords, and the pages I'll go do/check. What bothers me more is that these requests seriously load the host. The hoster hasn't written anything yet, but I think they may send a letter soon) - IVsevolod
  • 3
    Hm, are there really that many requests? If so, it would make sense to dynamically ban those that generate a lot more traffic than a normal client. Surely there are ready-made or semi-ready solutions; maybe the networking people on the site will suggest something. - VladD
  • I added a geolocation check to the admin site for my own republic. If someone tries to come in from another place, I show them Article 272 of the Criminal Code of the Russian Federation, "Illegal access to computer information" - IVsevolod
  • 1
    @IVsevolod: Still, be more careful with that: what if you suddenly go on a business trip or vacation and need to change something urgently? Or your provider routes you through Australia. - VladD
  • @VladD Of course, in principle I can quickly rewrite the code) but I'm quite satisfied with the temporary solution). Well, another problem is if the IP database becomes obsolete and the method stops determining it correctly) - IVsevolod
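The probe sequence from the question (a wp_admin.php request followed by a hit on the admin path from the same IP) and the rate-based banning VladD suggests can both be picked out of the access log. This is an added Python example, not code from the thread, run over a constructed sample log; the thresholds, the Joomla path /administrator and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# Constructed Apache combined-format sample (not from the thread): wp_admin.php probe, then the Joomla admin path.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:10:00:01 +0400] "GET /wp_admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2014:10:00:03 +0400] "GET /administrator/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:10:00:05 +0400] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.22 - - [12/Mar/2014:10:10:00 +0400] "GET /wp_admin.php HTTP/1.1" 404 512 "-" "-"
203.0.113.22 - - [12/Mar/2014:10:10:01 +0400] "GET /administrator/ HTTP/1.1" 404 512 "-" "-"
203.0.113.22 - - [12/Mar/2014:10:10:02 +0400] "POST /administrator/index.php HTTP/1.1" 404 512 "-" "-"
203.0.113.22 - - [12/Mar/2014:10:10:03 +0400] "POST /administrator/index.php HTTP/1.1" 404 512 "-" "-"
"""

def parse_log(text):
    """Parse combined-format lines into (ip, timestamp, path); lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, _method, path = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            entries.append((ip, when, path))
    return sorted(entries, key=lambda e: e[1])

def find_probe_sequences(entries, bait="/wp_admin.php", admin_prefix="/administrator", window_s=600):
    """IPs that requested the bait path and then the admin area within window_s seconds."""
    last_bait, flagged = {}, set()
    for ip, when, path in entries:
        if path == bait:
            last_bait[ip] = when
        elif path.startswith(admin_prefix) and ip in last_bait:
            if (when - last_bait[ip]).total_seconds() <= window_s:
                flagged.add(ip)
    return flagged

def find_rate_outliers(entries, window_s=60, max_requests=3):
    """IPs with more than max_requests hits inside any window_s-second sliding window (assumed thresholds)."""
    times, flagged = defaultdict(list), set()
    for ip, when, _path in entries:
        times[ip].append(when)
    for ip, stamps in times.items():
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(ip)
    return flagged
```

Feed the returned sets to whatever blocks at the firewall or web server; the sample flags both proxies for the probe sequence and only the second one for request rate.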

Backups, yes, are sacred in this situation. And regular ones.

But for the burglars (these are mostly bots) you need to make a honeypot. Since it looks for the wp_admin.php file, create it. Inside, just output garbage character by character, but with a delay. You can even look up what such a file is supposed to display and show something similar. Such a long output will most likely make the bot hang. And it's better that one hangs for hours (of course, Apache will need to be tweaked, otherwise PHP scripts usually don't run for more than 30 seconds) than that hundreds get through.

Some experts write a redirect to Yandex or Google into such scripts (they say those are big and will withstand a hundred or two extra requests), but this should be done carefully and only after consulting with experts (and, depending on the country, maybe with lawyers).

And I would take a trickier measure: have 404 returned in the headers of every page. The page itself is normal in content, but the header says 404. Well, plus the traditional logs and backups.

In general, if after the 404 the anonymous visitor backs off, wait a month and remove it. If not, it most likely means a targeted attack. Then write here and we'll tell you what to do :)