#12530 proved its worth in the first hour of use!

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Friday, 01 June 2012 11:11 CDT

user8011
Mandatory information about my setup:


Joomla! version: 2.5.4
PHP version: 5.3.8
MySQL version: 5.1.52-cll
Host: Arvixe
Admin Tools version: 2.2.6

Description of my issue:

Hi Nick. Remember I mentioned how I had been variously hacked and spammed, over the last few years? Well, ever since I turned on "ban repeat offenders" and the email to notify me about it, it's been ticking along like a clock -- between 10:16pm and 11:46pm, I got 13 notifications, and many of them had verrrrrry similar IPs, like the first 2 or 3 parts of the 4-part IP -- I finally had to change the email to my alternate one. So, do you think this type of situation would warrant using that bad behavior system? I did read the docs about it, and obviously I don't want to turn away legit template seekers, or how will I get subscribers? ;-) But with the level of "attack" I'm seeing, of whatever kind, I'm thinking sterner measures might be called for. I set up the HoneyPot thing, I've liked them for a long time; it's nice to have it integrated into this program.

I did set the password for the admin area, and I found the htaccess and htpasswd in the admin dir; how long a time is that session good for? Because it has only asked me for it once. I tried the secret url parameter, but when the session times out unexpectedly -- like when you try to save something! -- being dumped into the front page is a mite unsettling, and inconvenient. Maybe there should be some kind of option for desired behavior, in that situation.

But so far this thing has already proved its worth to me! Awesome! (picture an emoticon here with both thumbs in the air) :-D

Andria

nicholas
Akeeba Staff
Manager
It looks like you are periodically attacked by the same assh... er... script-kiddie who is connecting to the Internet over a dynamic IP, e.g. an ADSL line. If you block the entire subnet of IPs you will probably be blocking a ton of innocent people. Your best bet is to simply let the auto-ban do its thing.

Using the Bad Behaviour is the nuclear option. It has an itchy trigger finger and will probably block many legitimate requests. Moreover, it won't add any more protection for the particular kind of attacks you see on your site. In this particular case it's probably too much trouble with little to no gain. The Project HoneyPot integration is a very good idea, though, and I'd recommend keeping it turned on.

Regarding your session timeout issues, this is how Joomla! works. When X amount of time (=session timeout) passes without a page load in the back-end your session expires. When your session expires the secret word flag is also reset and the secret word protection in Admin Tools kicks in. Even if you had it turned off, it would still screw you as you'd lose whatever you were trying to save. The default session timeout is 5 minutes which is unrealistically low. I'd say that a value between 30-60 minutes is much more realistic. Unless, of course, you're only doing tiny edits in the back-end at a time. Yeah, right, who does that?

Thank you for your kind words!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user8011
Yeah that session timeout thing has always busted my chops; in 2010 I had a subscription to JoomlaPraise, and I used their extension to monitor the session-time; I've also seen an extension to keep the admin always logged in, but I'm not sure that's a really good idea for a production site that's demonstrably got some hack/attack issues; might be fine for a dev site.

I hope you're right about the script-kiddie; if it's the damn Arabs again, I'm definitely going to use the Bad Behavior, and I might even start doing the geographic blocking on that part of the world. But before I leap to possibly erroneous conclusions, I'm going to try looking up those IPs and see what I can see. (These idiots never do seem to realize that they can be TRACKED!)

;-P
Andria

nicholas
Akeeba Staff
Manager
Script kiddies and idiots are synonymous :) The typical "attacker" is someone who isn't necessarily able to tell a router from a microwave oven, found some "cool hacking script" somewhere on the Internet and runs it against a ton of sites. I've had so many "attacks" on my site targeting Joomla! 1.5, outdated components, Joomla! 1.0, Mambo (what the heck, Mambo is dead since 2006!)... even IIS 4.0, despite the fact that my server advertises itself as Apache. Yeah, script kiddies, you can blame their ignorance on bad genes or something.

Nicholas K. Dionysopoulos


user8011
Well, I looked up the IPs in a couple of different ways; first off, I looked them up on the Honeypot website, and sure enough, they're from a known comment spammer -- in China! (trying to flog everything from boner-pills to "rolex" watches!) So, then I went to the security exceptions log, and they appear to be all from the same "person", since they're all trying to use the same password to log in -- remember I said I wanted to get rid of all those spam usernames, by just trashing the old 1.5 site and replacing it with the new 2.5 site? I've had a msg posted to that effect for almost a month now, but along comes Mr Chinese Spammer and tries logging in with all those spam usernames -- which all use the same passwords! So, now I'm going thru the exceptions log and blacklisting Mr Chinese Spammer, and I have a question -- if I delete them from the log, will they stay blacklisted?

I'm so glad I found this program, you have no idea! :D :D :D

Andria

nicholas
Akeeba Staff
Manager
Yup, the IPs in the regular blacklist are not removed automatically :)

Nicholas K. Dionysopoulos


user8011
Well, I knew I had a big problem with spammers, but this is ridiculous. This one individual tried over 500 times to log in -- 500 different spam usernames, 17 different IPs, but all using the same password. Then there are two other IPs that Honeypot says have been reported as exhibiting "behavior consistent with a comment spammer," so I blacklisted them too -- one of those, interestingly enough, didn't hit the main domain, either crypticsites.com or www.crypticsites.com, but hit www.crypticsites.com/components/users -- which I thought seemed fairly suspicious in itself, even without the report from Honeypot. I'm wondering if that one should be reported somewhere.

Thx!
Andria
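
The correlation described in the post above (many usernames, several IPs, one password), together with the cost of blocking a whole subnet raised earlier in the thread, as an added example that is not part of the original ticket and is not Admin Tools code. The record layout, the sample events and the function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict

# Constructed sample of failed logins: (ip, username, password).
# The record layout is an assumption, not Admin Tools' actual log format.
EVENTS = [
    ("203.0.113.14", "spamuser01", "qwe123"),
    ("203.0.113.87", "spamuser02", "qwe123"),
    ("203.0.113.201", "spamuser03", "qwe123"),
    ("198.51.100.9", "spamuser04", "qwe123"),
    ("198.51.100.9", "spamuser05", "qwe123"),
    ("192.0.2.50", "andria", "Sumer2012"),    # owner's typo, unrelated
    ("192.0.2.50", "andria", "Summer2012!"),
]

KEY = secrets.token_bytes(16)  # per-run key: plaintext passwords stay out of the report

def fingerprint(password):
    """Keyed hash so identical passwords group together without being stored."""
    return hmac.new(KEY, password.encode(), hashlib.sha256).hexdigest()[:12]

def shared_password_campaigns(events, min_users=3, min_ips=2):
    """Clusters where one password was tried on many usernames from many IPs."""
    groups = defaultdict(lambda: {"users": set(), "ips": set()})
    for ip, user, password in events:
        g = groups[fingerprint(password)]
        g["users"].add(user)
        g["ips"].add(ip)
    return {fp: g for fp, g in groups.items()
            if len(g["users"]) >= min_users and len(g["ips"]) >= min_ips}

def subnet_cost(ips, prefix=24):
    """Per subnet: (offending IPs seen, addresses a subnet-wide block would cover)."""
    seen = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        seen[str(net)].add(ip)
    return {net: (len(addrs), ipaddress.ip_network(net).num_addresses)
            for net, addrs in seen.items()}

if __name__ == "__main__":
    for fp, g in shared_password_campaigns(EVENTS).items():
        print(fp, len(g["users"]), "usernames from", len(g["ips"]), "IPs")
        for net, (hits, size) in sorted(subnet_cost(g["ips"]).items()):
            print(f"  {net}: {hits} offending of {size} addresses")
```

The per-subnet figures show how many addresses a subnet-wide block would cover compared with the handful that actually appear in the log.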

nicholas
Akeeba Staff
Manager
This is a typical bot trying to do spam registrations en masse. No point in reporting it. In a few days up to a month this IP will no longer be used by spammers. They know that their IPs get "burned" very fast and they rotate them accordingly.

Nicholas K. Dionysopoulos

