In October, I kept watch on my website logs for the whole month. As this is the second time my website has been hacked, I am taking more time to clean the website and trying to make sure the site will not be hacked again.
Find Hacking Evidence in Raw Access Logs
In my last post, 5 Tips to Clean Hacked Joomla Website, I found the hacking evidence in the logs. From the logs, I can see where hackers accessed my website and ran the hacking code. This could be the first place to check how people access the website.
Clean Errors and Warnings in Your Website from Error Logs
If the website is powered by a PHP-based open source project such as WordPress or Joomla, it has a high risk of being hacked through third-party plugins or extensions. Therefore, we also have to keep an eye on the error logs, which record PHP notices, PHP warnings, and errors. This information can tell us where our website's security weak points are. We need to fix all of these problems and keep the error logs clean. This could be an efficient way to shut the door on hackers.
Keeping the website safe is a long-term job. There is no one-time investment that makes your website safe forever. I will keep updating my experience on website security and maintenance, and I hope this kind of experience will be helpful for others.
New Hacking Events on Joomla Site (Updated on 28 Sep, 2019)
I started this article on October 31, 2016. After writing the above content, I decided not to release this post as I thought the content was too normal. Today, I come back to continue this article, because the Joomla site is experiencing a new wave of hacking.
It started several months ago. At the beginning, I just got some user registration notification emails. The number was very small, so I didn’t care about it and just deleted the emails and junk accounts. However, it became more serious. Now I get hundreds of emails and the website has more than two thousand junk accounts. First, I went to my website backend (cPanel) to check the visit data. Here is one snapshot of the attack records.
From the visit data, I don’t understand why he just registers accounts. Just for fun? Next, I checked the Raw Access Logs. In the logs, I found that the hacker tries to access the following URL, which gives a 404 page:
http://joomla.website/index.php?option=com_k2&view=itemlist&task=user&id=4352
Currently, I have two jobs:
- Find out what the K2 Joomla extension is.
- Why doesn’t the Securimage PHP Captcha work?
After getting some progress, I will come back and update this post.
Securimage PHP Captcha Useless (Updated on 1 Oct, 2019)
First, I have double-checked why Securimage PHP Captcha doesn’t work. Actually, the spammer updated his script, which goes to my website's registration page and submits the registration information with the captcha. According to the log, the spammer has a 30%-50% chance of guessing the correct captcha.
Second, K2 is an extension which turns Joomla into a news/magazine site, a blog, a download manager or a directory listing, etc. But it doesn’t matter, as I didn’t install it anyway. The reason the spammer keeps accessing the link, I guess, could be “ghost spam” or “referrer spam”. In other words, no one is actually finding URLs related to K2. It’s just people guessing what happens if they try to access the link.
Anyway, as the Securimage PHP Captcha doesn’t work well, I have no way to stop the spammer from registering at this time.
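The two log checks described above (404 requests for an extension that is not installed, such as the K2 URL, and repeated registration submissions from one client) can be automated over the raw access logs. The following is an added example, not code from the original post. It assumes the logs are in Apache combined format, that the registration form posts with `task=registration.register` in the query string, and a hypothetical `installed` component list; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (assumed format of the raw access logs).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def summarize(lines, installed=("com_users", "com_content")):
    """Return (probes, registrations), both keyed by client IP.

    probes: 404 responses for a com_* component that is not installed,
            like the com_k2 URL in the post.
    registrations: POSTs with task=registration.register (assumed task name).
    `installed` is a hypothetical list; fill in the site's real components.
    """
    probes = defaultdict(Counter)
    registrations = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        query = parse_qs(urlsplit(m["target"]).query)
        option = query.get("option", [""])[0]
        task = query.get("task", [""])[0]
        if (m["status"] == "404" and option.startswith("com_")
                and option not in installed):
            probes[m["ip"]][option] += 1
        if m["method"] == "POST" and task == "registration.register":
            registrations[m["ip"]] += 1
    return dict(probes), dict(registrations)

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = [
    '203.0.113.7 - - [28/Sep/2019:10:01:02 +0000] "GET /index.php?option=com_k2&view=itemlist&task=user&id=4352 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Sep/2019:10:01:05 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Sep/2019:10:01:09 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [28/Sep/2019:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'truncated or malformed line',
    '203.0.113.7 - - [28/Sep/2019:10:03:00 +0000] "GET /index.php?option=com_k2&view=itemlist&task=user&id=4353 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    probes, regs = summarize(SAMPLE)
    for ip, n in regs.items():
        print(ip, "registration POSTs:", n, "404 probes:", dict(probes.get(ip, {})))
```

Clients that appear in both results are the ones worth rate limiting or blocking at the web server, since they combine automated sign-ups with requests for components the site does not have.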