
10,000 logins attempted from my servers IP?

SOLVED


Hello,

 

I have installed Wyomind's extension to record attempted logins to my Magento site. I have seen over 10,000 attempted logins which appear to be based on a dictionary style name attack every two minutes. When I view the extension's details it is stating that the logins are occurring at /downloader/index.php?A=loggedin and are coming from the IP address of my server i.e. the same IP address that my site is hosted on. I have checked the raw access logs and these appear to tally with the extension, suggesting the extension is providing the correct information.

 

Is this a rogue extension on my server trying to gain access or is it something I should not worry about?

 

Any advice would be greatly appreciated.

 

Mike Prentice

2 REPLIES

Re: 10,000 logins attempted from my servers IP?

Not sure as to why they're appearing to come from your server address, unless you're on a shared server, one of the accounts has been compromised and somebody's using curl or htget with a script to automate the dictionary attack directly from the server.

 

10,000 tries on a dictionary attack is nothin', they have the whole dictionary to try, and Magento has no security against it unless you have a module that watches, records bad attempts and more importantly, locks down the backend access when the login retries exceed a certain amount.

 

Do the following to protect your admin backend and download utility, neither of which should be exposed to any more than a number of addresses you can count on one hand. The random IP address access from a coffee shop anywhere in town "'cause ya just need ta check the graph to see how many sales you made in the last 30 minutes" is a pipe dream in today's security environment.

 

Use .htaccess to limit, by IP range, who can access the following URLs:

downloader/
downloader/index.php
admin/
index.php/admin/

 

Change your admin URL in app/etc/local.xml if you haven't already.
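
One way to apply the IP restriction described in the reply above, as an added example (not part of the original thread and not Magento's shipped configuration). The addresses are constructed placeholders, and it assumes the host allows .htaccess overrides (AuthConfig/Limit) and has mod_rewrite enabled.

```apache
# ---- File 1: <docroot>/downloader/.htaccess ----
# downloader/ is a real directory, so plain authorization directives cover
# both downloader/ and downloader/index.php.
# 203.0.113.10 and 198.51.100.0/24 are constructed placeholders: replace them
# with the few addresses that need access. Leave the server's own IP out.
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require ip 203.0.113.10 198.51.100.0/24
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10 198.51.100.0/24
</IfModule>

# ---- File 2: <docroot>/.htaccess, placed ABOVE Magento's own rewrite rules ----
# admin/ is a routed URL, not a directory, so match on the request URI instead.
# "admin" is the default name; if it was changed in app/etc/local.xml,
# use the new name in the pattern below.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Match /admin and /index.php/admin, with or without a trailing path.
    RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin(/|$) [NC]
    # Conditions are ANDed: the request is refused only if no allowed source matches.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.[0-9]{1,3}$
    # Answer 403 Forbidden before Magento's front controller sees the request.
    RewriteRule ^ - [F]
</IfModule>
```

Because the server's own address is not on the allowlist, login attempts originating from the server itself receive a 403 as well. If a reverse proxy or cache on the same host fronts the site, every request reaches Apache with the proxy's address, so the allowlist then has to be enforced at the proxy or on the forwarded client address.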

 

 

 

 

Re: 10,000 logins attempted from my servers IP?

Hi Chiefair,

 

Thanks for taking the time to write such a detailed reply, it's really appreciated.

 

I will follow your advice and restrict the IP range and move the admin login. I will also contact my host to see if there is anything they can dig up.

 

Thanks again

 

Mike