Someone is attempting to login to my admin repeatedly (so far 60 attempts). Usually when there are attempts like this I immediately login to my backend, look up the IP address and either blacklist it or block the country. Today this is not working. The hacker has done something to alter the IP address which appears like this: 1.0 WIRELESSSRV or 1.0%WIRELESSSRV

Bye the way the "who is" says "The domain or IP you have entered seems malformed" when I click on the IP address.

I have tried to block this using many different methods with no success. Can anyone help me block this bleeping hackers. I'm Using RS firewall version 1.4.0 with Joomla 1.5.

We just saw someone try to make changes to index.php using the following irregular "listed" IP:

1.0 ISA3

There were a few other records that occured within or concurrently with this that reported IPs

The full log record is:


17 critical 08.01.2013 11:43:54 199.21.99.71 0 /?GoHer=cialis online lloyds pharmacy&reset-settings A protected file has been modified.
Debug information:
/home/domain/public_html/htaccess.txt

18 critical 08.01.2013 11:43:54 1.0 ISA3 0 /index.php?option=com_content&view=article&id=678&Itemid=71 A protected file has been modified.
Debug information:
/home/domain/public_html/index.php

19 critical 08.01.2013 11:43:54 199.21.99.71 0 /?GoHer=cialis online lloyds pharmacy&reset-settings A protected file has been modified.
Debug information:
/home/domain/public_html/index.php

20 critical 08.01.2013 11:43:52 1.0 ISA3 0 /index.php?option=com_content&view=article&id=678&Itemid=71 A core Joomla! file has been modified.
Debug information:
/home/domain/public_html/index.php

21 critical 08.01.2013 11:43:52 1.0 ISA3 0 /index.php?option=com_content&view=article&id=678&Itemid=71 A core Joomla! file has been modified.
Debug information:
/home/domain/public_html/index2.php


Within a minute the followin actions were also taken:

15 critical 08.01.2013 11:45:07 66.249.73.201 0 /index.php?option=com_eventbooking&task=view_calendar&month=01&year=1986&Itemid=0 A core Joomla! file has been modified.
Debug information:
/home/domain/public_html/plugins/user/joomla.php

16 critical 08.01.2013 11:45:07 66.249.73.201 0 /index.php?option=com_eventbooking&task=view_calendar&month=01&year=1986&Itemid=0 A core Joomla! file has been modified.
Debug information:
/home/domain/public_html/plugins/authentication/joomla.php

Still no reply from anyone?? I submitted a ticket too and by now there are over 150 attempts logged (and counting) with no way to block these freaks.

I sure hope that someone finds out the answer... the script is hitting one of my web sites at a rate of once every 12 minutes..... for 6 days now....

HELP SVP

Having the same issue - been going on for a couple of days. Watching for a solution.

I installed an extension that makes the admin url more complicated (Admin Exile), and that worked on 1 site but not another.

Hope someone comes up with a better idea.

This is generated because some of your users are accessing your sites via proxy servers (thus hiding the real user IP). We have recently improved the IP detection process. Please download the RSFirewall! installation file again and run it over your current one (this will act as an update).