
I am getting hacked continuously from the K2 addon

9 years 11 months ago #128901 by Daniel J. Eller
I am getting hacked on a daily continual basis through the K2 module of yours and it is driving the cpu usage out of the roof on the server. What can I do about this???? Immediately,

Here is an email I got from my web hosting company:


"Here’s another plugin that’s getting several spam hits per second from various IP addresses in several different countries including the U.S. (Kansas City, Los Angeles, Seattle, etc.), China, Germany, Iran and dozens of others. This kind of activity is usually just spammers leaving advertising information but then a few minutes later the same IP address is tracked to hack attempts on your username and password. Both are causing your CPU to increase and will make your website much slower until removed at least temporarily:

coolrushband.net/index.php/component/k2/item/10-cool-rush-will-be-at-pal-joeys-in-san-diego-on-april-19th-special-guest-musician-troy-dent/10-cool-rush-will-be-at-pal-joeys-in-san-diego-on-april-19th-special-guest-musician-troy-dent?start=40&v=0280"

9 years 11 months ago #128902 by Lefteris
First of all, I cannot access your site. I get "403: Access Forbidden Your location (GR) has been blacklisted". Secondly, K2 is a tool which can do a lot of things. It is important to know how to use it. You are writing that you are being hacked on a daily continual basis. Clarify, so we can help you. K2 has had almost zero security issues since the day it was released. If you have set it up to allow comments from everyone without a captcha, for example, then this is a matter of setup. If you have registration open on your site and you allow front-end item submission, then this is also a matter of setup. Provide more details on what's happening so we can give you specific instructions about which settings you need to tweak.

JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

9 years 11 months ago #128903 by Daniel J. Eller
If you are out of the country, you cannot access my site after I installed RS Firewall. Even after installing it, your K2 module is still getting hacked (attacked) continuously.

9 years 11 months ago #128904 by Daniel J. Eller
I am getting hacked on items that have been deleted. How can that be??? They were deleted 2 weeks ago???

9 years 11 months ago #128905 by Lefteris
Once again, clarify what you mean when you say "hacked". Do you see items that you have not created appearing on your site? Do you see a lot of spam comments? If bots are just requesting URLs on your site, this is not hacking.

JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

9 years 11 months ago #128906 by Daniel J. Eller
coolrushband.net/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th?limitstart=0&post=00061

I am getting the above visitors to my site from K2 items specifically that are driving the CPU usage of the server way up. I am getting hundreds a day. My other sites are not getting this and for every IP address I block, another one comes up from various other countries, mostly Japan and China.

How can I get these items they are going to, that have supposedly been deleted, gone? Are these items "stored" somewhere else in the config files or something? My web server calls them "hacks". Below is a partial email I have received from them:


Hi Dan,

You’ve had an enormous amount of hack attempts today. We noticed that your CPU had gone crazy this morning and wondered why since there’s an email alert the server staff and I get that a user may be sending spam, being spammed, hack attempts, etc. As it turns out there’s obviously no spam being sent but your website is being spammed from various points in the U.S., China, Germany and other areas several times an hour for evidently no reason. I checked into the bug and it was evident in older versions of Joomla for awhile then supposedly fixed. This must be a new one. It’s directly related to a security breach in your configuration with commands taken from this plugin and others:

coolrushband.net/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th?limitstart=0&con=195

There are several more. We may have to block various IP’s not only making attempts to enter your web folders for reasons unknown since there doesn’t appear to be any shopping carts or anything that would store credit card numbers, but also for your own protection of anything on the website that may be valuable to a hacker. Your domain, coolrushband.net username:coolrsh2 is the only account being targeted. Several website forums state that sometimes there are disgruntled employees or someone trying to highjack a website for some reason and then they give or sell your Joomla security breaches to hundreds of users who then access your files using one of the Joomla plugins mentioned. I can send you others if you want so that you can get rid of these pages that are letting the hackers in.

The opening index.php is not the culprit but various Joomla plugins it connects to that have the security bug are letting these hackers in by the dozens. They are not visitors since visitors don’t normally login over and over again with hack attempts to your files and folders. They are most likely using a hacking software of some kind since the usernames and passwords they’re trying to gain entrance to your website with come within only a few seconds of each other and nobody can type that fast.

9 years 11 months ago #128907 by Daniel J. Eller
I installed RSFirewall yesterday and see my attached jpg. It is a screen print of the monitoring results that is mostly happening from your Module. How can I delete your module and since all my articles are not imported into K2 it should not hurt my site should it (to delete your module)???

See attachment. Be sure to look at graph results to the left half of the graph

9 years 11 months ago #128908 by Lefteris
The screenshot has a very low resolution and I cannot read the text. As I already told you, bots requesting pages on your site is not hacking. It is high traffic. It would be hacking if they managed to create items or comments without your permission. Did you have comments enabled with no antispam in the past? Did you have front-end editing enabled for new registered users in the past? The most reasonable explanation I can give is that your site was spammed in the past and now bots are just requesting these spam URLs. You need to understand that you cannot block someone for requesting a URL on your site. This is something that needs to be done in the server setup, probably with a Firewall. Here are some things you need to do to every site:

1. If your site does not require registration, disable it in the Joomla user manager settings. The fact that you are not displaying a registration form does not prevent users from registering if registration is enabled on your site.

2. Check for spammers registered in your site. Go to Joomla user manager and look out for users that are listed there. Delete spammers accounts.

3. Check for K2 front-end editing settings. If your site does not require front-end editing disable it. If you have this enabled and users registration is enabled it is possible that these users can create items. This has to do with the permissions of default K2 user group that new users are assigned to.

4. Delete any existing spam items. Go to K2 items in administration and delete any suspicious entries there.

5. Check K2 comments settings. If your site does not require comments functionality make sure that you disable them in K2 parameters. Once again even if no form is displayed in your site comments can still be submitted if they are enabled. If your site does require comments then make sure that you have enabled one of the antispam solutions K2 provides for comments. You will also find them in the K2 parameters.

6. Delete any existing spam comments. Go to K2 comments in administration and delete any suspicious comments there.

These steps will prevent your sites from being spammed in the future.

JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

9 years 11 months ago #128909 by Daniel J. Eller
I checked everything you have suggested and I am fine:

Here is what I am getting attacked with every minute of every hour:

coolrushband.net/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th?limitstart=0&post=00061

coolrushband.net/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th

coolrushband.net/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th?limitstart=0&post=061&ar=0974

coolrushband.net/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th?limitstart=0&post=061


192.184.44.172
/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th?limitstart=0&post=00061
0 = size
error
6/5/14 11:29 AM
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)


117.26.119.180
/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th
693
error
6/5/14 11:28 AM
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)


198.204.225.34
/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th?limitstart=0&post=061&ar=0974
0
error
6/5/14 11:28 AM
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )


192.184.44.172
/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th?limitstart=0&post=061
0
error
6/5/14 11:28 AM
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727 ; .NET CLR 4.0.30319)


198.204.225.34
/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th/11-cool-rush-at-the-downtown-cafe-in-el-cajon-on-april-11th?limitstart=0&post=61&post=00266
0
error
6/5/14 11:28 AM
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)


198.204.225.34
/index.php/component/k2/item/32-looking-for-a-smaller-duo-for-a-more-intimate-venue-try-our-own-paisley-moon-see-below/32-looking-for-a-smaller-duo-for-a-more-intimate-venue-try-our-own-paisley-moon-see-below?start=70
0
error
6/5/14 11:28 AM
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)


192.184.44.172
/index.php/component/k2/item/32-looking-for-a-smaller-duo-for-a-more-intimate-venue-try-our-own-paisley-moon-see-below/32-looking-for-a-smaller-duo-for-a-more-intimate-venue-try-our-own-paisley-moon-see-below?limitstart=0&pid=663&review=430
0
error
6/5/14 11:28 AM
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )


66.249.79.77
/index.php/component/k2/item/10-cool-rush-will-be-at-pal-joeys-in-san-diego-on-april-19th-special-guest-musician-troy-dent/10-cool-rush-will-be-at-pal-joeys-in-san-diego-on-april-19th-special-guest-musician-troy-dent?start=114280
481
6/5/14 11:28 AM
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)


112.111.175.218
/index.php/component/k2/item/10-cool-rush-will-be-at-pal-joeys-in-san-diego-on-april-19th-special-guest-musician-troy-dent/10-cool-rush-will-be-at-pal-joeys-in-san-diego-on-april-19th-special-guest-musician-troy-dent?limitstart=0&con=856
0
error
6/5/14 11:27 AM
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)


198.204.225.34
/index.php/component/k2/item/10-cool-rush-will-be-at-pal-joeys-in-san-diego-on-april-19th-special-guest-musician-troy-dent
0
error
6/5/14 11:27 AM
Mozilla/4.0 (compatible



The above urls just go on and on and on

Every minute of every hour by different IP addresses. I block one and 2-3 more take its place. Every one of the items these things refer to is now non-existent.

Dan
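The monitoring records quoted above carry the evidence that decides this thread: which IPs are hammering the site, which K2 item IDs the requests point at, and whether the requests look like a scanner or a search engine. The script below is an added example, not code from the thread or from JoomlaWorks: it parses a constructed, pipe-separated re-typing of those records (slugs shortened), tallies requests per IP and per item ID, flags scanner-like traits that are visible in the quoted lines (query keys K2 never uses such as `post`, `con`, `pid`, `review`, `ar`, and a user-agent string pasted inside itself), and lists the item IDs an administrator should confirm are deleted and return 404, which is the check Lefteris asks for in the next reply. The set of "known" pagination keys and the `ok` status on the Googlebot line are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample, re-typed (with shortened slugs) from the monitoring
# records quoted in the thread. Fields: ip | path | bytes | status | time | user agent.
# The "ok" status on the Googlebot line is an assumption; the quoted record had none.
SAMPLE_LOG = """\
192.184.44.172|/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe/11-cool-rush-at-the-downtown-cafe?limitstart=0&post=00061|0|error|6/5/14 11:29 AM|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
117.26.119.180|/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe|693|error|6/5/14 11:28 AM|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
198.204.225.34|/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe/11-cool-rush-at-the-downtown-cafe?limitstart=0&post=061&ar=0974|0|error|6/5/14 11:28 AM|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
192.184.44.172|/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe/11-cool-rush-at-the-downtown-cafe?limitstart=0&post=061|0|error|6/5/14 11:28 AM|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727 ; .NET CLR 4.0.30319)
198.204.225.34|/index.php/component/k2/item/11-cool-rush-at-the-downtown-cafe/11-cool-rush-at-the-downtown-cafe?limitstart=0&post=61&post=00266|0|error|6/5/14 11:28 AM|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
198.204.225.34|/index.php/component/k2/item/32-looking-for-a-smaller-duo/32-looking-for-a-smaller-duo?start=70|0|error|6/5/14 11:28 AM|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
192.184.44.172|/index.php/component/k2/item/32-looking-for-a-smaller-duo/32-looking-for-a-smaller-duo?limitstart=0&pid=663&review=430|0|error|6/5/14 11:28 AM|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
66.249.79.77|/index.php/component/k2/item/10-cool-rush-at-pal-joeys/10-cool-rush-at-pal-joeys?start=114280|481|ok|6/5/14 11:28 AM|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
112.111.175.218|/index.php/component/k2/item/10-cool-rush-at-pal-joeys/10-cool-rush-at-pal-joeys?limitstart=0&con=856|0|error|6/5/14 11:27 AM|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
198.204.225.34|/index.php/component/k2/item/10-cool-rush-at-pal-joeys|0|error|6/5/14 11:27 AM|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
"""

# Pagination keys an item page legitimately carries (assumption based on the
# keys seen in the quoted URLs); any other key is treated as junk.
KNOWN_QUERY_KEYS = {"start", "limitstart", "limit"}
# K2 item URLs embed the numeric item ID before the slug: /k2/item/<id>-<slug>
ITEM_ID_RE = re.compile(r"/component/k2/item/(\d+)-")


def parse_record(line):
    """Split one pipe-separated record into a dict with the query decoded."""
    ip, path, size, status, when, ua = line.split("|", 5)
    parts = urlsplit(path)
    match = ITEM_ID_RE.search(parts.path)
    return {
        "ip": ip,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "size": int(size),
        "status": status,
        "time": when,
        "ua": ua,
        "item_id": int(match.group(1)) if match else None,
    }


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def classify(rec):
    """Label a record using only what is visible in the record itself."""
    if "Googlebot" in rec["ua"]:
        # Self-reported; confirming the IP via reverse DNS is a separate step.
        return "claims-search-engine"
    junk_keys = set(rec["query"]) - KNOWN_QUERY_KEYS
    nested_ua = rec["ua"].count("Mozilla/") > 1  # UA string pasted inside itself
    if junk_keys or nested_ua:
        return "scanner"
    return "unclassified"


def summarize(records):
    """Tallies an administrator can hand to the host alongside the raw lines."""
    return {
        "by_ip": Counter(r["ip"] for r in records),
        "by_item": Counter(r["item_id"] for r in records),
        "by_class": Counter(classify(r) for r in records),
        "junk_keys": Counter(
            k for r in records for k in set(r["query"]) - KNOWN_QUERY_KEYS
        ),
    }


def items_to_verify(records):
    """K2 item IDs to confirm are deleted: each should return 404 on the site."""
    return sorted({r["item_id"] for r in records if r["item_id"] is not None})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = summarize(recs)
    print("requests per IP:   ", summary["by_ip"].most_common())
    print("requests per item: ", summary["by_item"].most_common())
    print("classification:    ", dict(summary["by_class"]))
    print("junk query keys:   ", dict(summary["junk_keys"]))
    print("item IDs to verify:", items_to_verify(recs))
```

Run on the sample, the script shows 198.204.225.34 and 192.184.44.172 accounting for seven of the ten requests, every request targeting item 10, 11 or 32, and six of ten records carrying junk query parameters or a doubled user-agent; the one Googlebot line is kept apart because its user-agent is self-reported. Feeding it a full export instead of the constructed sample gives the per-IP list a firewall rule can be built from, and the item-ID list is what to walk through in the K2 administration to confirm nothing is left to serve.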

9 years 11 months ago #128910 by Lefteris
Unfortunately I cannot access these URLs since I am getting "403: Access Forbidden Your location has been blacklisted". Are these URLs displaying an item? Do items with IDs 10, 11 and 32 exist on your site? If these are past spam items you need to ensure that you have deleted them. If your site returns a 404 on those links then you are fine and there is nothing more you can do at the site level. You can use a Firewall on your server to block the traffic.

JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)
