
Beware IP address 65.99.177.125

Publication: chiefofficersnet
Editorial Staff

When we found this address was the source for a brute-force attack by hackers on our own administration system, we checked and found that it's being used to mount attacks on Drupal CMS systems around the world.

RECOMMENDATION: BLOCK IT AND PREVENT IT REACHING YOUR CMS.

Many spam-scams link to pages injected by hackers into WordPress CMS-based websites. Rarely do we learn that Drupal sites have been compromised in the same way.

But someone using the above IP address, located in Sweden, is trying to access the admin systems of Drupal sites by the simple expedient of trying to use the username "admin."

The same IP address has been used for attacks before, according to monitoring sites. However, the Drupal admin attacks began, on this occasion, within the past few hours.

The root cause of the problem is well known: all Drupal-based sites have their login pages accessible by the route /?q=user and, as a result, hackers hit registration/login pages heavily. It has been suggested that there be a facility for installers to generate their own login page ID, so that hackers could not simply use the same page ID on all sites, but the core developers have not followed those suggestions.
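Because the login route is the same on every site, the attack is easy to spot in the web server's own logs: one address sending a burst of POST requests to the login page. The script below is an added example written for this article, not code from chiefofficersnet or the Drupal project. It parses Apache combined-format log lines, keeps only POSTs to Drupal's login page (reached as /?q=user, or as /user and /user/login when clean URLs are on), and flags any address that sends at least a threshold of them inside a sliding time window. The log lines are constructed: the attacking address is the one named above, the other addresses come from the RFC 5737 documentation ranges, and the timestamps are invented.

```python
"""Find IPs hammering the Drupal login route in an Apache combined-format access log."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache combined format). The first address and the
# /?q=user route are the ones the article names; the other addresses and all
# timestamps are invented. One junk line is included to show it is skipped.
SAMPLE_LOG = """\
65.99.177.125 - - [12/Mar/2015:10:01:01 +0000] "POST /?q=user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
65.99.177.125 - - [12/Mar/2015:10:01:02 +0000] "POST /?q=user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
65.99.177.125 - - [12/Mar/2015:10:01:02 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
65.99.177.125 - - [12/Mar/2015:10:01:03 +0000] "POST /?q=user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
65.99.177.125 - - [12/Mar/2015:10:01:03 +0000] "POST /?q=user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:05:00 +0000] "GET /?q=user HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:05:09 +0000] "POST /?q=user HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.4 - - [12/Mar/2015:10:07:00 +0000] "GET /node/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""

# Apache combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def is_login_route(target):
    """True for Drupal's login page, reached as /?q=user or as a clean URL."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") in ("/user", "/user/login"):
        return True
    return any(q.rstrip("/") in ("user", "user/login")
               for q in parse_qs(parts.query).get("q", []))


def parse_line(line):
    """Return (ip, timestamp, method, target), or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("method"), m.group("target")


def login_posts(log_text):
    """Map each IP to the timestamps of its POSTs to the login route."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, target = rec
        if method == "POST" and is_login_route(target):
            hits[ip].append(ts)
    return hits


def bursty(times, threshold, window_seconds):
    """True if at least `threshold` timestamps fall inside some window of `window_seconds`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        # Slide the window start forward until it is within range of `t`.
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def brute_force_sources(log_text, threshold=4, window_seconds=60):
    """Addresses whose login POSTs are dense enough to look like password guessing."""
    return sorted(ip for ip, times in login_posts(log_text).items()
                  if bursty(times, threshold, window_seconds))


if __name__ == "__main__":
    hits = login_posts(SAMPLE_LOG)
    for ip in brute_force_sources(SAMPLE_LOG):
        print(f"{ip}: {len(hits[ip])} login POSTs in a short burst, candidate for blocking")
```

Run it against a real access log by reading the file into `log_text`; the threshold and window are tunable, and a single POST from a legitimate user (as with 198.51.100.7 in the sample) is never flagged at the defaults.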

WHAT CAN YOU DO TO STOP IT?

The first option is that all versions of Drupal have a facility to block individual IP addresses. Drupal 6 allowed the blocking of ranges. The development ethos for Drupal 7 and 8 was to remove functions from core and provide them as modules. Unfortunately, the blocking of ranges of IP addresses, which was extremely simple to use, was removed from core, and the replacement modules are clunky and frankly too awkward to use.

That is not, altogether, a bad thing. You can prevent the hacker getting as far as the Drupal installation by creating an entry in the .htaccess file. This is a lot easier than you might think. Using an FTP program such as FileZilla (free, donation-ware), navigate to the relevant directory on your server and find the .htaccess file. In FileZilla, right-click it and choose "View/Edit", and the file will open in the text editor on your PC.

In that file, look for the line "Order allow,deny" and insert, on a separate line after it, "Deny from 65.99.177.125".

Save the file. FileZilla will prompt you to upload it back to the server.
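Two things catch people out when making this edit by hand. First, a Drupal .htaccess already contains an "Order allow,deny" line inside a <FilesMatch> block that protects source files, and a "Deny from" placed there only applies to those files, not to the login page; the rule has to go next to a top-level Order line. Second, on Apache 2.4 without the mod_access_compat module, Order and Deny are not available and the equivalent is a Require block. The script below is an added example written for this article (not chiefofficersnet's or Drupal's code) that applies the edit to .htaccess text: it validates the address, skips Order lines inside <Files>, <FilesMatch>, <Directory> and <Location> containers, appends a complete block when no top-level Order line exists, is safe to run twice, and can emit the Apache 2.4 form. The sample .htaccess is constructed to resemble a Drupal one; the address is the one named in the article.

```python
"""Add a 'Deny from <ip>' rule to .htaccess text beside the top-level Order line."""
import ipaddress
import re

# Constructed sample shaped like a Drupal .htaccess: the first 'Order allow,deny'
# sits inside a <FilesMatch> block (it protects source files there only); the
# second is at top level and governs every request to the site.
SAMPLE_HTACCESS = """\
<FilesMatch "\\.(engine|inc|install|module)$">
  Order allow,deny
</FilesMatch>

Options -Indexes
Order allow,deny
Allow from all
"""

ORDER_RE = re.compile(r"^[ \t]*Order[ \t]+allow[ \t]*,[ \t]*deny[ \t]*$",
                      re.IGNORECASE | re.MULTILINE)
_CONTAINERS = r"(Files|FilesMatch|Directory|DirectoryMatch|Location|LocationMatch)\b"
OPEN_RE = re.compile(r"<" + _CONTAINERS, re.IGNORECASE)
CLOSE_RE = re.compile(r"</" + _CONTAINERS, re.IGNORECASE)


def deny_rule(ip):
    """Validate the address (ValueError on junk) and build the Apache 2.2-style rule."""
    return f"Deny from {ipaddress.ip_address(ip)}"


def _at_top_level(text, pos):
    """True if `pos` is not inside any <Files>/<Directory>/<Location> container."""
    head = text[:pos]
    return len(OPEN_RE.findall(head)) == len(CLOSE_RE.findall(head))


def add_deny(htaccess_text, ip):
    """Return the .htaccess text with the deny rule present exactly once.

    The rule goes on the line after the first top-level 'Order allow,deny'.
    If there is none, a complete Order/Deny/Allow block is appended so the
    rule does not depend on the server's default Order.
    """
    rule = deny_rule(ip)
    if re.search(r"^[ \t]*" + re.escape(rule) + r"[ \t]*$", htaccess_text,
                 re.IGNORECASE | re.MULTILINE):
        return htaccess_text  # already blocked: nothing to do
    for m in ORDER_RE.finditer(htaccess_text):
        if _at_top_level(htaccess_text, m.start()):
            return htaccess_text[:m.end()] + "\n" + rule + htaccess_text[m.end():]
    block = f"\n# Block a login brute-force source\nOrder allow,deny\n{rule}\nAllow from all\n"
    return htaccess_text.rstrip("\n") + "\n" + block


def require_block(ips):
    """Apache 2.4 equivalent (no mod_access_compat): allow everyone except the listed IPs."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ipaddress.ip_address(ip)}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(add_deny(SAMPLE_HTACCESS, "65.99.177.125"))
    print(require_block(["65.99.177.125"]))
```

To use it on a real file, read .htaccess into a string, pass it to `add_deny`, and write the result back (or paste the output of `require_block` into the file on Apache 2.4). Note that .htaccess rules only take effect where the server's configuration grants AllowOverride for that directory.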