Ronny Drappier

shared this question
4 months ago

"api->user->update" problem

Hi,

A few days ago I updated to OR 3.3 and I noticed in the Site Log that the API is continuously updating all the users, and in all cases more than once. It has been doing this for 2 days now. At present my Site Log had more than 3000 entries over a 2 day period. To avoid possible problems with my ISP I cleared the log several times, but the API keeps working like crazy.

I also noticed that very often the entries are from the same IP address, but also from many other IP numbers.

Needless to say, I did check the Users' profiles, but I do not see any changes or anything strange.

I tried to download the log file to send with this inquiry, but that does not work, so I took a screenshot (see attached). The 157 entries are from just a 7-hour period.

Please advise. Thank you.

Ronny Drappier.

Comments (3)

PIV Support (Employee)

I'm not sure how clearing your log is avoiding problems. 3000 entries in a few days is not a big deal, add 3 more zeros to the end of that figure and that could be a problem. Also, the download log feature only works if you have OR Pro edition.

OR's API is not doing that by itself. It looks to me like a coordinated automated "attack" on your user API because those IPs are in Egypt, Vietnam, Denmark, Thailand, China, etc. These types of attacks on websites are fairly common, whether you are using OR or not. Anyone trying to change your OR user data is going to need to be using a valid OR account that has edit user permissions as well as your site's API key. Since the User Name column in your logs is blank for all of these entries, they are probably trying to brute force their way into changing user data in an attempt to access the back-end.

I would recommend that you open a ticket at Transparent Tech and show them what is happening. If you don't have a Pro edition license, open a Sales ticket.

http://www.transparent-support.com/billing/index.php

Ronny Drappier

Hi,

Thank you so much for your reply.

The reason I keep clearing is because a few months ago I was contacted by my ISP that my site was storing way too much inactive data, and that if I would not correct the problem they would have to disable my site until I had solved the problem.

As it turned out, it was the log file, which had not been cleared in 5 years or so, and now with these attacks going on, I do not know how fast it builds up again, because sometimes I get over 400 entries in an hour and then again just a few, so I am clearing it as much as possible.

I do realize it must be some kind of attack on the site, because I too checked the locations of the IP addresses.

And even though they are not successful so far (knocking on wood) I am on edge with this going on now.

As you advised, I opened a ticket at Transparent Technologies. Actually I reopened one, because I still had a closed ticket from 2012.

As soon as I get a reply, I will post it here, in case it might help someone with the same issue.

Once again thank you for your reply and have a nice day/evening.

Kind Regards.

Ronny Drappier

Hello again,

I got a reply from Transparent Tech and they said that the user API should not be logging these attempts and is doing so in error. However, there is a patch for the issue in OR v3.3, which they have sent to me, and since then the hacker attempt entries are no longer logged.

They also emphasized that it is extremely important to use strong passwords, which I do. However, it raised another question: what if the Users are not using strong passwords? They confirmed that this is an increased risk for the site, so he advised the following:

---------

> What if the Users use weak passwords?

Then their accounts would be subject to possible exploitation, unless your host is using something such as CSF which has the ability to block IP addresses after a certain number of password authentication failures. Most better hosts that provide cPanel also offer CSF. Member accounts in OR don't usually have much to exploit, but any Agent accounts or the Admin account certainly do.

----------

I hope this ticket helped others as well.

Once again thank you PIV Support.

Kind Regards,

Ronny Drappier.
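The pattern PIV Support points to above (a blank User Name column on many "api->user->update" entries, repeated from a few IPs) is easy to spot with a small script, and the CSF advice amounts to the same threshold idea. The example below is added here and is not code from Open-Realty, PIV Support or Transparent Tech; the log lines are constructed, and the column layout, the threshold and the `ip # comment` deny-entry shape are assumptions.

```python
"""Flag IPs hammering the user-update API without an authenticated user.

The Open-Realty Site Log layout is not shown on the page, so the
tab-separated columns (timestamp, ip, user, action) are an assumption.
"""
from collections import Counter

# Constructed sample log: tab-separated timestamp, IP, user name, action.
# A blank user column is the unauthenticated case discussed in the thread.
SAMPLE_LOG = """\
2016-03-01 10:00:01\t203.0.113.5\t\tapi->user->update
2016-03-01 10:00:03\t203.0.113.5\t\tapi->user->update
2016-03-01 10:00:04\t203.0.113.5\t\tapi->user->update
2016-03-01 10:00:09\t198.51.100.7\t\tapi->user->update
2016-03-01 10:01:12\t203.0.113.5\t\tapi->user->update
2016-03-01 10:02:40\t192.0.2.10\tadmin\tapi->user->update
2016-03-01 10:03:15\t198.51.100.7\t\tapi->user->update
"""


def parse_log(text):
    """Yield (timestamp, ip, user, action) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        yield tuple(parts)


def suspicious_ips(text, threshold=3):
    """Return {ip: count} for IPs with at least `threshold` unauthenticated
    api->user->update hits. Updates with a user name are legitimate traffic
    from a logged-in account and are not counted."""
    counts = Counter()
    for _ts, ip, user, action in parse_log(text):
        if action == "api->user->update" and user == "":
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def deny_list_lines(hits):
    """Render one deny entry per flagged IP in the `ip # comment` shape
    (assumed to match csf.deny; check your host's CSF before using it)."""
    return [f"{ip} # {n} unauthenticated api->user->update attempts"
            for ip, n in sorted(hits.items())]


if __name__ == "__main__":
    for entry in deny_list_lines(suspicious_ips(SAMPLE_LOG)):
        print(entry)
```

Run against a real export with a threshold tuned to your site's normal API use; a single authenticated update from an IP should never land it on the list.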
