How We Analyze the Logs for Suspicious Logins on a Joomla Website

An important daily task that we perform on the large websites that we maintain is checking which IPs successfully accessed the backend section of the website. We look up where these IPs are located, and if one of them comes from an unusual location (such as a country where none of the site's administrators are based), then we look into it further.

So, how do we get the list of IPs that successfully accessed the Joomla backend?

Well, we first password protect the Joomla backend (the /administrator/ directory) with .htaccess, and we use a unique username in the .htpasswd file, such as websitename_websiteownername. This step is important because Apache writes the authenticated username into the access log for every request that passed the .htaccess authentication, so the logs tell us exactly which IPs got past this first layer (failed attempts show "-" as the user, or the username together with a 401 status).

We then follow the below guide to get the list of IPs:

  • We ssh to the server as root.
  • We change the directory to the logs directory of the website’s user:

    cd /home/[user]/logs/

  • We create a folder called itoctopus (if not already created) under the /home folder:

    mkdir /home/itoctopus

  • We copy the gzipped access log archive for the current month to the itoctopus folder:

    cp yourjoomlawebsite.com-Mar-2016.gz /home/itoctopus/

  • We change the directory to the itoctopus directory using the following command:

    cd /home/itoctopus

  • We extract the gzipped file that we just copied to the itoctopus folder:

    gunzip yourjoomlawebsite.com-Mar-2016.gz

  • We generate the list of IPs that have accessed the administrator section of the website:

    grep '/administrator/' yourjoomlawebsite.com-Mar-2016 | grep 'websitename_websiteownername' > administrator-access.txt

    (Note: websitename_websiteownername is the user that we created for .htpasswd authentication above and is something like yourjoomlawebsite_jeff. A plain grep matches the username anywhere on the line, so if it also shows up in a query string or a referer, those lines will be included too; the authenticated user is the third field of the combined log format if you need to be stricter.)

  • We get a list of all the unique IPs that have accessed the backend of the Joomla website:

    awk '{ print $1 } ' administrator-access.txt | sort | uniq > administrator-ips.txt

  • We feed the administrator-ips.txt file to a tool that we have built that automatically generates the locations (city and country) of all the IPs in the list. Note that before building that tool, we used online IP location tools to check where each IP was coming from (which was a somewhat tedious process).

  • If we notice that an IP has successfully accessed the backend from a suspicious location, then we investigate that IP further in order to find out whether the access was legitimate. If it was not, we pull every log line for that IP so that we have a clear picture of what it did on the website.
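The steps above, collapsed into one script, as an added example (this is not the post's own tooling, and the log lines, the IP addresses and the .htpasswd username yourjoomlawebsite_jeff are constructed for the example). It assumes the Apache "combined" log format, and it is slightly stricter than the grep pipeline above: it matches the username only in the authenticated-user field, and it drops 401 lines, which Apache still stamps with the username when a wrong password is submitted.

```shell
#!/bin/sh
# Added example, not the original post's method. Extracts the client IPs that
# passed the .htaccess Basic-auth gate in front of /administrator/.
# Assumes Apache "combined" log format:
#   ip ident user [date tz] "method path proto" status bytes "referer" "agent"

# Constructed sample log (addresses from the RFC 5737 documentation ranges):
#  - two authenticated admin sessions from 203.0.113.7 and 198.51.100.23
#  - a password guess from 192.0.2.44 (username logged, but status 401)
#  - an unauthenticated probe from 192.0.2.44
#  - a front-end hit from 192.0.2.99 whose query string merely mentions the username
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - yourjoomlawebsite_jeff [03/Mar/2016:09:12:01 +0000] "GET /administrator/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - yourjoomlawebsite_jeff [03/Mar/2016:09:12:05 +0000] "POST /administrator/index.php?option=com_login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.23 - yourjoomlawebsite_jeff [04/Mar/2016:22:40:10 +0000] "GET /administrator/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - yourjoomlawebsite_jeff [05/Mar/2016:03:01:17 +0000] "GET /administrator/ HTTP/1.1" 401 381 "-" "python-requests/2.9"
192.0.2.44 - - [05/Mar/2016:03:01:18 +0000] "GET /administrator/ HTTP/1.1" 401 381 "-" "python-requests/2.9"
192.0.2.99 - - [05/Mar/2016:03:02:00 +0000] "GET /index.php?q=yourjoomlawebsite_jeff HTTP/1.1" 200 2048 "-" "curl/7.47"
EOF
)

# admin_ips LOGFILE HTPASSWD_USER
# Prints "count ip" for every IP that made at least one request under
# /administrator/ as HTPASSWD_USER with a status other than 401, busiest first.
# $1 = client IP, $3 = authenticated user, $7 = request path, $9 = status.
admin_ips() {
    awk -v user="$2" '
        $3 == user && $7 ~ /^\/administrator\// && $9 != 401 { hits[$1]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -rn
}

# Stand-alone demo over the constructed sample; the printed IP list is what
# would then be handed to a geolocation lookup.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
admin_ips "$demo_log" yourjoomlawebsite_jeff
rm -f "$demo_log"
```

On the sample this prints only 203.0.113.7 (2 requests) and 198.51.100.23 (1 request); the 401 guesses and the front-end hit that contains the username in its query string are left out. One caveat before trusting the first field: if the site sits behind a CDN or reverse proxy, that field holds the proxy's address, and the real client only appears if the log format records X-Forwarded-For (or mod_remoteip is configured).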

So, there you go, we have disclosed our method for analyzing logs for suspicious logins on a Joomla website. If you think that the above is a bit too much and you don’t have time to do it yourself, then please contact us. We will do it for you daily, weekly, or monthly based on your requirements, we won’t charge you much, and you will sleep better at night, knowing that access to your website is monitored by Joomla experts (that’s us)!
