Your software
My Mautic version is: 3.3.3-19-r70
My PHP version is: 7.3.29
My Database type and version is: MariaDB
Your problem
My problem is:
For some reason, during the 19 days of not using Mautic, when I had not even logged in, random contacts were being added to my Mautic, as the dashboard shows.
I didn’t use Mautic after the 12th of August, but new contacts kept being added, up to hundreds, during these days of not using Mautic.
However, when I went into the contacts and looked for import history, there was no trace of contacts having been added or an email campaign having been sent.
Am I being hacked? Or is this odd behavior of Mautic?
If I am being hacked, what are some security measures I can use to prevent this from happening again?
Also, when I proceed as I normally would to log into the Mautic page, Chrome suddenly notifies me that “this website is NOT safe”.
Hi, enable anonymous mode (in contacts, on the right side, the little man icon), click on the IP of the person, and check what pages they looked at.
They might be just normal unidentified contacts.
I have followed your instructions and looked at the anonymous contacts.
All the pages they clicked on do not exist, and what is worrying me is that our Mautic is currently not yet connected to any page, and it is not yet in production for our customers to reach. So apart from our testing emails, and certain people who have access to the page, there shouldn’t be anyone accessing our Mautic at all. Where would all these anonymous contacts come from?
I am quite new to Mautic, and seeing all these contacts being added from random IP without knowing what they are doing in my Mautic is really concerning.
During the 19 days I didn’t use Mautic, there were over 1500 anonymous contacts added, and I don’t even know where they come from.
Is there any way for me to improve the security of my Mautic?
Hello!
Can you please give an example of a page those IPs check?
It is common to look for vulnerabilities and to look for certain files.
Once you have 100x larger real traffic you don’t even notice them.
I found that some hackers try to fish around and hope that a system admin left a backup lying around somewhere in a public folder. They would search for stuff like:
This is exactly right. Scripts are used to scan directories on servers looking for common vulnerabilities, or access to files that can be edited to give escalated privileges. The script gets a 404 error if it's web-based, or access denied if it's otherwise. Keeping your server up to date and using something like Fail2ban is an easy way to secure it. Here is a snap of my Fail2Ban log with 4500+ blocked IP addresses for exactly this issue.
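The pattern described in the reply above (one address collecting many 404s in a short time, which is the kind of signal a Fail2ban jail acts on), as an added example that is not part of the original thread and does not reproduce Fail2ban's own code. The log lines are constructed, and `max_retry` / `find_time` are hypothetical parameter names modelled on Fail2ban's `maxretry` and `findtime` settings.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2021:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [20/Aug/2021:10:00:02 +0000] "GET /db.sql HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [20/Aug/2021:10:00:03 +0000] "GET /site.tar.gz HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [20/Aug/2021:10:00:04 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "-"
198.51.100.20 - - [20/Aug/2021:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [20/Aug/2021:10:05:01 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.55 - - [20/Aug/2021:10:00:00 +0000] "GET /a HTTP/1.1" 404 196 "-" "-"
192.0.2.55 - - [20/Aug/2021:13:00:00 +0000] "GET /b HTTP/1.1" 404 196 "-" "-"
192.0.2.55 - - [20/Aug/2021:16:00:00 +0000] "GET /c HTTP/1.1" 404 196 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def find_scanners(log_text, max_retry=3, find_time=600):
    """Return {ip: [requested paths]} for clients that received at least
    max_retry 404 responses within any find_time-second window."""
    hits = defaultdict(list)  # ip -> [(timestamp, path)] for 404 responses only
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # skip unparseable lines and anything that is not a 404
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        parts = m["req"].split()
        path = parts[1] if len(parts) >= 2 else m["req"]  # malformed request line
        hits[m["ip"]].append((ts, path))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most find_time seconds.
            while (events[end][0] - events[start][0]).total_seconds() > find_time:
                start += 1
            if end - start + 1 >= max_retry:
                flagged[ip] = [p for _, p in events]
                break
    return flagged

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(ip, len(paths), "x 404:", ", ".join(paths))
```

A single 404 from a normal browser (the `favicon.ico` line) and three 404s spread over six hours both stay below the default threshold; only the burst from one address is flagged.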
I have checked the example pages, and it seems like they all include the IP address "13.238.219.9". Does that mean this IP is potentially hacking my site?
These are the example sites that I see visited from anonymous contacts. It looks pretty unusual.
More anonymous contacts kept being added every day, and it just looks really weird since we have not officially started to use Mautic at all.
I have read through the link you provided, and it makes me feel better that at least I am not alone, and others have the exact same issue too.
However, I am still a bit puzzled, since I use this on an AWS instance (packaged by Bitnami), and I am a bit confused about adding the code you have given to the file on the instance. So I thought about using what you have mentioned, Fail2ban.
Can you please give me some direction on how to install Fail2ban on the server?