#10142 How to know if SQLi or RFIShield reports are false positives?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by user41123 on Friday, 09 December 2011 03:35 CST

TurnTex
I have been getting quite a few SQL or RFI security exceptions in my log that appear to come from the same IP range. How can I know if these are false positives or real attacks? I plan to block that range if they are indeed real but don't want to take any chances of blocking legitimate customers. I guess I should trust AdminTools, and I certainly do, but I just have a hard time believing my little old site is worthy of a hacking attempt!

I have attached a PDF file of my log showing what I am seeing.

nicholas
Akeeba Staff
Manager
Hi Curtis,

All of those attacks are real. No false positive. Also, all those attacks are targeting –are you ready for this?– Mambo and Joomla! 1.0, as well as some Joomla! 1.5 component versions from 2-3 years ago. ROFLOL! There's not a cat's chance in hell any of those pathetic attacks (targeting software you don't even have installed on your site) stand any chance of being the least dangerous. It looks like some stupid script kiddie just found an ancient exploit script and tries to run it against any site he comes by in an attempt to prove to his empty-headed friends that he's a 133t h4x0r ("elite hacker" in leetspeak) or something.

My assessment: don't bother. Let 'em try. Only block that IP range if you're sick and tired of receiving the warning emails.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user41123
Hi Nicholas,

I have had exactly the same issue for a few days, with lots of "attacks" from the same IP address in the logs, like Curtis.
Now I've banned the range like this: 123.123. so I suppose this blocks everything from 123.123.1 till 123.123.255.255.

But... I still receive mails from the WAF with blocked IP addresses in this banned range and I still have the option to add these IP addresses to the blacklist.
Now I have two questions, I hope they're not stupid ones: shouldn't the WAF already "recognize" the IP addresses in the banned range and disable the option to add the IP address to the blacklist, and also stop mails for this already banned range?

Greetings from a very happy Admin Tools user! ;-)

Paul

nicholas
Akeeba Staff
Manager
Paul,

You also have to enable the black-list feature in the Configure WAF page (by default it is off, saving a few unnecessary database queries on each page load). Have you turned it on?

Nicholas K. Dionysopoulos

user41123
Hi Nicholas,

I have activated almost every option since the first day I used this great tool. ;-)
I suppose the blacklist feature is one of the options in the Basic Security section of the page? These options are all set to yes and the option CSRF / Anti-spam formulierbeveiliging (CSRF Schild) is set to "basic".
Or am I missing something?

Greetings, Paul

nicholas
Akeeba Staff
Manager
Hi Paul,

Yes, you are missing something :) You have to go to Components, Admin Tools, Web Application Firewall, Configure WAF and set "Disallow site access to IPs in Blacklist" to Yes. As written in the documentation:

"When enabled, if the visitor's IP is in the Blacklist (see the following sections of this documentation about configuring it) they will immediately get a 403 Forbidden error message upon trying to access your site."

Nicholas K. Dionysopoulos

user41123
Hi Nicholas,

That's the second option in the Basic Security section and has been set to Yes since the first day I used Admin Tools Pro.

Greetings, Paul

nicholas
Akeeba Staff
Manager
In that case, the black list is, indeed, enabled. Using something like 123.123. (with a trailing dot) should block all IPs in the 123.123.0.0 - 123.123.255.255 range. Alternatively, you can try using an IP/netmask construct like 123.123.0.0/255.255.0.0 or the more human-friendly IP range format of 123.123.0.0-123.123.255.255.

Also note that older versions of Admin Tools would send you an email whenever someone with a blocked IP would visit your site, the security exception reason mentioned being IP Black List. This was fixed very recently, so please make sure you're using Admin Tools Pro 2.1.14.

Nicholas K. Dionysopoulos
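
An added example, not part of the original thread and not Admin Tools' own code: a Python check that expands the three blacklist notations mentioned in the reply above and confirms which visitor addresses each one covers. The parsing rules are an assumption based on the description in this thread (IPv4 only); the function names and visitor addresses are constructed.

```python
import ipaddress

def entry_to_range(entry):
    """Expand one blacklist entry to (first, last) IPv4 addresses as integers.

    Parsing rules are assumed from the thread's description, not taken
    from Admin Tools itself.
    """
    entry = entry.strip()
    if "-" in entry:  # range form: 123.123.0.0-123.123.255.255
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range is reversed: {entry}")
        return lo, hi
    if "/" in entry:  # ip/netmask form: 123.123.0.0/255.255.0.0
        net = ipaddress.IPv4Network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if entry.endswith("."):  # prefix form with trailing dot: 123.123.
        octets = entry[:-1].split(".")
        if len(octets) > 3:
            raise ValueError(f"prefix has too many octets: {entry}")
        pad = 4 - len(octets)
        lo = ipaddress.IPv4Address(".".join(octets + ["0"] * pad))
        hi = ipaddress.IPv4Address(".".join(octets + ["255"] * pad))
        return int(lo), int(hi)
    addr = int(ipaddress.IPv4Address(entry))  # single address
    return addr, addr

def matching_entry(ip, blacklist):
    """Return the first blacklist entry that covers ip, or None."""
    target = int(ipaddress.IPv4Address(ip))
    for entry in blacklist:
        lo, hi = entry_to_range(entry)
        if lo <= target <= hi:
            return entry
    return None

if __name__ == "__main__":
    # The three notations from the thread (123.123 is the thread's placeholder).
    forms = ["123.123.", "123.123.0.0/255.255.0.0", "123.123.0.0-123.123.255.255"]
    for form in forms:
        lo, hi = entry_to_range(form)
        print(f"{form:30} {ipaddress.IPv4Address(lo)} .. {ipaddress.IPv4Address(hi)}")
    # Constructed visitor addresses: two inside the range, two just outside.
    for ip in ["123.123.0.5", "123.123.255.255", "123.122.255.255", "123.124.0.0"]:
        print(ip, "->", matching_entry(ip, forms[:1]) or "not blocked")
```

Running the same check over the addresses in the WAF warning emails shows whether a blacklist entry actually covers them before a whole range is banned.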

user41123
Hi Nicholas,

I always update to the latest version on the day it's released, so I'm running 2.1.14.
I'll try your suggestions about the IP ranges. Hope that will stop the loads of mails I still receive from banned ranges.

Thanks for your advice!

Greetings, Paul
