Support

Hi!

This is a very (I mean, VERY) common problem, especially as of the start of December. First, let me tell you that you needn't worry. These attacks are targeting ancient versions of components, some of which no longer exist, or outdated versions of Joomla! 1.0 and even Mambo, Joomla!'s predecessor which ceased to exist back in 2005! Admin Tools Pro is more than capable of fending off such feeble attacks.

Now, you might wonder why this happens. A security advisory company dug up some ancient security advisories from 2-5 years ago and published them as "current threats". All of them had to do with ancient versions of Joomla! and some of its extensions being vulnerable to RFI and SQLi attacks. Stupid as it may be, this made the rounds in the underground and some older hackers dug up their exploit scripts. They seem to have ended up in the hands of script kiddies who run them against unsuspecting sites.

You might want report the offending IPs to the ISP, but I don't think you'll get anything out of it. Since there was no actual hacking of your site, the criminal act of breaking in to an electronic network may or may not be established, therefore the ISP won't bother taking a proactive action. If you were hacked, however, and made a statement to the authorities and they'd get a warrant, the ISP would gladly turn over the personal information of the attacker and send the police to their house. You get the idea :)

I'd suggest not doing anything, it's wasted time. Admin Tools is capable of protecting you against these attacks.

ACtually, the responsible security advisory resources (like exploit-db.com) will only list a vulnerability after the developer has had adequate time to provide a fix, usually 7-14 days depending on the severity of the exploit. They will also give some generic information about the exploit, but not step-by-step instructions.

There are other resources on the 'net which publicise 0-day exploits (the developer hasn't been notified about them), full details and proof-of-concept code. There are the real jerks of the Internet. It's like having someone give out free guns and unlimited ammo to 15-year-olds. We all know this can't end very well, neither for the kids nor for the innocent bystanders.

Anyway, I digress.

Thank you for your kind words and I'm glad I could be of assistance!

Sounds a bit like dropping a big bomb to kill a few mosquitos, but at least that solved the problem you had :)

Randy,

you can always block the specific IP (put it in the black list) and make sure that "Disallow site access to IPs in Blacklist" is set to Yes in the Configure WAF page.

Yup, if you don't set that switch to Yes the black list does nothing. If you wonder why, it's for performance reasons. When the switch is on, for every request routed through Joomla!'s index.php (even when Joomla!'s cache is enabled) we have to perform a database query to fetch all blacklisted IPs and run a loop, parsing the IP ranges and checking them for a match against the user's IP. If you don't need the blacklisting feature, you have one more MySQL request per page request which can throw off the MySQL cache on tight memory conditions (e.g. shared servers), increasing page load by up to 100msec on average.