Support

Admin Tools

#11779 Scripting Attacks not stopped by Admin Tools

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Saturday, 31 March 2012 08:07 CDT

Saturday, 31 March 2012 07:43 CDT

user40075
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: (unknown)1.5.26
PHP version: (unknown)latest
MySQL version: (unknown)latest
Host: (optional, but it helps us help you)Rochen
Admin Tools version: (unknown)

Description of my issue: For thirty minutes this morning a Chinese attacked my site trying about 100 ways to get in. I attach screen captures of some of the attempts listed in my IP tracker Firestats.

I blocked the IP manually.

My question is shouldn't Admin Tools have picked this up and at least listed it for Bad Behavior or something similar?

I've never seen anything this bad.

Cheers!

Lowtech

Saturday, 31 March 2012 07:49 CDT

nicholas
All of these attempts to access something on your server are run against inexistent PHP files. Unless you have set up your .htaccess files to redirect 404s of random PHP files to Joomla!, Admin Tools will never run (remember, Admin Tools only runs inside Joomla!, not magically on all requests coming in to your site).

Even if you do that, unless the requests have some malicious payload (they don't) they won't be caught by Admin Tools or any other security component. They are just 404 errors. In fact, these seem to be probing requests, trying to figure out if you have an insecure copy of phpMyAdmin on your server.

Even if the requests carried a malicious payload, the IP would only be blocked if you had enabled the automatic IP blocking feature for Admin Tools. And, of course, only access to Joomla! would have been blocked, not generally on your server.

Admin Tools is not supposed to be a panacea, catching anything and everything. It's a tool to secure Joomla!, only Joomla! and nothing but Joomla!. In order to stop probing attacks like the one you experienced you may need to enable mod_security (an Apache module) on your server and have appropriate rules which block IPs causing too many 404s over a period of time. Admin Tools is a Joomla! extension, therefore it can't provide web server level security.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 31 March 2012 08:04 CDT

user40075
Hi Nikko!

Much appreciated response! Scared me completely.

Good to know the information you provided!

I do have the automatic IP blocking feature enabled. 3 attacks in 1 minute and blocked for 5 minutes. I thought that should have sent me the usual admin email telling me the IP was blocked and when it didn't I got worried. I was afraid it was some new kind of attack.

Thanks again,

Fritz

Saturday, 31 March 2012 08:07 CDT

nicholas
Hi Fritz,

You're welcome :) I had updated my security talk two months ago to include information about the different kinds of protection you can have on a site (server level, web daemon level, site/.htaccess level, Joomla! level). Security is much more than installing and configuring a security extension. Hopefully, the guys at Joomla! Day France will publish the video of my most recent security presentation in Joomla! Day France 2012 (I speak in English, Yannick of sh404SEF translates to French) and I can link to it :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!