#15082 Security Exception 192.168

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by CoalaWeb on Tuesday, 19 February 2013 04:10 CST

CoalaWeb

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (WAF Security Exceptions)? Yes
Joomla! version: (2.5.9)
PHP version: (5.3.15)
MySQL version: (5.5.23-55)
Host: (optional, but it helps us help you)
Admin Tools version: (2.4.4)

Description of my issue: I have noticed on one of my sites that the exceptions log has a repeated 192.168.254.5 "Admin Query String" entry. Would that mean that the attempts are somehow originating from within the Joomla installation? I'm accustomed to seeing the usual attempts to find the admin string and they get blocked after a certain amount of attempts, but a 192.168 IP worries me.

What do you think?

Thanks

Steve

nicholas
Akeeba Staff
Manager

Hello Steve,

The "Admin Query String" means that someone tried to access your site's administrator area without providing the correct administrator secret URL parameter configured in Admin Tools.

The 192.168.*.* range belongs to the private IPv4 range. These are not public IPs. They can only be used by private (as opposed to Internet-facing) networks. If this is a live site and you see a lot of those IPs it means that you either have a misbehaving script inside your host's network or your server configuration is wrong and ends up reporting the wrong IP address to PHP. If you are on an intranet then the IP is most likely genuine and shows that the owner of this IP is trying to do something nasty.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

CoalaWeb

It's a live site, that's why I thought it was weird to be reporting a non-public (non-routable) IP address. Do you think by a "misbehaving script" it could be a malicious script from within the Joomla installation? I have many sites running on the same server (Hostgator reseller) and this is the only one reporting a non-public exception, so I'm assuming it's a script specific to this installation rather than a server misconfiguration.

I guess I should have a closer look at the "PHP file change Scanner". Can you suggest any other check I should do?

Thanks

nicholas
Akeeba Staff
Manager

I would recommend first asking your host if the IP that generates the security exception belongs to the same server as yours or a different one. Normally if a script attack is launched from the same server you should see 127.0.0.1 as the attacker's IP, barring a different Apache configuration (e.g. Apache listening only to the public and internal network IP and the attacker using the internal network hostname... but this is a far cry and would not work due to the name-based vhost configuration all cPanel-based hosts follow).

I am more willing to believe that the problem is a wrong IP forwarding from a transparent proxy sitting in front of your server. The easiest way to test the theory is launching an attack on yourself :) Try to do something which triggers Admin Tools and then take a look at the Security Exceptions Log. Which IP address do you see?

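The proxy theory in the reply above, worked through as an added example (not part of the ticket and not Admin Tools code): it shows one way a private address can reach an application log when the client IP is taken from a forwarded header, next to a resolver that only trusts a known proxy. The `X-Forwarded-For` handling, the proxy address `198.51.100.10` and every sample address except `192.168.254.5` are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private IPv4 ranges; 192.168.254.5 from the ticket is in the last one.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip):
    """Bucket a logged address the way the replies above reason about it."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"   # request was made from the web server itself
    if any(addr in net for net in RFC1918):
        return "private"    # not Internet-routable: internal host or bad forwarding
    return "public"

def naive_client_ip(remote_addr, xff):
    """Weak: believe the left-most X-Forwarded-For entry, whoever sent it."""
    return xff.split(",")[0].strip() if xff else remote_addr

def resolve_client_ip(remote_addr, xff, trusted_proxies):
    """Hardened: use the header only if the TCP peer is a known proxy, then
    walk it right to left and return the first hop that is not such a proxy."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in trusted)
    if not xff or not is_trusted(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:      # malformed entry: fall back to the TCP peer
            return remote_addr
    return remote_addr

# Constructed requests: (label, TCP peer seen by the server, X-Forwarded-For).
FRONT_PROXY = ["198.51.100.10/32"]   # hypothetical proxy in front of the site
SAMPLES = [
    ("direct visitor",     "203.0.113.7",   None),
    ("visitor behind NAT", "198.51.100.10", "192.168.254.5, 203.0.113.50"),
]

def triage():
    """Resolve each sample both ways and classify what would be logged."""
    rows = []
    for label, peer, xff in SAMPLES:
        weak, good = naive_client_ip(peer, xff), resolve_client_ip(peer, xff, FRONT_PROXY)
        rows.append((label, weak, classify(weak), good, classify(good)))
    return rows

if __name__ == "__main__":
    print(*triage(), sep="\n")
```

In this constructed case a direct request logs the visitor's own address under both resolvers, while the forwarded request logs a 192.168 address only under the naive one.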

CoalaWeb

I was thinking the same so I tried logging in without the admin query string and the log reports my IP address correctly. I would also be expecting a loopback 127.0.0.1 if it was on my server so I'm a bit stumped.

nicholas
Akeeba Staff
Manager

It's time to call your host and ask them where that IP comes from.


CoalaWeb

Thanks, I'll chase that up.
