
#20441 security exception for my own IP

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 10 July 2014 13:39 CDT

WillRoz
 Hi,

I was doing some site maintenance and while I was checking the Admin Tools Security Exceptions Log I realized that I am receiving admin query string alerts from my office IP address. I guess I should've spotted this sooner, but that's a bit of water under the bridge at this point.

I have the Secret Key set, but there is an unusually large number of attempts to access the site admin with the standard http://mysite.com/administrator/ page. The weird part is (as I've mentioned), that they're coming from my own IP address.

Another oddity I've seen is that they seem to be mostly on a regular basis:
2014-06-12 10:46:34
2014-06-12 11:46:33
2014-06-12 11:46:34
2014-06-12 12:46:33
2014-06-12 12:46:34
2014-06-12 13:46:33
2014-06-12 13:46:34
2014-06-12 14:46:33
2014-06-12 14:46:34

There's many more, but that should give you the idea...

While searching for a solution I came across these threads:
https://www.akeebabackup.com/support/admin-tools/14255-receiving-security-exception-for-my-own-ip-and-a-couple-of-other-questions.html

https://www.akeebabackup.com/support/admin-tools/13486-admin-query-string-2-2-2-2.html

But neither really gave me an understanding of what might be going on here. So, I guess I'm asking if you've seen anything similar to this before?

I've thought about whitelisting my IP, but my ISP uses rolling IP addresses and it will only change again at some unknown point in the future. It also won't give me any insight as to just what is going on here, in the first place. If there's something fishy going on I'd like to resolve the issue once and for all, if possible.

As always, any suggestions or input you have is greatly appreciated.

Thanks,
Will

tampe125
Akeeba Staff
Hello Will,

can you please post here the target URL that is blocked?
I suspect a third party plugin is acting in a "weird" way.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

WillRoz
Hi Davide,

Not seeing anything being 'blocked', but I assume you mean the 'Target URL' field.
Most of them are simply: http://estateresources.net/administrator/

But there is a list of other ones too. If that's what you are looking for, here you go:

http://estateresources.net/administrator/index.php?option=com_admintools
http://estateresources.net/administrator/index.php?option=com_languages&view=overrides
http://estateresources.net/administrator/index.php?option=com_acymailing&ctrl=newsletter
http://estateresources.net/administrator/index.php?option=com_rsform
http://estateresources.net/administrator/index.php?option=com_acymailing&ctrl=stats
http://estateresources.net/administrator/index.php?option=com_sobipro
http://estateresources.net/administrator/index.php?option=com_content&layout=edit&id=153
http://estateresources.net/administrator/index.php?option=com_roksprocket&layout=edit&id=286
http://estateresources.net/administrator/index.php?option=com_content&view=article&layout=edit&id=113

Does that give you any ideas?

Thanks,
Will

tampe125
Akeeba Staff
I suspect that you have a system plugin that triggers these security exceptions.
Can you please try to unpublish all the "non-core" system plugins (and Admin Tools, of course!) and check if your log gets new entries?

Davide Tampellini

Developer and Support Staff


WillRoz
Hi Davide,

Thanks. The site is live and in the middle of a marketing campaign, so disabling everything but the system plugins isn't really possible at the moment. I cleared the exceptions log and am tracking everything I touch, and am only working with one component at a time to see if I can track anything based on its use. As an example, Acy Mail is installed on the site. I worked with it extensively after I cleared the log and didn't get any exceptions. I'm triggering a cron job later today, so I'll check after it runs and see if it throws any exceptions. If it doesn't, I'll move on to another component and continue testing in that way and see if I can narrow it down some. I know it might not be the best way to get to the bottom of this issue, but since I can't disable everything right now I figure it's the best way at the moment.

Here's something I did notice, however. I have a secret key set for the admin URL. When I'm in the admin and walk away for a bit (longer than the system time-out), as expected, the system logs me out. There's no indication of this when I return, but if I attempt to navigate anywhere in the admin, I'm directed to the home page of the site (which is expected behavior because Joomla is trying to load /administrator without the secret key), and I see that I get an exception in the log. The URL of the exception relates to the component I was trying to access after the timeout took place. All of this makes sense, but does lead to a large number of entries in the exceptions log.

So that leads me to a couple of quick questions. If I whitelist my IP address, will this stop the exceptions being logged? Even if it does, my ISP rolls my IP address from time to time. That means that every time my IP changes, I'll need to change it in Admin Tools. Since that happens randomly, it could become quite the PITA to handle the exception that way. In lieu of that, is there a way to force Joomla to redirect to [/administrator?mysecretkey] instead of simply [/administrator]? I'm not really looking to hack the core of Joomla to achieve this, but it would be nice if there is some kind of work-around to achieve this that I'm just simply not aware of.

Thanks again for your reply and I look forward to hearing your thoughts,
Will

nicholas
Akeeba Staff
Manager
It looks to me as if you have set up an application which monitors your site every hour. If this is the case please change the URL being pinged to include the secret URL parameter.

If that's not the case, it could be your browser. I know that Safari is pinging your Top Sites every now and again to get a screenshot that goes into the Top Sites startup page. If you've bookmarked your site's administrator login page without the secret URL parameter that explains what you're seeing. It happened to me too. All I had to do was change the bookmark to include the secret URL parameter.

In lieu of that, is there a way to force Joomla to redirect to [/administrator?mysecretkey] instead of simply [/administrator]? I'm not really looking to hack the core of Joomla to achieve this, but it would be nice if there is some kind of work-around to achieve this that I'm just simply not aware of.

Take a step back and think about it. The reason you have the secret URL parameter is to make sure that anyone who's not privy to it can't see the login page. So, if you are not already logged in to the administrator area and you try to access any /administrator URL you are redirected to the front-end of the site.

When you come back to your site after a while, you are not logged in to the administrator area. Joomla! has a bug which allows you to see exactly one page (I consider it a security issue in Joomla! 3 to be perfectly honest) before the system catches up with your session expiration and reports you as not logged in. Therefore the redirection you want to modify is the one happening when you are not logged in, the EXACT redirection that the secret URL parameter feature in Admin Tools makes to protect you against unauthorised users.

So, what you are really asking is whether we can help you shoot your feet with a rather big shotgun. No, of course we can't! If you were to modify the redirection to take you to the URL with the secret URL parameter it would do so when an unauthorised user (read: malicious hacker) tried to access the login page of your site. Therefore such a modification would make the secret URL parameter useless as a security measure.

I do have a recommendation. Disable the secret URL parameter and enable the administrator password protection feature. The administrator password protection feature works at the web server level. It's more efficient. It also doesn't trigger security exceptions that Admin Tools can catch and make it block your IP address.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
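The hourly pattern Nicholas reads as a monitor (or a browser refreshing a bookmark) is something you can pull out of the exceptions log mechanically rather than by eye. The script below is an added example, not code from the ticket or from Admin Tools: it groups exceptions by source IP and target URL, collapses hits a few seconds apart into one event (the :46:33/:46:34 pairs), and reports any group that recurs at a steady interval. The log lines are constructed to mirror the timestamps Will posted; the tab-separated layout, the source IP and the extra non-periodic entries are assumptions.

```python
"""Find security-exception sources that recur on a fixed schedule.

Added example for this ticket; not code from Admin Tools. The log lines
are constructed to mirror the timestamps in the ticket. The layout
(timestamp, source IP, reason, target URL, tab-separated) and the IP
address are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN = "http://estateresources.net/administrator/"
IP = "203.0.113.7"  # assumed office IP (documentation range)

LOG_LINES = [
    f"2014-06-12 10:46:34\t{IP}\tAdmin query string\t{ADMIN}",
    f"2014-06-12 11:02:10\t{IP}\tAdmin query string\t{ADMIN}index.php?option=com_admintools",
    f"2014-06-12 11:20:00\t{IP}\tAdmin query string\t{ADMIN}index.php?option=com_acymailing&ctrl=newsletter",
    f"2014-06-12 11:21:30\t{IP}\tAdmin query string\t{ADMIN}index.php?option=com_acymailing&ctrl=newsletter",
    f"2014-06-12 11:46:33\t{IP}\tAdmin query string\t{ADMIN}",
    f"2014-06-12 11:46:34\t{IP}\tAdmin query string\t{ADMIN}",
    f"2014-06-12 12:46:33\t{IP}\tAdmin query string\t{ADMIN}",
    f"2014-06-12 12:46:34\t{IP}\tAdmin query string\t{ADMIN}",
    f"2014-06-12 13:15:44\t{IP}\tAdmin query string\t{ADMIN}index.php?option=com_content&layout=edit&id=153",
    f"2014-06-12 13:46:33\t{IP}\tAdmin query string\t{ADMIN}",
    f"2014-06-12 13:46:34\t{IP}\tAdmin query string\t{ADMIN}",
    f"2014-06-12 14:46:33\t{IP}\tAdmin query string\t{ADMIN}",
    f"2014-06-12 14:46:34\t{IP}\tAdmin query string\t{ADMIN}",
    f"2014-06-12 15:05:00\t{IP}\tAdmin query string\t{ADMIN}index.php?option=com_acymailing&ctrl=newsletter",
]


def parse_line(line: str):
    """Split one log line into (timestamp, ip, reason, target_url)."""
    ts, ip, reason, url = line.split("\t")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, reason, url


def collapse_bursts(times, window=timedelta(seconds=5)):
    """Merge hits within `window` of each other into a single event.

    A request that is bounced and immediately retried shows up as a
    :33/:34 pair; for scheduling purposes that is one event.
    """
    events = []
    for t in sorted(times):
        if not events or t - events[-1] > window:
            events.append(t)
    return events


def find_periodic_sources(lines, min_events=3, tolerance=timedelta(seconds=30)):
    """Return {(ip, url): {...}} for groups whose events recur at a fixed interval.

    The interval is the median gap between events; a group is periodic
    when every gap lies within `tolerance` of that median.
    """
    by_key = defaultdict(list)
    for line in lines:
        ts, ip, _reason, url = parse_line(line)
        by_key[(ip, url)].append(ts)

    periodic = {}
    for key, times in by_key.items():
        events = collapse_bursts(times)
        if len(events) < min_events:
            continue  # too few events to call it a schedule
        gaps = [b - a for a, b in zip(events, events[1:])]
        period = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - period) <= tolerance for g in gaps):
            periodic[key] = {
                "period_seconds": int(period.total_seconds()),
                "events": len(events),
                "raw_hits": len(times),
            }
    return periodic


if __name__ == "__main__":
    for (ip, url), info in find_periodic_sources(LOG_LINES).items():
        print(f"{ip} -> {url}: every {info['period_seconds']}s, "
              f"{info['events']} events ({info['raw_hits']} log hits)")
```

Run against the constructed log, only the bare /administrator/ URL comes back, at a 3600-second period, while the scattered component URLs (the session-timeout clicks Will describes later in the thread) do not. In practice you would feed it the exported exceptions log and look at the surviving keys: a fixed period points at a monitor, a cron job or a browser feature, and the target URL tells you which bookmark or check to fix.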

WillRoz
Hi Nick,

Thanks for the detailed reply. I appreciate your insights. Since clearing the log, I haven't had a repeat of the issue yet.

It looks to me as if you have set up an application which monitors your site every one hour.

I do have Pingdom monitoring the site for downtime, but it only monitors the public side of the site. I have the monitor set up to ping the main url every 5 minutes, so if that was the case I'd probably be seeing the exceptions happen 12 times more often than I already was.

If you've bookmarked your site's administrator login page without the secret URL parameter that explains what you're seeing. It happened to me too. All I had to do was change the bookmark to include the secret URL parameter.

This could be what is happening, but I still have to check some of the devices I use. Thanks for the heads-up though. I was unaware that this might be causing the issue.

Disable the secret URL parameter and enable the administrator password protection feature.

I actually had the site set-up that way originally. Unfortunately, the other website administrator is a bit thick when it comes down to working with his computer. He has pop-ups and JS turned off in his browser and thinks that allowing this behavior will open his computer up to a host of vulnerabilities. He's also working on a computer that's about 10 years old, runs Windows XP and has 1GB ram (I know, I know... don't shoot the messenger!). I can't convince him to change his ways on either issue (along with quite a few others), and he pays the bills. So rather than argue with him, I'll continue to create workarounds that (although unnecessary) suit his fancy.

When you come back to your site after a while, you are not logged in to the administrator area. Joomla! has a bug which allows you to see exactly one page (I consider it a security issue in Joomla! 3 to be perfectly honest) before the system catches up with your session expiration and reports you as not logged in.

I've often wondered about this behavior. Thanks for explaining it in terms a mere mortal like myself can understand. :-)

So, what you are really asking is whether we can help you shoot your feet with a rather big shotgun.

Well put. When I read your reply I must admit that I hadn't thought about it in that way. After pondering it for a bit, I had another thought that I'd like to run by you.

The way I understand it, Joomla inherently redirects to /administrator when the admin session times out. Admin Tools is the component that redirects to the main site url when /administrator is trying to be accessed without the secret key. If that is correct, it seems that there might be a relatively simple solution that doesn't create an additional security risk. If the inherent redirect simply leads to the main website url (instead of /administrator) when the admin session times out, theoretically I should see the same behavior I already have. The only difference would be that Admin Tools wouldn't be throwing an exception. Correct, or am I missing something?

Thanks again,
Will

nicholas
Akeeba Staff
Manager
I actually had the site set-up that way originally. Unfortunately, the other website administrator is a bit thick when it comes down to working with his computer. He has pop-ups and JS turned off in his browser and thinks that allowing this behavior will open his computer up to a host of vulnerabilities.

That's entirely irrelevant. The administrator password protection works at the HTTP specification level. It's nothing to do with JavaScript. Any web browser written in the last TWENTY YEARS will work with it. Unlike Joomla!, which REQUIRES JavaScript in its back-end. You can't click on Save or Cancel without JavaScript. Therefore your other administrator is lying to you about disabling JavaScript or he's lying about doing any administration work on your site. It's as simple as that.

The way I understand it, Joomla inherently redirects to /administrator when the admin session times out.

No. It redirects to the main page of the application. Joomla! has two applications, front-end and back-end. The root of the back-end application is administrator.

Admin Tools is the component that redirects to the main site url when /administrator is trying to be accessed without the secret key.

No. Admin Tools checks if the back-end application is being accessed, no matter the page you are in. In this case it checks two things:
1. Is there a session marker that the secret URL parameter has been used in this session?
2. If #1 is false, is the secret URL parameter present in the URL?
If both conditions are false it will log a security exception and redirect you to the front-end application.

If that is correct, it seems that there might be a relatively simple solution that doesn't create an additional security risk. If the inherent redirect simply leads to the main website url (instead of /administrator) when the admin session times out, theoretically I should see the same behavior I already have.

It's far more complicated than that. However, doing that requires modifying BOTH Joomla! AND Admin Tools. That's not something we can help you with, not to mention it IS a security risk as it nullifies Admin Tools' security feature.

I have already told you what you can do.

Nicholas K. Dionysopoulos

Lead Developer and Director

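The two-step check Nicholas lays out (session marker first, secret parameter in the query string second, otherwise log and redirect to the front-end) is easy to model, and modelling it shows why both of Will's symptoms are the same thing. The code below is an added example written for this ticket; it is not Admin Tools' code. The parameter name, the session key, the front-end URL, the office IP and the log line format are all assumptions. As in the ticket, the secret is the parameter *name* (/administrator/?mysecretkey), not a value.

```python
"""Model of the secret URL parameter gate as described in the ticket.

Added example; this is not Admin Tools' code. The parameter name, the
session marker key, the front-end URL, the IP address and the log line
format are assumptions. A back-end request is allowed only if the session
already carries the marker or the secret parameter is in the query string;
otherwise a security exception is recorded and the request is redirected
to the front-end.
"""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SECRET_PARAM = "mysecretkey"        # assumed; the parameter name is the secret
SESSION_MARKER = "secret_param_ok"  # assumed session key
FRONTEND_URL = "http://estateresources.net/"


@dataclass
class Session:
    """Stand-in for a server session; a timed-out session is simply a new one."""
    data: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    redirect_to: Optional[str] = None
    log_entry: Optional[str] = None


def is_backend(url: str) -> bool:
    """True for any URL under the back-end application root."""
    return urlsplit(url).path.startswith("/administrator")


def gate(session: Session, url: str, client_ip: str, log: list) -> Decision:
    """Apply the two checks; append an exception to `log` on failure."""
    if not is_backend(url):
        return Decision(True)
    # 1. marker left by an earlier request in this session that carried the secret
    if session.data.get(SESSION_MARKER):
        return Decision(True)
    # 2. secret parameter present in this request's query string
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if any(compare_digest(name.encode(), SECRET_PARAM.encode()) for name in params):
        session.data[SESSION_MARKER] = True
        return Decision(True)
    # neither: record the exception and bounce to the front-end
    entry = f"{client_ip}\tAdmin query string\t{url}"
    log.append(entry)
    return Decision(False, FRONTEND_URL, entry)


def simulate_day() -> list:
    """Replay the two behaviours from the ticket and return the exception log."""
    log: list = []
    office = "203.0.113.7"  # assumed office IP
    base = "http://estateresources.net/administrator/"

    # The admin opens the back-end with the secret and works: no exceptions.
    s = Session()
    gate(s, f"{base}?{SECRET_PARAM}", office, log)
    gate(s, f"{base}index.php?option=com_rsform", office, log)

    # The session times out. The next click arrives without the marker, so it
    # is logged under the component URL the admin was trying to reach.
    s = Session()
    gate(s, f"{base}index.php?option=com_rsform", office, log)

    # A monitor or bookmark refresh hits /administrator/ hourly with no session
    # at all: one exception per hit, all from the same IP.
    for _ in range(3):
        gate(Session(), base, office, log)
    return log


if __name__ == "__main__":
    for entry in simulate_day():
        print(entry)
```

Running `simulate_day()` yields four entries: one for the post-timeout click on com_rsform and three for the bare /administrator/ URL. Two things follow from the model. The redirect Will wanted to change is the one in the final branch of `gate`, which fires precisely when neither check passed, so sending that redirect to the URL that includes the secret would hand the secret to anyone who reached the branch; that is the point Nicholas makes. And whitelisting the office IP would only suppress the log entries, not the bookmark or monitor that keeps producing them.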

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!