#21292 DFI Shield attack takes down website

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 23 October 2014 02:24 CDT

user66460
Sorry to go back and forth on this.

I've got the latest version of JCE 2.4.3 installed. I just turned it off in the Extension Manager.

The 3 security exceptions which concern me are:

2014-10-22 08:22:17 173.201.0.1 DFIShield http://www.offthebonebarbeque.com/js/fckeditor//editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=/
2014-10-22 08:22:16 173.201.0.1 DFIShield http://www.offthebonebarbeque.com/js/fckeditor//editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=/
2014-10-22 08:22:12 173.201.0.1 DFIShield http://www.offthebonebarbeque.com/js/fckeditor//editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=/

The exceptions refer to fckeditor.

The IP address is the website's IP address on a GoDaddy webhosting server. The name of the website is OfftheBoneBarbeque.com. When this DFIShield attack is run it shuts down the website to all traffic.

I thought JCE was fixed so what else could it be?

Thank you.

dlb
I'm a little confused. JCE and fckeditor are two different editors. I run JCE on all my sites without any problems from DFIShield.

If you want to use fckeditor, it looks like you will have to set up a WAF exception so it doesn't get flagged as an attack.

Dale L. Brackin
Support Specialist

English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

user66460
Thank you for the quick reply. Let me try to clarify...
I'm not running fckeditor. It's in the path of the security exceptions.

I use JCE, but was concerned it might be how the attacker was able to shut the site down, thus making the website's IP address be recognized as a spammer's. So I unpublished JCE in the extension manager. After the attack, no one can get to the website. Everyone gets the "You are a spammer..." message.

So my question is: How can I prevent this?

dlb
JCE is only vulnerable if you're running an unpatched version on a Joomla! 1.5.x website. The bug never made it to the Joomla! 2.x series much less 3.x. This has nothing to do with JCE.

This looks like an attack on fckeditor; the attacker is running the attack even though you don't have it installed. It can never be successful because the target isn't there. It is shutting down the site because either it is spoofing the site's own IP and Admin Tools is locking down that IP address, or your server is not set up properly and it isn't reporting the attacker's IP address. That's more common than you would think in commercial hosting environments.

On a temporary basis, clear your server's IP from the security log and the auto block list, then turn off your auto block. The DFIShield is still blocking the attack and auto block isn't blocking the attacker anyway. That will get the site back online. I'll ask Nicholas to take a look and see where we go from here.


nicholas
Akeeba Staff
Manager
Dale has gotten it right. The server is reporting the wrong IP address to PHP. This is something you need to discuss with your host. Admin Tools is already able to use the X-Forwarded-For HTTP header to let the server give it the correct IP of a visitor when the site is behind a proxy. They just have to make sure that they do send the header with the correct content.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
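An added example, not code from Admin Tools or from anyone in this thread: it parses the security-exception lines quoted above, flags entries whose source IP is the server's own address (the self-lockout Dale and Nicholas describe), and shows how X-Forwarded-For should only be honoured when the direct peer is a trusted proxy. The trusted-proxy range and the client addresses used in the comments are assumptions.

```python
import ipaddress
import re

# The three security-exception lines from the ticket (date time ip reason url).
LOG_LINES = """\
2014-10-22 08:22:17 173.201.0.1 DFIShield http://www.offthebonebarbeque.com/js/fckeditor//editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=/
2014-10-22 08:22:16 173.201.0.1 DFIShield http://www.offthebonebarbeque.com/js/fckeditor//editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=/
2014-10-22 08:22:12 173.201.0.1 DFIShield http://www.offthebonebarbeque.com/js/fckeditor//editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=/
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def parse_exceptions(text):
    """Return (timestamp, ip, reason, url) tuples for each well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def self_blocking_entries(rows, server_ips):
    """Entries whose source IP is the server's own address.

    Auto-blocking such an IP locks out every visitor, because when the proxy
    layer hides the real client, every request arrives with that address."""
    own = {ipaddress.ip_address(ip) for ip in server_ips}
    return [r for r in rows if ipaddress.ip_address(r[1]) in own]


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Resolve the visitor's IP the way a WAF behind a proxy should.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy;
    otherwise a client could forge the header and name the server's own IP.
    trusted_proxies is an assumed list of CIDR strings for the hosting proxies."""
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    if not x_forwarded_for or not any(peer in net for net in trusted):
        return str(peer)
    # XFF reads "client, proxy1, proxy2": walk from the right past trusted hops.
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)
```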
