#24337 Strange behaviour AdminTools

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 03 March 2016 17:20 CST

websystem
Hi,

I have a problem.

JOOMLA: 3.4.8
AT: 3.6.8
PHP: 5.5.25

I have a subscription.

I started using AdminTools after the exploit in Joomla! 1.5-3.4.6.
My site was hacked. I installed AT and cleaned the site, updated all extensions, and removed the unused ones.
For 2 weeks everything was OK (no modified/added files), but since last Monday it has started again.

AdminTools doesn't stop the attack, and a few files and folders were added on my FTP with lots of files ready to send spam.

I am sending the logs:

95.215.61.192 - - [01/Feb/2016:07:37:04 +0100] "POST /modules/mod_login/tmpl/joomla_rss.php HTTP/1.1" 200 17836 "-" "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20130405 Firefox/22.0"

95.215.61.192 - - [01/Feb/2016:07:37:05 +0100] "POST /modules/mod_login/tmpl/joomla_rss.php HTTP/1.1" 200 4026 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0"

37.115.190.37 - - [01/Feb/2016:05:07:05 +0100] "GET /modules/mod_login/tmpl/joomla_rss.php HTTP/1.1" 200 455 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:37.0) Gecko/20100101 Firefox/37.0"

37.115.190.37 - - [01/Feb/2016:05:07:05 +0100] "GET /modules/mod_login/tmpl/joomla_rss.php HTTP/1.1" 200 455 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2145.12 Safari/537.36"

What do you think about it?

tampe125
Akeeba Staff
Hello Miroslaw,

Just because you have Admin Tools installed and a .htaccess file generated doesn't make your site unhackable. The first obvious reason is that no security tool can ever be watertight. All security tools, including Admin Tools, are designed to make it very much harder for someone to hack your site. Making it impossible, though? Not a chance. If there were such a magic solution we'd be selling it for several million dollars – just think about how much money big companies lose when their servers are penetrated.

Now, besides that, all security solutions protect you from hacks coming from the outside as long as the requests are routed through them. This has two very important corollaries:

1. It is possible that the attacker is able to execute an arbitrary PHP file or exploit a vulnerability in a directly web accessible .php file. The .htaccess Maker front-end and back-end protection block, by default, access to all .php files except Joomla!'s index.php files. However, you can add exceptions. If you add an exception which allows specific .php files to be accessed and they are vulnerable then you've opened a back door to your site. If you enable direct access to all files (including .php) for a particular directory it is possible that the attacker found a way to upload a malicious script and execute it, hacking your site. If you have a secondary site, e.g. a Wordpress installation, inside your site's root and you allow access to it, it is possible that the attacker hacked it and used it as a back door to hack your Joomla! site. Of course there is also the possibility that, if you didn't enable the front-end and back-end protection in the Admin Tools .htaccess Maker, a hacker found a vulnerability which allowed him to upload and execute a malicious script.

2. There's what I call the "under the radar" attack. On most shared hosts it is possible that if a hacker infiltrates another site on the same server he has write access to your site's files. It all depends on ownership and permissions. If the files are owned by the same user under which the web server runs for all sites hosted on the server (as opposed to being owned by your account's FTP user) then you are definitely vulnerable to this attack. Permissions with their second or third digit set to 6 or 7 (e.g. 664, 646, 775, 757 and so on) may also make you vulnerable to such an attack.

3. If you are using outdated software it is possible that it suffers from a vulnerability which cannot be prevented by a security solution. For example, Joomla! 1.6 and 1.7 allow malicious users to create Super Admin users if user registration is enabled. Due to the nature of that bug no security solution can prevent this. Check the versions of everything you have installed.

Another possibility is the "exploited yesterday, ready to be hacked tomorrow" method. I've seen that many times. A site was infiltrated by a hacker months ago and they installed a back door. Months later they come back and hack your site. The thing is that all your backups are now "infected" with this back door. Restoring your site from a backup will allow the hacker to hack your site again and again and again.

Of course there is the low tech approach: somehow your admin or FTP credentials were stolen. Stealing admin or FTP credentials is dead simple, as long as the hacker is connected to the same network (wired or wireless) as you and your site does not use HTTPS. Stealing FTP logins can also be performed by malware such as keystroke loggers or by more specialised malware which steals, for example, FileZilla's saved connections INI file, which contains the credentials in plain text.

I would recommend following the advice in our Unhacking Your Site walkthrough to first identify the point of entry, unhack your site and patch the security hole which made the hack possible in the first place.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
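As an added example (not from this ticket and not Akeeba's code), a small Python checker that applies the rule Davide describes to access-log lines like the ones posted above: it flags successful requests to any .php file other than Joomla!'s index.php entry points, which is exactly what the .htaccess Maker denies by default. The sample log lines and IPs are constructed, and the set of allowed entry points assumes a standard Joomla! layout.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" access log format, the same layout as the lines in the ticket.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Only these scripts should be reachable directly in a stock Joomla! site
# (assumption: standard layout). Everything else ending in .php is what the
# .htaccess Maker front-end/back-end protection blocks by default.
ALLOWED_PHP = {"/index.php", "/administrator/index.php"}

# Constructed sample lines modelled on the ticket; 192.0.2.0/24 is documentation space.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2016:07:37:04 +0100] "POST /modules/mod_login/tmpl/joomla_rss.php HTTP/1.1" 200 17836 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Feb/2016:07:40:12 +0100] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [01/Feb/2016:07:41:03 +0100] "GET /images/stories/shell.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [01/Feb/2016:07:42:55 +0100] "GET /modules/mod_login/tmpl/joomla_rss.php HTTP/1.1" 200 455 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Split one combined-format line into its fields, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = urlsplit(entry["target"]).path  # drop the query string
    return entry

def is_direct_php_hit(entry):
    """True when a .php file outside the allowed entry points was actually served (2xx)."""
    path = entry["path"].lower()
    served = entry["status"].startswith("2")
    return path.endswith(".php") and path not in ALLOWED_PHP and served

def suspicious_requests(lines):
    """Return (ip, method, path, status) for every successful direct .php hit."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_direct_php_hit(entry):
            hits.append((entry["ip"], entry["method"], entry["path"], entry["status"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("direct .php access served:", hit)
```

A 403 on such a path (the third sample line) is the .htaccess protection doing its job; a 200 means the script ran and the file and its upload path need to be examined.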

websystem
Hi,

You wrote

The .htaccess Maker front-end and back-end protection block, by default, access to all .php files except Joomla!'s index.php files.

I haven't set anything for .htaccess in AdminTools.
Can you write what I should set to do what you said?

tampe125
Akeeba Staff
Simply get inside the Htaccess Maker and hit the Save and generate .htaccess button.
Default values are the recommended ones.

Davide Tampellini

Developer and Support Staff

