Support

Admin Tools

#26690 Attacks

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by dlb on Friday, 09 December 2016 08:18 CST

Thursday, 08 December 2016 10:41 CST

Pablo33
 What tried this person to do? 30 hits slightly different from code:

https://www.bloderpelze.at/index.php/component/mailto/?tmpl=component&template=j51_revolve&link=8096adf347abe5772af473e6ea198ddc00d4fffa

https://www.bloderpelze.at/index.php/component/mailto/?tmpl=component&template=j51_revolve&link=f9219175682912b5b05c8913a473b0d58e9cbefe

https://www.bloderpelze.at/index.php/component/mailto/?tmpl=component&template=j51_revolve&link=d5fa13dafccce69c22d5d9e482a7f19dfac5812d

Thursday, 08 December 2016 11:02 CST

dlb
Someone is trying to use the Mailto button on an article and is being blocked.

Go to Web Application Firewall, Configure WAF, on the Visual Fingerprinting Protection tab, change the field "Allow site templates" to Yes.

If you do not have the Mail to button enabled on your site, then it is a script trying to use the button and you can just ignore it.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Edited by dlb on 2016-12-08 11:03 CST

Friday, 09 December 2016 02:56 CST

Pablo33
I did as you commanded to me. Mail button works in my contact formular. But the ip`s where from strange countries like Brasil or Ukraine. I blocked them all. Only the last one came from Germany and seems to be a person who want to contact us. Can I release all those ip´s with /mailto/? from the blacklist?

Thanks for answering and the software, since it is installed I have no infection!

Friday, 09 December 2016 08:18 CST

dlb
Hackers do not use their own IP addresses. So when you blacklist an IP address, you are really blocking a proxy server or an innocent bystander with an infected computer. The hacker just moves on to the next address in his list of compromised computers. That is why the auto ban function releases the ban after a period of time, it allows the real owner of the IP address to visit your site after the hacker stops using it.

Most of these attacks come from unattended bots just going from one IP to the next trying various vulnerabilities to see if they can find a site that is using old software. You still see bots trying the JCE bug from Joomla! 1.5 or WordPress bugs tried on Joomla! sites. The hacker really does not care if it fails, it is just a bot. If the bot finds one that works, then the human gets involved.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!