Support

Admin Tools

#27073 Admin Tools log file triggers cPanel scanner

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Saturday, 11 March 2017 17:17 CST

Wednesday, 08 February 2017 05:11 CST

gbe
Hi,

I have exactly the same issue as in these tickets:
  • #15116 – Warning malicious files found under your account on server
    #24432 – logs/admintools_breaches.log

(I use Admin Tools Pro on Essentials subscription)

I know you've seen this before, and I know this is a problem with the hosting company, but please read on.

In my case, when there are files discovered that trigger their scan, the provider blocks outbound ports, such as 80, 443, 25, 587, etc. In some sites that don't depend on outbound access, this is a good way to prevent a botnet-style infection from spreading... but for Joomla, it needs outbound access all the time, else you cannot do updates, send notifications, etc.

Here's the response I got from the hosting company:

As per the analysis of the file "[path-deleted]/log/admintools_breaches.log", we observe that the file is just logging the attempt to the files to help identify any potential ongoing intrusions.



Yes, you are correct as per virus scan analysis it seems that only one particular file was caught for infection. Details have been provided below for you kind perusal.

#######################################

[path-deleted]/log/admintools_breaches.log: SiteLock-HTML-SEOSPAM-kfe.UNOFFICIAL FOUND



----------- SCAN SUMMARY -----------

Infected files: 1

Time: 128.719 sec (2 m 8 s)

#######################################



I have downloaded the file and do find that this particular file just logs the attempt to the file above to help identify any potential ongoing intrusions. For now I have removed the immutable attribute assigned to this file and have changed the file permission back to 644. Please note that port blocks for port 80,443 have been removed.



We had escalated the reported issue to our System Administration team and the ClamAV support team. We have analyzed the issue and will be unable to whitelist the ClamAV signature generated while scanning the file "[path-deleted]/log/admintools_breaches.log".



Please note that the signature generated while scanning the file [path-deleted]/log/admintools_breaches.log is a know malware infection. However, our server admin team have excluded the given file from the next ClamAV scan.



If you receive mails about malware infection about the same file, kindly update us and we will get the same checked from our end.


I'd imagine this must affect a lot of Admin Tools users, since this seems to be a common way that hosts set up cPanel to do scans. I understand their side: they have all kinds of different sites, not just Joomla, and they cannot tell (automatically) whether a certain folder (which is in the webspace) MIGHT be executable somehow. I also understand your side: it's not your fault that some hosts have aggressive and poorly-configured scanners that cannot whitelist.

But this seems like it might be widespread, if it's part of cPanel.

So perhaps a potential solution...

How about an option or setting in Admin Tools, that if enabled, would cause it to write these logs slightly differently, so that instead of recording the full malware signature, it could use one of the following measures:
  1. Partial malware signatures (not enough to trigger a scanner), or
  2. No signature, but rather a REFERENCE to the malware, such as a CVE id (though this one could be tricky unless Admin Tools already has the id). or,
  3. A hash made of "[signature]+[some fixed string]. This would keep it easy to identify within Admin Tools, but no scanner would be able to tell what the source of the hash was.


I know this isn't your problem to fix. But an option in Admin Tools could be the solution, making life easier for your users.

Many thanks for your time and your exceptional software. I will continue to support your efforts by renewing my subscription, as I have done for the past 5 years.

Kind regards

Geoff.

Wednesday, 08 February 2017 06:39 CST

nicholas
I'd imagine this must affect a lot of Admin Tools users, since this seems to be a common way that hosts set up cPanel to do scans.


No, this is NOT the common way hosts using cPanel perform scans. To wit, our own site is hosted on such a (managed, not dedicated!) server and is still up. Same goes with thousands of sites using Admin Tools. Only very basic hosts who lack network engineers who know what they are doing will ever institute such an IDIOTIC measure as automatically cutting all inbound traffic to the server when a file is flagged as possibly malware. More so when you are scanning source code files which makes it impossible to have a good accuracy against false positives.

For me that's a clear indication that your host doesn't know how to properly secure their server and chooses the easy solution of offloading the burden to its clients. The only course of action I recommend is moving away from that host, fast.

How about an option or setting in Admin Tools, that if enabled, would cause it to write these logs slightly differently


Partial logging: That's effectively turning off logging. This is a terrible idea from a security standpoint. It renders you blind. If you remove the actual part of the request which triggered the protection (which is exactly what triggers the attack) your log cannot help you a. understand the difference between legitimate and malicious request; b. understand if you are looking at a false positive and c. give you any insight on the attack vector the attacker is trying to leverage. That's about as useful as a book with blank pages.

Signatures: I can write the same simple SQL injection attack in 15 different ways which yield a different hash. Therefore a hash in this context is a useless piece of trash. It will only tell you that something triggered the protection, but not what or if it's a legitimate threat. That's about as useful as a book with its page content replaced by the count of words in each one.

CVEs: Admin Tools is a web application firewall, not an external web application vulnerability assessment tool. It doesn't probe your site with known attacks published in CVEs. And of course it doesn't naively rely on CVEs to classify the request. That would be catastrophic for the security. I'll let you think about it; it's pretty obvious why. Oh, well, it's the same reason "bath salts" drugs that kill people were legal for so long despite the raging war on drugs: when you implement an exact match blacklist the attacker will modify their attack ever so slightly to avoid detection (or discover a whole new class of attacks your narrow, nearsighted blacklist doesn't try to block).

I can think of more solutions which are equally bad. Trying to base64-encode the log will trigger the scanner in BOTH the PHP file that handles logging and the log file itself (large chunks of base64 encoded data are considered suspicious). Even reversible encryption would make no sense because the binary data in an otherwise text file would trigger all sorts of red flags.

The fact remains that this is a stupid host issue. They don't know how to implement security on their server and they put the burden on you. As I said there is exactly one way to solve this problem: use a good host with actual engineers who understand how to set up a server.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 08 February 2017 06:58 CST

gbe
Hi Nicholas,

Thanks for your reply.

such an IDIOTIC measure as automatically cutting all inbound traffic
Just to be clear, I was saying they block outbound ports, not inbound. Blocking inbound would kill the website. That would be crazy for a host to do, and you'd be right in everything you said. Blocking outbound however, can help to slow the spread of infection. That is not so crazy, and I understand the use of such a measure (under the right conditions).

The only course of action I recommend is moving away from that host, fast.
Funny thing, I originally changed hosts for this exact reason... to my current host. *sigh*

Many thanks for taking the time to consider this issue.

Cheers

Geoff.

Thursday, 09 February 2017 01:23 CST

nicholas
Blocking inbound would kill the website. That would be crazy for a host to do, and you'd be right in everything you said


I know it's hard to believe, but we've seen hosts do even worse things. Three and a half years ago some hosts started deleting files they considered "suspicious" without asking the client. Of course that brought down websites.

Blocking outbound ports based on the results of an automatic scanning with a very high chance of false positives due to the nature of the content being scanned is equally idiotic. Modern websites are not isolated islands of information like they were twenty years ago. They communicate with external services for diverse things like payments, spam mitigation, secure authentication, file and data storage and so on and so forth. Blocking outbound ports is, therefore, just as idiotic as blocking inbound ports.

A real network engineer monitors the outbound traffic of the server for signs of anomalous traffic. A paranoid network engineer has a blanket firewall for outbound connections and only opens traffic to ports and hosts explicitly requested by the client, once the client explains why they need that traffic to go through. Only an idiot who's not a network engineer and doesn't know anything about security will block all traffic on a site which might, maybe have a small chance of possibly being potentially infected with some unconfirmed malware which has a distant chance of creating outbound traffic. To give you an example, it's like having a house alarm which saturates the house with halon gas if it thinks someone has possibly violated the perimeter. Yes, that would kill all occupants in case a window gets shattered. That's the kind of "security" offered by your host...

To make matters worse, they don't even secure their server against real hackers. If I were to attack a server I'd upload non-obfuscated code, disguised by means of inconspicuous filenames inside either Joomla's libraries or a popular component's folder. Being a really sneaky bastard I would even try to mimic their coding style and conventions to further throw humans off the scent (humans look for anomalous patterns, they can't go through all the code in Joomla). The only subtle change I'd do is an otherwise innocent abstract or helper class that I know gets called on every page load to load my code. This attack will not be detected by any security software. You know the worst bit? What I described is not a theoretical attack, it's something that I've seen in the real world.

Funny thing, I originally changed hosts for this exact reason... to my current host. *sigh*


I have used different hosts which are generally very good in keeping a secure enough server without getting in your way - and when they do you can discuss with an actual engineer to make sure this doesn't happen again. In no particular order these are SiteGround (we're currently hosted with them), Rochen (my blog is still hosted with them, they were the previous host of our business site), CloudAccess.net and EuroVPS.com. I don't include links to prove that we don't do affiliate links and we make no money from referrals. These hosts are just my personal pick. I'm pretty sure there must be other good hosts out there.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 11 March 2017 17:17 CST

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2017-03-11 17:17 CST

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!