#27785 Strange IP addresses in Exception Log

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by PTWD on Friday, 09 June 2017 19:44 CDT

PTWD
Lately I've had some weird exceptions in the Admin Tools log. Instead of the IP address there is only a character string. Perhaps a segment of code? The exception reason is always MUA Shield, and the character string is always:

}__test|O:21:"JDatabaseDriverMysqli

The frequency has been every few/several days since mid-April (might have been before that too but my log only goes back that far).

Since this is not an actual IP address, I can't block whoever is behind it and I have no way of knowing if they're up to no good in other ways while they're there. Have you heard of this before? Any ideas what it means, what's causing it and what I can do about it?

Many thanks!

tampe125
Akeeba Staff
Hello,

Yes, this is an old Joomla exploit affecting older versions of Joomla.
Joomla was using some data from the visitor (for example User-Agent, IP, etc.) without filtering it, resulting in a site compromise.
In this case we can't ban the IP since it's not a "real" one, however you shouldn't be worried, since your site is not vulnerable and Admin Tools is blocking the requests.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

PTWD
Hi Davide. I'm still getting these weird strings in place of IP addresses in the Exceptions Log. You also said this is due to an old version of Joomla, but it was at 3.6.x when I initiated the ticket, so not a seriously old version. I have since updated to Joomla 3.7.2 (previously 3.6.x) and to Admin Tools 4.2.0, and had hoped that would resolve these weird exceptions, but apparently not. You say the site isn't vulnerable since Admin Tools is blocking the requests. However, the requests look normal, not threatening or "up to no good," so I'm concerned that this anomaly could be creating problems for legitimate visitors.

Is there a way to resolve these exceptions?

Thank you.

tampe125
Akeeba Staff
You have to live with that.
The problem is not your Joomla version, it's the attackers that are trying to exploit your site with an old and useless vulnerability. It's like when you see in the logs people trying WordPress exploits: you simply have to ignore them.
> However, the requests look normal, not threatening or "up to no good," so I'm concerned that this anomaly could be creating problems for legitimate visitors.

There isn't any chance that a regular user could create such a request. In order to manipulate the IP, they have to use some special scripts. So don't worry, you're not blocking any regular user.


PTWD
Okay, thanks Davide. I guess I misunderstood how the strings were being logged. Thanks for your help.
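Added example (not part of the original ticket and not Admin Tools code): a Python triage of the address column of a blocked-request log, separating real IP addresses from values that carry PHP serialized-object markers like the string quoted in the first post. The `(address, reason)` row layout, the function names and the sample rows other than the ticket's string are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter

# PHP serialize() object markers: O:<len>:"Class or C:<len>:"Class.
# No closing quote is required because the logged value may be truncated,
# as it is in the ticket.
PHP_OBJECT = re.compile(r'(?:^|[^A-Za-z0-9])[OC]:\d+:"[A-Za-z_\\]')
# PHP session encoding puts "|" between a variable name and its value.
SESSION_KEY = re.compile(r'[A-Za-z_][A-Za-z0-9_]*\|[abdisOCN][:;]')


def _is_ip(text):
    try:
        ipaddress.ip_address(text.strip())
        return True
    except ValueError:
        return False


def classify_client_ip(value):
    """Return 'ip', 'php-object-injection' or 'malformed' for an address field."""
    # A forwarded chain ("a, b") is accepted when every hop is a valid address.
    if all(_is_ip(part) for part in value.split(",")):
        return "ip"
    if PHP_OBJECT.search(value) or SESSION_KEY.search(value):
        return "php-object-injection"
    return "malformed"


# Constructed sample rows (address field, block reason); only the second
# address value is taken from the ticket, the rest are documentation ranges.
SAMPLE_ROWS = [
    ("203.0.113.7", "MUA Shield"),
    ('}__test|O:21:"JDatabaseDriverMysqli', "MUA Shield"),
    ("2001:db8::1", "MUA Shield"),
    ("198.51.100.4, 203.0.113.9", "MUA Shield"),
    ("unknown", "MUA Shield"),
]


def triage(rows):
    """Count rows per class and collect those whose address is not an IP."""
    counts, flagged = Counter(), []
    for address, reason in rows:
        kind = classify_client_ip(address)
        counts[kind] += 1
        if kind != "ip":
            flagged.append((kind, reason, address))
    return dict(counts), flagged
```

Rows classified as `php-object-injection` are the already-blocked probes discussed in the thread; they have no address to ban, so counting them over time is the useful output.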
