#28410 IP address WAF auto blocked, showing code not IP

Latest post by cornwallkart on Monday, 11 September 2017 02:40 CDT

cornwallkart
In the back end log, and notification email of blocked IP addresses, the IP address is not listed, but instead some of the attack code.

Does this mean some code is getting through, or the IP is not being correctly blocked?

kind regards

craig
--------------
Hello,

We would like to notify you that a security exception was detected on your site, ************, with the following details:

IP Address: dirname(JFactory::getConfig()->get(base64_decode(bG9nX3BhdGg))).base64_decode(L3RtcC9zZngucGhw));exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}���� (IP Lookup: IP Lookup)
Reason: MUA Shield

nicholas
Akeeba Staff
Manager
You need to set "Enable IP Workarounds" to Off. It's not required on your server. Please note that this is not a problem, though.

This is a kind of attack which affects Joomla! versions prior to Joomla! 3.4.8 and with old, vulnerable versions of PHP (5.3 and 5.4). The attacker uses code instead of an IP address in the X-Forwarded-For HTTP header. These old versions of Joomla! on these old versions of PHP would result in arbitrary code execution. Your site is not at risk anyway since it's running on Joomla! 3.7 and PHP 7.1, both of which are not vulnerable. The attacker does not know this, hence their attempt against your site. Basically, they have zero chance of success.

Admin Tools will still catch and block that attack attempt. That's why you see a security exception record. Since the attack is based around the X-Forwarded-For HTTP header and you have "Enable IP Workarounds" (or your server is doing something to the same effect) the contents of that HTTP header are used as the visitor's IP address, therefore they are recorded as such. Again, nothing to worry about, it just means that Admin Tools is doing its job protecting you against major Joomla! threats.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
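
The behaviour described in the reply above, as an added example (not Admin Tools' code and not part of the ticket): a client-IP resolver that uses X-Forwarded-For only when the request arrives from a known reverse proxy and every entry parses as an IP address, so a forged header never ends up recorded as the visitor's address. The function name `resolveClientIp`, the proxy list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; not Admin Tools' code. The function name, proxy
// address and sample requests below are hypothetical/constructed.

/**
 * Resolve the visitor IP. X-Forwarded-For is honoured only when the direct
 * peer is a trusted proxy and every entry in the header is a valid IP.
 * Returns [ip, suspicious]; suspicious is true when the header held non-IP data.
 */
function resolveClientIp(array $server, array $trustedProxies): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return [$peer, false];
    }

    $hops = array_map('trim', explode(',', $xff));
    $bad  = false;
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            $bad = true;
            break;
        }
    }
    // Forged or untrusted header: fall back to the socket address and flag it.
    if ($bad || !in_array($peer, $trustedProxies, true)) {
        return [$peer, $bad];
    }
    // Walk right to left, skipping our own proxies; the first other hop is the client.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return [$hops[$i], false];
        }
    }
    return [$peer, false];
}

$proxies = ['192.0.2.10']; // constructed: address of our own reverse proxy
$cases = [
    'direct visitor, forged header' => ['REMOTE_ADDR' => '203.0.113.7',
                                        'HTTP_X_FORWARDED_FOR' => 'O:7:"Example":0:{}'],
    'visitor behind our proxy'      => ['REMOTE_ADDR' => '192.0.2.10',
                                        'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 192.0.2.10'],
];
foreach ($cases as $label => $server) {
    [$ip, $suspicious] = resolveClientIp($server, $proxies);
    printf("%-32s ip=%s suspicious=%s\n", $label, $ip, $suspicious ? 'yes' : 'no');
}
```

With this approach the blocked-request record for the first case carries the socket address, and the non-IP header value can be logged separately as the reason for the block.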

cornwallkart
Thank you Nicholas.

Good to know, Admin Tools is doing its thing.

kind regards

craig
