Support

Admin Tools

#28638 Security log invalid IP

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by n3t.cz on Thursday, 19 October 2017 08:47 CDT

n3t.cz
Hello,

I found a strange record in the security exceptions log, showing additional code in the buttons column. I checked this record in the database and found that the IP address column of this record contains the value
}__test|O:21:"JDatabase DriverMysqli":3:{

(space added to bypass issue tracker protection)
The request was blocked by muashield.

It seems nothing happened on the website; however, maybe this could be a hack attempt targeting Akeeba Admin Tools directly?

In Apache Access Log I see following
5.254.97.102 - - [17/Oct/2017:05:37:18 +0200] "GET / HTTP/1.1" 403 2298 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"


best regards

Pavel

dlb
Pavel,

It is indeed a hack attempt. It targets Joomla! versions 3.4 and prior by putting executable code in the "from" IP address field. You can sleep easy: your up-to-date version of Joomla! is not vulnerable to this attack, and even if it were, Admin Tools stopped it. We have seen a LOT of these attacks all week.


Dale L. Brackin
Support Specialist


🇺🇸 English: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


🕐 My time zone is EST (UTC -5) (Philadelphia, PA)

n3t.cz
Hello,

I understand it was a hack attempt, which was blocked. What surprised me is that, instead of the correct IP address, Admin Tools logged this pseudocode. It seems to me that maybe, with special code, even if the hack attempt is blocked by Admin Tools, SQL injection could be done directly against the Admin Tools logging SQL query, or, if such pseudocode is JavaScript, it could contain a script that is executed in the admin interface when viewing the log.

Pavel

tampe125
Akeeba Staff
Hello,

I'm taking this ticket from Dale, since Nicholas and I fixed this security vulnerability in Joomla two years ago.
First of all, even though it's a very dangerous vulnerability, it's a very specific one: it only works on specific versions of PHP combined with specific versions of MySQL.
Joomla was vulnerable because it was using the IP address without escaping it, resulting in a Remote Command Execution vulnerability. Admin Tools takes extra care when dealing with external input, since we know that we're handling malicious data all the time. So you don't have to worry about being affected by that string.

Speaking of which: why do you see that string and not the correct IP address? Because the attacker spoofed it, so we can't get the correct IP. The email used for this security exception is the generic one, so that's why you see that strange IP.

Long story short: don't worry, Admin Tools is watching your back.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
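The two concerns raised in this thread (a spoofed "IP address" reaching the logging query unescaped, and that stored text later rendering in the admin interface) come down to how a logger treats an attacker-controlled header. The block below is an added illustration of the safe pattern and is not Admin Tools or Joomla code; it assumes PHP with the PDO SQLite driver, a hypothetical `seclog` table, and hypothetical helper names (`clientIp`, `logExceptionSafe`, `renderRow`). The sample values are constructed from this ticket: the serialized-object string as posted (including the space the poster added) and the address from the Apache access log line.

```php
<?php
// Added example, not part of the original ticket or of Akeeba's code.
// Demonstrates: validate a client-supplied IP before trusting it, bind it as a
// parameter when logging, and escape it on output in the admin UI.
// Assumption: PDO with pdo_sqlite is available; table layout is hypothetical.

// Constructed sample input, taken from this ticket.
$spoofedHeader = '}__test|O:21:"JDatabase DriverMysqli":3:{'; // value seen in the IP column
$peerAddress   = '5.254.97.102';                              // REMOTE_ADDR from the Apache log line

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE seclog (id INTEGER PRIMARY KEY, ip TEXT NOT NULL, reason TEXT NOT NULL)');

// Unsafe pattern: the header is interpolated straight into the SQL text, so any
// value containing a quote changes the statement instead of being stored as data.
function logExceptionUnsafe(PDO $db, string $ip, string $reason): void
{
    $db->exec("INSERT INTO seclog (ip, reason) VALUES ('$ip', '$reason')");
}

// Decide which address to record. A proxy header is only meaningful if the
// site really sits behind that proxy; here it is accepted only when it parses
// as an IP, otherwise the TCP peer address is used.
function clientIp(array $server): string
{
    $candidate = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $candidate = trim(explode(',', $candidate)[0]); // first hop of a comma-separated chain
    if ($candidate !== '' && filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Safe pattern: bound parameters. The rejected raw header is still kept for
// forensics, but only ever as a parameter value, never as SQL text.
function logExceptionSafe(PDO $db, string $ip, string $reason, string $rawHeader): void
{
    $stmt = $db->prepare('INSERT INTO seclog (ip, reason) VALUES (:ip, :reason)');
    $stmt->execute([
        ':ip'     => $ip,
        ':reason' => $reason . ' raw_forwarded_for=' . $rawHeader,
    ]);
}

// Escape on output so that a stored payload cannot execute when an admin views the log.
function renderRow(array $row): string
{
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $esc($row['ip']) . '</td><td>' . $esc($row['reason']) . '</td></tr>';
}

// 1. The unsafe logger with a constructed quote-bearing value: the statement breaks,
//    which is exactly the symptom of the input having become part of the query.
try {
    logExceptionUnsafe($db, "1.2.3.4', 'injected", 'Blocked request');
    echo "unsafe insert succeeded unexpectedly\n";
} catch (PDOException $e) {
    echo 'unsafe insert altered the SQL: ' . $e->getMessage() . PHP_EOL;
}

// 2. The safe path with the values from this ticket: the spoofed header fails
//    validation, the peer address is recorded, and the junk is stored as data.
$server = ['REMOTE_ADDR' => $peerAddress, 'HTTP_X_FORWARDED_FOR' => $spoofedHeader];
$ip = clientIp($server); // "5.254.97.102"
logExceptionSafe($db, $ip, 'Blocked request', $spoofedHeader);

foreach ($db->query('SELECT ip, reason FROM seclog') as $row) {
    echo renderRow($row), PHP_EOL;
}
```

The three steps are independent defences: validation decides what goes in the `ip` column, parameter binding guarantees the logging query cannot be changed by whatever is stored, and output escaping covers the case Pavel raised of a payload that happens to be HTML or JavaScript being viewed in the admin interface.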

n3t.cz
Hello,

OK, thanks for the explanation and your great work.

best regards

Pavel

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!