Well, your tests confirm what I told you (I actually did the same test). The only way what you reported can occur is if something or someone explicitly empties or deletes either the cparams database row or the entire table. I can only tell you that it's not us.
When this happens, is the security of the site damaged, and how much?
The answer is yes and very much so.
The cparams row contains the entire Admin Tools configuration. When it's deleted you go back to the unconfigured state, as if you just installed Admin Tools. By default, the protection features enabled are minimal on purpose.
Could this be a malicious attack on the site?
In theory? Yes. If your site is already compromised by an at least semi-sophisticated attacker, they could be routinely emptying the configuration of security extensions. However, there are several reasons I would suspect incompetence over malice.
First of all, emptying the configuration is pointless. As I said, a modicum of defenses is still enabled even when the configuration is nuked. Moreover, it doesn't address a .htaccess file potentially generated by the .htaccess Maker. From an attacker's perspective this state does NOT give them uninhibited access to your site and alerts you to their presence. It's the equivalent of cutting off power to an alarmed building, meaning that the doors remain locked and the alarm system starts blaring its horn. Not quite the subtle approach an attacker wants.
Moreover, you said that it happens to all of your sites on a specific host even if there are no third party extensions in common. Most hosts would forbid one site reading another site's files, which is the minimum requirement for being able to retrieve their database connection details so you can pull off that kind of misguided and useless attack.
On the same tune, when I see database contents disappearing randomly from the database, my suspicions are more focused on what could possibly write to the database. Typically this is host software which may be running a misguided "security check", screwing up your site. Or it could be an automated partial database restoration. Or it could be an extension doing an automated import which unfortunately screws up your database. I honestly don't know. I would back up one of the sites and restore it on a development server on a different host and see if this issue can be reproduced. If the alternate host version doesn't break, I will rule out a third party extension and start thinking that it's either a site administrator doing something funky or a hosting issue.
Nicholas K. Dionysopoulos
Lead Developer and Director