Support

Admin Tools

#32307 Admin tools not protecting site error

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Sunday, 08 March 2020 18:17 CDT

joomladienst
Hi, this is a continuation of this ticket: #32022

I created a test where I uninstalled admin tools on a test site and added just the #_admintools_storage table. A month has passed and nothing happened.

On one site this issue happens a lot more often. I am sending you the value of cparams field from this site. I can't find anything wrong with it. Maybe you can spot something.

What could cause admin tools to remove these settings? What normal admin tools action would trigger this?

On all our sites we install admin tools, akeeba backup and logman. Can you confirm that these 3 are working
simultaneously without issues? Are you aware of some extension that does not get along with admin tools?

This problem is still happening on my sites. Any help would be appreciated.

nicholas
Akeeba Staff
Manager
The value of cparams is perfectly valid and decodes correctly. It's not cut off, it's not corrupt, it does not contain illegal values. The quickstart flag is set to 1 which tells Admin Tools not to show that message.

At this point I can tell you that this problem does not come from the database data and does not come from our software. The only logical explanation is that our software is not being provided the data stored in the database, hence the reported issue. We do go through the Joomla database to retrieve this information but it's possible for third party extensions (and site integrators) to override it with their custom driver implementation.

Regarding your question, yes, Admin Tools, Akeeba Backup and LOGman work just fine with each other. The former two are both ours and we make a point of making sure that our software works together (otherwise what the heck are we doing anyway). We explicitly added support for LOGman (and other Koowa-based software) in the one feature in Admin Tools that could get in the way since early 2015. Before that LOGman would simply not work unless you made a change in Admin Tools. Nothing of what you say you have installed can cause the problem you are experiencing.

Barring an issue at the database server level which randomly causes queries to return corrupt or no data there's no explanation of your issue. It is very clear to me now that your problem has nothing to do with our software, what you do with it or what kind of data is in the database. It is a problem at either the site or the server level. Since it's happening at multiple sites I am more inclined to think that there is a systematic problem at the server level. Unfortunately I cannot help you pinpoint it since, well, I didn't set up your servers.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

joomladienst
Thank you for your response as It's useful for narrowing possible causes for this issue.

However, we are still scratching our heads as we are not able to detect any possible users actions or site settings that could cause this.
On one of the websites, the issue accrued over the weekend and there weren't any backend interactions there.

Regarding the websites:
  • Issue affects 8 sites.
  • Almost of them are on different servers.
  • One site is stored on the server where we have another Joomla sites with the Admin tools and same settings but without the issue.


Affected sites do not share critical extensions/plugins or some custom setups.
We have Admin tools installed on another 20 sites on various servers without any issues there.
As we couldn't find any obvious connection between the sites we wonder what could cause/trigger Admin tools settings to break.

"We do go through the Joomla database to retrieve this information but it's possible for third party extensions (and site integrators) to override it with their custom driver implementation."
Could you please provide more info regarding this one?

Thank you for your time and patience.

nicholas
Akeeba Staff
Manager
On one of the websites, the issue accrued over the weekend and there weren't any backend interactions there


When that happened did the #_admintools_storage table have a cparams with a value that included "quickstart":1 in it? This is how Admin Tools knows if it's been configured or not. If that's still 1 and you get a warning then the problem is on the database or database driver side of things. If that value does not appear at all or is 0 then the problem is that something screws up your database contents.

Could you please provide more info regarding this one?


Falang, for example, ships its own database driver to handle translated content.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

joomladienst
Thank you for the quick response.

This is the data in the #_admintools_storage -> cparams after this issue appears:
{"ipworkarounds":1,"filescanner":{"memory":null,"timestamp":0}}

What would change the data to this?

nicholas
Akeeba Staff
Manager
Please go to Admin Tools, Web Application Firewall, Configure WAF and set Enable IP workarounds to Yes (instead of Auto). Does that solve your problem (you have to give it a week).

Also, I was wondering about something else. Do you have anything related to Admin Tools scheduled over the weekend, e.g. the PHP file change scanner?

Moreover, do you have any kind of backup / restoration going on automatically over the weekend?

What I think is most likely to have happened is the following. Something third party removed the the cparams row from the database. At this point the automatic IP workarounds code in the system plugin kicks in and determines the IP workarounds must be enabled. It sets ipworkarounds to 1 and saves the (otherwise empty) configuration back to the database. The only thing that worries me is that it happened over the weekend which seems to be a pattern in your sites. I assume that you are running automations over the weekend so I'm trying to figure out if there's an errant automation at play here. Or if my assumption of what most likely happened is at odds with some other piece of information.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

nicholas
Akeeba Staff
Manager
BTW, seeing the cparams you sent me in your last reply means that your original post in this ticket was wrong and you can ignore my first reply. Clearly, Admin Tools complains that it's not configured because it is IN FACT not configured. It's not a database driver issue. We just have to figure out why the data in the database changed without you doing something obvious as far as we know.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

joomladienst
Thank you, I feel like we are making progress.

IP workarounds is already set to yes on all sites with the issue.
Both admin tools PHP scans and akeeba backups are being done every day. No automatic restoration.
The issue shows up on all days of the week, appears to be random.
I mentioned the weekend because I am sure that at that time no one was making changes to the site.

How would I go about testing this issue?

nicholas
Akeeba Staff
Manager
OK, you have ruled out all possibilities for a weird bug nobody else has reported and we can't reproduce. This leaves us with one possibility only: something is emptying the #__admintools_storage table or at least the cparams value. Unfortunately that's as far as I can possibly go into helping you. This is not something that comes from us and it's not something you can keep a log of. If I understand correctly this happens only to sites on a specific server which makes me think that it's something server specific. I just can't guess what would that be :(

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

joomladienst
Hi,

I did some tests. I found a way to reproduce the data in the cparans field.
First I deleted all data. After that Admin tools inserts this: {"ipworkarounds":1}
Second I run a external php scan. That changes the data to this: {"ipworkarounds":1,"filescanner":{"memory":null,"timestamp":0}}

So now I know that something deletes all data and these are the events that follow it. I still do not know what is deleting my data or why.

When this happens is the security of the site damaged and how much?
Could this be a malicious attack on the site?

nicholas
Akeeba Staff
Manager
Well, your tests confirm what I told you (I actually did the same test). The only way what you reported can occur is if something or someone explicitly empties or deletes either the cparams database row or the entire table. I can only tell you that it's not us.

When this happens is the security of the site damaged and how much?


The answer is yes and very much so.

The cparams row contains the entire Admin Tools configuration. When it's deleted you go back to the unconfigured state, as if you just installed Admin Tools. By default, the protection features enabled are minimal on purpose.

Could this be a malicious attack on the site?


In theory? Yes. If your site is already compromised by an at least semi-sophisticated attacker they could be routinely emptying the configuration of security extensions. However, there are several reasons I would suspect incompetence over malice.

First of all, emptying the configuration is pointless. As I said, a modicum of defenses is still enabled even when the configuration is nuked. Moreover, it doesn't address a .htaccess file potentially generated by the .htaccess Maker. From an attacker's perspective this state does NOT give them uninhibited access to your site and alerts you to their presence. It's the equivalent of cutting off power to an alarmed building, meaning that the doors remain locked and the alarm system starts blaring its horn. Not quite the subtle approach an attacker wants.

Moreover, you said that it happens to all of your sites on a specific host even if there are no third party extensions in common. Most hosts would forbid one site reading another site's files which is the minimum requirement for being able to retrieve their database connection details so you can pull off that kind of misguided and useless attack.

On the same tune, when I see database contents disappearing randomly from the database my suspicions are more focused on what could possibly write to the database. Typically this is host software which may be running a misguided "security check", screwing up your site. Or it could be an automated partial database restoration. Or it could be an extension doing an automated import which unfortunately screws up your database. I honestly don't know. I would back up one of the sites and restore it on a development server on a different host and see if this issue can be reproduced. If the alternate host version doesn't break I will rule out a third party extension and start thinking that it's either a site administrator doing something funky or a hosting issue.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!