Support

Admin Tools

#33202 has admintools a feature to block remote-attack?

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Monday, 15 June 2020 01:57 CDT

Friday, 12 June 2020 05:17 CDT

rincewind
hi, i search a possibilty to block attacks like that:
2020-06-12 10:58:39 USERNAME zRi4Nk-1jEkTm1xVh-0e6pX |< REMOTE=5.53.125.0 SCRIPT=/***/index.php -- /usr/sbin/sendmail -t -i -fno-reply@server
2020-06-12 10:58:39 p544881 zRi4Nk-1jEkTm1xVh-0e6pX <= S=no-reply@server SZ=2187 D=0 SID=13536726
2020-06-12 10:58:39 p544881 zRi4Nk-1jEkTm1xVh-0e6pX => gines@****172.19.35.7] 250 Requested mail action okay, completed: id=1Mpck-1jqqW1280E-008Jnk

Many spammails seems to be send through ftp account USERNAME, the index.php ist ok, unchanged standard joomla-index.php, can admintools forbid such a action? RFI shield is already enabled.

Thx

Friday, 12 June 2020 06:31 CDT

nicholas

I am not sure what I am looking at. FTP log? Something else? I cannot read your mind :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 12 June 2020 10:31 CDT

rincewind

sorry, thats from the mail.log from 1und1.de hosted webspace, the 1und1 team says that theres spam over /***/index.php, but thats clean, standard joomla startindex, attacker came from outside over an ftp user account so i look for an option to totally block remote email possibilities with admintools

Saturday, 13 June 2020 07:49 CDT

nicholas

I still don't have any usable context from that snippet. I don't know what zRi4Nk-1jEkTm1xVh-0e6pX represents.

If you believe that someone took over your FTP account and changed your files to send spam, no, you obviously cannot do anything with Admin Tools. You can clean up your site and reset all passwords, you can use Admin Tools' .htaccess Maker to prevent access to rogue scripts but that's about it.

If you believe that a third party component allows unsolicited emails to be sent from your site then, again, no, you cannot do anything with Admin Tools. You need to take this with the third party developer.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 13 June 2020 08:16 CDT

rincewind

Hi, the snippet is the complete action of sending 1 spam, nothing is changed on site, mails are sent with "< REMOTE=5.53.125.0 SCRIPT=/***/index.php -- /usr/sbin/sendmail..", normaly for such attack the target is an infected file, but this one is originaly joomla index.

p544881 zRi4Nk-1jEkTm1xVh-0e6pX: first part is the ftp-user, second one zRi.. is not the pw and changes often.

I had the hope admintools can forbid/block generally to send emails such a way.

Monday, 15 June 2020 01:57 CDT

nicholas

Still, this means absolutely nothing to me because I lack context. Is this a MAIL sever log or an FTP server log? It is definitely not a WEB server log.

Admin Tools runs inside Joomla which runs under PHP which runs under your web server. If you have a problem with your FTP or mail server setup I'm afraid it's outside the scope of our software and our support.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!