#10161 Admin IP Whitelist

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Sunday, 18 December 2011 14:00 CST

user40634
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the forum before posting? yes
Have I read the documentation before posting (which pages?)? yes
Joomla! version: (1.7.3)
PHP version: (unknown)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: (2.1.5 pro)


Description of my issue:

I am getting many Security Exception alerts by email with the reason: Admin IP Whitelist. What do these mean? These IP addresses are not on the admin whitelist. Most of them are in Japan.

This is very weird, because I logged into one of my customer's websites to block an IP address. Immediately, I got a security alert for this IP: 150.70.64.198. It was accessing a URL in the admin panel (the exact URL where I was). Then I blacklisted it and immediately got another one from 150.70.172.207. It also accessed the same URL in the admin panel that I just accessed. And then I got another one, 150.70.172.106. It did the same thing.

What is going on here?

nicholas
Akeeba Staff
Manager
This security exception means that someone whose IP is not in the Administrator IP White List is trying to access your site's administrator directory. Admin Tools has blocked them, so they do not see the back-end login page of Joomla!. As soon as it blocks them it sends out an email to you to let you know of this security exception.

Regarding the latter incident you're describing, it sounds like someone has a large botnet of computers in Japan and tries to attack sites. A botnet is a collection of computers at the disposal of the attacker, usually unsuspecting people whose PCs are infected by malware. The attacker seems to have been trying to access your site repeatedly. At this point, I would also recommend doing a scan on your computer for malware. It is very suspicious that the attacker was trying to access the same URL as the one you just visited in your browser. Telepathy aside, this is a strong indication that your machine may be infected with malware.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
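
An added example (not part of the ticket and not Admin Tools' own code): when blocking one address is immediately followed by an alert from another, as described in the posts above, grouping the blocked sources by network shows whether they share a range. The alert tuples, the allowlist entries, the `/administrator` paths and the function names are constructed for illustration; only the three 150.70.x.x addresses come from the ticket.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (reason, source IP, requested path). The three
# 150.70.x.x addresses are the ones quoted in the ticket; the rest is made up.
ALERTS = [
    ("Admin IP Whitelist", "150.70.64.198", "/administrator/index.php"),
    ("Admin IP Whitelist", "150.70.172.207", "/administrator/index.php"),
    ("Admin IP Whitelist", "150.70.172.106", "/administrator/index.php"),
    ("Admin IP Whitelist", "198.51.100.23", "/administrator/"),
    ("CSRFShield", "203.0.113.9", "/?controller=comment&task=save"),
]

# Hypothetical allowlist: one office address and one VPN range.
ALLOWLIST = ["192.0.2.10", "192.0.2.128/25"]


def is_allowed(ip, allowlist):
    """True if ip matches any allowlist entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in allowlist)


def group_by_network(alerts, allowlist, reason="Admin IP Whitelist", prefix=16):
    """Group blocked sources for one reason by their enclosing /prefix network."""
    groups = defaultdict(set)
    for alert_reason, ip, _path in alerts:
        if alert_reason != reason or is_allowed(ip, allowlist):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].add(ip)
    # Largest clusters first: these are candidates for one range rule
    # instead of many single-address blacklist entries.
    return sorted(((n, sorted(ips)) for n, ips in groups.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for network, ips in group_by_network(ALERTS, ALLOWLIST):
        print(f"{network}: {len(ips)} source(s) -> {', '.join(ips)}")
```
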

user40634
I had scanned my computer with Trend Micro one day prior to this happening. The results returned with zero infections. Is there a better program out there for detecting malware? I'm using Mac OS.

Also, one of my websites experienced about 20+ CSRF Shield attacks last night. What does this mean?

nicholas
Akeeba Staff
Manager
I prefer ESET's NOD32 and McAfee's antivirus software. They have the highest detection ratio. NOD32 is also blazing fast. In fact, so fast that I could install it without hesitation on my mom's EeePC 901 (the darn thing has got a Celeron M at 900-something MHz, absolutely dead slow!).

Regarding the CSRF attacks, these could be either false positives or a bot trying to brute force your password. In the latter case, Admin Tools saved you because it blocks such bots' activity. If you post a couple of the URLs throwing the CSRFShield security exception warning I might be able to guess if it's a false positive.

user40634
Here is the repeated attack target URL:

http://www...com/?controller=comment&task=save

Thank you for helping me understand this. Your extension is truly a work of art.

nicholas
Akeeba Staff
Manager
Most likely it is a genuine spam attack. Quick way to test it: try leaving a comment on one of your articles which have comments turned on. If you can, the security exceptions were thrown by a spambot. If you can't comment on your articles, let me know so that I can give you a workaround.

user40634
I am able to leave a comment without problem. Thank you.

nicholas
Akeeba Staff
Manager
You're welcome :)
