#20536 under attack Admin Query Strings

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by arkofhope on Wednesday, 30 July 2014 13:29 CDT

arkofhope
We are a nonprofit helping those victimized by various child abuses globally.

Starting on July 18 someone started trying to log in to our site using IP address 127.0.0.1. This is NOT us, the owners of the site. I know that number normally refers to localhost. We are on a VPS with HostGator, but we had been badly hacked before getting Akeeba Admin Tools.

Is it possible a hacker is doing something through a back door?
And if so can I block 127.0.0.1 without making the site inaccessible to me/us?

2014-07-18 01:34:23 Login Failure then 11 more times during that same day.

This was followed early the next day, on the 19th, by a series of 23 different IPs attempting 4 to 8 simultaneous Admin Query Strings each, resulting in well over 100 blocked attempts to access our admin area. That has finally stopped, or taken a pause, just today on the 20th, and I have blacklisted every one of those IPs, just not 127.0.0.1 as of yet.

nicholas
Akeeba Staff
Manager
There are two possible explanations:

1. Another site on the same server is compromised and it's trying to brute force the administrator password on your site. The idea is that attackers believe that localhost (127.0.0.1) is unlikely to be blocked and won't raise any red flags. Please note that 127.0.0.1 in the log means that the attack is coming from the server itself, NOT your computer. In any case, we anticipate their expectation and do treat localhost just like any other IP address: if it causes a security exception, we block it.

2. Something installed on your site, be it a module, plugin, component, template or a CRON job, is trying to access a URL in the administrator section of the site. This is a bad practice, discouraged by Joomla!'s best practices, nevertheless some inexperienced developers still use it. If this is the case then the Target URL would be telling. Unfortunately, since you didn't provide us with the Target URL of the suspected attack coming from 127.0.0.1 we can't tell you if this is the case.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

arkofhope
Hi Nicholas,

Thank you. The target URL for all but one of the log-in failures was "http://removingchains.org/index.php"

In many of the cases the person is attempting to use a variety of three different log-in names and always the same password. Only one of those log-in names ever attempted to create a real username on our site but it was never approved.

Before we found your software hackers had achieved access to our site, including the JomSocial area and the AVChat chat rooms without ever creating registered log-ins. Admin Tools is now blocking them but perhaps that is how they have something inside the server and use 127.0.0.1?

Thank you,
Blair

nicholas
Akeeba Staff
Manager
Aha! Then case #1 is the most likely culprit. I have seen it before.

> Before we found your software hackers had achieved access to our site, including the JomSocial area and the AVChat chat rooms without ever creating registered log-ins. Admin Tools is now blocking them but perhaps that is how they have something inside the server and use 127.0.0.1?

It is a plausible explanation. The attacker could harvest the username of your administrator from your JomSocial installation. Then they could simply put their hacking bot to brute force your administrator password. Once they found it, it was game over for your site. Incidentally, this kind of another hacked site on the same server hacking your site is one of the most common reasons sites (Joomla!, WordPress, Drupal, or just about anything) have been hacked in the past few years. That's why it always pays off to be paranoid with security and backups ;)

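An added example (my own code, not Admin Tools' or Akeeba's, and not the ticket poster's): a small Python triage script that applies the two explanations above to security-exception records. The pipe-delimited log format, the IP addresses, the usernames, the hypothetical com_example component and the SAMPLE_LOG constants are all constructed for illustration; Admin Tools' real log looks different. Login failures sourced from a loopback address are treated as explanation 1 (something on the server itself trying passwords), non-login requests from loopback to an /administrator/ URL as explanation 2 (a local extension or cron job calling a back-end URL). As a generalisation of the "same password, different usernames" pattern the reporter describes, it also flags one password fingerprint being tried against several accounts, which is password spraying.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample records (not Admin Tools' real log format). Fields:
# timestamp | source IP | event kind | target URL | username | password fingerprint
# The last column is a fingerprint (e.g. a truncated hash) of the attempted
# password, never the cleartext; it is empty for non-login events.
SAMPLE_LOG = """\
2014-07-18 01:34:23|127.0.0.1|loginfailure|http://example.org/index.php|admin|f0e1
2014-07-18 02:10:05|127.0.0.1|loginfailure|http://example.org/index.php|webmaster|f0e1
2014-07-18 03:42:51|127.0.0.1|loginfailure|http://example.org/index.php|blair|f0e1
2014-07-18 04:01:13|127.0.0.1|loginfailure|http://example.org/index.php|admin|f0e1
2014-07-19 00:05:00|198.51.100.7|adminquery|http://example.org/administrator/index.php?option=com_login||
2014-07-19 00:05:01|198.51.100.7|adminquery|http://example.org/administrator/index.php?option=com_users||
2014-07-19 00:07:30|203.0.113.9|adminquery|http://example.org/administrator/||
"""

# Second constructed sample: a hypothetical com_example cron task calling a
# back-end URL from the server itself, i.e. explanation 2 in the ticket.
SAMPLE_LOG_CRON = """\
2014-07-20 03:00:00|127.0.0.1|adminquery|http://example.org/administrator/index.php?option=com_example&task=cron||
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    kind: str        # "loginfailure" or "adminquery" in this constructed format
    target: str
    username: str
    pw_fp: str


def parse_log(text):
    """Parse the pipe-delimited constructed format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, target, username, pw_fp = line.split("|")
        events.append(Event(ts, src, kind, target, username, pw_fp))
    return events


def is_loopback(src):
    """True for 127.0.0.0/8 and ::1; False for anything that is not an IP."""
    try:
        return ip_address(src).is_loopback
    except ValueError:
        return False


def summarize(events, threshold=4):
    """Sources with at least `threshold` events, most active first. Loopback is
    flagged so the operator knows those requests came from the server itself,
    not from their own computer."""
    counts = Counter(e.src for e in events)
    return [{"src": src, "events": n, "loopback": is_loopback(src)}
            for src, n in counts.most_common() if n >= threshold]


def spraying(events, min_users=3):
    """Per (source, password fingerprint): the usernames tried with that same
    password. Several usernames under one fingerprint is password spraying,
    the brute-force variant that rotates the username instead of the password."""
    tried = defaultdict(set)
    for e in events:
        if e.kind == "loginfailure" and e.pw_fp:
            tried[(e.src, e.pw_fp)].add(e.username)
    return {k: sorted(v) for k, v in tried.items() if len(v) >= min_users}


def explain_localhost(events):
    """Apply the ticket's two explanations to events sourced from loopback."""
    local = [e for e in events if is_loopback(e.src)]
    if not local:
        return "none"
    logins = [e for e in local if e.kind == "loginfailure"]
    backend = [e for e in local if e.kind != "loginfailure"
               and urlsplit(e.target).path.startswith("/administrator")]
    if logins and not backend:
        return "brute-force"       # explanation 1: something on the server trying passwords
    if backend and not logins:
        return "local-automation"  # explanation 2: extension or cron calling a back-end URL
    return "mixed"                 # both patterns present; inspect the target URLs by hand


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))          # only 127.0.0.1 reaches the threshold
    print(spraying(evs))           # one fingerprint tried against admin, blair, webmaster
    print(explain_localhost(evs))  # brute-force
    print(explain_localhost(parse_log(SAMPLE_LOG_CRON)))  # local-automation
```

The target URL is what separates the two cases, which is why the classifier keys on it rather than on the source address alone; the loopback flag in the summary exists only so that a blocked 127.0.0.1 is read as "a process on this server" and not as the operator's own machine.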

arkofhope
I understand and thank you. I have a backup problem I will ask about in a new thread, BUT am I OK to go ahead and blacklist the IP 127.0.0.1 on our site without causing myself any problems?

nicholas
Akeeba Staff
Manager
Blacklisting localhost (127.0.0.1) is generally a bad idea which will come back to bite you. It always comes back to bite you when you least expect it, e.g. when trying to run a backup with the alt-backup.php script. I'd say don't blacklist it; it will be a bad idea.


arkofhope
OK cool. I was thinking that could happen.

Thank you Nicholas
