
#37775 Possible hacker entries in AdminTools tables

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket


Environment Information

Joomla! version
4.2.2
PHP version
8.0
Admin Tools version
7.1.10

Latest post by SITech on Monday, 26 September 2022 05:23 CDT

SITech

Several of our admintools tables have entries with referrer http://sites.ru 

I have put the site into emergency off-line and changed site and cPanel passwords. ISP Scala has been notified and responded with, "This database injection was most likely processed through the site itself. You can find more information in the Apache requests logs of your site in cPanel -> Raw Access." No doubt good advice if I knew how to understand the logs.

I have backups. How does a non-tech person work out when the problem began, to select the immediately prior backup to restore?

Any other advice?

nicholas
Akeeba Staff
Manager

If we are talking about database tables, the only table which stores anything called a referrer is the #__admintools_log which logs the blocked requests, i.e. what Admin Tools prevented reaching your site and why. It would stand to reason that since Admin Tools stops malicious requests the log will contain a trace of the malicious request which has been already stopped.

If you mean something different you will have to be more specific, especially since no other Admin Tools database table has anything called a referrer.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

SITech

I got my references mixed, sorry. I had seen in the redirect links table that most referrers were http://sites.ru, and that the associated URL included fof (2nd attachment). Then I searched for fof and found all other references were in admintools tables (1st attachment). I put 2 and 2 together, perhaps came up with the wrong answer, and thought I'd better check.

The need to check was reinforced because at some point during this J4.2 upgrade I started receiving some puzzling 'critical file modified' emails, and a noticeable increase in blocked requests and auto ip blocking.

Thanks
David


nicholas
Akeeba Staff
Manager

FOF is the framework used in our Joomla 3 components. Seeing that in the Admin Tools PHP File Change Scanner files (filescache and scanalerts) is normal. Seeing that in the akeeba_common and ak_profiles tables is also normal; the former tracks which extensions installed on your site use it, the latter is the Akeeba Backup profiles and I suspect you may have excluded this folder. The final entry in the _extensions table is also normal; the framework is a Library extension installed on your site and the 1 match means it's installed. So, nothing out of the ordinary in the first screenshot.

In the second screenshot... This is NOT the redirections table for Admin Tools. You sent me a screenshot of the core Joomla redirections table (#__redirect_links). The Admin Tools table is #__admintools_redirects.

Joomla's URL redirection is a misleading feature.

When you enable Joomla's System - Redirection plugin it records all URLs which are not found (yes, URLs NOT found, 404s that is) in the #__redirect_links table with an empty new_url (as you can see it's NULL) and published set to 0. The idiotic idea Andrew Eddie had 12 years ago was that you'd collect the 404 errors and create redirections. I had warned against it as confusing but I was told I don't know what I'm saying.

Well, as I predicted 12 years ago, people like you who do not — and need not! — understand the inner workings of Joomla freak out because this table records every single bot scanning your site and told to take a hike because this URL is not meant to be directly accessible. Of course you see all those “evil Russians” in your database, in a table which is moronically called a redirect_links table (even though it does no redirections by default!), and think some evil Russian hacked you and has created hordes of malicious redirections on your site. Nope. This is just a record of URLs some stupid Russian teenager tried to access a few years ago (your records are from 2017 to 2020 as you can see) and failed.

Sigh. I did warn them... But I digress.

Here's what to do.

Go to System, Manage, Plugins. Find the “System - Redirect” plugin and unpublish it.

Empty the contents of the #__redirect_links table.

That's all there is to it.

Nicholas K. Dionysopoulos

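As an added illustration, not part of the thread and not Akeeba's or Joomla's own code, the queries below show how to check what Nicholas describes before emptying the table. They assume a MySQL database with the table prefix `jos_` (substitute your site's own prefix) and the standard Joomla column names `old_url`, `new_url`, `referer`, `published`, `created_date`; of these only `new_url`, `referer` and `published` are named in the thread, the rest are assumed.

```sql
-- Added example, not from the thread. Table prefix `jos_` is a placeholder;
-- column names old_url and created_date are assumed from the standard
-- Joomla schema, the others are those mentioned in the thread.

-- 1. Unpublished rows with no new_url are plain 404 records collected by
--    the System - Redirect plugin; they redirect nothing.
SELECT COUNT(*) AS unpublished_404_records
FROM jos_redirect_links
WHERE published = 0 AND new_url IS NULL;

-- 2. Anything published with a non-empty new_url is an actual redirect.
--    On a site that never configured redirects this should return no rows;
--    review any row it does return before running step 4.
SELECT id, old_url, new_url, referer, created_date
FROM jos_redirect_links
WHERE published = 1 AND new_url IS NOT NULL AND new_url <> '';

-- 3. Date range and top referrers of the 404 noise, to see when the
--    scanning happened (the thread's rows were from 2017 to 2020).
SELECT referer,
       COUNT(*)          AS record_count,
       MIN(created_date) AS first_seen,
       MAX(created_date) AS last_seen
FROM jos_redirect_links
WHERE published = 0 AND new_url IS NULL
GROUP BY referer
ORDER BY record_count DESC
LIMIT 20;

-- 4. Once the plugin is unpublished and step 2 returned nothing worth
--    keeping, empty the table as Nicholas suggests.
TRUNCATE TABLE jos_redirect_links;
```

Run steps 1 to 3 read-only first (phpMyAdmin in cPanel is enough); step 3 is the quickest way to confirm the rows are old scanner noise rather than anything recent, and step 4 is only safe after the plugin has been unpublished, otherwise the table simply refills with new 404 records.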

SITech

Understood, Nicholas. Thank you for the explanation.

Now I need to chase down the other questions of recent "puzzling 'critical file modified' emails, and a noticeable increase in blocked requests and auto ip blocking."

I am the sole active administrator, yet at times when I am not logged in I am receiving advice of critical files modified. Oddly enough they seem to be from copies of the site, made while upgrading to J4.2, as beez3 and Shape5 templates have been removed from the live site.

Cheers
David
