#30741 – XAttacker

Posted in ‘Akeeba Admin Tools for Joomla!’
Sunday, 06 January 2019 08:52 CST
I saw in my system logs some traces from the XAttacker script. I use Joomla 3.9 with the latest version of Akeeba Admin Tools for Joomla.
Is Akeeba Admin Tools resistant to attacks from the XAttacker script?
Custom Fields
Joomla! version (in x.y.z format) 3.9.1
PHP version (in x.y.z format) 7.2.0
Admin Tools version (x.y.z format) 5.2.0
Monday, 07 January 2019 02:08 CST
The short answer is yes.

The long answer is more nuanced as it depends on the versions of the software you are using, which features of Admin Tools you are using and how you've configured them.

XAttacker launches automated scans for known vulnerable versions of some popular extensions (if you search for XAttacker you will see a list of them). These are mostly old versions so if you keep your site up to date you are safe by definition.

In the off chance that you have a vulnerable version -- which would be a surprise since vulnerable versions of nearly all of the affected extensions don't run on Joomla! 3.9 -- there are two classes of attacks.

The first class is attacks on the component or plugin proper, going through Joomla itself to access it. You are thoroughly protected against them using the default settings of the Web Application Firewall, with one exception: attacks which simulate legitimate traffic and use a legitimate feature but, due to a bug in the extension, cause an unexpected result. The only such attack in the last five years was with VirtueMart not filtering the user groups for newly created customer records, which could lead to Super User accounts being created. Even that is something Admin Tools can and does protect you from, as long as you have the Monitor Super User Accounts feature turned on.

The second class of attacks is when the attacker is trying to access a vulnerable .php file of the extension over the web. By default, the .htaccess Maker's Frontend and Backend Protection features block these attacks. You'd have to manually allow these files to be accessed, using the exceptions in the .htaccess Maker configuration. If you have not done that, or if you have done that BUT also keep everything up to date, you are perfectly safe.

Moreover, the Frontend and Backend Protection features in Admin Tools prevent direct access to non-code resources which can be used to identify vulnerable versions of extensions. This means that the extensions' XML manifest files and their INI language strings are not accessible over the web. As a result most attacks are abandoned at the discovery stage. If the attacker tries to "spray shoot" you (run the attacks regardless of whether the discovery stage tells them you have a vulnerable version of the extension installed) then you are still protected by Admin Tools as explained above.

So, as long as you keep all features enabled, are aware of the holes you are punching through the firewall with exemptions (in .htaccess Maker, in Web Application Firewall, with the IP White List and with the WAF Exceptions features) and keep everything reasonably up to date, you are safe. Remember that hacking is not magic. It's not like the movies, where a white, black-hoodie-donning kid on a laptop in a basement hacks the Pentagon in 10 seconds flat with a semi-excited, semi-bored expression on his face. In the real world people are prodding your site for potential bugs and security issues and trying to worm their way through your defenses. As long as you apply security best practices such as keeping everything up to date, using very long random passwords managed by a secure password manager and keeping the attack surface small by using security tools, you are pretty safe. You are making the real-world hacker's job much more difficult and it's all too likely that they'll stop bothering with your high-cost-to-penetrate, low-potential-profit target for someone with much less protection and security issues ripe for exploitation.

Nicholas K. Dionysopoulos
Lead Developer and Director
Greek: native; English: excellent; French: basic
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
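The reply above splits the probes into three kinds: requests that go through Joomla's own entry points (handled by the Web Application Firewall), direct requests for .php files inside extension directories, and discovery requests for extension XML manifests and INI language files (both handled by the .htaccess Maker's Frontend and Backend Protection). The script below is an added example for readers who, like the original poster, found such traces in their logs; it is not part of the ticket and not Admin Tools code. It parses combined-format access-log lines, classifies each request into one of those kinds, and reports any discovery or direct-.php probe that was answered with HTTP 200 rather than blocked, which is the sign of an exception punched through the protection. The log lines, IP addresses and extension names (com_example, com_other) are constructed for illustration, and the script assumes the server answers blocked requests with a 403.

```python
"""Triage web-server access-log lines for XAttacker-style probes.

Added example, not Admin Tools code. Sample log lines below are constructed.
Assumption: the server answers blocked requests with HTTP 403, so a probe
answered with 200 indicates a hole in the protection.
"""
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" log format (request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories holding Joomla extensions and their language files.
EXT_DIR_RE = re.compile(
    r'^/(?:administrator/)?(?:components|modules|plugins|templates|language)/'
)
DISCOVERY_RE = re.compile(r'\.(?:xml|ini)$', re.IGNORECASE)   # manifests, language strings
DIRECT_PHP_RE = re.compile(r'\.php$', re.IGNORECASE)          # direct file access
# Joomla's legitimate entry points: traffic here reaches the extension through
# Joomla itself and is the Web Application Firewall's job.
ENTRY_POINTS = {'/index.php', '/administrator/index.php'}


def classify(path):
    """Map a request path to the probe class described in the ticket reply."""
    clean = path.split('?', 1)[0]
    if clean in ENTRY_POINTS:
        return 'via-joomla'
    if EXT_DIR_RE.match(clean):
        if DISCOVERY_RE.search(clean):
            return 'discovery'
        if DIRECT_PHP_RE.search(clean):
            return 'direct-php'
    return 'other'


def parse_line(line):
    """Return a dict for a well-formed log line, or None for garbage."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['kind'] = classify(rec['path'])
    return rec


def triage(lines):
    """Count probe kinds per source IP and list probes that were not blocked."""
    by_ip = defaultdict(Counter)
    leaks = []
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_ip[rec['ip']][rec['kind']] += 1
        # A discovery or direct-.php request answered with 200 means the file
        # is reachable over the web: an .htaccess Maker exception, or no protection.
        if rec['kind'] in ('discovery', 'direct-php') and rec['status'] == 200:
            leaks.append((rec['ip'], rec['path']))
    return {'by_ip': {ip: dict(c) for ip, c in by_ip.items()},
            'leaks': leaks, 'skipped': skipped}


# Constructed sample: one scanner whose probes are all blocked (403), one
# scanner that successfully fetched a manifest (200), ordinary traffic, and junk.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jan/2019:08:40:01 +0000] "GET /administrator/components/com_example/example.xml HTTP/1.1" 403 199
203.0.113.7 - - [06/Jan/2019:08:40:02 +0000] "GET /language/en-GB/en-GB.com_example.ini HTTP/1.1" 403 199
203.0.113.7 - - [06/Jan/2019:08:40:03 +0000] "GET /components/com_example/upload.php HTTP/1.1" 403 199
203.0.113.7 - - [06/Jan/2019:08:40:04 +0000] "POST /index.php?option=com_example&task=upload HTTP/1.1" 403 199
198.51.100.9 - - [06/Jan/2019:08:41:10 +0000] "GET /administrator/components/com_other/other.xml HTTP/1.1" 200 2048
192.0.2.5 - - [06/Jan/2019:08:42:00 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
this line is not a log entry
"""

if __name__ == '__main__':
    report = triage(SAMPLE_LOG.splitlines())
    for ip, kinds in report['by_ip'].items():
        print(ip, kinds)
    for ip, path in report['leaks']:
        print('NOT BLOCKED:', ip, path)
    print('unparseable lines:', report['skipped'])
```

Run it against a real log with `triage(open('access.log').readlines())`; every entry under NOT BLOCKED is a file the reply says should not be reachable, so check it against the exceptions configured in .htaccess Maker.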

Wednesday, 06 February 2019 17:17 CST
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.