#30750 – SQLi protection

Posted in ‘Akeeba Admin Tools for Joomla!’
Monday, 07 January 2019 12:45 CST
Hi,
First, thank you for providing a great product in AdminTools.
I've been getting SQLi block notifications for the past couple of months, about once daily, and they always come in pairs and they always come from a fresh IP address. Whoever (or whatever) is doing this thus avoids auto-blacklisting (currently set to block after 3 attacks in 1 day, block for 40 days, and permanently blacklist after 3 IP blocks).
The url strings look like:
https://mysite.com/mysite-info?catid=0&id=4699999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x

and

https://mysite.com/mysite-info?catid=0&id=46999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1

They change just a little bit incrementally with each attack, again same basic pattern with a new IP address each time.
So, to me, this looks like a fairly deliberate attempt to either get in to - or just get information from - the website. It looks like this site is being targeted, albeit patiently.

Are there any additional things I could be doing to prevent these attacks from eventually someday working?
Is it, for example, safe to auto-ban after a single SQLi match in AdminTools?

Thank you for any advice, and thanks again for supplying a great product.

Ari
Custom Fields
Joomla! version (in x.y.z format)
3.9.1
PHP version (in x.y.z format)
7.1.25
Admin Tools version (x.y.z format)
5.2.0
Edited by adoucette on 2019-01-07 18:45
Monday, 07 January 2019 22:05 CST
What you see is the result of a fuzzing script, i.e. a script designed to deliberately probe for the existence of an array of vulnerabilities in software. Think of it as spray shooting in the hopes that you hit someone.

The payload is rather innocuous at first glance. It merely tries (AND FAILS because Admin Tools kicks its sorry miscreant ass to the curb every single time) to get the MySQL server version.

Moreover, it seems to be run by a newbie. They run the same ineffective probe millions and millions of times over as if anything would change (spoiler alert: it won't). If they had a shred of common sense they'd have stopped these attempts by now.

There is a way to block this very specific attack at the .htaccess level so that your server doesn't waste resources on this attack. It won't even start PHP, let alone run Joomla! and Admin Tools. It simply denies access with a 403. The code which will do that is:
# Match the raw (still percent-encoded) query string of the probe seen above:
# id=...union...select...unhex(...hex( in any letter case ([NC]).
RewriteCond %{QUERY_STRING} id=\S*[\.0-9]*\S*union\S*select\S*unhex\S*\(\S*hex\S*\( [NC]
# [F] answers 403 Forbidden straight from Apache, before PHP is started.
RewriteRule .* - [F]

and should be put right after the RewriteBase line in your .htaccess file. If you are using .htaccess Maker put this in the "Custom .htaccess rules at the top of the file" and regenerate the .htaccess file.
Nicholas K. Dionysopoulos
Lead Developer and Director

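The following Python script is an added example, not part of the ticket and not Admin Tools or Akeeba code. It translates the mod_rewrite condition from the reply above into a Python regular expression and runs it against constructed sample requests (the two probe URLs quoted in the ticket, a normal request, and two variants) so you can see exactly which requests the rule would turn into a 403 before deploying it. mod_rewrite tests the raw, still percent-encoded QUERY_STRING, so the check here is also run on the raw query string, and [NC] becomes re.IGNORECASE.

```python
import re
from urllib.parse import urlsplit

# Python translation of the RewriteCond pattern from the reply above.
# mod_rewrite evaluates %{QUERY_STRING} undecoded, so "%20" stays as literal
# non-whitespace text and is consumed by the \S* gaps just as in Apache.
HTACCESS_PATTERN = re.compile(
    r"id=\S*[\.0-9]*\S*union\S*select\S*unhex\S*\(\S*hex\S*\(",
    re.IGNORECASE,  # the [NC] flag on the RewriteCond
)


def blocked_by_rule(url: str) -> bool:
    """Return True if the RewriteCond would fire for this URL (i.e. Apache answers 403)."""
    query = urlsplit(url).query  # raw query string, not URL-decoded
    return HTACCESS_PATTERN.search(query) is not None


# Constructed sample requests (assumption: the hostname and path are the
# placeholders from the ticket). The first two are the probe URLs quoted above.
SAMPLE_REQUESTS = [
    # probe 1 from the ticket
    "https://mysite.com/mysite-info?catid=0&id=4699999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x",
    # probe 2 from the ticket
    "https://mysite.com/mysite-info?catid=0&id=46999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1",
    # ordinary article request: must NOT be blocked
    "https://mysite.com/mysite-info?catid=0&id=4699",
    # same probe with '+' encoded spaces and upper case: still blocked
    "https://mysite.com/mysite-info?catid=0&id=46+UNION+SELECT+unhex(hex(version()))--",
    # a different probe shape without unhex(hex(: not covered by this rule,
    # it reaches Joomla! and is left to Admin Tools' SQLiShield as before
    "https://mysite.com/mysite-info?catid=0&id=46%20union%20select%20version()%20--%20",
]


def classify(urls):
    """Map each URL to the rule's verdict, True meaning 'would be denied with 403'."""
    return {url: blocked_by_rule(url) for url in urls}


if __name__ == "__main__":
    for url, blocked in classify(SAMPLE_REQUESTS).items():
        print("403 " if blocked else "pass", url)
```

The last sample shows the caveat the reply already states: the rule is written for this one payload family, so anything that does not contain unhex(hex( passes through to Joomla! and is handled by Admin Tools exactly as before. After adding the rule, a quick live check is to request one of the probe URLs against your own site and confirm you get a 403 rather than a Joomla! page.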
Monday, 14 January 2019 13:43 CST
OK, I have done that and will see how it goes.

Thanks for the assist.
Edited by nicholas on 2019-01-15 06:35