#30750 – SQLi protection

Posted in ‘Akeeba Admin Tools for Joomla!’
Monday, 07 January 2019 12:45 CST
First, thank you for providing a great product in AdminTools.
I've been getting SQLi block notifications for the past couple of months, about once daily, and they always come in pairs and they always come from a fresh IP address. Whoever (or whatever) is doing this thus avoids auto-blacklisting (currently set to block after 3 attacks in 1 day, and block for 40 days, permanently blacklist after 3 IP blocks).
The url strings look like:



They change just a little bit incrementally with each attack, again same basic pattern with a new IP address each time.
So, to me, this looks like a fairly deliberate attempt to either get into - or just get information from - the website. It looks like this site is being targeted, albeit patiently.

Are there any additional things I could be doing to prevent these attacks from eventually someday working?
Is it, for example, safe to auto-ban after a single SQLi match in AdminTools?

Thank you for any advice, and thanks again for supplying a great product.

Custom Fields
Joomla! version (in x.y.z format): 3.9.1
PHP version (in x.y.z format): 7.1.25
Admin Tools version (x.y.z format): 5.2.0
Monday, 07 January 2019 22:05 CST
What you see is the result of a fuzzing script, i.e. a script designed to deliberately probe for the existence of an array of vulnerabilities in software. Think of it as spray shooting in the hopes that you hit someone.

The payload is rather innocuous at first glance. It merely tries (AND FAILS because Admin Tools kicks its sorry miscreant ass to the curb every single time) to get the MySQL server version.

Moreover, it seems to be run by a newbie. They run the same ineffective probe millions and millions of times over as if anything would change (spoiler alert: it won't). If they had a shred of common sense they'd have stopped these attempts by now.

There is a way to block this very specific attack at the .htaccess level so that your server doesn't waste resources on this attack. It won't even start PHP, let alone run Joomla! and Admin Tools. It simply denies access with a 403. The code which will do that is:
RewriteCond %{QUERY_STRING} id=\S*[\.0-9]*\S*union\S*select\S*unhex\S*\(\S*hex\S*\( [NC]
RewriteRule .* - [F]

and should be put right after the RewriteBase line in your .htaccess file. If you are using .htaccess Maker put this in the "Custom .htaccess rules at the top of the file" and regenerate the .htaccess file.

Nicholas K. Dionysopoulos

Lead Developer and Director

Greek: native

English: excellent

French: basic

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
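
An added example, not part of the reply above and not Akeeba's code: a Python check that runs the same pattern as the RewriteCond against access-log lines, to confirm what the rule would deny and what it lets through before it is deployed. The log lines, IP addresses and paths are constructed for illustration; Python's `re` stands in for Apache's regex engine, and the match is made on the raw (not URL-decoded) query string, which is what `%{QUERY_STRING}` holds.

```python
import re
from collections import Counter

# Pattern copied from the RewriteCond above; the [NC] flag maps to re.IGNORECASE.
RULE = re.compile(
    r"id=\S*[\.0-9]*\S*union\S*select\S*unhex\S*\(\S*hex\S*\(", re.IGNORECASE
)

# Common Log Format: client IP, then the quoted request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Constructed sample lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = """\
198.51.100.7 - - [07/Jan/2019:03:11:02 -0600] "GET /index.php?option=com_content&id=1.1+UNION+SELECT+unhex(hex(version())) HTTP/1.1" 403 512
203.0.113.45 - - [07/Jan/2019:03:11:04 -0600] "GET /index.php?option=com_content&id=1.2%20union%20select%20unhex(hex(version())) HTTP/1.1" 403 512
192.0.2.10 - - [07/Jan/2019:09:30:00 -0600] "GET /index.php?option=com_content&view=article&id=42 HTTP/1.1" 200 9120
192.0.2.11 - - [07/Jan/2019:09:31:00 -0600] "GET /index.php?id=7&searchword=student+union+select+committee HTTP/1.1" 200 4096
"""


def query_string(url):
    """Return the raw query string; '+' and '%20' stay as sent, so \\S* spans them."""
    return url.partition("?")[2]


def rule_matches(url):
    """True if the rewrite rule would answer this request with a 403."""
    return RULE.search(query_string(url)) is not None


def summarize(log_text):
    """Return (denied_requests, distinct_source_ips, allowed_requests)."""
    hits, allowed = Counter(), 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, _method, url = m.groups()
        if rule_matches(url):
            hits[ip] += 1
        else:
            allowed += 1
    return sum(hits.values()), len(hits), allowed


if __name__ == "__main__":
    denied, ips, allowed = summarize(SAMPLE_LOG)
    print(f"rule would deny {denied} requests from {ips} distinct IPs; {allowed} pass")
```

On the constructed sample each source IP appears once, which is why a per-IP threshold such as the 3-attacks-per-day setting in the question never trips, while the pattern match denies every probe regardless of source.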

Monday, 14 January 2019 13:43 CST
OK, I have done that and will see how it goes.

Thanks for the assist.
Thursday, 14 February 2019 17:17 CST
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.