#32641 – DFIShield attack blocked website

Posted in ‘Akeeba Admin Tools for WordPress’
Tuesday, 10 March 2020 12:11 CDT
WorthyImage
Hi,
My site blocked itself. There are DFIShield attacks on non-existent Target URLs from my own server IP address.
What is the cause and remedy?

Thanks,
Dennis
 
Tuesday, 10 March 2020 12:30 CDT
dlb
First, we need to disable Admin Tools. You can use the instructions here to do that; look at the "Using FTP to regain access to your site's administrator" instruction.

Now you can log in. You need to unblock the server's IP address. There may be a large "Unblock my IP" button at the top of the Admin Tools screen. If it's there, that will do it.

Then go to Web Application Firewall, Configure WAF. On the first tab, flip the value in "Enable IP workarounds": if it is Yes, make it No, or vice versa.

Now you can rename the main.php file that you renamed above to enable Admin Tools again.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

Tuesday, 10 March 2020 13:28 CDT
WorthyImage
Thank you. Can you please tell me why this occurred? How can the attacks come from my IP address?
I’d like to give my client a reasonable explanation.

Thanks,
Dennis
 
Tuesday, 10 March 2020 15:56 CDT
dlb
Dennis,

You have another server in front of your web server. It may be a CDN, Cloudflare, load balancer, etc. That server gets traffic first, then forwards it to the web server. It also forwards both its own IP and the "source" IP, the visitor's actual IP. There is a standard for which order these IPs are supposed to be sent, but there is a LOT of variety in how hosts actually set them up. If the IPs are backwards, Admin Tools thinks all of your traffic - and all your security exceptions - are coming from the first server, not from the actual visitor's IP. IP Workarounds switches the order of the two forwarded IP addresses. It is a very common problem.


Dale L. Brackin
Support Specialist


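The misattribution described in the reply above, as an added example that is not part of the ticket and is not Admin Tools' own code: a block counter keyed on the direct peer address ends up blocking the front server, while one that resolves the visitor from the forwarded header does not. It assumes the conventional X-Forwarded-For order (original client first, each proxy appending the peer it received from); all addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed setup: one reverse proxy (documentation address) fronts the site.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in TRUSTED_PROXIES)

def naive_client_ip(remote_addr, xff):
    """Ignore forwarding headers: every visitor looks like the proxy."""
    return remote_addr

def resolve_client_ip(remote_addr, xff):
    """Walk X-Forwarded-For right to left, skipping trusted proxies.

    The header is honoured only when the direct peer is a trusted proxy,
    so a visitor cannot forge it to shift a block onto someone else.
    """
    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: fall back to the peer address
    return remote_addr

def blocked_ips(requests, resolver, threshold=3):
    """Count security exceptions per resolved IP and block at the threshold."""
    hits = Counter(resolver(r["remote_addr"], r["xff"])
                   for r in requests if r["exception"])
    return {ip for ip, n in hits.items() if n >= threshold}

# Constructed traffic, all arriving through the proxy. The last flagged
# request carries a forged leftmost entry naming an innocent visitor.
PROXY = "203.0.113.10"
SAMPLE = [{"remote_addr": PROXY, "xff": "198.51.100.7", "exception": True}] * 3 + [
    {"remote_addr": PROXY, "xff": "192.0.2.44, 198.51.100.7", "exception": True},
    {"remote_addr": PROXY, "xff": "192.0.2.44", "exception": False},
]

if __name__ == "__main__":
    print("naive:", blocked_ips(SAMPLE, naive_client_ip))
    print("proxy-aware:", blocked_ips(SAMPLE, resolve_client_ip))
```

The trusted-proxy list must match the hosting setup; trusting the header from any peer would let a visitor choose which address gets blocked.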

Wednesday, 11 March 2020 12:41 CDT
WorthyImage
Dale,
Thank you for the explanation. I greatly appreciate your time and patience.
 
Wednesday, 11 March 2020 12:44 CDT
dlb
You're welcome!


Dale L. Brackin
Support Specialist



Friday, 10 April 2020 17:17 CDT
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.