Hello,
After I updated to Admin Tools Professional 7.4.2 Released on 26 September 2023, I started receiving emails with the title "Security exception on Cornelia Skin-Care" in text format / no HTML. The email originated from [email protected]. I changed all the site emails to pinpoint the problem and also restored the backup a few times in the hope that the problem go away. So, the emails continue to come saying the same thing.
AS A NOTE ..........
A. - cornelia-skincare,com is Joomla! 4.4.0 Stable | PHP Version : 8.0.30 | Web Server : LiteSpeed.
B. - [email protected] email was changed with another email address in Global Configuration and in Akeeba Firewall component.
C. - ( Akeeba Firewall component ) Admin Tools Professional 7.4.4 was updated yesterday.
D. - The Cash and Global Check-in was clear ( a few times ) in cornelia-skincare.com Backend / Maintenance.
E. - Here below is the email sample received.
Return-Path: <[email protected]>
Received: from txpro2.fcomet.com
by txpro2.fcomet.com with LMTP
id WPWCB8oOLGUx/TQA75wvsg
(envelope-from <[email protected]>); Sun, 15 Oct 2023 11:09:46 -0500
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Sun, 15 Oct 2023 11:09:46 -0500
Received: from mcitcgro by txpro2.fcomet.com with local (Exim 4.96.1)
(envelope-from <[email protected]>)
id 1qs3gY-00EZgv-09
for [email protected];
Sun, 15 Oct 2023 11:09:46 -0500
To: [email protected]
Subject: Security exception on Cornelia Skin-Care
Date: Sun, 15 Oct 2023 11:09:45 -0500
From: Cornelia Skin-Care <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-Id: <[email protected]>
From: [email protected]
<html>
<head>
<title>Security exception on Cornelia Skin-Care</title>
</head>
<body><div style="background-color: #e0e0e0; padding: 10px 20px;">
<div style="background-color: #f9f9f9; border-radius: 10px; padding: 5px 10px;">
<p>Hello,</p>
<p>We would like to notify you that a security exception was detected on your site, Cornelia Skin-Care, with the following details:</p>
<p>IP Address: 146.70.170.3 (IP Lookup: <a href="http://ip-lookup.net/index.php?ip=146.70.170.3>IP" Lookup</a>)<br />Reason: Admin directory</p><p>If you are the administrator of this site and have blocked your own IP address on accident please visit https://www.cornelia-skincare.com/administrator/[email protected] where [email protected] is the email address of your (Super User) account. This URL will only send you an email if the IP address from which you are accessing it is being blocked by Admin Tools. If you are not blocked no email will be sent; you don't need an email with instructions to unblock your IP if your IP is not blocked.</p>
<p>If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user.</p>
<p>Best regards,</p>
<p>The Cornelia Skin-Care team</p>
</div>
<p style="font-size: x-small; color: #667;">You are receiving this automatic email message because you are an administrator in <em>Cornelia Skin-Care</em>. <span style="line-height: 1.3em;">Do not reply to this email, it's sent from an unmonitored email address.</span></p>
</div></body>
</html>
F. - Notice from Dimithur Punkoff / FastComet Staff on 15th Oct 2023, 19:55
Hello Marius
I have been able to find the emails in the EXIM LOGS, and judging by the following example email log, it looks as if the email is a notification/system email, however I wasn't actually able to find it in your Webmail.
2023-10-15 14:32:37 1qs6qr-00Fz9v-0b <= [email protected] U=mcitcgro P=local S=2266 T="Security exception on Cornelia Skin-Care" for [email protected]
2023-10-15 14:32:37 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1qs6qr-00Fz9v-0b
2023-10-15 14:32:37 1qs6qr-00Fz9v-0b => system R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 AKL8EFU+LGX9FToA75wvsg Saved"
2023-10-15 14:32:37 1qs6qr-00Fz9v-0b -> cservice ([email protected]) R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 AKL8EFU+LGX9FToA75wvsg:R2 Saved"
2023-10-15 14:32:37 1qs6qr-00Fz9v-0b Completed
Could you perhaps let us know how we can recreate the sending of this email? Are you able to point us to where we can view it or try sending it ourselves? We'll be glad to further investigate this for you.
G. - Notice from Dimithur Punkoff / FastComet Staff on 15th Oct 2023, 21:05
Hello Marius
After some research I found that the "Security exception" emails or notifications seem to be generated by the third party service Akeeba Admin Tools and not Joomla itself.
Are you able to provide us with your website's backend logins so we can look into the configurations and try stopping this?
Website Admin URL:
Username:
Password:
We'd also appreciate it if you let us know where we can spot the notifications in all practice, so we can confirm when they've stopped coming in.
We remain at your disposal.
H. - Notice from Dimithur Punkoff / FastComet Staff on 17th Oct 2023, 23:29
Hello Marius
I would like to start off on the note that we've done some extensive research and found that the emails come from the WAF Security Firewall on your Joomla's backend. However, we're not sure which exact configurations are causing this and I would like to advise you to contact a web developer to reconfigure it for you.
I found the following article that may help you with this:
> https://www.akeeba.com/documentation/troubleshooter/atwafissues.html
It's all due to an Admin Block that may have happened on your IP by logging into your backend. It could also be a false-positive though, coming from your website's configurations.
As this requires development knowledge, I'm afraid our support towards the matter is limited.
We remain at your disposal.
So, As you see at this point in time we do not know how this error was created and how to solve it.
Your time and support will be greatly appreciated.
Thanks
Marius
