#42124 Massive attacks

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 4.4.13 Stable
PHP version: 8.2.29
Admin Tools version: current

Latest post by nicholas on Wednesday, 16 July 2025 02:20 CDT

marscom

Dear Nicholas,

currently, I am fighting massive daily attacks on most of my WP and Joomla sites.

Last night around 10 p.m. there were several really strange attacks on the site mentioned above.

I had changed the password yesterday, so this is really, really strange: Someone broke in with my super admin credentials:

Username: abc (abc <[email protected]>)
IP address: 23.90.153.230 (https://whatismyipaddress.com/ip/23.90.153.230)
Browser User Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0

Then, Admin Tools reported these modified files:

templates/cassiopeia/index.php
templates/cassiopeia/error.php
templates/marscom/index.php

I checked them and compared them with clean versions - there was no change at all.

What is going on that leaves me with sleepless nights?

Best regards,

Martin

nicholas
Akeeba Staff
Manager

I believe that nobody "broke into" your site. The User-Agent points to someone using an up-to-date Firefox installation on Windows 10 or 11, and the IP address is a VPN server geographically close to you. It looks like it was you. Besides, no attacker would just log in as a Super User using their PC and just do nothing, not even attempt to change the Admin Tools configuration or modify your site's files. It would be like a burglar using a set of keys to get into your house, leave a sticky note "I was here", and leave. It makes no sense.

Regarding modified files, please remember that the files are reported not only if their contents change, but also if their last modified time changes. This could happen when updating Joomla, for example.

If you want to be extra sure that nobody will get into your site you can of course use the administrator password protection feature in Admin Tools, as well as the Administrator Secret URL Parameter. Moreover, you should enable multi-factor authentication on your user account. It used to be a product of mine, Akeeba LoginGuard, which I contributed to Joomla itself a few years ago.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
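
The distinction drawn in the reply above, between a file whose contents changed and one whose last-modified time alone changed, shown as an added example that is not part of the original ticket and is not Admin Tools code. The snapshot model (SHA-256 plus mtime per file), the function names and the `templates/demo/index.php` path are assumptions; the sample files are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root, rel_paths):
    """Record (sha256, mtime) per file; an assumed model of a scanner baseline."""
    snap = {}
    for rel in rel_paths:
        path = Path(root, rel)
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[rel] = (digest, int(path.stat().st_mtime))
    return snap


def compare(baseline, current):
    """Classify each file so a timestamp-only change is not read as an edit."""
    report = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            report[rel] = "deleted"
        elif rel not in baseline:
            report[rel] = "new"
        elif baseline[rel][0] != current[rel][0]:
            report[rel] = "content-changed"
        elif baseline[rel][1] != current[rel][1]:
            report[rel] = "mtime-only"
        else:
            report[rel] = "unchanged"
    return report


def demo():
    """Constructed sample tree; contents, timestamps and the last path are made up."""
    paths = ["templates/cassiopeia/index.php", "templates/cassiopeia/error.php",
             "templates/demo/index.php"]
    with tempfile.TemporaryDirectory() as root:
        for rel in paths:
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("<?php // constructed sample\n")
            os.utime(path, (1_700_000_000, 1_700_000_000))
        before = snapshot(root, paths)
        os.utime(Path(root, paths[0]), (1_752_000_000, 1_752_000_000))  # mtime only
        Path(root, paths[2]).write_text("<?php // edited\n")  # bytes altered
        return compare(before, snapshot(root, paths))
```

Calling `demo()` returns one status per path; a file listed as `mtime-only` has the same hash as in the earlier snapshot, so only its timestamp moved.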

marscom

Dear Nicholas,

thank you for your really, really fast and careful reply! 

Strange though, that the mentioned files were marked as "changed" in my CyberDuck FTP client (see attachment). I did not update Joomla nor any extension around this time.

Still - thanks again for caring!

Best regards

Martin

nicholas
Akeeba Staff
Manager

I mean, at this point I would restore the site from a previous backup and enable the security measures I told you about. For WordPress, since it does not have MFA built into it, you can use a third party plugin such as Two-Factor.

As a precaution, I would also change the passwords for the CMS (Joomla, WordPress) user account, and the hosting user account. I would definitely be using a password manager which can generate secure, random passwords consisting of at least 32 alphanumeric characters.

Remember: if someone somehow has your username and password they cannot be stopped by a security extension/plugin. From the site's point of view their accessing the site is indistinguishable from an authorised user (you) accessing the site; the username and password are the proof. Adding MFA/2FA is the only way to prevent access as the nature of MFA/2FA means the unauthorised user won't be able to guess them or brute force them.

Nicholas K. Dionysopoulos

