Support

Admin Tools

#9972 Urgent Help is need. Some garbage groups are created by suspicious users

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Sunday, 24 July 2011 15:53 CDT

Sunday, 24 July 2011 04:14 CDT

user40848
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 1.23
PHP version: Latest
MySQL version: Latest
Host: hostgator, baby plan
Admin Tools version: Latest (updated today)


Description of my issue:

I am using your htaccess file which admin tools created. Using Bad behavioral enabled and Honeypot also

I have one problem which is very serious. someone had created hash like admin groups from frontend. I deleted them from PhpMyadmin. But for future, what should I do now??

my username is also admin should I change it??

Thanks in advance

Sunday, 24 July 2011 10:19 CDT

nicholas
Given that Joomla! 1.5 does not have an interface to create extra user groups, I suppose that this is a hacking attempt. Make sure that you have enabled all of Admin Tools' security features, especially SQLiShield and administrator query string protection to make sure that an attacker can not directly attempt to create rogue users and that even if they do they can not log in.

That said, I suggest immediately doing the following:
- Change your super administrator username and password
- Change your FTP and database username and password. Remember to update your configuration.PHP file with the new database credentials.
- Follow our unpacking your site guide.
- Disable the suspicious user accounts
- Make sure that ALL of your extensions, including your template, are up to date
- Check that these groups have not been created by some legitimate software, e.g. some social component

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 24 July 2011 10:55 CDT

user40848
Thankyou so much for your reply and alert. I am following now your step by step process to solve this problem. I told hostgator to backup my account.

Meanwhile I just want to ask one thing. I am getting so many email like this after I enabled Bad Behavior to "Yes" and Strict to "No":

"We would like to notify….…..

IP Address: 109.230.216.220
Reason: Bad Behaviour (IP address found on http:BL blacklist)

If this kind of security exception repeats itself,….….…"

I am getting about 10 emails per hour many times its rate get too high eg. 20 in one minute. Always IP address is different. I want to how can I should I deal with this?? I know this is very typical but as you are so much expert and experienced, so your kind suggestion would help me a lot. Thanks again for everything.

Sunday, 24 July 2011 15:53 CDT

nicholas
Well, it seems like you are being bombarded by known hackers, spammers or email harvesting bots. Nothing to worry too much about, the fact that you receive those emails means that Admin Tools dutifully does its job to protect you.

I would also suggest to enable the "IP blocking of repeat offenders" option. Recommended settings: "Block after" -> 3 attacks in 5 minutes; "Block this long" -> 30 minutes. This will automatically block repeat attempts to your site from known IPs to the HTTP:BL.

As I said in my earlier reply, it's paramount to have SQLiShield enabled and make sure that all extensions are up to date. Also check that none of your extensions are listed in the Vulnerable Extensions List in red (green items are extensions which have resolved any security issues in their latest versions and are safe to have installed and up-to-date on your site). If any extensions are listed as red, uninstall them at once! Extensions marked in red are vulnerable and, depending on how they work (that is, if they bypass Joomla!'s index.php files), may be used to compromise your site despite having Admin Tools installed and configured properly.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!