
Case #5083 - Notify admins upon detection of admin directory configuration issue


clopezi


Hi Duran, while your suggestion is a good one, I think it is kind of a fatal issue, especially since it seems there won't be a fix.

The next passage is from the current changelog; it seems like this is done on purpose.

I think it's safe to assume that it was done on purpose - just not thought through or tested enough before release... not the first time that's occurred and I doubt it will be the last.


If you change your admin directory to something nobody knows, what is the point in having the "fake" admin login? Change the admin directory to something obscure and hard to guess, and your admin area will be "hidden". To me the fake admin stuff is just a way to taunt potential hackers, and not really a true security tool. If they are worth their salt, by any means, they will be able to tell it is fake in a matter of seconds.


You are correct, it is a taunt, and honestly a way to track who, where from, and how often, and you get to have some fun as well with a BIG nasty gram.

If you change your admin directory to something nobody knows, what is the point in having the "fake" admin login? Change the admin directory to something obscure and hard to guess, and your admin area will be "hidden". To me the fake admin stuff is just a way to taunt potential hackers, and not really a true security tool. If they are worth their salt, by any means, they will be able to tell it is fake in a matter of seconds.

If you change your admin directory to something nobody knows, what is the point in having the "fake" admin login? Change the admin directory to something obscure and hard to guess, and your admin area will be "hidden". To me the fake admin stuff is just a way to taunt potential hackers, and not really a true security tool. If they are worth their salt, by any means, they will be able to tell it is fake in a matter of seconds.

Perma ban the IPs logged by the fake admin.


Perma ban the IPs logged by the fake admin.

Do you do this automatically? If not, can't you just check your web server logs to see which IPs attempted access to /admin? You wouldn't need the actual fake admin pages in place for that. I would think this could be done via a daily cron job.

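The log check suggested in the post above, sketched as an added example that is not part of the original thread or of WHMCS: it counts, per client IP, requests to a decoy admin path in an access log and lists ban candidates for a daily cron run. The "combined" log format, the decoy paths `/admin` and `/clients/admin`, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2014:06:25:11 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:06:25:13 +0000] "POST /admin/dologin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2014:07:02:40 +0000] "GET /administrator-guide.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2014:07:03:01 +0000] "GET /clients/cart.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Feb/2014:09:14:55 +0000] "GET /clients/admin?x=1 HTTP/1.1" 404 512 "-" "curl/7.30"
garbage line that does not parse
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def decoy_hits(log_text, decoy_paths=("/admin", "/clients/admin"), allowlist=()):
    """Count requests per client IP that touched a decoy admin path."""
    allowed = {ip_address(a) for a in allowlist}  # e.g. your own office IP
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        client, _method, target, _status = m.groups()
        try:
            ip = ip_address(client)
        except ValueError:
            continue  # first field was a hostname or junk, not an IP
        if ip in allowed:
            continue
        # Drop the query string and trailing slash, then match on a path
        # boundary so /administrator-guide.html is not mistaken for /admin.
        path = target.split("?", 1)[0].rstrip("/").lower()
        if any(path == d or path.startswith(d + "/") for d in decoy_paths):
            hits[str(ip)] += 1
    return hits

def ban_candidates(log_text, min_hits=1, **kwargs):
    """Sorted list of IPs with at least min_hits decoy requests."""
    return sorted(ip for ip, n in decoy_hits(log_text, **kwargs).items() if n >= min_hits)

if __name__ == "__main__":
    for ip, count in decoy_hits(SAMPLE_LOG).most_common():
        print(ip, count)
```

As the later reply notes, the access log will not contain the submitted username or password, so this gives less detail than the fake admin page does.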

It's actually much easier to track from the fake admin interface, you can also track failed login attempts, I personally get an email with all the information (browser, country, IP, what they typed in for username and password, etc.)

I see... I guess you can capture more granular information, from the hack attempt, with the fake admin.


  • 2 weeks later...
I upgraded rather quickly after the 5.3.10 release was made.

I use $customadminpath to set a custom path for my admin directory. I have done this for years.

I renamed the admin directory in the patch to my custom directory name. Now, when I try to view my admin site I am getting a message stating I am trying to access the admin area via a directory that is different from the one configured. But there's the rub, I'm not trying to access it via a directory different than the configured directory. I am trying to access it via the configured directory. The default 'admin' directory doesn't exist on my server, only my custom one.

Please help.

Thanks,

Joe

- - - Updated - - -

Okay, I managed to get in to the login page by setting the $customadminpath to a full relative path. My WHMCS is set up in a sub-directory so my path is /clients/mycustomadmindir. Never needed the /clients/ part before upgrading to 5.3.10.

Not entirely out of the woods yet because now I get "Language Folder Not Found" after logging in. I guess the full relative path doesn't work throughout WHMCS, just for the check to see if I'm using the right directory or not before allowing me to login. I'm glad this isn't supposed to be a stable release or anything.

Absolutely agreed - after replacing the init.php for the one of the version 5.3.9 we do get a stupid error in the support area, like we got it before the update to 5.3.10

- - - Updated - - -

Someone else found a fix rather than the old init.php file, seems like the issue is related to the folder path, check:

http://forum.whmcs.com/showthread.php?93362-5-3-10-and-customadminpath

The link/thread doesn't work anymore - WHY???
