Runtime exception

[Sadler]

Hello All,

got a couple of notifications from a site running Fabrik, the site has been running for a while with no issues but within a couple of days I had two mails from it with runtime exception notices. Messages as follows:

/home/sites/foobar.co.uk/public_html/components/com_fabrik/views/import/view.html.php
Line: 48

#0 /home/sites/foobar.co.uk/public_html/components/com_fabrik/controllers/import.php(54): FabrikViewImport->display()
#1 /home/sites/foobar.co.uk/public_html/libraries/src/MVC/Controller/BaseController.php(710): FabrikControllerImport->display()
#2 /home/sites/foobar.co.uk/public_html/components/com_fabrik/fabrik.php(181): Joomla\CMS\MVC\Controller\BaseController->execute('')
#3 /home/sites/foobar.co.uk/public_html/libraries/src/Component/ComponentHelper.php(382): require_once('/home/sites/bow...')
#4 /home/sites/foobar.co.uk/public_html/libraries/src/Component/ComponentHelper.php(357): Joomla\CMS\Component\ComponentHelper::executeComponent('/home/sites/bow...')
#5 /home/sites/foobar.co.uk/public_html/libraries/src/Application/SiteApplication.php(194): Joomla\CMS\Component\ComponentHelper::renderComponent('com_fabrik')
#6 /home/sites/foobar.co.uk/public_html/libraries/src/Application/SiteApplication.php(233): Joomla\CMS\Application\SiteApplication->dispatch()
#7 /home/sites/foobar.co.uk/public_html/libraries/src/Application/CMSApplication.php(204): Joomla\CMS\Application\SiteApplication->doExecute()
#8 /home/sites/foobar.co.uk/public_html/index.php(49): Joomla\CMS\Application\CMSApplication->execute()
#9 {main}

The site in question is running J! 3.8.6, Fabrik 3.8.1, PHP 7.0.27, Apache 2.4.29

Has anyone else seen this behaviour?
I have checked the form in use on the site and it works without any issues that I can detect.

Cheers

Burnsy

 

[troester]

It seems a hacker is trying to spoof via import and Fabrik is catching this by throwing
throw new RuntimeException('Naughty naughty!', 400);

 

[Sadler]

Hello Troester,

thanks for the prompt response, I am tracking back through the log files to see if I can find an IP address to link to this.

Burnsy

 

[Sadler]

Hello Troester,

I can see multiple attempts in the logs before and after that time frame, the attempts come from a range of IP addresses and cover a whole range of things from probes for Python, WordPress, attempts related to Windows servers and a range of other things.
I have checked the file monitor for the site and can't see any file changes being made during that time frame and the core files correspond with those of the standard J! files. In terms of folders/files I can't see anything that I don't immediately recognise in the space.

Not sure what else I can do, if you or Hugh require access to examine the log files then let me know and I will send them over.

Burnsy

 

[cheesegrits]

That's just Fabrik doing exactly what it's supposed to, and preventing hackers from importing data into your site through the CSV import feature.

It's important that you make sure that all your lists are configured to only allow credentialed users to import.

Bu default we only allow "Special" users (admins) to CSV import, but anyone who has changed their standard J! access level setup, or manually changed it to "Publilc", needs to be aware that this opens them up to malicious activity.

-- hugh

 

[Sadler]

Hello Hugh,

thanks for that, I have double checked and the site still has the standard settings and I have blocked traffic from that range of addresses at the FW.

Burnsy