Could Not Login as Admin - Possible attack detected....

Discussion in 'General' started by rbartz, Mar 22, 2023.

  1. rbartz

    rbartz Member HowtoForge Supporter

    I could not log in today as admin to ispconfig. I only got "Possible attack detected. This action has been logged.". After clearing cookies, it started login but on submit, same problem.

    After searching out the forum, I found the way to whitelist the cookies in another thread and was then able to log in to ispconfig again as admin afterward but am concerned that there is some problem with "mixpanel" as in the log below.

    Do I need to do anything else to make sure that this is not going to keep happening? Thank you guys for your help. It seems like this is a cookie set by ispconfig in something called mixpanel whatever that is...

    Richard

    a few of the LOG ENTRIES from /usr/local/ispconfig/interface/temp/ids.log
    ----------------
    any:/index.php:COOKIE.mp_26433277a36e1c21e20a91a7c2bb8f55_mixpanel
    any:/index.php:COOKIE.mp_26433277a36e1c21e20a91a7c2bb8f55_mixpanel
    any:/index.php:COOKIE.mp_26433277a36e1c21e20a91a7c2bb8f55_mixpanel
     
  2. rbartz

    rbartz Member HowtoForge Supporter

    Okay! Apparently this is a bigger problem than I thought! It now affected both my servers, same problem and same log entries!

    In addition, when I tried logging out and back in afterwards it had a similar problem and added the login/index URL to the ids.log:
    any:/login/index.php:COOKIE.mp_26433277a36e1c21e20a91a7c2bb8f55_mixpanel

    It does log in without the /login/ in the URL so the whitelisting does work for now.
    Richard
     
  3. Alex Mamatuik

    Alex Mamatuik Member

    I wish I would try to help you, Sir, but do not know what the mixpanel is and why cookies o_O are involved.

    Some fool proofing: maybe to disable this somewhat 'mixpanel'?!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This mixpanel software seems to set cookies that your browser sends to ISPConfig, and that's what the ISPConfig IDS is complaining about. The best is to not run other software on the same subdomain than ISPConfig or you must whitelist the cookies of that software in ISPConfig IDS or turn off ISPConfig IDS.
     
  5. Alex Mamatuik

    Alex Mamatuik Member

    What also entered my mind:
    • namely about possible attacks -
    • (recommended by vulture hosting co)
      == Portmapper servers ==
      firewall rules to block port 111 on both UDP and TCP:
    • change your ISPConfig 3 port from default 8080 to desired one
     

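An added triage example for the situation in this thread, not code from the posters or from ISPConfig. It assumes ids.log entries have the `user:path:SOURCE.field` form quoted above and that whitelist entries use the same form; it proposes exact-match entries only for cookies with the Mixpanel name shape and leaves everything else for manual review. The `/example/form.php` line is constructed.

```python
import re
from collections import Counter

# Assumed entry form, taken from the lines quoted in the thread: user:path:SOURCE.field
ENTRY_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<path>/[^:\s]*):(?P<source>[A-Z]+)\.(?P<field>\S+)$"
)
# Cookie name shape seen in the thread: mp_<32 hex characters>_mixpanel
MIXPANEL_COOKIE_RE = re.compile(r"^mp_[0-9a-f]{32}_mixpanel$")

# Sample input: the COOKIE lines are from the thread, the POST line is constructed.
SAMPLE_LOG = """\
----------------
any:/index.php:COOKIE.mp_26433277a36e1c21e20a91a7c2bb8f55_mixpanel
any:/index.php:COOKIE.mp_26433277a36e1c21e20a91a7c2bb8f55_mixpanel
any:/index.php:COOKIE.mp_26433277a36e1c21e20a91a7c2bb8f55_mixpanel
any:/login/index.php:COOKIE.mp_26433277a36e1c21e20a91a7c2bb8f55_mixpanel
admin:/example/form.php:POST.comment
"""


def triage(log_text):
    """Return (candidates, review): Counters of distinct IDS entries.

    candidates: COOKIE entries whose name matches the Mixpanel shape
    review:     anything else the IDS flagged, which should be investigated
    """
    candidates, review = Counter(), Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # separators, blank lines, unrelated log text
        known = m["source"] == "COOKIE" and MIXPANEL_COOKIE_RE.match(m["field"])
        (candidates if known else review)[line] += 1
    return candidates, review


if __name__ == "__main__":
    candidates, review = triage(SAMPLE_LOG)
    print("# Exact-match whitelist candidates (hits):")
    for entry, hits in candidates.items():
        print(f"{entry}  # {hits}")
    print("# Needs manual review, do not whitelist blindly:")
    for entry, hits in review.items():
        print(f"{entry}  # {hits}")
```

Keeping the candidates as exact path and cookie-name pairs, rather than a pattern covering all cookies, means the IDS still inspects every other input on those URLs.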