[SOLVED] Possible attack detected. This action has been logged.

Discussion in 'Installation/Configuration' started by AxelssonDesign, Mar 16, 2018.

Thread Status:
Not open for further replies.
  1. zyzzza

    zyzzza Member

    Guys,
    ver 3.2.1 just showed me this message. Any way I can overcome this?
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Go through this thread and try some of the previous solutions and suggestions. If still stuck, post what you have done and the exact log messages you see.
     
    Last edited: Apr 24, 2021
  3. ajajaj2

    ajajaj2 New Member

    Hi. I have seen this and had this issue in the past. I have solved it.

    It turns out that if your browser runs a lot of addons/extensions that modify the page you are visiting, it will trigger.

    Try disabling all your extensions, i.e. LastPass, 1Password, Rakuten, uBlock etc. One or more of them is causing you to get blocked.
     
  4. onastvar

    onastvar Member

    I see "Possible attack detected. This action has been logged." in Safari browser, not in Firefox. I cleared cookies & cache, still an issue in Safari, anyone knows why?
     
  5. onastvar

    onastvar Member

    [Solved] I had to enable the DEVELOP menu in Safari. After I went to DEVELOP > EMPTY CACHES, that fixed it. The message no longer exists.
     
  6. RalphGL

    RalphGL New Member

    Does it make sense to integrate a feature which produces more false positives than correct warnings?
    In my current Firefox and Chrome, login is only possible in a private session since the update to 3.2.6 yesterday.
    If the settings as described in the discussion above are irrelevant for security and can be changed to whatever you want, what does this mean for the relevance of the ISPConfig security settings?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The wrong question; the right one would be: "Does it make sense to integrate a feature which produces more false positives than correct warnings on a correctly installed system?". The answer would be no, and this feature would not exist if it produced false-positive warnings on a correctly installed system. And the good thing is, it makes no false warnings at all when your system is set up in the right way. I have this feature active on all systems and never had false-positive warnings.

    OK, so you now know that there is something wrong with your setup and not with ISPConfig or the IDS system. Things like that happen e.g. when you install other software on the exact same subdomain that you use for ISPConfig and this software tries to inject cookies into ISPConfig. Such a security violation will of course be blocked and is not a false positive. The fact that private mode works shows exactly that the issue is your browser, which tries to inject third-party cookies into ISPConfig. As mentioned above, empty the browser cache to stop your browser sending invalid data to ISPConfig, and then find out which other software you are running on the exact same (sub)domain that injects these cookies and remove that software or change the (sub)domain of that software to one that does not collide with the ISPConfig UI.

    These settings are relevant for security of course. I just reread the thread and found no place where an ISPConfig code dev said that they are not relevant for security. So please don't post such nonsense.
     
  8. RalphGL

    RalphGL New Member

    Hi Till,
    thank you for your reply. I am sorry if my questions and concern upset you.
    The ISPConfig web frontend is accessible on my subdomain via port 8080. As far as I can remember, this is the default during the installation. Other services run on port 443, 80 etc. under this subdomain. I am not aware that it is not allowed to run other services on other ports of the subdomain of ISPConfig. Have I overlooked this in the installation instructions or the documentation?
    Maybe we should discuss this in a new thread?

    Meanwhile I have deactivated all plugins in Firefox, and the ISPConfig login page is loaded correctly. So I activated each addon step by step, and even after activating all addons the login still works without any warning.
    In Chrome it doesn't help to remove or deactivate all extensions. With all extensions deactivated the problem remains. The problem was solved after removing all cookies (set by other content of the subdomain) of the subdomain which is used for my ISPConfig installation.
     
    Last edited: Sep 10, 2021
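The port question raised in the post above comes down to how browsers scope cookies: a cookie is keyed by host (or domain) and path, never by port, so an application on port 443 of the same hostname shares its cookies with ISPConfig on port 8080, and a cookie set with a `Domain=` attribute reaches every subdomain as well. The following Python script is an added example, not code from the thread or from ISPConfig; it uses the standard library's `http.cookiejar` to replay a constructed scenario (hostnames `example.com`, `shop.example.com` and `ispconfig.example.com`, cookie names `wm_domain`, `wm_hostonly`, `wm_pathscoped`, `tracker` and `shop_session` are all made up for the demonstration) and shows which cookies a browser would attach to a request for the ISPConfig UI on port 8080.

```python
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response that only carries Set-Cookie headers.
    Constructed for this example: CookieJar only needs .info().get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message appends repeated headers

    def info(self):
        return self._headers


def browser_like_jar():
    """Jar whose host-only cookies stay on their exact host, as modern browsers
    (RFC 6265) behave; the stdlib default policy would also send them to subdomains."""
    policy = DefaultCookiePolicy(strict_ns_domain=DefaultCookiePolicy.DomainStrictNonDomain)
    return CookieJar(policy=policy)


def store_cookies(jar, page_url, set_cookie_headers):
    """Store cookies exactly as if page_url had answered with these Set-Cookie headers."""
    jar.extract_cookies(_SetCookieResponse(set_cookie_headers), Request(page_url))


def cookie_names_sent_to(jar, url):
    """Sorted names of the cookies the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def build_scenario(domain="example.com"):
    """Constructed scenario: three applications share one domain with the ISPConfig UI."""
    jar = browser_like_jar()
    # Webmail under https://example.com/webmail (port 443) sets three differently scoped cookies.
    store_cookies(jar, f"https://{domain}/webmail/", [
        f"wm_domain=1; Path=/; Domain={domain}",  # domain cookie: every subdomain and every port
        "wm_hostonly=1; Path=/",                    # host-only: this host only, but still every port
        "wm_pathscoped=1; Path=/webmail",           # path-scoped: only URLs below /webmail
    ])
    # A tracking script on a shop subdomain sets a domain-wide cookie (the problematic pattern).
    store_cookies(jar, f"https://shop.{domain}/", [f"tracker=1; Path=/; Domain={domain}"])
    # A well-behaved app on its own subdomain sets a host-only cookie.
    store_cookies(jar, f"https://shop.{domain}/", ["shop_session=1; Path=/"])
    return jar


if __name__ == "__main__":
    jar = build_scenario()
    for panel in ("https://example.com:8080/login/", "https://ispconfig.example.com:8080/login/"):
        print(panel, "receives", cookie_names_sent_to(jar, panel))
```

Running it shows that the ISPConfig UI on `example.com:8080` receives `tracker`, `wm_domain` and `wm_hostonly` (port 8080 offers no separation from port 443), while moving the UI to `ispconfig.example.com:8080` still receives `tracker` and `wm_domain` because both were set with `Domain=example.com`. Only the path-scoped cookie and the host-only cookie of the other subdomain stay out, which is why the fix is to restrict the other applications' cookies (no `Domain=` attribute, or a path below their own prefix) or to give ISPConfig a hostname nothing else uses.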
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so one of your plugins must have sent data or injected cookies and disabling them has cleared a cache in the plugin.
     
  10. kameleon1er

    kameleon1er Member

    Hi till again, I have the same warning. I can access my admin panel only if I use a "private window" in Brave. Logs show something wrong or suspicious about webmail? Thanks :)
    Code:
    [INTERFACE]: PHP IDS Alert.Total impact: 56
    Affected tags: xss, csrf, id, rfe, lfi

    Variable: COOKIE.sbjs_current_add | Value: fd=2024-02-11 19:21:44|||ep=https://democrasite.com/webmail|||rf=(none)
    Impact: 17 | Tags: xss, csrf, id, rfe, lfi
    Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID 23
    Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25
    Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID 67

    Variable: COOKIE.sbjs_first_add | Value: fd=2024-02-11 19:21:44|||ep=https://democrasite.com/webmail|||rf=(none)
    Impact: 17 | Tags: xss, csrf, id, rfe, lfi
    Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID 23
    Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25
    Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID 67

    Variable: COOKIE.sbjs_current | Value: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)
    Impact: 5 | Tags: xss, csrf
    Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25

    Variable: COOKIE.sbjs_first | Value: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)
    Impact: 5 | Tags: xss, csrf
    Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25

    Variable: COOKIE.sbjs_udata | Value: vst=10|||uip=(none)|||uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Impact: 12 | Tags: xss, csrf, id, rfe, lfi
    Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25
    Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID 67
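A PHPIDS alert like the one in the post above already contains everything an admin needs for triage: each `Variable:` entry names the offending request field (here all `COOKIE.*`), its `Impact:` line gives the score, and the cookie values often embed the URL of the page that set them. The Python script below is an added example, not part of the thread or of ISPConfig; it parses that alert format into structured findings, lists the cookie names to clear ordered by impact, checks that the per-variable impacts add up to the reported total, and pulls any URLs out of the cookie values as a hint to which application on the domain set them. The `SAMPLE_ALERT` string is constructed in the same layout as the log in the post, shortened to three variables and with the site replaced by `example.com`.

```python
import re

# Constructed sample in the PHPIDS alert layout shown in the forum post (domain replaced by example.com).
SAMPLE_ALERT = (
    "[INTERFACE]: PHP IDS Alert.Total impact: 34<br/> Affected tags: xss, csrf, id, rfe, lfi<br/> <br/> "
    "Variable: COOKIE.sbjs_current_add | Value: fd=2024-02-11 19:21:44|||ep=https://example.com/webmail|||rf=(none)<br/> "
    "Impact: 17 | Tags: xss, csrf, id, rfe, lfi<br/> "
    "Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID 23<br/> "
    "Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25<br/> "
    "Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID 67<br/> <br/> "
    "Variable: COOKIE.sbjs_current | Value: typ=typein|||src=(direct)|||mdm=(none)<br/> "
    "Impact: 5 | Tags: xss, csrf<br/> "
    "Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25<br/> <br/> "
    "Variable: COOKIE.sbjs_udata | Value: vst=10|||uip=(none)|||uag=Mozilla/5.0<br/> "
    "Impact: 12 | Tags: xss, csrf, id, rfe, lfi<br/> "
    "Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25<br/> "
    "Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID 67<br/> <br/>"
)


def parse_alert(text):
    """Return (total_impact, findings) from one PHPIDS alert; each finding is a dict
    with the variable name, its raw value, impact score, tags and matched rule IDs."""
    lines = [line.strip() for line in text.split("<br/>")]
    match = re.search(r"Total impact: (\d+)", lines[0])
    total = int(match.group(1)) if match else None
    findings, current = [], None
    for line in lines:
        if line.startswith("Variable: "):
            # The value itself may contain '|', so split only on the literal ' | Value: ' separator.
            variable, _, value = line[len("Variable: "):].partition(" | Value: ")
            current = {"variable": variable, "value": value, "impact": 0, "tags": [], "rules": []}
            findings.append(current)
        elif line.startswith("Impact: ") and current is not None:
            match = re.match(r"Impact: (\d+) \| Tags: (.*)", line)
            current["impact"] = int(match.group(1))
            current["tags"] = [tag.strip() for tag in match.group(2).split(",")]
        elif line.startswith("Description: ") and current is not None:
            match = re.search(r"\| ID (\d+)$", line)
            if match:
                current["rules"].append(int(match.group(1)))
    return total, findings


def cookies_to_clear(text):
    """Names of the cookies that triggered the IDS, highest impact first."""
    _, findings = parse_alert(text)
    cookies = [f for f in findings if f["variable"].startswith("COOKIE.")]
    cookies.sort(key=lambda f: f["impact"], reverse=True)
    return [f["variable"][len("COOKIE."):] for f in cookies]


def impact_sums_match(text):
    """Sanity check: the reported total should equal the sum of the per-variable impacts."""
    total, findings = parse_alert(text)
    return total == sum(f["impact"] for f in findings)


def urls_in_cookie_values(text):
    """URLs embedded in the offending cookie values; a heuristic hint to the app that set them."""
    _, findings = parse_alert(text)
    urls = set()
    for finding in findings:
        if finding["variable"].startswith("COOKIE."):
            urls.update(re.findall(r"https?://[^\s|]+", finding["value"]))
    return sorted(urls)


if __name__ == "__main__":
    print("cookies to clear:", cookies_to_clear(SAMPLE_ALERT))
    print("impact totals consistent:", impact_sums_match(SAMPLE_ALERT))
    print("pages that set them:", urls_in_cookie_values(SAMPLE_ALERT))
```

For the real alert above, the same routine would report all five `sbjs_*` cookies and point at `https://democrasite.com/webmail`, i.e. a webmail installation on the very domain used for the ISPConfig UI, which is the situation described in the replies.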
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    It's all explained in this thread. There is nothing to add on this topic. An application on the domain has set a cookie, which is now sent to ISPConfig and triggers the IDS system. Clear the cookies for the domain you access ISPConfig on in the browser, and for the future make sure not to use apps on the same domain that try to inject cookies into ISPConfig, and/or configure these apps not to set cookies for all subdomains, including the one you use for ISPConfig, or disable the IDS if you don't care that other apps inject cookies into ISPConfig.

    This is an old thread which you re-opened, and this thread already contains everything there is to say on this topic. So, I'll close the thread now.
     