You do not have access to the administrator section of this

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
ncat
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Sun Aug 12, 2007 12:28 pm

You do not have access to the administrator section of this

Post by ncat » Fri Oct 31, 2008 5:39 pm

Hi. I have tried every option in this forum and I still seem to be locked out.

I have changed user name, password, added new users and changed the gid back and forth all through PHP my admin.

I am hoping that someone has an answer. It does not appear to be a password or user name problem, but rather JUST an access issue. Is there a way to get in that has been found?

feeling hopeless. Thank you in advance if anyone can help.

kili
Joomla! Explorer
Joomla! Explorer
Posts: 415
Joined: Sun Oct 23, 2005 5:17 pm

Re: You do not have access to the administrator section of this

Post by kili » Fri Oct 31, 2008 5:48 pm

How did you change the password?
To change the password you need to use an MD5 password. To generate this password you need something like hashcalc. View the screen shot below

http://3d2f.com/screenshot/22-623-hashc ... shot.shtml

get hashcalc here http://3d2f.com/programs/22-623-hashcalc-download.shtml

For instance using hashcalc I generated the password hello into MD5 format which translates to 5d41402abc4b2a76b9719d911017c592 then you would copy and paste this into your password field in PHPMYadmin

Not sure if this is your issue but thought this might help as you cant simply paste any old password in.

Kili

ncat
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Sun Aug 12, 2007 12:28 pm

Re: You do not have access to the administrator section of this

Post by ncat » Fri Oct 31, 2008 6:03 pm

yeah. I used the one for "admin" which was in the docs.joomla.org site.

It worked correctly, for instance- I don't get a bad user name or password error, I just get the "You do not have access to the administrator section of this site" message.

..which leads me to believe it has something to do with access rights.
Thank you for the try though...

any more ideas?

User avatar
thecancerus
Joomla! Intern
Joomla! Intern
Posts: 51
Joined: Wed Nov 21, 2007 7:31 pm
Location: Pune
Contact:

Re: You do not have access to the administrator section of this

Post by thecancerus » Fri Oct 31, 2008 6:15 pm

For super admin user, is value of gid in db 25 ?
Do Something. Prioritize and focus

Have you checked out my blog today?.... No, do it now http://amiworks.co.in/talk/category/joomla

Join Joomla User Group Pune discussion group http://groups.google.com/group/jugpune

kili
Joomla! Explorer
Joomla! Explorer
Posts: 415
Joined: Sun Oct 23, 2005 5:17 pm

Re: You do not have access to the administrator section of this

Post by kili » Fri Oct 31, 2008 7:01 pm

ncat wrote:yeah. I used the one for "admin" which was in the docs.joomla.org site.

It worked correctly, for instance- I don't get a bad user name or password error, I just get the "You do not have access to the administrator section of this site" message.

..which leads me to believe it has something to do with access rights.
Thank you for the try though...

any more ideas?
fTP in to the site and check / chmod the permissions on the administrator folder

Kili

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: You do not have access to the administrator section of this

Post by ircmaxell » Sat Nov 01, 2008 1:23 am

Restore your site from a backup...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

ncat
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Sun Aug 12, 2007 12:28 pm

Re: You do not have access to the administrator section of this

Post by ncat » Sat Nov 01, 2008 12:27 pm

yep. the gid is set to 25. I also tried it at 26 and then set it back. I also changed the permissions on the admin folder, but nothing.

Is restoring from a back up the only solution? I will lose everything I have added if I do that.

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: You do not have access to the administrator section of this

Post by ircmaxell » Sat Nov 01, 2008 1:04 pm

ncat wrote:Is restoring from a back up the only solution? I will lose everything I have added if I do that.
That's why it's imperative to backup early and often...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

kili
Joomla! Explorer
Joomla! Explorer
Posts: 415
Joined: Sun Oct 23, 2005 5:17 pm

Re: You do not have access to the administrator section of this

Post by kili » Sat Nov 01, 2008 1:05 pm

ircmaxell wrote:
ncat wrote:Is restoring from a back up the only solution? I will lose everything I have added if I do that.
That's why it's imperative to backup early and often...

No it's not. Restoring from a backup is your last resort. Keep looking for a soloution

User avatar
fw116
Joomla! Ace
Joomla! Ace
Posts: 1368
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: You do not have access to the administrator section of this

Post by fw116 » Sat Nov 01, 2008 1:26 pm

kili wrote:
ircmaxell wrote:
ncat wrote:Is restoring from a back up the only solution? I will lose everything I have added if I do that.
That's why it's imperative to backup early and often...

No it's not. Restoring from a backup is your last resort. Keep looking for a soloution
well, for the most peolpe here looking for help , this IS the only way.

cause they dont have the knowlegde about webserver and security (tools and stuff) or php to find compromised files , backdoors or anything like that..

so to say the backup is that last resort... very impressive... :pop

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: You do not have access to the administrator section of this

Post by ircmaxell » Sat Nov 01, 2008 2:01 pm

kili wrote:No it's not. Restoring from a backup is your last resort. Keep looking for a soloution
If you backup properly, it should be the FIRST resort... It's only a last resort if you don't do it often enough, or properly...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

User avatar
thecancerus
Joomla! Intern
Joomla! Intern
Posts: 51
Joined: Wed Nov 21, 2007 7:31 pm
Location: Pune
Contact:

Re: You do not have access to the administrator section of this

Post by thecancerus » Sat Nov 01, 2008 2:25 pm

ncat can you explain what caused the problem in first place, as Joomla users relation is saved in around 6 tables.
Do Something. Prioritize and focus

Have you checked out my blog today?.... No, do it now http://amiworks.co.in/talk/category/joomla

Join Joomla User Group Pune discussion group http://groups.google.com/group/jugpune

kili
Joomla! Explorer
Joomla! Explorer
Posts: 415
Joined: Sun Oct 23, 2005 5:17 pm

Re: You do not have access to the administrator section of this

Post by kili » Sat Nov 01, 2008 3:37 pm

well, for the most peolpe here looking for help , this IS the only way.

cause they dont have the knowlegde about webserver and security (tools and stuff) or php to find compromised files , backdoors or anything like that..

so to say the backup is that last resort... very impressive... :pop

Not as impressive as your inability to help your self.You don't have the knowledge because your not prepared to try and find a solution to the problem restoring from a backup does not solve the problem only avoid it until it happens the next time.

Now that's impressive

kili
Joomla! Explorer
Joomla! Explorer
Posts: 415
Joined: Sun Oct 23, 2005 5:17 pm

Re: You do not have access to the administrator section of this

Post by kili » Sat Nov 01, 2008 3:40 pm

ircmaxell wrote:
kili wrote:No it's not. Restoring from a backup is your last resort. Keep looking for a soloution
If you backup properly, it should be the FIRST resort... It's only a last resort if you don't do it often enough, or properly...
That response teaches nothing to anyone. The whole point of these forums is to help people to help themselves simply restoring from a backup avoids the issue that caused the problem in the first place they will learn nothing from your approach and still be left with no knowledge of what caused the issue or how to resolve it in the future.

User avatar
fw116
Joomla! Ace
Joomla! Ace
Posts: 1368
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: You do not have access to the administrator section of this

Post by fw116 » Sat Nov 01, 2008 4:46 pm

kili wrote:
ircmaxell wrote:
kili wrote:No it's not. Restoring from a backup is your last resort. Keep looking for a soloution
If you backup properly, it should be the FIRST resort... It's only a last resort if you don't do it often enough, or properly...
That response teaches nothing to anyone. The whole point of these forums is to help people to help themselves simply restoring from a backup avoids the issue that caused the problem in the first place they will learn nothing from your approach and still be left with no knowledge of what caused the issue or how to resolve it in the future.
yeah , we can see every day how much people care about to learn something about joomla, webserver, security and so on...

it would be awsome IF people would act like you wrote ... but they simply dont care about...

OR

they would like to care.. but are not able to do so, because they miss the basic, so that it is a hard unknown way. and because its that kind of hard they just top walking.
regardless if they get help or not...

ncat
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Sun Aug 12, 2007 12:28 pm

Re: You do not have access to the administrator section of this

Post by ncat » Sat Nov 01, 2008 5:56 pm

I like that this thread is getting so much attention, but I hope that we are able to solve it in the long run! Thanks for everyone's help!

I had installed the new version of Community Builder, and I beleive that thinigs were still running smoothly. However- I hadn't logged out yet. I was also in the process of trying to import my users with CB Juice, and was in the forums trying to figure out why the imported members showed on the front but not the back. During my tim in the forums searching for a solution to that, I had timed-out on my session. This is when I coudl not log in again.
So... it could also be something with the newer CB version, or the import of the new members.

JNewton
Joomla! Apprentice
Joomla! Apprentice
Posts: 14
Joined: Wed Mar 21, 2007 7:53 pm

Re: You do not have access to the administrator section of this

Post by JNewton » Sat Nov 01, 2008 8:36 pm

I'm having the exact same problem and I've done exactly the same steps to recover and I'm still unable to log in.

I was working on the CSS files in the Template manager when I got booted from the page and was unable to log back in. Since this site is still under development I had not done a back up.

I'm hoping that with the info on what I was working on when it decide to kick me out , someone will be able to get me pointed in the right direction. I'd hate to have to start all over and do another 12+ hour day rebuilding a site. I'd rather learn more about how the site works so that I can better able manage and develop sites and even avoid pitfalls in the future.

Note: I'm not using CB

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: You do not have access to the administrator section of this

Post by ircmaxell » Sat Nov 01, 2008 9:12 pm

ncat wrote:I had installed the new version of Community Builder, and I beleive that thinigs were still running smoothly. However- I hadn't logged out yet. I was also in the process of trying to import my users with CB Juice, and was in the forums trying to figure out why the imported members showed on the front but not the back. During my tim in the forums searching for a solution to that, I had timed-out on my session. This is when I coudl not log in again.
So... it could also be something with the newer CB version, or the import of the new members.
Well, that changes things... Why didn't you say that in your first post?
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: You do not have access to the administrator section of this

Post by rliskey » Sat Nov 01, 2008 9:50 pm

Two forms of recovery are being argued here. They each have pros and cons. Which solution is best for you depends on your situation.

Solution 1: Pick through the site repairing each problem as you find it, learning as you go. Continue until you've found every last Trojan Horse, corrupted or missing file, bogus registration, tweaked db entry, etc.

This is an excellent solution if you are 100% sure you can find and fix everything before you are attacked again. Note that there's no reason to assume you are not being actively monitored and attacked from one Trojan Horse while you valiantly fix others.

This includes being able to verify that your personal computer is not compromised (think keystroke loggers). Not saying this is happening, but how do you verify it one way or the other? If you can't answer that question, you probably are not ready to try this solution on your own.

Solution 2: Always maintain a recent backup that enables you to recover fast no matter what happens. Incremental daily backups are the typical method. The main advantages are:
  1. A single recover method works for any problem no matter what the cause.
  2. It very quickly wipes your site clean of every new vulnerability whether you know about it or not.
  3. It immediately resets your site to the most recent known stable condition which is officially defined as "a nice place to be."
  4. It immediately puts you back in business, which is officially defined as, "a smart place to be."
  5. Best of all, once this is done, you can relax a little as you investigate what in your original configuration allowed the original attack. That is the real issue, after all. Note that this separates analysis of the original attack from after-the-fact cleanup of post attack site modifications, which are only additional symptoms of an already compromised site.
Although I prefer method 2, I have used method 1 with success. The key point is that you want to set yourself up for success by being able to choose between the two methods.

I suggest ignoring anyone who says using backups is only a last resort. Done correctly, backups are your first, last, AND best resort.

Thickening the Plot

If you didn't set up a backup process then there's good news and bad news:
  1. :D The good news is that you now have more than two choices!
  2. :'( The bad news is that all of them are worse than method two.
Here are the most popular:
  1. ??? Pray to the gods of your choice, and do your best with method one.
  2. :geek: Start over with brand new installs and a real backup process. This is often the best choice for the recently (but no longer) foolish.

    (Editorial Note: This is the method that worked for me many moons ago, when I was even more foolish than I am today.)
  3. ;) Forget it all. Keeping a dynamic site secure is an ongoing task, and it may not be worth your effort. A valid choice if your site was just for fun.
  4. :eek: Hire an expert. Often the best choice for those who, for perfectly valid reasons, focus their time and energy on other skills. This is akin to hiring an auto mechanic to fix a major auto malfunction--usually a very smart idea.
  5. >:( Find someone or something to hate, and blame them. I know, it sounds crazy, but political processes around the world seem to confirm the popularity of this stance. Although not recommended, it is included here for completeness. This stance does feel good for a while, so why not indulge your lesser self?

    BTW: If this solution is your style, I have land for sale in Florida that you might like. It comes with a free fleet of very nice cars. The first $10,000 buys the whole thing. Check it out here!
Hope that helps. All humor was intentional. All insults were unintentional.

JNewton
Joomla! Apprentice
Joomla! Apprentice
Posts: 14
Joined: Wed Mar 21, 2007 7:53 pm

Re: You do not have access to the administrator section of this

Post by JNewton » Sun Nov 02, 2008 1:15 am

A lot of sage advice there and I like the humor mixed in. I was in the mist of setting up a brand new site and there is no access to it short of knowing the IPS and what the name of the domain will be. Kind of rules out the being hacked theory, for the moment. All bets are off once the site goes live.

Looks like I'm back to option 2. Although I keep hoping someone will say "Oh, I know what that is...". The symptoms are just kind of strange. Its like I've logged in but the control panel will not come up. I say this because it timed out while I was looking around here. It flashed up a blue bar telling me my session had timed out and that I needed to log back it. So I tried. It just flashed the screen and left me at the admin log in. I had thought that perhaps something corrupted the session, but I think we can rule that out now.

As for hiring a tech savvy person, well, that would be me, or I hope will be me in the not too distant future. It looks like this is just one of many lessons I'll be learning on Joomla. My IT experience is in areas other than PHP and Joomla, but I figure at 60 I can still learn. I appreciate any assistance I can get.

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: You do not have access to the administrator section of this

Post by rliskey » Sun Nov 02, 2008 2:45 am

@JNewton

You should build your site locally first. Google 'xammp', 'wamp', or 'mamp' to get started if unsure about this.

To recover from whatever you might have done last (or just before last), you should set up a version control system, such as CVS or SVN. Or, quick and dirty method is to always make a backup copy of any file you are actively editing.

Once the site is configured, you can use PHPMyAdmin to upload the database to your production server, an FTP program to copy your files to the production server, then tweak the configuration.php file.

Besides being safer and faster than developing remotely, this gives you a great initial backup of your whole site.

kili
Joomla! Explorer
Joomla! Explorer
Posts: 415
Joined: Sun Oct 23, 2005 5:17 pm

Re: You do not have access to the administrator section of this

Post by kili » Sun Nov 02, 2008 12:00 pm

rliskey wrote: I suggest ignoring anyone who says using backups is only a last resort. Done correctly, backups are your first, last, AND best resort.
NO, NO AND NO

ncat
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Sun Aug 12, 2007 12:28 pm

Re: You do not have access to the administrator section of this

Post by ncat » Sun Nov 02, 2008 1:35 pm

"Well, that changes things... Why didn't you say that in your first post?"

sorry... I probably shoudl have. Can you tell me why you think this changes everything? It looks like I may have to start from scratch, and I am wondering if I can avoid this again.

For the record- I would still like to try to fix this. Mine also is a new site, so I didn't have any backup started, and all that I have lost will be based on the time i have spent in two days setting it up. Live and learn I guess.

And so I don't seem like ssomeone simply searching for someone to fix my problem, I have spent time on CB forums as well as trying to google outside resources. I find that with all of the different components, you spend a fair amount of time in the various forums. I am able to help myself most of the time. I am stumped here.

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: You do not have access to the administrator section of this

Post by ircmaxell » Sun Nov 02, 2008 1:48 pm

It's because your user permissions tables weren't updated properly.

http://www.joomlaspan.com/general/recov ... joomla.php

Follow the 1.0 instructions...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

kili
Joomla! Explorer
Joomla! Explorer
Posts: 415
Joined: Sun Oct 23, 2005 5:17 pm

Re: You do not have access to the administrator section of this

Post by kili » Sun Nov 02, 2008 2:20 pm

ircmaxell wrote:It's because your user permissions tables weren't updated properly.

http://www.joomlaspan.com/general/recov ... joomla.php

Follow the 1.0 instructions...
Well spotted :laugh:

ncat
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Sun Aug 12, 2007 12:28 pm

Re: You do not have access to the administrator section of this

Post by ncat » Sun Nov 02, 2008 2:51 pm

THANK YOU! I am in.. You have saved me hours of rebuilding. I will backup right away. Much appreciated!

However... I still cannot access any of my users on the backend. While I am in MySql admin. Do you happen to know of a way that I can make them all show there? From my previous research, it sounded like the user ID needed to match up with a value from another table, but that was not clear.

I'll figure it out if not, but thought I would ask.

Thanks again for all of your help. Much appreciated. I will bookmark that article in case it happens again.

User avatar
ircmaxell
Joomla! Ace
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA
Contact:

Re: You do not have access to the administrator section of this

Post by ircmaxell » Sun Nov 02, 2008 3:01 pm

Those 3 tables need to be in sync. The importer that you used, I suspect, did not update the other 2...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

flnative08
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Mon Oct 06, 2008 6:45 pm

Re: You do not have access to the administrator section of this

Post by flnative08 » Sun Nov 02, 2008 3:21 pm

Thank kili

You solved my issue. I have been trying to figure out how to log back in after I got hacked. It appears only my index file was updated, so I fixed that but had the ongoing issue of not being able to log in. I looked for a solution and tried all the various hash strings that were posted in the Joomla FAQ. But they did not work, Kili, the MD5 hash you posted worked! "hello"

This is very cool, that a separate topic helped me! I also saved the GUI to 26 initially on jos_users but changed it back to 25 after all the other group ids did match 25. So not sure if re-saving this number also helped.

kili
Joomla! Explorer
Joomla! Explorer
Posts: 415
Joined: Sun Oct 23, 2005 5:17 pm

Re: You do not have access to the administrator section of this

Post by kili » Sun Nov 02, 2008 6:17 pm

flnative08 wrote:Thank kili

You solved my issue. I have been trying to figure out how to log back in after I got hacked. It appears only my index file was updated, so I fixed that but had the ongoing issue of not being able to log in. I looked for a solution and tried all the various hash strings that were posted in the Joomla FAQ. But they did not work, Kili, the MD5 hash you posted worked! "hello"

This is very cool, that a separate topic helped me! I also saved the GUI to 26 initially on jos_users but changed it back to 25 after all the other group ids did match 25. So not sure if re-saving this number also helped.
Lol.. that's great between us all in this thread we've managed to solve two issues. That's team work for you.

Now don't forget to change that password to something more difficult there are plenty of password generators out there. I have so many passwords now that I use roboform to store them securely which also has a password generator

Well done everyone :D

JNewton
Joomla! Apprentice
Joomla! Apprentice
Posts: 14
Joined: Wed Mar 21, 2007 7:53 pm

Re: You do not have access to the administrator section of this

Post by JNewton » Sun Nov 02, 2008 9:18 pm

ircmaxell Nice call! I'm back in. And I too an doing a back up right away.

As to using XAMPP for doing the local development, I had done that on another site but had a dickens of a time getting it properly installed on the hosting server. That was why I foolishly decided to do it remotely. Lesson learned.

Interestingly, I do all of my PHP project on my home system using XAMPP and love it. Looks like I'll be Importing the site and finishing it up locally then exporting it.

Again, Thnak you all for the assist.


Locked

Return to “Security in Joomla! 1.5”