Backend wide open Topic is solved

This forum is for issues with installing Joomla! 3.x on IIS webservers.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10
dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Backend wide open

Post by dottedhippo » Fri Apr 13, 2018 6:10 pm

After installing a backup with akeeba, all seemed to work fine. But I got the scare of my life when I discovered the backend was open without a password! Also, no users were shown to be logged in, hower the backend was wide open! What is happening here???
Last edited by toivo on Fri Apr 20, 2018 9:41 pm, edited 1 time in total.

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17350
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Backend wide open

Post by toivo » Fri Apr 13, 2018 6:17 pm

That sounds unusual. Which version of Joomla and Akeeba Backup?

Which method did you use to restore? Did you remove the old file system first?
Toivo Talikka, Global Moderator

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Fri Apr 13, 2018 6:25 pm

I used kickstart 5.4.2. It is the newest version of Joomla (I can't read off the version for I have no access to the back end in the broken version I use now).

I followed the defaults except for the database used.

It was a clean install, with only some basic files from my hosting provider, and the kickstart and archive files.

But the strange thing is: this should NEVER be possible, right?

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Fri Apr 13, 2018 6:46 pm

I am not kidding!!

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Fri Apr 13, 2018 7:12 pm

Could it be a hack attack?

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Backend wide open

Post by leolam » Sat Apr 14, 2018 4:52 am

can you send me in Private message you admin url?

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17350
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Backend wide open

Post by toivo » Sat Apr 14, 2018 5:13 am

dottedhippo wrote: I have no access to the back end in the broken version I use now
What did you then mean by "the back end was wide open" if you cannot access the back end? Was the login prompt not presented after Kickstart finished?
dottedhippo wrote:It was a clean install, with only some basic files from my hosting provider
Which basic files?
Toivo Talikka, Global Moderator

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Backend wide open

Post by leolam » Sat Apr 14, 2018 5:40 am

@toivo "Godaddy files" uhhhhhhhhhhh

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17350
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Backend wide open

Post by toivo » Sat Apr 14, 2018 6:08 am

Now I get it :)
Toivo Talikka, Global Moderator

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Sat Apr 14, 2018 8:59 am

leolam wrote:can you send me in Private message you admin url?

Leo 8)
I would like to, but I can't leave the site online in this state, you know.
toivo wrote:
dottedhippo wrote: I have no access to the back end in the broken version I use now
What did you then mean by "the back end was wide open" if you cannot access the back end? Was the login prompt not presented after Kickstart finished?
I was restoring a backup because the old site was broken, that is, I can't login the backend.
The restored backup had a different problem, namely that the backend stayed open for everyone!
toivo wrote:
dottedhippo wrote:It was a clean install, with only some basic files from my hosting provider
Which basic files?
.user.ini
web.config
App_data (folder)
(My provider hosts applications optionally - these files have never caused me problems)

I discovered yesterday that my browser (Chrome) was slow and faulty. So maybe something went wrong during installation.
Also, today I will try a different backup version.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Sat Apr 14, 2018 9:49 am

There might be problems with my hosting provider (who are on vacation this weekend >:( ), and/or with my browser. Also, the .htaccess file I used during installation probably got overwritten, thereby exposing the website during installation.

Such things make me crazy! :-\

So how do I gain exclusive access rights to my webserver space for the purpose of installation?? ???

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Sat Apr 14, 2018 12:54 pm

Now the backend was also open on the old site.

I need to know how I can restore a backup with akeeba while no one else has public access to my site!

Does anyone know how to do this?

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Sat Apr 14, 2018 1:21 pm

I seems that the problem is local. Somehow, since I use SSL, something goes wrong with my cookies?

It seems that only my own PC had access to the backend, and it is not wide open. However, I can't seem to log out.

Except after time out, I stay logged out. Or when I use the logout-url twice.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Sat Apr 14, 2018 4:42 pm

leolam wrote:@toivo "Godaddy files" uhhhhhhhhhhh

Leo 8)
I don't mind a joke. As long as my problem is taken seriously. :D

User avatar
AMurray
Joomla! Exemplar
Joomla! Exemplar
Posts: 9636
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Backend wide open

Post by AMurray » Sat Apr 14, 2018 10:46 pm

Just joining this conversation with my 2 cents.......
dottedhippo wrote:Now the backend was also open on the old site.

I need to know how I can restore a backup with akeeba while no one else has public access to my site!

Does anyone know how to do this?
When you do a backup and restore, you need to start with a clean slate so to speak (that is, nothing in the folder on your hosting space you are restoring to except the kickstart.php and the JPA archive files.

Assume this was done, but if not - you need to remove all previous site files. That would eliminate your concern about people seeing the site while you're restoring -there won't be a site for them to see, until restoration is done.

Have you tried to clear the sessions cookies from your browser.

Is this thing with the admin happening in all browsers?'

Can you restore the site, on your own PC (which would not permit the site access to the world) - use XAMPP or similar and get a copy of the site running and see if you have the same issues? Use the same JPA and Kickstart to do that.
Regards - A Murray
General Support Moderator

User avatar
AMurray
Joomla! Exemplar
Joomla! Exemplar
Posts: 9636
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Backend wide open

Post by AMurray » Sat Apr 14, 2018 10:50 pm

My comment about ".....nothing in the folder you're restoring to....." means any previous joomla files. Anything already there that's part of the hosting can stay since it doesn't have any direct connection with joomla.

(just to be clear).
Regards - A Murray
General Support Moderator

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Sun Apr 15, 2018 9:54 am

AMurray wrote:My comment about ".....nothing in the folder you're restoring to....." means any previous joomla files. Anything already there that's part of the hosting can stay since it doesn't have any direct connection with joomla.

(just to be clear).
I start with a brand new empty folder (except for the provider files).

If I put kickstart and the necessary files there, then kickstart is out in the open. Furthermore, the site is reachable during installation by any visitors, because I have to have acces from my computer at home, everyone has access. I don't want that, so I put a .htaccess file there to restrict access to my own IP only. However, this .htaccess file gets overwritten during installation. There must be a method that works, right? I wonder what it is!

By the way I managed to restore a backup and change my root password so everything should work. Futhermore my provider seems to have (had) some problems with their system.

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17350
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Backend wide open

Post by toivo » Mon Apr 16, 2018 10:49 am

dottedhippo wrote:the site is reachable during installation by any visitors, because I have to have acces from my computer at home, everyone has access.
The backup archive can be password protected to block visitors from accessing your site while it is being restored. The password is set in the field 'ANGIE Password' under Advanced configuration of Akeeba Backup.
Toivo Talikka, Global Moderator

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 16, 2018 11:31 am

Thank you, toivo, I have to examine that.

I also got another possible solution from my hosting provider, and that is password protect the folder in which I want to install. :)

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 16, 2018 12:01 pm

BTW, Chrome behaves very strange sometimes. IE is not much better.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 16, 2018 2:48 pm

dottedhippo wrote:
AMurray wrote:My comment about ".....nothing in the folder you're restoring to....." means any previous joomla files. Anything already there that's part of the hosting can stay since it doesn't have any direct connection with joomla.

(just to be clear).
I start with a brand new empty folder (except for the provider files).

If I put kickstart and the necessary files there, then kickstart is out in the open. Furthermore, the site is reachable during installation by any visitors, because I have to have acces from my computer at home, everyone has access. I don't want that, so I put a .htaccess file there to restrict access to my own IP only. However, this .htaccess file gets overwritten during installation. There must be a method that works, right? I wonder what it is!

By the way I managed to restore a backup and change my root password so everything should work. Futhermore my provider seems to have (had) some problems with their system.
I can make use of the folder-password-protect option of my hosting provider. I hope that solves it.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 16, 2018 4:37 pm

Could it have anything to do with restoring the backup in a different folder?

I noticed the tmp directory in the Joomla Settings displayed the old directory. Also, the Akeeba output directory displayed the old value.

If I change the values to the correct ones, nothing changes. Joomla keeps using the old folders.

When I logout the backend, and reload about 5 times, the fifth time suddenly I have access again without logging in. It seems that this is local, so other users don't have access to the backend.

If I copy the logout url and enter it twice in my browser, so that I logout twice, then de logout seems to be definite.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Tue Apr 17, 2018 10:19 am

I installed the backup in the original folder, and the system seems to work well now.

I noticed that during installation with kickstart there are a number of folders you can fill out. So I suspect that if I install the backup in a different folder, I have to submit this folder at some place(s) during installation.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Tue Apr 17, 2018 5:26 pm

Turns out you have to check the box in ANGIE that copies the correct folder values in the appropriate inputboxes. Otherwise the values that came with the archive are used, that is: the old values.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Tue Apr 17, 2018 6:11 pm

Nope. Problem is back again after having used .htaccess file.

Help?

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Tue Apr 17, 2018 6:55 pm

A local specific erase of the cookies of my site in my browser seems to work....

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Tue Apr 17, 2018 7:17 pm

Made a fifth restore. Clearing the cookies specifically and not messing with the .htaccess file seems to keep the terror out. If you make one wrong mistake in the .htaccess file you seem to get punished by having to reinstall everything!

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Tue Apr 17, 2018 7:19 pm

Having said that, the backend is wide open again. The only thing that works is copying the logout link and enter it twice in succession in my browser bar. I think I will switch to Wordpress.

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17350
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Backend wide open

Post by toivo » Tue Apr 17, 2018 7:43 pm

The issues you describe are rather unusual and could be a combination of the hosting platform and unfamiliarity with tools like Akeeba Backup, which is a de facto standard for many Joomla webmasters.

Here are a couple of observations, which may unfortunately come too late. Many websites work perfectly all right with the standard .htaccess. Any mistakes causing a syntax error in the .htaccess file, then leading into an HTTP 500 error, can be solved by restoring just the .htaccess file from a copy, rather than having to restore the whole site.
Toivo Talikka, Global Moderator

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Wed Apr 18, 2018 10:35 am

Try this:
- Log in to your backend
- Log out immediately again
- Reload the blue login page ten times with the reload button of the browser.

I most cases, I gain access to the backend again without logging in. When I log out again, I can perform the trick again.

Only when I clear my cookies the leak gets stopped and I don't gain free access anymore.

I wonder if anyone can reproduce that, or else something is wrong with my site and I don't know what.

Thanks in advance.


Locked

Return to “Joomla! 3.x on IIS webserver”