Форум

You can also protect the admin area from unauthorized access using .htaccess. For flexibility, you can use DDNS names, for example. DDNS is useful because most users receive dynamic IP addresses from their Internet provider. This allows you to update the permitted IP address without having to constantly edit the .htaccess file.

In the example code, we use the address "[B]dyndnsname.dyndnshost.com[/B]". Simply [B][U]change it to your[/U][/B] own.

Place a file named "[B].htaccess[/B]" in the admin folder.

Like this:
[B]/www/bitrix/admin/.htaccess[/B]

The content:
[CODE]# Block access to everything in /bitrix/admin/*
# except /bitrix/admin/user_options.php
# Access is only allowed to the IP resolved by dyndnsname.dyndnshost.com

<IfModule mod_setenvif.c>
   SetEnvIf Request_URI "/bitrix/admin/user_options\.php$" ALLOW_USER_OPTIONS
   <FilesMatch ".*">
       Require forward-dns dyndnsname.dyndnshost.com
       Order   Deny,Allow
       Deny from  all
       Allow from env=ALLOW_USER_OPTIONS
       Satisfy any
   </FilesMatch>
</IfModule>[/CODE]
The code ensures that all files and subdirectories in [B]/bitrix/admin/*[/B] are only accessible from the IP address resolved using the DDNS name. The file [B]/bitrix/admin/user_options.php[/B] is defined as an exception to this restriction.

Cheers!

I've taken a look at the script. It's from Bitrix itself, yes. It's a   script that downloads and processes various rules from Bitrix servers.   To better understand the code, you can view the "unencrypted" version   here. I'm just wondering why the developers obfuscate the code if it's   not supposed to do anything malicious?

/bitrix/modules/main/lib/security/w/wwall.php
(deobfuscated): pastebin.com/LuE9EwXM

Cheers!
sToRm//

Hello forum members,

I also noticed attempted attacks today on the systems we monitor. What's particularly suspicious is that some of them were systems that aren't in productive use and, for example, aren't listed in Google search results. This means the attacker has no way of knowing that Bitrix is ​​installed on the target. I therefore suspect that the attacks are coming from an insider. Alternatively, it could also be that information about active installations of the provider's modules is being sent to a server somehow, and that this server was also the victim of an attack. We at CERT are currently tracing the attempted attacks and analyzing the incident. If I have more information, I'll share it with you.

Best regards to everyone!
sToRm//