User Login Notifications

The users of our website have recently - within the past 10 days - begun receiving auto-generated emails notifying them of the fact that they have logged into their user accounts on our website.

The email header shows that the sending source IP is that of our website. The reported IP address of the user is linked to a third party website, ipinfo.io. However, the IP address provided is incorrect and the browser type cited runs the gamut, from Windows to Chrome to Firefox, despite the actual browser used by the user (okay, that's a Department of Redundancy Department statement...).

What's really puzzling is that accounts that are prohibited from logging in to the front end (AdminTools is set to prevent Super Users from logging in to the front end) also receive these notifications. Website users who have not logged into their accounts for weeks or months have also been notified that their accounts have been accessed.

That latter is not a bad thing. Not unless it's indicative of something far graver, such as compromise of the user account database, for which we use CB.

I've worked with Rochen, our web host, but no malware has been found following virus scanning of their server software.

Any suggestions? Thanks.

I know of no configuration setting I've made (yes, I'm the webmaster) that would cause the website to notify users of their login activity.

It's not a bug. It's a new feature implemented in CB AntiSpam. It informs them of when a new ip address accesses their account or informs moderators if a new ip address accesses a users account. The browser check is entirely based off the User Agent their browser reports so it's accurate based off of that. The IP Address sent is the IP Address that logged into their account as seen by your server. The link to ipinfo, which is a safe functional site that also provides an API endpoint, can be used to verify ip location information and can be changed to a different site if you like using the necessary language string.

This feature is not enabled by default. It can be disabled within CB AntiSpam > Parameters > Login > Log where it would've been enabled. Review the parameters carefully as there is one to notify all moderators when a new ip address accesses a users account and I suspect that is the one your users are seeing, which if they are not supposed to be moderators you need to immediately ensure Moderator View Access Level is set correctly in CB > Configuration > Moderation.

Thank you. However, the problem is exacerbated by the fact that, for instance, Super Users (Super Admins) cannot login to the front end of the website. I set this through Akeeba AdminTools and, after setting it, attempted to login to my account through the front end. That and subsequent attempts by me were rejected.

It stands to reason that, if my credentials have been compromised, even after changing my password/pass phrase, no one and no bot attempting to login to the Super Admin account from any IP address would succeed. Therefore, no notification of a successful signin would result.

I'm not criticizing the software; I am looking for ways to conduct good forensic research to correct the problem. Only a few others amongst our 1500 users have been similarly affected and I've found no unauthorized files inserted through any means into our Joomla home folder.

Sincerely,

Don White
Webmaster

Your login blocking you've added via Akeeba AdminTools likely is not blocking and interrupting CBs login, but is blocking Joomlas. This means CBs triggers will likely still fire, but the login will fail which could result in an ip address logging as well. You can test this your self by emptying the log then attempt to login on frontend. It should log your ip address and send a notification since Akeeba AdminTools is not interrupting CB.