Password attack help
I was hoping someone can assist us in mitigating an ongoing attack. We are a design agency that uses OpenCart for our clients. We have several servers with a dozen or so installations on each.
Recently there was a Python script released that can password-attack the OpenCart admin. It hits the admin page directly and, from what I can work out from the code, it recognizes it has been successful by checking for a cookie. Most of our domains are being hit.
OpenCart returns an HTTP/1.1 200 on a failed login. The user agent is always different and the IPs are being cycled. We have also seen an attack from a Cloudflare range of IPs. The attack is slow so it isn't affecting the server load in any way.
cphulkd isn't picking it up. We have CSF installed; I'm not sure if this could help in some way.
I have tried various ModSecurity rules but I'm not having any luck as I don't really know what I am doing. I have tried to modify the widely used WordPress password attack rule but that didn't work either.
I think there may be several variations of the attack script as there are two styles of logs:
163.172.22.148 - - [21/Sep/2017:15:49:06 +0100] "POST /admin/index.php HTTP/1.1" 200 3826 "-" "python-requests/2.11.1"
and
45.77.89.33 - - [22/Sep/2017:01:51:29 +0100] "POST /admin/index.php?route=common/login HTTP/1.1" 200 3926 "http://www.example.co.uk/admin/index.php" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.6.2 Safari/533.24"
This is what I have so far for ModSecurity, but they are not catching anything so they are clearly not quite right.
# Initialise the per-IP collection (requires SecDataDir to be set) and the thresholds the rules below reference
SecAction "phase:1,nolog,pass,id:5001020,initcol:ip=%{REMOTE_ADDR},setvar:tx.max_requests=5,setvar:tx.requests_ttl=300,setvar:tx.block_ttl=3600"
# Drop every request from an IP that has already been flagged
SecRule IP:blocked "@eq 1" "phase:1,drop,log,id:5001021,msg:'IP blocked after repeated OpenCart admin logins'"
# Count admin login POSTs per IP; both log styles POST to /admin/index.php with username and password fields
SecRule REQUEST_FILENAME "@endsWith /admin/index.php" "phase:2,chain,pass,nolog,id:5001022"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS_POST_NAMES "^username$" "chain"
      SecRule ARGS_POST_NAMES "^password$" "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"
SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'Blocked for %{TX.block_ttl} sec',id:5001023"
# Bad user agents (site-wide): the python-requests version changes between runs, so match the prefix rather than one version
SecRule REQUEST_HEADERS:User-Agent "@beginsWith python-requests" "phase:1,drop,log,id:2002002,msg:'python-requests client'"
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /usr/local/apache/conf/badbots.txt" "phase:1,drop,log,id:350001,rev:1,severity:2,msg:'BAD BOT - Detected and Blocked.'"
If anyone has some ideas it would be appreciated. Thanks in advance.
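As an added example (not from the original post, OpenCart or cPanel), a small log analyser that applies the detection logic described above to the two log styles: it counts POSTs to /admin/index.php answered with 200 per source IP inside a sliding window and, because the IPs and user agents are cycled, also reports the site-wide peak so a slow distributed run is visible even when no single IP crosses the threshold. The sample log lines are constructed and use RFC 5737 addresses; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log line; both styles in the post are a POST to /admin/index.php answered 200 on failure.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
LOGIN_PATH = "/admin/index.php"  # the ?route=common/login query string is stripped before comparing

def login_attempts(log_text):
    """Yield (ip, timestamp, user_agent) for every admin login POST answered with 200."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if (not m or m["method"] != "POST" or m["status"] != "200"
                or m["path"].split("?", 1)[0] != LOGIN_PATH):
            continue
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ua"]

def max_in_window(times, window):
    """Largest number of events inside any span of length `window` (two-pointer sweep)."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyze(log_text, window=timedelta(minutes=10), per_ip=5, site_wide=10):
    """Flag IPs over `per_ip` failed logins per window; also report the site-wide peak (assumed thresholds)."""
    by_ip, all_times, agents = defaultdict(list), [], set()
    for ip, ts, ua in login_attempts(log_text):
        by_ip[ip].append(ts)
        all_times.append(ts)
        agents.add(ua)
    flagged = sorted(ip for ip, ts in by_ip.items() if max_in_window(ts, window) >= per_ip)
    site_peak = max_in_window(all_times, window) if all_times else 0
    return {"flagged_ips": flagged, "site_peak": site_peak, "distinct_ips": len(by_ip),
            "distinct_agents": len(agents), "distributed": site_peak >= site_wide and not flagged}

# Constructed sample (RFC 5737 addresses): one noisy python-requests client plus
# scattered single attempts with rotating user agents, as the post describes.
_ROWS = [("203.0.113.5", 45 + i, "", "python-requests/2.11.1") for i in range(5)] + [
    ("198.51.100.7", 50, "?route=common/login", "Mozilla/5.0 (Windows NT 6.0)"),
    ("198.51.100.8", 51, "?route=common/login", "Mozilla/5.0 (X11; Linux x86_64)")]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [21/Sep/2017:15:{m:02d}:06 +0100] "POST /admin/index.php{q} HTTP/1.1" '
    f'200 3826 "-" "{ua}"' for ip, m, q, ua in _ROWS
) + '\n203.0.113.9 - - [21/Sep/2017:15:52:00 +0100] "GET /admin/index.php HTTP/1.1" 200 3000 "-" "curl/7.0"'
```

Running `analyze(SAMPLE_LOG)` flags 203.0.113.5 and reports a site-wide peak of 7 across 3 IPs and 3 user agents; feeding it a real access_log with the thresholds lowered for the cycled-IP case is the intended use.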
-
Hello, I'll leave this thread open for feedback from other users who might also use OpenCart; however, you may find more feedback on this type of question on a website where more security-related discussions occur (e.g. WebHostingTalk, StackOverflow), or even from OpenCart's support. Additionally, we provide a list of companies offering system administration services at the following URL should you decide to seek help from a professional: System Administration Services | cPanel Forums. That said, I did want to respond to the following quote:
"cphulkd isnt picking it up"
cPHulk is not designed to block brute force attempts to websites over the Apache service. Thank you.