We are a design agency that uses Opencart for our clients. We have several servers with a dozen or so installations on each. They are pretty much all under attack.
We have also tested the code against an installation in the wild ourselves with weak passwords. The code checks for the login cookie and outputs the user/pass combination that has worked. Google it. The code's everywhere online.
Opencart gives an HTTP/1.1 200 on a failed login attempt. The user-agent is always different and the IPs are being cycled. We have also seen an attack from a CloudFlare range of IPs. The attack is slow, so it isn't affecting the server load in any way, and it's not fast enough to be picked up by ModSecurity's standard rules.
I think there may be several variations of the attack script, as there are two styles showing up in the logs.
163.172.22.148 - - [21/Sep/2017:15:49:06 +0100] "POST /admin/index.php HTTP/1.1" 200 3826 "-" "python-requests/2.11.1"
45.77.89.33 - - [22/Sep/2017:01:51:29 +0100] "POST /admin/index.php?route=common/login HTTP/1.1" 200 3926 "xxx/admin/index.php" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.6.2 Safari/533.24"
The other one is rotating real user-agents on each connection, so I can't work out what to do.
I was hoping the Devs could assist in editing this Joomla password attack rule for ModSecurity, which in turn everyone can use.
<Location /admin/index.php>
SecDefaultAction phase:2,deny,status:403,log,auditlog
SecRule IP:bf_counter "@eq 5" "id:1000002,phase:2,log,block,expirevar:IP.bf_counter=3600,msg:'IP address blocked because of a suspected brute force attack on the Joomla website'"
SecRule ARGS:option "@streq com_login" "id:1000000,phase:2,chain,t:none,log,pass,msg:'Multiple Joomla authentication failures from IP address', setvar:IP.bf_counter=+1"
</Location>
SecRule ARGS:option "@streq com_login" "id:1000000,phase:2,chain,t:none,log,pass,msg:'Multiple Joomla authentication failures from IP address', setvar:IP.bf_counter=+1"
Does Opencart post something similar and can this be modified?
Thanks
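One way to adapt the Joomla rule to the OpenCart admin login, as an added example that is not from the original post or from the OpenCart project. It assumes ModSecurity 2.x on Apache with SecDataDir configured, that the login form posts fields named username and password, and that authenticated admin requests carry token= (OpenCart 1.5/2.x) or user_token= (OpenCart 3.x) in the query string; it keys on the observed behaviour that a failed login returns 200 while a successful one redirects.

```apache
# Assumed: ModSecurity 2.x on Apache, SecDataDir set so the ip/global collections persist.
# Login field names and admin token parameter names are assumptions about OpenCart.
SecAction "id:1000100,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:global=global"

<Location /admin/index.php>
# Deny a client that has accumulated 5 failed admin logins in the last hour.
SecRule IP:oc_bf_counter "@ge 5" \
    "id:1000101,phase:2,deny,status:403,log,\
    msg:'IP blocked: suspected brute force against the OpenCart admin login'"

# Count a failed login: a POST carrying username and password, no admin token in the
# query string (covers both /admin/index.php and ?route=common/login), answered with 200.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000102,phase:3,pass,log,chain,\
    msg:'OpenCart admin login failure from %{REMOTE_ADDR}'"
    SecRule &ARGS_POST:username "@eq 1" "chain"
    SecRule &ARGS_POST:password "@eq 1" "chain"
    SecRule &ARGS_GET:token "@eq 0" "chain"
    SecRule &ARGS_GET:user_token "@eq 0" "chain"
    SecRule RESPONSE_STATUS "@eq 200" \
        "setvar:ip.oc_bf_counter=+1,expirevar:ip.oc_bf_counter=3600,\
        setvar:global.oc_bf_total=+1,expirevar:global.oc_bf_total=3600"

# Rotating source IPs never reach the per-IP threshold, so also alert (log only)
# when the site-wide failure count for the hour reaches 20.
SecRule GLOBAL:oc_bf_total "@eq 20" \
    "id:1000103,phase:3,pass,log,\
    msg:'20 failed OpenCart admin logins from all source IPs within the last hour'"
</Location>
```

The per-IP deny only catches clients that reuse an address; the global counter is what gives visibility into the slow, IP-cycling pattern described above, and the 5 and 20 thresholds are starting points to tune against your own admin traffic.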