For two weeks, I tried installing OpenCart 3.0.2 on different operating systems - CentOS 7.5, Debian 9.5, Ubuntu 16.04/18.04 - I tried different control panels - Vesta, Webmin, CyberPanel, Plesk - I tried different PHP versions and server settings, and every time I had the same problem:
Within a few hours after a clean installation of OpenCart, I discovered a new customer had been added to the Default group. This customer has no registration information - all required fields are empty. I can see only the IP address that was used to add the customer.
Access to the database is allowed only for local users. The registration page uses Google captcha.
The speed of navigation indicates that the bot is being used for the injection.
The typical path in a log file looks like this:
2018-11-13 09:59:20 Access 31.173.120.139 200 GET /index.php HTTP/1.0 208 K nginx SSL/TLS access
2018-11-13 09:59:22 Access 31.173.120.139 200 GET /index.php?route=account/register HTTP/1.0 78.7 K nginx SSL/TLS access
2018-11-13 09:59:24 Access 31.173.120.139 200 GET /index.php?route=account/login HTTP/1.0 74.1 K nginx SSL/TLS access
2018-11-13 09:59:26 Access 31.173.120.139 200 GET /index.php?route=account/login HTTP/1.0 74.1 K nginx SSL/TLS access
2018-11-13 09:59:28 Access 31.173.120.139 200 GET /index.php?route=account/register HTTP/1.0 78.7 K nginx SSL/TLS access
2018-11-13 09:59:30 Access 31.173.120.139 200 GET /index.php?route=extension/module/so_sociallogin/TwitterLogin HTTP/1.0 27 nginx SSL/TLS access
2018-11-13 09:59:31 Access 31.173.120.139 302 GET /index.php?route=extension/module/so_sociallogin/LinkedinLogin HTTP/1.0 330 nginx SSL/TLS access
2018-11-13 09:59:33 Access 31.173.120.139 302 GET /index.php?route=account/register HTTP/1.0 0 nginx SSL/TLS access
2018-11-13 09:59:34 Access 31.173.120.139 302 GET /index.php?route=account/register HTTP/1.0 0 nginx SSL/TLS access
2018-11-13 09:59:35 Access 31.173.120.139 302 GET /index.php?route=account/login HTTP/1.0 0 nginx SSL/TLS access
2018-11-13 09:59:36 Access 31.173.120.139 302 GET /index.php?route=affiliate/login HTTP/1.0 0 nginx SSL/TLS access
2018-11-13 09:59:38 Access 31.173.120.139 302 GET /index.php?route=affiliate/login HTTP/1.0 0 nginx SSL/TLS access
2018-11-13 09:59:41 Access 31.173.120.139 200 GET / HTTP/1.0 63.7 K nginx SSL/TLS access
A site scan for vulnerabilities (https://www.tinfoilsecurity.com) revealed one vulnerability - Cross-Site Request Forgery (CSRF).
I added tokens to the forms on the site using the CSRF Protection Form (VQMod) module; however, this did not solve the problem (a follow-up site scan showed there was no longer a CSRF issue, but the possibility of user injection remained). Today I once again found that the bot has added a new customer... This 'music' can go on forever...
Is there any way to block this?
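As an added example (not part of the original post or of OpenCart), here is a small detection script that reads access-log lines in the same layout as the excerpt above and flags client IPs that hit the account/register, account/login and affiliate/login routes at a bot-like cadence, which is the pattern the poster describes. The sample log lines and IP addresses below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same layout as the poster's log excerpt
# (timestamp, "Access", client IP, status, method, path, protocol, size, server, note).
SAMPLE_LOG = """\
2018-11-13 09:59:20 Access 203.0.113.7 200 GET /index.php HTTP/1.0 208 K nginx SSL/TLS access
2018-11-13 09:59:22 Access 203.0.113.7 200 GET /index.php?route=account/register HTTP/1.0 78.7 K nginx SSL/TLS access
2018-11-13 09:59:24 Access 203.0.113.7 200 GET /index.php?route=account/login HTTP/1.0 74.1 K nginx SSL/TLS access
2018-11-13 09:59:26 Access 203.0.113.7 200 GET /index.php?route=account/login HTTP/1.0 74.1 K nginx SSL/TLS access
2018-11-13 09:59:28 Access 203.0.113.7 200 GET /index.php?route=account/register HTTP/1.0 78.7 K nginx SSL/TLS access
2018-11-13 09:59:33 Access 203.0.113.7 302 GET /index.php?route=account/register HTTP/1.0 0 nginx SSL/TLS access
2018-11-13 10:15:02 Access 198.51.100.20 200 GET /index.php?route=account/register HTTP/1.0 78.7 K nginx SSL/TLS access
2018-11-13 10:18:40 Access 198.51.100.20 302 GET /index.php?route=account/register HTTP/1.0 0 nginx SSL/TLS access
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Access (?P<ip>\S+) "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+) "
)
# Routes that a registration bot touches, taken from the poster's excerpt.
ACCOUNT_ROUTES = ("route=account/register", "route=account/login", "route=affiliate/login")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"], "status": int(m["status"]), "path": m["path"]}

def flag_fast_registrations(log_text, min_hits=4, window_s=60):
    """Return {ip: total_account_hits} for IPs with min_hits account-route
    requests inside any window_s-second window (human users are far slower)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(r in rec["path"] for r in ACCOUNT_ROUTES):
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        # Sliding window over consecutive hits: flag on the first dense burst.
        for i in range(len(stamps) - min_hits + 1):
            if (stamps[i + min_hits - 1] - stamps[i]).total_seconds() <= window_s:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Flagged IPs are candidates for rate limiting or blocking at the web server, and the same check can be run against the real log with `flag_fast_registrations(open(path).read())`.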