Post by Cue4cheap » Fri Jan 12, 2024 9:36 pm

Hello All,

Looks like someone has decided to try and attempt sql injections though all different aspects on my site this time. Namely yesterday we received hundreds of return requests, and contact form emails with stuff like this in it:

Code: Select all

Customer: ikgzMOBX if(now()=sysdate(),sleep(15),0)
Email: testing@example.com
Phone: 555-666-0606

Order ID: 1
Date Ordered: 01/01/1967
Product: ikgzMOBX
Product Model: 94102

Return Reason: Order Error
Comment: 555
or

Code: Select all

-1; waitfor delay '0:0:15' -- 
I also see some "non well formed numeric" log entries for pagination at the same timeframe.

Oh! and Google analytics 'real time' tab didn't show anyone on the site. Shouldn't it have shown 100s?

I've saw other posts with the same thing and replies that they should add google reCaptcha. Well I have reCaptcha version 3 on those forms but it appears it didn't stop them. I thought google's reCaptcha was almost the gold standard.
So of course now looking for inputs on google reCaptcha and what else we can do to secure the site better.
Thanks!
Mike

cue4cheap not cheap quality


Expert Member

Posts

Joined
Fri Sep 20, 2013 4:45 am

Post by ADD Creative » Sat Jan 13, 2024 12:03 am

You won't see them on Google analytics because they will not be executing the JavaScript in the responses of their injection attempts. You should see something in you web access log and therefore any reports that you have in your hosting.

There does seem to be ways to bypass Google reCaptcha. There is also a flaw in the one built into OpenCart in that it only has to be passed once per session.

It looks like the are trying to find an SQL injection vulnerability by using timing. There are no known SQL injection vulnerabilities in recent version of OpenCart. Extension are a different matter entirely.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by Cue4cheap » Sat Jan 13, 2024 3:40 am

Thank you for the feedback, it is informative.
The problem I have now I guess they are overloading my store. AKA "MySQL server has gone away".
My webhost isn't helpful and for some reason adding the deny from with the IP address in the htaccess doesn't seem to stop it either.
Oh what fun - just as I was rebuilding my site I am frozen out at times.
Mike

cue4cheap not cheap quality


Expert Member

Posts

Joined
Fri Sep 20, 2013 4:45 am

Post by ADD Creative » Sat Jan 13, 2024 6:14 am

It's not unusual for there attacks to come from multiple IP addresses. Sometimes there are other options for blocking bots. This topic has some suggestions.
viewtopic.php?t=225771&start=40#p837105

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by Cue4cheap » Sat Jan 13, 2024 2:41 pm

ADD Creative wrote:
Sat Jan 13, 2024 6:14 am
It's not unusual for there attacks to come from multiple IP addresses. Sometimes there are other options for blocking bots. This topic has some suggestions.
viewtopic.php?t=225771&start=40#p837105
Wow what a day with my webhost.... This is stunning... Along with the sql injection attempts I also kept having "Uncaught Exception: Error: MySQL server has gone away".
To try and stop this I tried to block a couple of IPs then finally blocked Netherlands since that was the IP addresses were coming from (and I don't ship there anyway).
I also put in ninja firewall.
I tried to open a ticket with my webhost and they IMMEDIATELY said "your site has too many redirects and is confusing the server" then "your site is infected and we need to scan it before anything else we can look into"
So after too long they FINALLY showed me what they based those two statements on....
1) Is the lines in the htaccess file for the multi-store setup (i.e. the different domains for the different stores)
2) the different deny statements in the htaccess file as "proof" the site it infected. See attached image of that statement.

I asked for a transcript of the chat and they said I would get one emailed to me but nope! I am sure they didn't want the floating around. The statements they made it chat were "you don't know what you are doing" "your site is infected" "The server isn't the issue" "Server going away is because your configuration" etc.
Note: I didn't make any changes until the first few emails with the sql injection attempts. Then I adjusted the htaccess file to try and block IPs. Everything was static for 8 months prior.
Mike

Attachments

bh clueless Screenshot 2024-01-12 230927.png

bh clueless Screenshot 2024-01-12 230927.png (89.58 KiB) Viewed 3124 times


cue4cheap not cheap quality


Expert Member

Posts

Joined
Fri Sep 20, 2013 4:45 am

Post by ADD Creative » Sat Jan 13, 2024 8:06 pm

That is bad support. It might be worth the hassle for changing hosts, one you have everything stable again.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by Cue4cheap » Sat Jan 13, 2024 10:11 pm

ADD Creative wrote:
Sat Jan 13, 2024 8:06 pm
That is bad support. It might be worth the hassle for changing hosts, one you have everything stable again.
I agree but the issues are... I am paid up until 2026 and, as you wrote, the hassle of moving hosts.
As a "funny" ... I changed ninja firewall's setting to block the main IP that was trying sql injections and the "server has gone away" entries in the log stopped about 45 seconds later. It appears the htaccess entries were not blocking them.
Mike

cue4cheap not cheap quality


Expert Member

Posts

Joined
Fri Sep 20, 2013 4:45 am

Post by ADD Creative » Sat Jan 13, 2024 10:57 pm

A bit hard to see from your screenshot. But it could be the order "Order Deny,Allow", but you have a "Allow from all", which will override the deny entries.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by Cue4cheap » Sun Jan 14, 2024 12:58 am

ADD Creative wrote:
Sat Jan 13, 2024 10:57 pm
A bit hard to see from your screenshot. But it could be the order "Order Deny,Allow", but you have a "Allow from all", which will override the deny entries.
You are right. In my frustration I put that in there... I'm too used to cisco ACLs with implicit deny all at the end.
Thank you,
Mike

cue4cheap not cheap quality


Expert Member

Posts

Joined
Fri Sep 20, 2013 4:45 am
Who is online

Users browsing this forum: No registered users and 4 guests