A bit confused about Google reCaptcha and hack attempts
Posted: Fri Jan 12, 2024 9:36 pm
by Cue4cheap
Hello All,
Looks like someone has decided to try and attempt sql injections through all different aspects on my site this time. Namely yesterday we received hundreds of return requests, and contact form emails with stuff like this in it:
Customer: ikgzMOBX if(now()=sysdate(),sleep(15),0)
Email: testing@example.com
Phone: 555-666-0606
Order ID: 1
Date Ordered: 01/01/1967
Product: ikgzMOBX
Product Model: 94102
Return Reason: Order Error
Comment: 555
or
I also see some "non well formed numeric" log entries for pagination at the same timeframe.
Oh! and Google analytics 'real time' tab didn't show anyone on the site. Shouldn't it have shown 100s?
I've seen other posts with the same thing and replies that they should add Google reCaptcha. Well I have reCaptcha version 3 on those forms but it appears it didn't stop them. I thought Google's reCaptcha was almost the gold standard.
So of course now looking for inputs on google reCaptcha and what else we can do to secure the site better.
Thanks!
Mike
Re: A bit confused about Google reCaptcha and hack attempts
Posted: Sat Jan 13, 2024 12:03 am
by ADD Creative
You won't see them on Google analytics because they will not be executing the JavaScript in the responses of their injection attempts. You should see something in your web access log and therefore any reports that you have in your hosting.
There do seem to be ways to bypass Google reCaptcha. There is also a flaw in the one built into OpenCart in that it only has to be passed once per session.
It looks like they are trying to find an SQL injection vulnerability by using timing. There are no known SQL injection vulnerabilities in recent versions of OpenCart. Extensions are a different matter entirely.
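An added example, not part of the original posts and not OpenCart code: a small scanner that looks for the timing probe quoted in the first post, both in submitted form fields and in the query strings of combined-format access-log lines, where the post above says the traffic will show up. The rule names, sample IPs and log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Both patterns are taken from the payload quoted in the first post.
RULES = {
    "sleep-call": re.compile(r"\bsleep\s*\(\s*\d+(?:\.\d+)?\s*\)", re.I),
    "now-equals-sysdate": re.compile(r"\bnow\s*\(\s*\)\s*=\s*sysdate\s*\(\s*\)", re.I),
}
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def find_probes(value):
    """Names of every rule that matches one already-decoded input value."""
    return [name for name, rule in RULES.items() if rule.search(value)]

def scan_fields(fields):
    """Map each suspicious form field to the rules it triggered."""
    return {k: hits for k, v in fields.items() if (hits := find_probes(v))}

def scan_request(target):
    """Findings for one request target (path plus query string)."""
    findings = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        findings += find_probes(value)  # parse_qsl has already URL-decoded value
        # A non-digit page value is what triggers "non well formed numeric" notices.
        if key == "page" and not (value.isascii() and value.isdigit()):
            findings.append("non-numeric-page")
    return findings

def scan_access_log(lines):
    """Count flagged requests per client IP in combined-format log lines."""
    flagged = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and scan_request(m.group(2)):
            flagged[m.group(1)] += 1
    return dict(flagged)

# Constructed samples: fields from the quoted form, plus made-up log lines.
FORM = {"customer": "ikgzMOBX if(now()=sysdate(),sleep(15),0)",
        "email": "testing@example.com", "product": "ikgzMOBX", "comment": "555"}
LOG = [
    '203.0.113.7 - - [11/Jan/2024:10:00:01 +0000] "GET /index.php?route=product/search&page=1%20if(now()%3Dsysdate()%2Csleep(15)%2C0) HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Jan/2024:10:00:02 +0000] "GET /index.php?route=product/search&search=x%20if(now()%3Dsysdate()%2Csleep(15)%2C0) HTTP/1.1" 200 512',
    '198.51.100.4 - - [11/Jan/2024:10:00:03 +0000] "GET /index.php?route=product/search&search=sleep+mask&page=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(scan_fields(FORM), scan_access_log(LOG))
```

A per-IP count from the access log gives the list of addresses to block at the firewall; the legitimate search for "sleep mask" is not flagged because the rule requires a numeric call argument.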
Re: A bit confused about Google reCaptcha and hack attempts
Posted: Sat Jan 13, 2024 3:40 am
by Cue4cheap
Thank you for the feedback, it is informative.
The problem I have now, I guess, is that they are overloading my store. AKA "MySQL server has gone away".
My webhost isn't helpful and for some reason adding the deny from with the IP address in the htaccess doesn't seem to stop it either.
Oh what fun - just as I was rebuilding my site I am frozen out at times.
Mike
Re: A bit confused about Google reCaptcha and hack attempts
Posted: Sat Jan 13, 2024 6:14 am
by ADD Creative
It's not unusual for these attacks to come from multiple IP addresses. Sometimes there are other options for blocking bots. This topic has some suggestions.
viewtopic.php?t=225771&start=40#p837105
Re: A bit confused about Google reCaptcha and hack attempts
Posted: Sat Jan 13, 2024 2:41 pm
by Cue4cheap
Wow what a day with my webhost.... This is stunning... Along with the sql injection attempts I also kept having "Uncaught Exception: Error: MySQL server has gone away".
To try and stop this I tried to block a couple of IPs then finally blocked Netherlands since that was where the IP addresses were coming from (and I don't ship there anyway).
I also put in ninja firewall.
I tried to open a ticket with my webhost and they IMMEDIATELY said "your site has too many redirects and is confusing the server" then "your site is infected and we need to scan it before anything else we can look into"
So after too long they FINALLY showed me what they based those two statements on....
1) The lines in the htaccess file for the multi-store setup (i.e. the different domains for the different stores)
2) The different deny statements in the htaccess file as "proof" the site is infected. See attached image of that statement.
I asked for a transcript of the chat and they said I would get one emailed to me but nope! I am sure they didn't want that floating around. The statements they made in chat were "you don't know what you are doing" "your site is infected" "The server isn't the issue" "Server going away is because your configuration" etc.
Note: I didn't make any changes until the first few emails with the sql injection attempts. Then I adjusted the htaccess file to try and block IPs. Everything was static for 8 months prior.
Mike
Re: A bit confused about Google reCaptcha and hack attempts
Posted: Sat Jan 13, 2024 8:06 pm
by ADD Creative
That is bad support. It might be worth the hassle of changing hosts, once you have everything stable again.
Re: A bit confused about Google reCaptcha and hack attempts
Posted: Sat Jan 13, 2024 10:11 pm
by Cue4cheap
ADD Creative wrote: ↑Sat Jan 13, 2024 8:06 pm
That is bad support. It might be worth the hassle of changing hosts, once you have everything stable again.
I agree but the issues are... I am paid up until 2026 and, as you wrote, the hassle of moving hosts.
As a "funny" ... I changed ninja firewall's setting to block the main IP that was trying sql injections and the "server has gone away" entries in the log stopped about 45 seconds later. It appears the htaccess entries were not blocking them.
Mike
Re: A bit confused about Google reCaptcha and hack attempts
Posted: Sat Jan 13, 2024 10:57 pm
by ADD Creative
A bit hard to see from your screenshot. But it could be the order "Order Deny,Allow", but you have an "Allow from all", which will override the deny entries.
Re: A bit confused about Google reCaptcha and hack attempts
Posted: Sun Jan 14, 2024 12:58 am
by Cue4cheap
ADD Creative wrote: ↑Sat Jan 13, 2024 10:57 pm
A bit hard to see from your screenshot. But it could be the order "Order Deny,Allow", but you have an "Allow from all", which will override the deny entries.
You are right. In my frustration I put that in there... I'm too used to Cisco ACLs with implicit deny all at the end.
Thank you,
Mike
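An added example, not from the thread and not Apache's own code: a minimal model of how Apache's `Order` / `Allow from` / `Deny from` directives are evaluated, showing why the `Allow from all` discussed in the last two posts cancelled the deny entries. It handles only full IPs, CIDR ranges and `all`; the two .htaccess snippets and the addresses are constructed.

```python
import ipaddress

def _matches(spec, ip):
    """True if an 'Allow from' / 'Deny from' argument covers the client IP."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def parse(config):
    """Extract the Order and the Allow/Deny arguments from .htaccess text."""
    order, allow, deny = "deny,allow", [], []   # Deny,Allow is Apache's default
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        kind = words[0].lower() if words else ""
        if kind == "order" and len(words) >= 2:
            order = "".join(words[1:]).lower()
        elif kind in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allow if kind == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(config, ip):
    """Apply the Order semantics; the position of lines in the file is irrelevant."""
    order, allow, deny = parse(config)
    allowed = any(_matches(s, ip) for s in allow)
    denied = any(_matches(s, ip) for s in deny)
    if order == "deny,allow":
        # Deny is checked first, Allow last: an Allow match wins, default is allow.
        return allowed or not denied
    # Allow,Deny: Allow is checked first, Deny last: a Deny match wins, default is deny.
    return allowed and not denied

# Constructed configuration matching the situation described in the thread.
BROKEN = """
Order Deny,Allow
Deny from 203.0.113.7
Deny from 198.51.100.0/24
Allow from all
"""
# Same entries with the order reversed so that Deny has the last word.
FIXED = """
Order Allow,Deny
Allow from all
Deny from 203.0.113.7
Deny from 198.51.100.0/24
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, is_allowed(cfg, "203.0.113.7"), is_allowed(cfg, "192.0.2.10"))
```

Unlike a Cisco ACL, nothing here is first-match: every line is collected and `Order` alone decides which group wins, so keeping `Order Deny,Allow` and simply deleting `Allow from all` also makes the deny entries take effect.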