Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Password attack help

Discussion in 'Security' started by wrongersine, Sep 22, 2017.

  1. wrongersine

    wrongersine Registered

    Joined:
    Sep 22, 2017
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    I was hoping someone can assist us mitigating an ongoing attack. We are a design agency who use Opencart for our clients. We have several servers with a dozen or so installations on each.

    Recently there was a Python script released that can password attack the Opencart admin. It hits the admin page directly and from what I can work out from the code it recognizes it has been successful by checking for a cookie. Most of our domains are being hit.

    Opencart gives a HTTP/1.1" 200 on a failed login. The user-agent is always different and the IP's are being cycled. We have also seen an attack from a CloudFlare range of IPs. The attack is slow so it isn't effecting the server load in any way.

    cphulkd isnt picking it up. We have CSF installed, I'm not sure if this could help in some way.

    I have tried various Mod Security rules but I'm not having any luck as I don't really know what I am doing. I have tried to modify the widely used Wordpress password attack rule but that didn't work either

    I think there may be several variations of the attack script as there are two styles of logs
    Code:
    163.172.22.148 - - [21/Sep/2017:15:49:06 +0100] "POST /admin/index.php HTTP/1.1" 200 3826 "-" "python-requests/2.11.1"
    
    and
    Code:
    45.77.89.33 - - [22/Sep/2017:01:51:29 +0100] "POST /admin/index.php?route=common/login HTTP/1.1" 200 3926 "http://www.example.co.uk/admin/index.php" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.6.2 Safari/533.24"
    This is what I have so far for Mod Security but they are not catching anything so they are clearly not quite right.
    Code:
    SecRule REQUEST_HEADERS:User-Agent "python-requests/2.9.1" "id:10000002,rev:1,severity:2,nolog,msg:'Python'"
    
    <LocationMatch "/admin/index.php">
        SecAction "phase:2,chain,log,id:5001022"
        SecRule REQUEST_METHOD "^POST$" "chain"
        SecRule ARGS_POST_NAMES "^username$" "chain"
        SecRule ARGS_POST_NAMES "^password$" "chain"
        SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"
    
        SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'Blocked for %{TX.block_ttl} sec',id:5001023"
    
    </LocationMatch>
    
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /usr/local/apache/conf/badbots.txt" "id:350001,rev:1,severity:2,nolog,msg:'BAD BOT - Detected and Blocked. '"
    
    SecRule REQUEST_HEADERS:User-Agent "python-requests/2.11.1" "nolog,drop,id:2002002"
    
    If anyone has some ideas it would be appreciated

    Thanks in advance
     
    #1 wrongersine, Sep 22, 2017
    Last edited by a moderator: Sep 22, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    I'll leave this thread open for feedback from other users who might also use OpenCart, however you may find more feedback to this type of question on a website where more security related discussions occur (e.g. WebHostingTalk, StackOverflow), or even from OpenCart's support. Additionally, we provide a list of companies offering system administration services on the following URL should you decide to seek help from a professional:

    System Administration Services | cPanel Forums

    That said, I did want to respond to the following quote:

    cPHulk is not designed to block brute force attempts to websites over the Apache service.

    Thank you.
     
    wrongersine likes this.
Loading...

Share This Page