help with password attack

Gary
2017-09-22
2017-09-22
  • Gary

    Gary - 2017-09-22

    I was hoping someone can assist us in mitigating an ongoing attack. We use OpenCart. We have several servers with a dozen or so installations on each.

    Recently a Python script was released that can password-attack the OpenCart admin. It hits the admin page directly and, from what I can work out from the code, it recognises that it has been successful by checking for a cookie. Most of our domains are being hit.

    OpenCart gives an HTTP/1.1 200 on a failed login. The user agent is always different and the IPs are being cycled. We have also seen an attack from a Cloudflare range of IPs. The attack is slow, so it isn't affecting the server load in any way.

    I have tried various ModSecurity rules but I'm not having any luck, as I don't really know what I am doing. I have tried to modify the widely used WordPress password-attack rule, but that didn't work either.

    I think there may be several variations of the attack script, as there are two styles of log lines:

    163.172.22.148 - - [21/Sep/2017:15:49:06 +0100] "POST /admin/index.php HTTP/1.1" 200 3826 "-" "python-requests/2.11.1"

    and

    45.77.89.33 - - [22/Sep/2017:01:51:29 +0100] "POST /admin/index.php?route=common/login HTTP/1.1" 200 3926 "http://www.example.co.uk/admin/index.php" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.6.2 Safari/533.24"

    This is what I have so far for ModSecurity, but the rules are not catching anything, so they are clearly not quite right.

    # Exact-version User-Agent match. The original had no phase and no disruptive
    # action, so it matched but never blocked; phase:1 and deny make it effective.
    SecRule REQUEST_HEADERS:User-Agent "python-requests/2.9.1" "id:10000002,rev:1,phase:1,deny,status:403,severity:2,log,msg:'Python'"

    # The ip.* counters below only exist once the ip collection is initialised
    # (needs SecDataDir to be configured). This line was missing from the original.
    SecAction "id:5001020,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
    # The TX thresholds referenced below were never set in the original; the
    # values here are placeholders to tune (attempts per window, window and block in seconds).
    SecAction "id:5001021,phase:1,nolog,pass,setvar:tx.max_requests=10,setvar:tx.requests_ttl=300,setvar:tx.block_ttl=600"

    <LocationMatch "/admin/index.php">
    # Count each POST to the admin login that carries both a username and a password field.
    SecAction "phase:2,chain,log,pass,id:5001022"
    SecRule REQUEST_METHOD "^POST$" "chain"
    SecRule ARGS_POST_NAMES "^username$" "chain"
    SecRule ARGS_POST_NAMES "^password$" "chain"
    SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"

    # Drop the request once the per-IP counter reaches the threshold and flag the IP.
    SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'Blocked for %{TX.block_ttl} sec',id:5001023"
    # Keep dropping a flagged IP for the rest of its block period (not in the original).
    SecRule IP:blocked "@eq 1" "phase:1,drop,log,id:5001024,msg:'IP still blocked'"
    </LocationMatch>

    # As posted, this rule only logged a message; deny makes it match the msg text.
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /usr/local/apache/conf/badbots.txt" "id:350001,rev:1,phase:1,deny,status:403,severity:2,log,msg:'BAD BOT - Detected and Blocked.'"

    SecRule REQUEST_HEADERS:User-Agent "python-requests/2.11.1" "phase:1,nolog,drop,id:2002002"

    If anyone has some ideas it would be appreciated

    Thanks in advance
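
The post describes two signals worth checking for in the access logs before tuning a WAF rule: the per-IP login rate (which the chained ModSecurity rule above counts) and, because the IPs are being cycled, the number of distinct source addresses posting to the admin login inside a short window. The script below is an added example, not code from the post or from OpenCart or ModSecurity. It parses Apache combined-format lines like the two quoted above, keeps only POSTs to /admin/index.php (bare or with route=common/login), and reports per-IP counts, python-requests user agents, and the peak number of distinct IPs seen in any sliding window. The log lines, addresses, thresholds and function names are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation-range IPs, not real attacker addresses).
SAMPLE_LOG = """\
198.51.100.10 - - [21/Sep/2017:15:49:06 +0100] "POST /admin/index.php HTTP/1.1" 200 3826 "-" "python-requests/2.11.1"
198.51.100.11 - - [21/Sep/2017:15:50:12 +0100] "POST /admin/index.php HTTP/1.1" 200 3826 "-" "python-requests/2.11.1"
198.51.100.12 - - [21/Sep/2017:15:51:40 +0100] "POST /admin/index.php?route=common/login HTTP/1.1" 200 3926 "http://shop.example/admin/index.php" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.6.2 Safari/533.24"
198.51.100.13 - - [21/Sep/2017:15:52:03 +0100] "POST /admin/index.php HTTP/1.1" 200 3826 "-" "python-requests/2.9.1"
203.0.113.5 - - [21/Sep/2017:15:53:00 +0100] "GET /admin/index.php HTTP/1.1" 200 3800 "-" "Mozilla/5.0"
203.0.113.6 - - [21/Sep/2017:15:53:30 +0100] "POST /index.php?route=checkout/cart HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.10 - - [21/Sep/2017:16:40:00 +0100] "POST /admin/index.php HTTP/1.1" 200 3826 "-" "python-requests/2.11.1"
""".splitlines()


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def is_admin_login_post(entry):
    """True for a POST to the OpenCart admin entry point. Both shapes seen in
    the post qualify: bare /admin/index.php and ?route=common/login."""
    if entry["method"] != "POST":
        return False
    parts = urlsplit(entry["target"])
    if parts.path != "/admin/index.php":
        return False
    route = parse_qs(parts.query).get("route", [None])[0]
    return route in (None, "common/login")


def analyse(lines, window=timedelta(minutes=10), per_ip_max=5, distinct_ip_max=3):
    """Summarise admin login POSTs: per-IP totals, scripted user agents, and the
    largest number of distinct source IPs inside any sliding window, which is
    the signal that survives IP cycling and rotating user agents."""
    events = [e for e in map(parse_line, lines) if e and is_admin_login_post(e)]
    events.sort(key=lambda e: e["time"])
    per_ip = Counter(e["ip"] for e in events)
    scripted = sorted({e["ip"] for e in events if e["ua"].startswith("python-requests/")})
    peak_distinct, start = 0, 0
    for i, e in enumerate(events):
        # Advance the window start past events older than `window` before this one.
        while events[start]["time"] < e["time"] - window:
            start += 1
        peak_distinct = max(peak_distinct, len({x["ip"] for x in events[start:i + 1]}))
    return {
        "login_posts": len(events),
        "noisy_ips": sorted(ip for ip, n in per_ip.items() if n >= per_ip_max),
        "scripted_ua_ips": scripted,
        "peak_distinct_ips_in_window": peak_distinct,
        "distributed": peak_distinct >= distinct_ip_max,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, per_ip_max=2))
```

On the sample, no single IP is noisy at a realistic per-IP threshold, yet four distinct addresses hit the login inside three minutes; that is why a rule keyed on `ip.request_count` alone stays quiet against this attack, while a global counter for the login URL (or the per-window distinct-IP figure this script reports) fires.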

  • Chaim Sanders

    Chaim Sanders - 2017-09-25

    Please open such issues on GitHub to get assistance: https://github.com/SpiderLabs/owasp-modsecurity-crs
