
Mass attacks on OpenCart


LucianoZ

Today we were caught off guard by a decentralized brute-force attack coming from several different ASNs, mainly from 2 Amazon ASNs, with many different IPs.
I suspect there is some very serious flaw in some Amazon proxy that is allowing malicious people to concentrate the attack on particular URLs.

Talking to some friends/acquaintances, most of them were having problems with OpenCart, receiving attacks against OpenCart's /admin.

These attacks are already arriving formed as POST requests, purely as a brute-force attempt, or until your server goes down if it has no resource isolation between accounts, since the volume of requests per second can cause overload.

In a little over 24h of capture there were more than 700.00 thousand requests, over 80% of them coming from Amazon; from what I noticed, this attack started yesterday and intensified today.

One alternative I would like to leave for users is to create a firewall rule via CDN so that this attack does not affect you until it is fixed or stopped.
You can do this through Cloudflare with a custom firewall rule; I leave my suggestion here.

Attached to the post.

It is worth pointing out that the attacks come from the following ASNs (AS14618, AS16509); there is also other traffic coming from other ASNs, but in low volume, the majority being caused by Amazon, so blocking the ASNs mentioned above should also resolve it temporarily. Just make sure to test that you do not depend on receiving any callback from IPs associated with the ASNs mentioned above.

Screenshot (37).png


The same is happening at the agency where I work. Luckily, only one site seems to have been affected, but the result is this:


*All of these firewall events occurred within the last 5 hours, through the bot protection mode

Edited by Guilherme Siqueira

2 hours ago, andre said:

Man, I spent the whole night on this, I thought it was only here lol. I put the sites on Cloudflare in Under Attack mode and it solved it. But when I disable it, it starts climbing again.


Whoa, I'll go take a look; I have a client whose server was acting a little strange, but I didn't know it was this.


Same here...

127.0.0.1:80 172.68.50.43 - - [25/Jan/2022:15:07:35 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.104.222 - - [25/Jan/2022:15:07:37 -0300] "POST /admin/ HTTP/1.1" 200 1964 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.68.177.137 - - [25/Jan/2022:15:07:38 -0300] "POST /admin/ HTTP/1.1" 200 1962 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.162.61 - - [25/Jan/2022:15:07:41 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 108.162.229.225 - - [25/Jan/2022:15:07:42 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.91.148 - - [25/Jan/2022:15:07:42 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.122.251 - - [25/Jan/2022:15:07:43 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.129.91 - - [25/Jan/2022:15:07:43 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 108.162.229.203 - - [25/Jan/2022:15:07:49 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.106.135 - - [25/Jan/2022:15:07:51 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.69.34 - - [25/Jan/2022:15:07:52 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.242.179 - - [25/Jan/2022:15:07:53 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.130.105 - - [25/Jan/2022:15:07:53 -0300] "POST /admin/ HTTP/1.1" 200 1969 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.68.110.121 - - [25/Jan/2022:15:07:54 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.162.49 - - [25/Jan/2022:15:07:59 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.104.160 - - [25/Jan/2022:15:08:04 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.246.119 - - [25/Jan/2022:15:08:05 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.210.171 - - [25/Jan/2022:15:08:05 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.246.179 - - [25/Jan/2022:15:08:07 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.105.93 - - [25/Jan/2022:15:08:13 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 198.41.242.195 - - [25/Jan/2022:15:08:14 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.69.34 - - [25/Jan/2022:15:08:14 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.92.233 - - [25/Jan/2022:15:08:16 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.50.80 - - [25/Jan/2022:15:08:16 -0300] "POST /admin/ HTTP/1.1" 200 1961 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.178.111 - - [25/Jan/2022:15:08:17 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.50.16 - - [25/Jan/2022:15:08:17 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.206.141 - - [25/Jan/2022:15:08:17 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.230.71 - - [25/Jan/2022:15:08:22 -0300] "POST /admin/ HTTP/1.1" 200 1961 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.50.16 - - [25/Jan/2022:15:08:22 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.147.101 - - [25/Jan/2022:15:08:22 -0300] "POST /admin/ HTTP/1.1" 200 1967 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"


There's no way to block these IPs because they belong to Cloudflare.

I'm thinking of migrating to Amazon's CDN.

Edited by daemoncesar
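As an added example (not code posted by anyone in this thread), the script below parses access-log lines in exactly the format daemoncesar pasted, measures the rate of POST /admin/ requests, checks whether the logged source address is a Cloudflare edge IP (which is why banning those addresses at the origin would only block Cloudflare itself), and builds the kind of Cloudflare firewall expression LucianoZ suggests for AS14618 and AS16509. Assumptions: the sample lines are constructed for this example (most are copied from the thread, two are invented using documentation addresses); the Cloudflare IPv4 ranges are a subset of the list Cloudflare publishes and should be refreshed from cloudflare.com/ips before use; the firewall expression uses the fields http.request.method, http.request.uri.path and ip.geoip.asnum and should be checked against current Cloudflare Rules documentation; the 10-per-minute alert threshold is arbitrary.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: lines copied from the thread plus two invented ones
# (203.0.113.9 is an ordinary visitor, 198.51.100.7 is a direct hit that did not
# come through Cloudflare). Apache combined log format with a "vhost:port" prefix.
SAMPLE_LOG = """\
127.0.0.1:80 172.68.50.43 - - [25/Jan/2022:15:07:35 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.104.222 - - [25/Jan/2022:15:07:37 -0300] "POST /admin/ HTTP/1.1" 200 1964 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 203.0.113.9 - - [25/Jan/2022:15:07:38 -0300] "GET /index.php?route=common/home HTTP/1.1" 200 14021 "-" "Mozilla/5.0 (constructed visitor)"
127.0.0.1:80 172.68.177.137 - - [25/Jan/2022:15:07:38 -0300] "POST /admin/ HTTP/1.1" 200 1962 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.162.61 - - [25/Jan/2022:15:07:41 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 108.162.229.225 - - [25/Jan/2022:15:07:42 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.91.148 - - [25/Jan/2022:15:07:42 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 198.51.100.7 - - [25/Jan/2022:15:07:50 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
"""

# Subset of Cloudflare's published IPv4 edge ranges (assumption: refresh this
# from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# vhost, source IP, ident, user, [timestamp], "METHOD path proto", status, bytes, referer, UA
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
    return rec


def is_cloudflare(ip):
    """True if the address falls inside one of the Cloudflare edge ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def summarize_admin_posts(lines, path="/admin/"):
    """Rate, source spread and response-size spread of POSTs to the admin login path."""
    events = [r for r in map(parse_line, lines)
              if r and r["method"] == "POST" and r["path"] == path]
    if not events:
        return {"count": 0, "per_minute": 0.0, "unique_ips": 0,
                "via_cdn": 0, "direct": [], "sizes": []}
    times = [r["time"] for r in events]
    span = max((max(times) - min(times)).total_seconds(), 1.0)
    return {
        "count": len(events),
        "per_minute": round(len(events) * 60 / span, 1),
        "unique_ips": len({r["ip"] for r in events}),
        # Requests whose logged source is a Cloudflare edge: the real client is hidden.
        "via_cdn": sum(1 for r in events if is_cloudflare(r["ip"])),
        # Requests that reached the origin without passing through Cloudflare.
        "direct": [r["ip"] for r in events if not is_cloudflare(r["ip"])],
        "sizes": sorted({r["size"] for r in events}),
    }


def is_bruteforce(summary, threshold_per_minute=10):
    """Arbitrary example threshold: sustained admin POSTs above this rate are suspicious."""
    return summary["per_minute"] >= threshold_per_minute


def cloudflare_block_expression(asns, path="/admin/"):
    """Cloudflare firewall-rule expression blocking admin POSTs from the given ASNs."""
    asn_set = " ".join(str(a) for a in sorted(set(asns)))
    return (f'(http.request.method eq "POST" and http.request.uri.path eq "{path}" '
            f'and ip.geoip.asnum in {{{asn_set}}})')


if __name__ == "__main__":
    s = summarize_admin_posts(SAMPLE_LOG.splitlines())
    print(s)
    print("brute-force suspected:", is_bruteforce(s))
    print(cloudflare_block_expression([14618, 16509]))
```

Two things the summary makes visible. Every POST in the thread's excerpt returned 200 with a body of roughly 1,961 to 1,969 bytes, consistent with the login form being re-rendered on each failed attempt, so the status code alone will not separate failures from successes and the near-constant response size is the more useful signal. And any addresses the script lists under "direct" mean the origin is reachable without the CDN, so a Cloudflare-side rule alone will not stop those; to block per client IP at the origin, have Apache log the client address Cloudflare forwards in CF-Connecting-IP (for example via mod_remoteip) instead of the edge address.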

13 minutes ago, daemoncesar said:

Same here...


There's no way to block these IPs because they belong to Cloudflare.

I'm thinking of migrating to Amazon's CDN.

I managed to solve it with @LucianoZ's tip, have you checked it out? Now if it's many sites, it gets complicated to do them 1 by 1.
