LucianoZ, posted January 24, 2022
Today we were caught off guard by a decentralized brute-force attack coming from several different ASNs, the main ones being 2 Amazon ASNs, with many different IPs. I suspect there is some very serious flaw in some Amazon proxy that is letting malicious people concentrate the attack on specific URLs. Talking to some friends/acquaintances, most were having problems with OpenCart, where they were receiving attacks against OpenCart's /admin. These attacks already arrive as POSTs with the sole purpose of brute-forcing, or of running until your server goes down if there is no resource isolation between accounts, since the number of requests per second can cause overloads. In a little over 24 hours of capture there were more than 700 thousand requests, more than 80% of them coming from Amazon; from what I noticed this attack started yesterday and intensified today. One alternative I would like to leave for users is to create a firewall rule via CDN to keep this attack from affecting you until it is fixed or stopped. You can do this through Cloudflare with a custom firewall rule; I leave my suggestion here, attached to the post. It is worth noting that the attacks come from the following ASNs (AS14618, AS16509); there is also other traffic coming from other ASNs, but in low volume, the majority being caused by Amazon, so blocking the ASNs mentioned above should also resolve it temporarily. Just make sure to test that you do not depend on receiving any callbacks from IPs associated with the ASNs mentioned above.
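Added example (not the attachment from the original post): two custom Cloudflare firewall rule expressions of the kind LucianoZ describes, assuming the store still uses the default /admin path; 203.0.113.10 is a placeholder for your own address and must be replaced, otherwise the second rule locks you out too.

```text
Rule "Block OpenCart admin brute force from the Amazon ASNs" (action: Block)
(http.request.method eq "POST" and http.request.uri.path contains "/admin" and ip.geoip.asnum in {14618 16509})

Rule "Challenge every other admin POST except my own address" (action: Managed Challenge)
(http.request.method eq "POST" and http.request.uri.path contains "/admin" and not ip.src in {203.0.113.10})
```

As the post warns, test the first rule against any integration that calls back from AWS-hosted services, and prefer Managed Challenge over Block where legitimate users might be caught.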
Guilherme Siqueira, posted January 24, 2022 (edited)
The same is happening at the agency where I work. Luckily, only one site seems to have been affected, but the result is this:
*All these firewall events occurred within the last 5 hours, through the bot protection mode
andre, posted January 24, 2022
Man, I spent the whole night on this, I thought it was only here lol. I put the sites behind Cloudflare in Under Attack mode and it resolved it. But when I disable it, it goes back up.
Marks, posted January 24, 2022
2 hours ago, andre said: Man, I spent the whole night on this, I thought it was only here lol. I put the sites behind Cloudflare in Under Attack mode and it resolved it. But when I disable it, it goes back up.
Yikes, I'm going to check right away; I have a client whose server was a bit strange, but I didn't know it was this.
DELTA SERVERS, posted January 25, 2022
There were cases here too. Enable Leech Protection, set error limits, and for the redirect URL use Cloudflare's, done. OpenCart has some flaw and they are trying to exploit it.
Fabio S Araujo, posted January 25, 2022
Here I use Cloudflare and MalCare; since I implemented that, they filter everything. MalCare helps to block the bots that keep trying to log in, post comments, etc.
andre, posted January 25, 2022
I turned off Cloudflare's Under Attack mode this morning and it seems to have normalized; so far it's normal, I'll keep monitoring.
daemoncesar, posted January 25, 2022 (edited)
Same here...
127.0.0.1:80 172.68.50.43 - - [25/Jan/2022:15:07:35 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.104.222 - - [25/Jan/2022:15:07:37 -0300] "POST /admin/ HTTP/1.1" 200 1964 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.68.177.137 - - [25/Jan/2022:15:07:38 -0300] "POST /admin/ HTTP/1.1" 200 1962 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.162.61 - - [25/Jan/2022:15:07:41 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 108.162.229.225 - - [25/Jan/2022:15:07:42 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.91.148 - - [25/Jan/2022:15:07:42 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.122.251 - - [25/Jan/2022:15:07:43 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.129.91 - - [25/Jan/2022:15:07:43 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 108.162.229.203 - - [25/Jan/2022:15:07:49 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.106.135 - - [25/Jan/2022:15:07:51 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.69.34 - - [25/Jan/2022:15:07:52 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.242.179 - - [25/Jan/2022:15:07:53 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.130.105 - - [25/Jan/2022:15:07:53 -0300] "POST /admin/ HTTP/1.1" 200 1969 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.68.110.121 - - [25/Jan/2022:15:07:54 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.162.49 - - [25/Jan/2022:15:07:59 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.104.160 - - [25/Jan/2022:15:08:04 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.246.119 - - [25/Jan/2022:15:08:05 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.210.171 - - [25/Jan/2022:15:08:05 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.246.179 - - [25/Jan/2022:15:08:07 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.105.93 - - [25/Jan/2022:15:08:13 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 198.41.242.195 - - [25/Jan/2022:15:08:14 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 141.101.69.34 - - [25/Jan/2022:15:08:14 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.92.233 - - [25/Jan/2022:15:08:16 -0300] "POST /admin/ HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.50.80 - - [25/Jan/2022:15:08:16 -0300] "POST /admin/ HTTP/1.1" 200 1961 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.178.111 - - [25/Jan/2022:15:08:17 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.50.16 - - [25/Jan/2022:15:08:17 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.206.141 - - [25/Jan/2022:15:08:17 -0300] "POST /admin/ HTTP/1.1" 200 1963 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.230.71 - - [25/Jan/2022:15:08:22 -0300] "POST /admin/ HTTP/1.1" 200 1961 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 162.158.50.16 - - [25/Jan/2022:15:08:22 -0300] "POST /admin/ HTTP/1.1" 200 1965 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
127.0.0.1:80 172.70.147.101 - - [25/Jan/2022:15:08:22 -0300] "POST /admin/ HTTP/1.1" 200 1967 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
There's no way to block these IPs because they belong to Cloudflare. I'm thinking of migrating to Amazon's CDN.
andre, posted January 25, 2022
13 minutes ago, daemoncesar said: Same here... There's no way to block these IPs because they belong to Cloudflare. I'm thinking of migrating to Amazon's CDN.
I managed to resolve it with @LucianoZ's tip, have you checked that? Though if it's many sites it gets complicated doing it one by one.
daemoncesar, posted January 25, 2022 (edited)
I created the rule; the problem is that now not even I can get in lol.