cancel
Showing results for 
Search instead for 
Did you mean: 

Brute Force

SOLVED

Brute Force

Hey All,

 

This one is for the hosting companies.

 

IP 46.19.141.238 was being used to simultaneously try and access multiple Magento servers at the same time via bruteforce attacks. Going through Alphabetically a list of usernames and passwords.

 

I think I was more disturbed by the fact that it was hitting just about every Magento installation under our roof and trying to find admin URL and if found, trying brute force.

 

What's a bit strange is, fully patched stores with custom admin urls were being brute forced on their admin login urls.

 

5 REPLIES

Re: Brute Force

On the custom admin URL? or on Magento's stock /admin/ URL?

 

If it's on the custom admin URL, I'm guessing the problem that Magento had of leaking the SBO custom link is still there.

 

Looks like some log analysis is in order to find the initial contact that gets Magento to disclose the custom admin URL in that case.

 

Also, the ability to find the custom admin URL is likely possible if the Admin Routing Compatibility mode introduced by SUPEE-6788 isn't disabled.

Re: Brute Force

Been getting hit with these which try to expose the admin log-in.

 

/downloader/?return=http://www.example.com/index.php/admin/

Re: Brute Force

Copy of access logs

 

46.19.141.238 - Kenneth [09/Apr/2016:03:16:50 +0100] "GET /rss/catalog/review/ HTTP/1.1" 401 36 "-" "-" "-"
46.19.141.238 - Kenny [09/Apr/2016:03:20:56 +0100] "GET /rss/catalog/review/ HTTP/1.1" 302 5 "-" "-" "-"
46.19.141.238 - Kenny [09/Apr/2016:03:24:31 +0100] "GET /rss/catalog/review/ HTTP/1.1" 302 5 "-" "-" "-"
46.19.141.238 - Kensley [09/Apr/2016:03:28:12 +0100] "GET /rss/catalog/review/ HTTP/1.1" 401 36 "-" "-" "-"
46.19.141.238 - Kensley [09/Apr/2016:03:31:54 +0100] "GET /rss/catalog/review/ HTTP/1.1" 302 5 "-" "-" "-"

 

 

 

Re: Brute Force

ok, so it appears to have gotten a bit more interesting in how to try usernames and passwords out without being detected.

 

209.222.96.250 - CardGate [13/Apr/2016:12:14:06 +0100] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 36 "-" "-" "-"

 

The RSS notify stock requires authentication to view. So you can keep trying your luck at getting a positive response back from logging in. RSS feeds were also disabled on the installation, however it was still giving the auth login page, rather than redirecting back to the homepage.

Re: Brute Force

Hi,

 

Incalsula software provide security ,load balancing,many ,Enterprise Grade Website Security ,DDoS Protection and many feature.

 

Kindly have a look it might be useful solution. Link is here

-Thanks & Regards,Shahab