Post by mgermaine8 » Sun Jan 23, 2022 12:48 pm

Around 5:30 this afternoon my CPU usage shot up from 40% to 100% and memory went from 100 MB to 2 GB (the limit). Now pages either load slowly or not at all, or more often a "service unavailable" 503 error. Turns out /admin/index.php is running dozens of times per minute even when I'm not logged in as admin. I can kill them from the linux command line, but they come right back. Does this sound like some kind of brute-force or DDOS attack? I asked my hosting tech support, and he suggested I look into Cloudflare DNS. In the mean time, I've put the site in maintenance mode and changed my admin password. Does anyone know what might be going on?

Newbie

Posts

Joined
Sat May 02, 2020 3:43 pm

Post by by mona » Sun Jan 23, 2022 1:58 pm


DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84


User avatar
Expert Member

Posts

Joined
Mon Jun 10, 2019 9:31 am

Post by mgermaine8 » Sun Jan 23, 2022 3:21 pm

Thank you Mona. I was freaking out too much to do a proper search. I temporarily stopped the attack by changing the name of the index file, then made the recommended code change and password protected the admin directory before changing the name back. I plan to make some other security upgrades on the server as well.

Newbie

Posts

Joined
Sat May 02, 2020 3:43 pm

Post by JNeuhoff » Mon Jan 24, 2022 6:20 pm

What's in your server's raw access log?

As by mona pointed out, it could be the well know bruteforce attacker, in which case you might want to add this to the beginning of your admin/index.php file:

Code: Select all

if ($_SERVER['HTTP_USER_AGENT'] == 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0') {
	header('HTTP/1.0 403 Forbidden');
	exit;
}
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	if (empty($_GET)) {
		header('HTTP/1.0 403 Forbidden');
		exit;
	}
}

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig


User avatar
Guru Member

Posts

Joined
Wed Dec 05, 2007 3:38 am


Post by paulfeakins » Mon Jan 24, 2022 7:58 pm

We're seeing this DDoS on a lot of OC sites today: viewtopic.php?f=179&t=225771

We'll soon be posting a vQmod fix on the thread above.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk


User avatar
Guru Member
Online

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - London Gatwick, United Kingdom
Who is online

Users browsing this forum: sidclel and 86 guests