Post by ahostking.com » Mon Oct 11, 2021 1:43 pm

We have been facing high bandwidth usage since last week. All the websites are using normal bandwidth, but websites running the OpenCart script/CMS are consuming too much bandwidth, 10 GB a day.

Following are the example logs for your reference.

===========
178.33.123.234 - - [08/Oct/2021:05:05:47 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.158.154.12 - - [08/Oct/2021:05:05:48 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
216.55.177.28 - - [08/Oct/2021:05:05:48 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
193.87.79.102 - - [08/Oct/2021:05:05:49 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
185.117.82.66 - - [08/Oct/2021:05:05:50 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
45.79.239.73 - - [08/Oct/2021:05:05:57 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.254.22.101 - - [08/Oct/2021:05:06:00 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
108.175.2.242 - - [08/Oct/2021:05:06:04 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
84.34.147.54 - - [08/Oct/2021:05:06:09 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
84.34.147.54 - - [08/Oct/2021:05:06:11 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
51.178.39.31 - - [08/Oct/2021:05:06:12 -0700] "POST /admin/ HTTP/1.1" 500 7309 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
--------------------------

Furthermore, we even upgraded the script but are still facing the same error. We have already checked all firewall and modsec settings on the server, but no gains.


Post by JNeuhoff » Mon Oct 11, 2021 5:22 pm

We had the same issue with several of our client's websites, see this forum thread for a solution.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig



Post by ADD Creative » Mon Oct 11, 2021 5:36 pm

Looks like a brute-force attack on your admin, which is causing a server error. You need to prevent access to admin. Use an allow list if you can. Otherwise, password protecting, renaming or blocking by user agent, etc.

Then you need to look in your server / PHP error log to see what is causing the 500 error.

www.add-creative.co.uk
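
A log-analysis sketch for the pattern in the excerpt at the top of the thread, added as an example and not code from any poster here: it counts POSTs to the admin path that carry no query string (the same criterion as the PHP guard posted later in the thread) and checks whether they come from many addresses sharing one user agent. The function names, the thresholds and the last two sample entries are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format, the format of the excerpt posted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
BOT_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
OTHER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"  # constructed
BARE_POST = "POST /admin/ HTTP/1.1"


def _entry(ip, hms, request, status, size, ua):
    return f'{ip} - - [08/Oct/2021:{hms} -0700] "{request}" {status} {size} "-" "{ua}"'


# The first seven entries repeat requests from the thread's excerpt; the last two
# are constructed legitimate requests (documentation IP ranges, made-up sizes).
SAMPLE_LOG = [
    _entry("178.33.123.234", "05:05:47", BARE_POST, 500, 7309, BOT_UA),
    _entry("51.158.154.12", "05:05:48", BARE_POST, 500, 7309, BOT_UA),
    _entry("216.55.177.28", "05:05:48", BARE_POST, 500, 7309, BOT_UA),
    _entry("193.87.79.102", "05:05:49", BARE_POST, 500, 7309, BOT_UA),
    _entry("185.117.82.66", "05:05:50", BARE_POST, 500, 7309, BOT_UA),
    _entry("84.34.147.54", "05:06:09", BARE_POST, 500, 7309, BOT_UA),
    _entry("84.34.147.54", "05:06:11", BARE_POST, 500, 7309, BOT_UA),
    _entry("192.0.2.10", "05:06:02", "GET /index.php?route=common/home HTTP/1.1", 200, 18211, OTHER_UA),
    _entry("203.0.113.7", "05:06:05", "POST /admin/index.php?route=common/login HTTP/1.1", 200, 5120, OTHER_UA),
]


def summarize_bare_admin_posts(lines, admin_path="/admin/"):
    """Summarize POSTs to admin_path that have an empty query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path, _, query = m["target"].partition("?")
        if m["method"] == "POST" and path == admin_path and not query:
            hits.append(m)
    if not hits:
        return None
    per_ip = Counter(m["ip"] for m in hits)
    ua, ua_count = Counter(m["ua"] for m in hits).most_common(1)[0]
    times = [datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z") for m in hits]
    return {
        "requests": len(hits),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values()),
        "top_user_agent": ua,
        "top_ua_share": ua_count / len(hits),
        "statuses": dict(Counter(int(m["status"]) for m in hits)),
        "bytes_sent": sum(int(m["size"]) for m in hits if m["size"] != "-"),
        "span_seconds": (max(times) - min(times)).total_seconds(),
    }


def looks_distributed(summary, min_ips=5, max_per_ip=3, min_ua_share=0.9):
    """Many sources, few requests each, one dominant user agent (assumed thresholds)."""
    return (summary is not None
            and summary["distinct_ips"] >= min_ips
            and summary["max_per_ip"] <= max_per_ip
            and summary["top_ua_share"] >= min_ua_share)


if __name__ == "__main__":
    report = summarize_bare_admin_posts(SAMPLE_LOG)
    print(report, looks_distributed(report))
```

On the sample, each address sends only one or two requests, so the features that stay constant across the traffic are the bare POST to the admin path and the single shared user agent.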



Post by JNeuhoff » Mon Oct 11, 2021 5:45 pm

It's actually a combined DDoS and bruteforce attack. The Internal Server 500 error is most likely caused by the MySQL server where the 'oc_session' DB table will have a few hundred thousand entries by now. The other forum thread explains how to solve it.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig



Post by paulfeakins » Mon Oct 11, 2021 7:00 pm

Interesting one. CloudFlare may help too.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk



Post by JNeuhoff » Mon Oct 11, 2021 7:27 pm

paulfeakins wrote:
Mon Oct 11, 2021 7:00 pm
Interesting one. CloudFlare may help too.

It might, but in our experience CloudFlare makes websites slower. A better tool is Bitninja with an enabled browser integrity check on the admin URL of the domain.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig



Post by paulfeakins » Mon Oct 11, 2021 7:30 pm

JNeuhoff wrote:
Mon Oct 11, 2021 7:27 pm
A better tool is Bitninja with an enabled browser integrity check on the admin URL of the domain.

We'll have a look, thanks!

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk



Post by JNeuhoff » Mon Oct 11, 2021 7:35 pm

And even with all these tools installed, this particular attacker will probably run his bruteforce campaign for several weeks before giving up!

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig



Post by by mona » Tue Oct 12, 2021 2:07 am

Code: Select all

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
	if (empty($_GET)) {
		header('HTTP/1.0 403 Forbidden');
		exit;
	}
}

This might still send an error document, which will still count.
Better define an ErrorDocument for a 405 Method Not Allowed and add to your server config:

Code: Select all

# method not allowed
ErrorDocument 405 %{unescape:%00}

This will make sure that zero bytes are returned.

Then use this as JNeuhoff suggested.

Code: Select all

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
	if (empty($_GET)) {
		header($_SERVER['SERVER_PROTOCOL'] . " 405 Method Not Allowed", true);
		exit;
	}
}

DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84



Post by fea1845 » Tue Nov 30, 2021 12:59 pm

and add this to your .htaccess file:

