Defeating Magento Downloader Bruteforce

A large number of Magento sites have recently been attacked by a bot trying to bruteforce the admin username / password. The only standout identifier for this bot is that it either uses no user agent (the behavior seen in current requests) or uses a pre-specified user agent (the old behavior of this bot).

A sample HTTP access log entry can be seen here:

xxx.xxx.xxx.xxx - [07/Apr/2016:16:34:25 -0500] "GET /magento/ HTTP/1.1" 200 16420 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"

The IP is, of course, the IP of either a compromised user or server; blocking the attacking IP provides little relief due to the vast number of different IPs on different providers available to make the request with.
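Before deciding on a mitigation it helps to see how much of the traffic is actually this bot. The following is an added example, not code from the original post: it parses combined-format access log lines like the one above and flags login POSTs that match the two indicators described earlier (no user agent, or the fixed Firefox 28 agent, which this example assumes is the "pre-specified" one). The login paths and the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Apache combined log format, as in the access log entry quoted in the post.
# The identd/user fields are skipped so a collapsed "-" field still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Login endpoints the bot targets; the admin frontname is an assumption, adjust for your site.
LOGIN_PATHS = ("/downloader/", "/index.php/admin", "/admin")

# Assumption: the agent string from the post's sample entry is the old bot's fixed agent.
OLD_BOT_UA_PREFIX = "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0)"

def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_bot_like(entry):
    """A login POST with no user agent, or with the old bot's fixed agent."""
    if entry is None or entry["method"] != "POST":
        return False
    if not entry["path"].startswith(LOGIN_PATHS):
        return False
    ua = entry["ua"]
    return ua in ("", "-") or ua.startswith(OLD_BOT_UA_PREFIX)

def attempts_per_ip(lines, threshold=3):
    """Count bot-like login POSTs per source IP; return IPs at or above threshold."""
    counts = Counter(e["ip"] for e in map(parse_line, lines) if is_bot_like(e))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines (not from the post's server); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2016:16:34:25 -0500] "GET /magento/ HTTP/1.1" 200 16420 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"',
    '203.0.113.7 - - [07/Apr/2016:16:34:26 -0500] "POST /downloader/ HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [07/Apr/2016:16:34:26 -0500] "POST /downloader/ HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [07/Apr/2016:16:34:27 -0500] "POST /downloader/ HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [07/Apr/2016:16:35:01 -0500] "POST /downloader/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"',
    '192.0.2.44 - - [07/Apr/2016:16:36:10 -0500] "POST /downloader/ HTTP/1.1" 302 0 "https://shop.example/downloader/" "Mozilla/5.0 (Windows NT 10.0) Chrome/49.0"',
]

if __name__ == "__main__":
    for ip, n in attempts_per_ip(SAMPLE_LOG).items():
        print("%s: %d bot-like login attempts" % (ip, n))
```

Because the post notes the source IPs rotate across many providers, the per-IP count is for visibility and alerting rather than for building a block list.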

How can these requests be mitigated most efficiently? The first step is to review the bot's source code to see how it actually works.

I found the source for one particular Magento bruteforcer here: https://github.com/AbhiKafle123/magento

The script works primarily as expected — it will keep trying different user / pass combinations until a valid login response is received. The easiest way to stop these requests is to ask the attacker to stop. Of course, that won’t happen.

However, if we make the attacker think they have successfully logged in, the script will automatically stop as there is no longer a reason for it to send further requests to the server.

From reviewing the source code of the script, we see that if a page is returned containing the text 'logout', the script stops attacking and exits:

		data = urllib2.Request(domain, urllib.urlencode(post), headers=agent)
		neo = coder.open(data).read()
		if 'logout' in neo:
			t2 = time.time()
			print ""
			print "Domain Name: %s" % url
			print "UserNmae: %s" % usr
			print "Password Cracked: %s" % passwd 
			print "Time: %s" % str(t2-t1)
			_exit(1)

As the bot looks for the word 'logout' on the page to confirm a successful login, it can be defeated by simply adding the following line at the end of your main index.php file (or whichever file is receiving the attack, such as downloader/index.php):

echo '<script> function breakBotlogout(){}</script>';

This line adds a JavaScript function named breakBotlogout that is never called. The function name contains the substring 'logout', and the mere presence of that text in the response causes the bot to fail.

Behavior of the bruteforce script before our custom code is added (the script keeps trying thousands of times):

Magento Bruteforce

Trying … abcdef
Trying … epmx@UO37
Trying … c0vJRx9k’
Trying … t5jT0tHw’
Trying … mmLe^Q63x
Trying … xt!Tjb93G
Trying … v13r|aQYf
Trying … &f7jJCc6v
Trying … 08’raFwfA

Behavior of the script after this change has been made:

Magento Bruteforce

Domain Name: lgtest.dotheneedful.in/magento
UserNmae: admin
Password Cracked: abcdef
Time: 0.371110916138


The attack has been mitigated after a single request has been sent to the server.