Community mailing list archives
Re: Seems Odoo just got hackedby
First of all, anything ending in 404 is probably not an issue. That means the HTTP server (werkzeug/odoo) correctly determined that the url was not something it could deliver.
Having a session does NOT mean you were hacked. You will get a new session generated simply by visiting the login page and not passing a current valid session_id. (at least on v9)
Experimentally, in v9 and ubuntu14.04:
* a 'fresh' empty session is 92 bytes. (will depend on browser header for language accept)
* looking in the sessions after trying various things have taught me the user name is for sure in the session, and there is some component of the password (hash?) in the session if you POST to /web/login
Keep in mind that Odoo is going to make a session regardless on if the client on the other side actually stores the cookie and re-uses it in the next request. Thus you will have a lot of sessions when people are attacking like this or DoS'ing.
With a reverse proxy like NGINX or Cloudflare or something you should be able to rate-limit or block this sort of thing completely.
On Sep 24, 2015, at 12:13 PM, David Arnold <firstname.lastname@example.org> wrote:Thanks NhomarI've updated the gist:Can the following statement be asserted?The modifying date of the sessions coinciding with the following line of the supposed attack procedure is a string indication of a hacked password. werkzeug: 188.8.131.52 - - [23/Sep/2015 06:13:23] GET /pma/scripts/setup.php HTTP/1.0 404 -Best, DavidEl jue., 24 sept. 2015 a las 13:28, Nhomar Hernández (<email@example.com>) escribió:2015-09-24 13:19 GMT-05:00 Nhomar Hernández <firstname.lastname@example.org>:Trace your password.Sorry sent before re read... here I tried to say: Encrypt your connection with ssl to avoid somebody read or trace your passwords.