Community mailing list archives

community@mail.odoo.com

Re: Seems Odoo just got hacked

by
Ludovic Fénelon
- 09/25/2015 03:55:57
Hi,

@David: IMHO, I don't see anything in these logs related to a
compromised instance.

As suggested, you may consider putting an Nginx server in front of this
Odoo instance.

If you notice that the same IP is attacking quite often, maybe adding a
fail2ban server is a good option too. I get that kind of entry in my
Nginx logs quite often, and fail2ban helped me reduce them.

Regards,

Ludovic Fenelon
Managing Director and co-founder

Dalea Solutions
12 Rue Edouard Vaillant 92300 Levallois-Perret
www.dalea-solutions.com

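As an added example (not code from the thread, from Odoo or from fail2ban), the following Python reproduces the decision fail2ban would take over werkzeug log lines like the one David pasted: count 404 responses per source IP inside a sliding window and report the IPs that cross the threshold. The sample log lines are constructed for this example (the first one is the line quoted later in the thread), and the `maxretry`/`findtime` names and the Odoo logger prefix on the third line are assumptions.

```python
"""
Fail2ban-style offender detection over werkzeug access-log lines.

Added example, not code from the thread, from Odoo or from fail2ban.
Assumptions: lines look like the werkzeug line David pasted
("<ip> - - [23/Sep/2015 06:13:23] \"GET /pma/scripts/setup.php HTTP/1.0\" 404 -"),
possibly preceded by Odoo's own timestamp/logger prefix; maxretry and
findtime carry fail2ban's meaning (N hits inside a sliding window).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Werkzeug's request line; `\s*` before the status also accepts the
# pasted form with no space after the closing quote (HTTP/1.0"404).
LOG_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - - '
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"\s*'
    r'(?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y %H:%M:%S"


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None
    if the line carries no werkzeug request line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def offenders(lines, maxretry=5, findtime=600, statuses=(404,)):
    """Map each IP that produced >= maxretry responses with one of
    `statuses` inside any findtime-second window to the time the
    threshold was crossed (when fail2ban would issue the ban)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in statuses:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed sample log: the first line is the one quoted in the thread,
# the rest are made-up probes for the same PHP/phpMyAdmin paths, plus a
# legitimate client (203.0.113.7) that produces a single 404.
SAMPLE_LOG = [
    '66.71.247.94 - - [23/Sep/2015 06:13:23] "GET /pma/scripts/setup.php HTTP/1.0"404 -',
    '66.71.247.94 - - [23/Sep/2015 06:13:24] "GET /phpMyAdmin/scripts/setup.php HTTP/1.0" 404 -',
    '2015-09-23 06:13:24,102 1234 INFO ? werkzeug: 66.71.247.94 - - [23/Sep/2015 06:13:24] "GET /myadmin/scripts/setup.php HTTP/1.0" 404 -',
    '203.0.113.7 - - [23/Sep/2015 06:13:30] "GET /web/login HTTP/1.1" 200 -',
    '66.71.247.94 - - [23/Sep/2015 06:13:25] "GET /MyAdmin/scripts/setup.php HTTP/1.0" 404 -',
    '203.0.113.7 - - [23/Sep/2015 06:13:40] "GET /favicon.ico HTTP/1.1" 404 -',
    '66.71.247.94 - - [23/Sep/2015 06:13:26] "GET /cgi-bin/php HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print("would ban %s at %s" % (ip, when))
```

One caveat before wiring this into a real ban action: once Nginx or Cloudflare sits in front of Odoo, the IP werkzeug logs is the proxy's unless Odoo runs with `--proxy-mode` (which trusts `X-Forwarded-For`), so a naive ban would lock out your own proxy. Ban on the client address the proxy forwards (Cloudflare also sends it in `CF-Connecting-IP`), and prefer doing the blocking at the proxy itself, where Ludovic's fail2ban jail reads the Nginx access log.
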
On 09/24/2015 11:58 PM, David Arnold wrote:
> Thanks for all the support and comments.
> Actually, the instance was indeed compromised and did not function. curl
> on the localhost Odoo server did not return.
> The docker daemon was also out of function and, to me, seemed
> compromised as well. Restarting the services was not possible.
>
> The actual usage pattern supports that just after the last legitimate user
> login two days ago, the instance stopped working (in between, the
> strange logs arose).
>
> This is indicating, yet not proving, that the attacker got onto the
> server and compromised it. The only exposed port was 8069 being mapped
> to 80 by the docker network layer.
>
> This is indicating, yet not proving, that the attacker exploited the
> Odoo website surface by some means. Cloudflare is used and was seemingly
> not configured/unable to block this specific attack.
>
> stat -c%s on a suspect session file gives 100, so these seem to be
> empty sessions, with the valid sessions among the empty ones.
>
> Well, to conclude, I know that I know nothing, except that something was
> compromised. It is for more knowledgeable people to judge what
> really happened. If I can provide additional useful information, I'm
> happy to do so. If anyone can help me ascertain any type of hypothesis to
> narrow down the probable investigation, I'd be glad as well.
>
> Thanks a lot. Best, David
>
>
>
> On Thu, 24 Sep 2015 at 16:03, Jared Kipe (<jared@jaredkipe.com
> <mailto:jared@jaredkipe.com>>) wrote:
>
>     First of all, anything ending in 404 is probably not an issue. That
>     means the HTTP server (werkzeug/odoo) correctly determined that the
>     url was not something it could deliver.
>
>
>     Having a session does NOT mean you were hacked. You will get a new
>     session generated simply by visiting the login page and not passing
>     a current valid session_id.  (at least on v9)
>     Experimentally, in v9 and ubuntu14.04:
>       * a 'fresh' empty session is 92 bytes. (will depend on browser
>     header for language accept)
>       * looking in the sessions after trying various things has taught
>     me the user name is for sure in the session, and there is some
>     component of the password (hash?) in the session if you POST to
>     /web/login
>
>     Keep in mind that Odoo is going to make a session regardless of whether
>     the client on the other side actually stores the cookie and re-uses
>     it in the next request.  Thus you will have a lot of sessions when
>     people are attacking like this or DoS'ing.
>
>     With a reverse proxy like NGINX or Cloudflare or something you
>     should be able to rate-limit or block this sort of thing completely.
>
>     Jared
>
>
>>     On Sep 24, 2015, at 12:13 PM, David Arnold <dar@devco.co
>>     <mailto:dar@devco.co>> wrote:
>>
>>     Thanks Nhomar
>>
>>     I've updated the gist:
>>     https://gist.github.com/blaggacao/4504a3194b3ad265efa6
>>
>>     Can the following statement be asserted?
>>     The modification date of the sessions coinciding with the following
>>     line of the supposed attack procedure is a strong indication of a
>>     hacked password.
>>     werkzeug: 66.71.247.94 - - [23/Sep/2015 06:13:23]
>>     "GET /pma/scripts/setup.php HTTP/1.0"404 -
>>
>>     Best, David
>>
>>     On Thu, 24 Sep 2015 at 13:28, Nhomar Hernández
>>     () wrote:
>>
>>
>>         2015-09-24 13:19 GMT-05:00 Nhomar Hernández <nhomar@gmail.com
>>         <mailto:nhomar@gmail.com>>:
>>
>>             Trace your password.
>>
>>
>>         Sorry, sent before re-reading... here I tried to say: encrypt your
>>         connection with SSL so that nobody can read or trace your
>>         passwords.
>>
>>         --
>>         --------------------
>>         Kind regards
>>
>>         CEO at Vauxoo, Odoo's Gold Partner.
>>
>>         --
>>         Nhomar Hernandez
>>         http://about.me/nhomar
>>
>>         _______________________________________________
>>         Mailing-List: https://www.odoo.com/groups/community-59
>>         Post to: mailto:community@mail.odoo.com
>>         <mailto:community@mail.odoo.com>
>>         Unsubscribe: https://www.odoo.com/groups?unsubscribe
>>
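Jared's session-file observations in the quoted thread (a fresh session is a small file; a logged-in one carries the user name and something derived from the password) suggest a quick offline triage of the session directory. The following is an added example, not Odoo's or werkzeug's code. It assumes that Odoo writes sessions through werkzeug's FilesystemSessionStore as pickled `werkzeug_<sid>.sess` files and that an authenticated session carries keys such as `db`, `uid`, `login` and `password`; the sample session files it builds are constructed for the example. It deliberately never unpickles anything: `pickle.load()` executes code embedded in the stream, which is the last thing to run on a box you suspect is compromised, so the files are only disassembled with `pickletools.genops`.

```python
"""
Offline triage of Odoo session files on a suspect host.

Added example, not Odoo's or werkzeug's code. Assumptions (not stated in
the thread): Odoo persists sessions through werkzeug's
FilesystemSessionStore, one pickled file per session named
werkzeug_<sid>.sess, and an authenticated session carries keys such as
'db', 'uid', 'login' and 'password'. The files are never unpickled:
pickle.load() would execute whatever an attacker wrote into them, so
the stream is only disassembled with pickletools.genops.
"""
import os
import pickle
import pickletools
import tempfile
from datetime import datetime

# String constants whose presence marks a session that saw a login.
MARKERS = ("db", "login", "password", "uid")


def pickle_strings(data):
    """Return every string constant in a pickle stream without running it
    (covers protocols 0-5, including Python 2 str arguments)."""
    found = set()
    try:
        for _opcode, arg, _pos in pickletools.genops(data):
            if isinstance(arg, str):
                found.add(arg)
    except (ValueError, EOFError, IndexError):
        pass  # truncated or non-pickle file: keep whatever was read so far
    return found


def triage_session_file(path, baseline=92):
    """Size, mtime and login markers for one session file. `baseline` is
    the size of a fresh anonymous session (92 bytes in Jared's v9 test,
    100 in David's); anything larger deserves a look."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        strings = pickle_strings(fh.read())
    return {
        "file": os.path.basename(path),
        "size": st.st_size,
        "mtime": datetime.fromtimestamp(st.st_mtime),
        "above_baseline": st.st_size > baseline,
        "markers": sorted(m for m in MARKERS if m in strings),
    }


def scan_session_dir(directory, baseline=92):
    """Triage every werkzeug_*.sess file in `directory`, oldest first."""
    records = []
    for name in os.listdir(directory):
        if name.startswith("werkzeug_") and name.endswith(".sess"):
            records.append(triage_session_file(os.path.join(directory, name), baseline))
    return sorted(records, key=lambda r: r["mtime"])


def make_sample_dir():
    """Constructed sample data: an anonymous session such as a scanner
    hitting /web/login leaves behind, and an authenticated one."""
    directory = tempfile.mkdtemp(prefix="odoo-sessions-")
    anonymous = {"context": {"lang": "en_US"}}
    authenticated = {"db": "prod", "uid": 1, "login": "admin", "password": "hunter2",
                     "context": {"lang": "en_US", "tz": "Europe/Paris", "uid": 1}}
    for sid, payload in (("anon0001", anonymous), ("auth0001", authenticated)):
        with open(os.path.join(directory, "werkzeug_%s.sess" % sid), "wb") as fh:
            pickle.dump(payload, fh, protocol=2)  # protocol 2, as a Python 2 Odoo would write
    return directory


if __name__ == "__main__":
    for rec in scan_session_dir(make_sample_dir()):
        print("%(file)s %(size)4d bytes  modified %(mtime)s  markers=%(markers)s" % rec)
```

Two practical notes. File size alone is a weak signal (Jared's 92 bytes versus David's 100 already differ with the client's Accept-Language header), so the marker scan is what separates "scanner touched /web/login" from "someone authenticated", and the mtime of the marker-bearing files is what to line up against the log timeline David is building. And since Jared observed that a password component lands in the session file, the sessions directory is itself sensitive: if the host was compromised, treat every session that was on disk as exposed and rotate the affected users' passwords, regardless of what the logs show.
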