keat

Potential Malicious Attack


New accounts are created daily, but about once per week I see a pattern, which I'm guessing is some form of malicious attack, but I've no idea what.

A new account will be created where the surname is identical to the Christian name. In the most recent example, LydiaTrucTSO LydiaTrucTSO.

There's never an address in the account, no order is ever placed, it usually has a Russian TLD in the email, and the IP generally points to the Netherlands, although I've seen Russia, Belarus and Ukraine, which are now blocked on my server.

I've no idea what it is they are trying to do when creating an account, and as the pattern is always the same, I'm assuming it's a BOT of some sort.


Any thoughts as to what might be going on?


[04/Mar/2019:19:20:05 +0000] "GET /index.php?seo_path=lubrication-cleaning%2Fgrease%2Fcopper-thread-compound-500g HTTP/1.0" 200 27391 "https://www.mydomain.com/index.php?seo_path=lubrication-cleaning%2Fgrease%2Fcopper-thread-compound-500g" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99"
[04/Mar/2019:19:20:06 +0000] "GET /register.html?agreed=true HTTP/1.0" 200 21478 "https://www.mydomain.com/register.html?agreed=true" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99"
[04/Mar/2019:19:22:40 +0000] "POST /register.html?agreed=true HTTP/1.0" 302 - "https://www.mydomain.com/register.html?agreed=true" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99"
[04/Mar/2019:19:22:41 +0000] "GET /?_a=account HTTP/1.0" 200 20048 "https://www.mydomain.com/?_a=account" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99"
[04/Mar/2019:19:22:41 +0000] "GET /register.html?agreed=true HTTP/1.0" 302 - "https://www.mydomain.com/register.html?agreed=true" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99"
[04/Mar/2019:19:22:42 +0000] "GET /index.php?seo_path=lubrication-cleaning%2Fgrease%2Fcopper-thread-compound-500g HTTP/1.0" 200 27462 "https://www.mydomain.com/index.php?seo_path=lubrication-cleaning%2Fgrease%2Fcopper-thread-compound-500g" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99"
[04/Mar/2019:19:22:43 +0000] "GET /index.php HTTP/1.0" 200 30029 "https://www.mydomain.com/index.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 OPR/53.0.2907.99"
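The log excerpt above is a complete registration in four requests: view the form, submit it (302), land on the account page. As an added example (not part of the original post or of CubeCart), this script parses lines in that exact format and flags each completed signup together with the time between viewing and submitting the form, so the pattern can be pulled out of a full access log for review. The sample lines are constructed from the post's own paths and timestamps with the user-agent string shortened; the client IP field is absent, as it is in the post.

```python
import re
from datetime import datetime

# Shape of the lines pasted above (client IP and ident fields are absent):
# [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the paths, timestamps and status codes from the post above,
# with the long user-agent string shortened.
SAMPLE_LOG = """\
[04/Mar/2019:19:20:05 +0000] "GET /index.php?seo_path=lubrication-cleaning%2Fgrease%2Fcopper-thread-compound-500g HTTP/1.0" 200 27391 "https://www.mydomain.com/index.php" "Mozilla/5.0 (constructed UA)"
[04/Mar/2019:19:20:06 +0000] "GET /register.html?agreed=true HTTP/1.0" 200 21478 "https://www.mydomain.com/register.html?agreed=true" "Mozilla/5.0 (constructed UA)"
[04/Mar/2019:19:22:40 +0000] "POST /register.html?agreed=true HTTP/1.0" 302 - "https://www.mydomain.com/register.html?agreed=true" "Mozilla/5.0 (constructed UA)"
[04/Mar/2019:19:22:41 +0000] "GET /?_a=account HTTP/1.0" 200 20048 "https://www.mydomain.com/?_a=account" "Mozilla/5.0 (constructed UA)"
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_signups(lines, max_gap=5):
    """Flag completed registrations: GET /register.html, then a POST to it answered
    with a 302, then GET /?_a=account within max_gap seconds. Each hit also records
    how long the form took to fill in, a useful triage signal when reviewing by hand."""
    recs = [r for r in map(parse_line, lines) if r]
    hits = []
    last_form_view = None
    for i, r in enumerate(recs):
        if r["method"] == "GET" and r["path"].startswith("/register.html"):
            last_form_view = r
        if r["method"] == "POST" and r["path"].startswith("/register.html") and r["status"] == 302:
            nxt = recs[i + 1] if i + 1 < len(recs) else None
            if nxt and nxt["path"] == "/?_a=account" and (nxt["ts"] - r["ts"]).total_seconds() <= max_gap:
                fill = (r["ts"] - last_form_view["ts"]).total_seconds() if last_form_view else None
                hits.append({"posted_at": r["ts"].isoformat(), "form_fill_seconds": fill, "user_agent": r["ua"]})
    return hits

if __name__ == "__main__":
    for h in find_signups(SAMPLE_LOG.splitlines()):
        print(h)
```

Run it over a real log with the IP field prepended and the regex adjusted accordingly; grouping hits by IP and user-agent is what reveals the repeat visits described later in the thread.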

It's just a bot spamming your store. Make sure Google reCaptcha is switched on. 


Agreed that these are caused by a bot and reCaptcha will stop these, and while you say it isn't happening very often at the moment, if you leave it, the numbers will increase until you have a flood.


reCaptcha is switched on, so I'm guessing they circumvented it.

Just now, keat said:

reCaptcha is switched on, so I'm guessing they circumvented it.

What about on the newsletter signup box?


Where is this?

I don't recall seeing it, maybe I removed it at some point in the past.


Mican skin, by the way.


Rewinding a bit. Where do you see the new accounts? Are they customers, orders, newsletter emails, all of those or something else?

If you want to PM me details I'll have a look.


Looking for newsletter sign up and it doesn't appear on my home page, but the link (if I type it in manually) is still live.

index.php?_a=newsletter.

However, this appears to only contain an email address, so it's not this.


If I log in to the cart back end, choose 'customer list', it will be in there.

Sticks out like a sore thumb due to the pattern.


I already deleted the recent entry, so there would be nothing to see.


I'm using reCaptcha V2; maybe I should consider V3. Is there any code for this?


I'm not aware of any reCaptcha V2 circumvention. We don't have v3 integration, which is very different. It's score based.


Instead of just deleting these, I'm now blacklisting the IPs, to see if there's a pattern in there also.


I have added some code to the very beginning of when CubeCart is waking up that looks at the POST payload. This robot has a known "signature" and is easily tested for. If the signature is found in POST, PHP dies.


Unless they are doing this manually, I'd like to know how they circumvented captcha.

Here's another one.

bot.jpg


Got another one yesterday.

There's a class B subnet pattern emerging 212.92.x.x


Since monitoring, I've seen 114, 116 and 117 class Cs.

We have no customers in any of these subnets, so I blocked the subnets in my firewall for now.
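Pulling the thread's observations together (surname identical to the first name, no postal address, a Russian email TLD, and repeat signups from the 212.92.114/116/117 class Cs), here is an added example of a triage check over the customer list; it is not CubeCart code or anything posted in the thread. The account records, email and IP values are constructed, except for the name taken from the first post.

```python
import ipaddress
from dataclasses import dataclass

# Subnets the thread's author saw repeated signups from; a triage signal, not proof.
WATCHED_NETS = [ipaddress.ip_network(n) for n in
                ("212.92.114.0/24", "212.92.116.0/24", "212.92.117.0/24")]
WATCHED_TLDS = {"ru"}

@dataclass
class Account:
    first_name: str
    last_name: str
    email: str
    ip: str
    address: str = ""  # postal address; the suspect accounts never have one

def signup_flags(acct: Account) -> list:
    """Return the reasons an account matches the pattern described in the thread.
    An empty list means nothing fired; several hits together mean 'review me'."""
    flags = []
    if acct.first_name.strip().lower() == acct.last_name.strip().lower():
        flags.append("surname identical to first name")
    tld = acct.email.rsplit(".", 1)[-1].lower() if "." in acct.email else ""
    if tld in WATCHED_TLDS:
        flags.append(f"email TLD .{tld}")
    try:
        ip = ipaddress.ip_address(acct.ip)
        if any(ip in net for net in WATCHED_NETS):
            flags.append(f"ip {acct.ip} in watched subnet")
    except ValueError:
        flags.append("unparseable ip")
    if not acct.address:
        flags.append("no postal address")
    return flags

def triage(accounts):
    """Rank accounts by how many heuristics matched, strongest first (stable sort)."""
    scored = [(acct, signup_flags(acct)) for acct in accounts]
    return sorted(scored, key=lambda s: len(s[1]), reverse=True)

# Constructed sample: the name from the thread with an invented email and IP,
# plus an ordinary-looking account for contrast.
SAMPLE = [
    Account("LydiaTrucTSO", "LydiaTrucTSO", "lydiatruc@example.ru", "212.92.114.23"),
    Account("Jane", "Smith", "jane.smith@example.co.uk", "203.0.113.7", "1 High St"),
]

if __name__ == "__main__":
    for acct, flags in triage(SAMPLE):
        print(acct.first_name, acct.last_name, flags or "clean")
```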
