violinman

Attempted Hacking


Hi guys, I have received numerous attempted hacks via the customer password recovery page. They are always with a random email address and a user name made of random letters such as OVaDMukYnGQhBl. The only reason I know these are happening is because I get a "message could not be delivered" from my server, presumably from the random email address they use. Always different IPs, so they must be using a proxy.

I did not even realise there is a password reset form available from the main index page!

(1) How can I disable that password reset form?

(2) Is there any way to select multiple customers to delete en bloc (all of the spoof attempts)?

Much appreciated if you can help with this one.

Brian


Bots have a way of POSTing form data that does not require using a form. We can disable the Request Password Reset function, however. (Your legitimate customers will need to contact you to resolve their lost-password problems.)

For the Request Password Reset function to be successful, there must already be a customer account with that email address. I assume that is the case here.

I have modded a store to allow for the bulk deletion of customers. Please send a PM with your email address.

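As an added illustration (not part of this thread and not CubeCart's code): before deleting accounts en bloc it helps to score each customer record on how machine-generated its names and email address look, so that the bogus ones can be picked out of a customer export. The script below runs over a constructed export; the column names customer_id, first_name, last_name and email are assumptions rather than CubeCart's schema, and the thresholds are heuristics tuned to the OVaDMukYnGQhBl-style names quoted above, so treat the output as a review list rather than an automatic delete list.

```python
"""Flag likely bot-registered customer accounts for review before bulk deletion.

Added example, not CubeCart code. The rows below are a constructed customer
export; the field names are assumptions, not CubeCart's database schema.
"""
import re

# Constructed sample export. Rows 103 and 104 mimic the random-letter
# registrations described in the thread; the others are ordinary customers.
SAMPLE_CUSTOMERS = [
    {"customer_id": 101, "first_name": "Brian", "last_name": "Smith",
     "email": "brian@example.co.uk"},
    {"customer_id": 102, "first_name": "Sarah-Jane", "last_name": "O'Neill",
     "email": "sj.oneill@example.org"},
    {"customer_id": 103, "first_name": "OVaDMukYnGQhBl", "last_name": "OVaDMukYnGQhBl",
     "email": "OVaDMukYnGQhBl@xkqzpw.com"},
    {"customer_id": 104, "first_name": "qWtRbNzXpLkM", "last_name": "HgFdSaPoIu",
     "email": "qwtrbnzxplkm@mailinator.com"},
    {"customer_id": 105, "first_name": "Li", "last_name": "Wei",
     "email": "li.wei@example.com"},
]

WORD = re.compile(r"[A-Za-z]+")
VOWELS = set("aeiouy")


def lower_to_upper_switches(text):
    """Count lower->upper transitions inside each alphabetic word.

    'McDonald' gives 1, "O'Neill" gives 0 (the apostrophe splits the words),
    'OVaDMukYnGQhBl' gives 4. Human names rarely exceed 2.
    """
    total = 0
    for word in WORD.findall(text):
        total += sum(1 for a, b in zip(word, word[1:]) if a.islower() and b.isupper())
    return total


def longest_consonant_run(text):
    """Length of the longest run of consonants; random letter strings run long."""
    run = best = 0
    for c in text.lower():
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(text):
    """Heuristic: True for machine-generated strings like 'OVaDMukYnGQhBl'."""
    if len(text) < 6:
        return False
    return lower_to_upper_switches(text) >= 3 or longest_consonant_run(text) >= 6


def bot_signals(row):
    """Number of fields (first name, last name, email local part) that look random."""
    local_part = row["email"].split("@", 1)[0]
    return sum(looks_random(v) for v in (row["first_name"], row["last_name"], local_part))


def flag_bot_accounts(rows, min_signals=2):
    """Customer IDs worth reviewing; two independent signals reduce false positives."""
    return [row["customer_id"] for row in rows if bot_signals(row) >= min_signals]


if __name__ == "__main__":
    for row in SAMPLE_CUSTOMERS:
        print(row["customer_id"], bot_signals(row), row["first_name"], row["email"])
    print("review for deletion:", flag_bot_accounts(SAMPLE_CUSTOMERS))
```

Requiring two of the three fields to look random keeps hyphenated or Mc-style names from being flagged; a single odd surname on its own never makes the list.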

I am quite happy to disable the password reset function; very few of my legitimate customers set up an account anyway, as it is almost always a one-off purchase.

Please let me know the file and code section I need to change or comment out.

I am not sure how it happens: the bot or hacker sets up a meaningless account, and the first I know of it is when the password reset fails. I assume they would have needed to add an item to the cart in order to have the option of setting up an account?

Many thanks,

Brian


CubeCart will register an account without the need for anything to be done first or afterwards.

Curious to learn why attempts at password resets are part of the activity, though.

In /classes/user.class.php, near line 735, find:

    public function passwordRequest($email)
    {

Change to:

    public function passwordRequest($email)
    { return false; // Never perform this action!


Many thanks for all of your help.

It is late evening here in the UK, so I will make the changes during the day tomorrow.

You don't actually say in the mod txt file which file is the first of the two admin files that need to be edited; you just mention the second file.

Brian


Sorry. The admin skin template file customers.index.php.

Share on other sites

Hi Bsmither, I have just got around to implementing the mod you sent me. The customer page now shows the tick boxes to select multiple customers, but when I delete the entries admin crashes out to a white screen.

All of the changes were as you listed in the mod text file, except for the very last alteration near line 350 in customers.index.inc.php. What I had, and replaced, was:

---------------------------------------------------------------------------------------------------------------------------

        $GLOBALS['main']->setACPNotify($lang['customer']['notify_customer_delete']);
                } else {
                    $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_delete']);
                }
            } else {
                $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_delete_orders']);
            }
        } else {
            $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_found']);
        }
        httpredir(currentPage(array('action', 'customer_id')));
    }

Rather than:

        $GLOBALS['main']->successMessage($lang['customer']['notify_customer_delete']);
                } else {
                    $GLOBALS['main']->errorMessage($lang['customer']['error_customer_delete']);
                }
            } else {
                $GLOBALS['main']->errorMessage($lang['customer']['error_customer_delete_orders']);
            }
        } else {
            $GLOBALS['main']->errorMessage($lang['customer']['error_customer_found']);
        }
        httpredir(currentPage(array('action', 'customer_id')));
    }

Any suggestions, please?

Brian


Please create the error log.

You have a CC6 several versions older. The latest version uses a new function successMessage() that enhances the setACPNotify() function (and the warning message function).

So, in the new code above, replace successMessage and errorMessage with setACPNotify and setACPWarning.


I made the change you recommend and it now works a treat, so many thanks for that.

You said you were curious to learn why attempts at password resets are part of the activity. Actually, thinking about it, they are not. What happens in most cases is the bot generates a random customer, which also includes a random non-existent email address, so that when the program sends an email to the customer this fails and I get a copy of the failed email, which includes the password reset link.

What I don't understand is where the bot sets up the customer account, unless it is within the cart, but there are never any orders shown for the bogus clients.

Anyway, at least I can delete them now. I am in the process of setting up a WAF on my server, which should help.

Brian


This is how I see the bot operate:

It requests the registration page. In the code for this page is the security token. A custom POST payload is constructed to include the security token. The POST is issued.

I have never seen any follow-up, however. So I cannot guess what the ultimate goal is in doing this.

I do not get a failed email delivery notice because CubeCart does not send an email when there is a new customer registered -- unless you have a plugin that does this.

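An added example, not from this thread and not CubeCart's code, of spotting that fetch-the-form-then-POST pattern in the web server's access log. For every IP that POSTs to the registration page it checks three things: whether the POST followed the GET of the same page within seconds, whether that IP requested nothing else at all (a browser would also load stylesheets and other pages), and whether the POST carries no Referer. The log lines are constructed for the example, and the registration path /index.php?_a=register is an assumption about this store's URL layout, not something stated in the thread.

```python
"""Correlate access-log lines to find token-harvest-then-POST registrations.

Added example, not CubeCart code. SAMPLE_LOG is constructed; REGISTER_PATH is
an assumed URL for the registration page on the store being discussed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

REGISTER_PATH = "/index.php?_a=register"  # assumption, adjust to the real store

# Constructed Apache combined-format lines. The first and last IPs behave like
# the bot described in the thread; 198.51.100.7 behaves like a person.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2019:22:14:01 +0000] "GET /index.php?_a=register HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2019:22:14:02 +0000] "POST /index.php?_a=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2019:22:15:30 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11)"',
    '198.51.100.7 - - [12/Mar/2019:22:15:31 +0000] "GET /css/site.css HTTP/1.1" 200 3000 "https://shop.example/index.php" "Mozilla/5.0 (X11)"',
    '198.51.100.7 - - [12/Mar/2019:22:17:05 +0000] "GET /index.php?_a=register HTTP/1.1" 200 8123 "https://shop.example/index.php" "Mozilla/5.0 (X11)"',
    '198.51.100.7 - - [12/Mar/2019:22:19:40 +0000] "POST /index.php?_a=register HTTP/1.1" 302 0 "https://shop.example/index.php?_a=register" "Mozilla/5.0 (X11)"',
    '192.0.2.55 - - [12/Mar/2019:23:02:10 +0000] "GET /index.php?_a=register HTTP/1.1" 200 8123 "-" "python-requests/2.21.0"',
    '192.0.2.55 - - [12/Mar/2019:23:02:10 +0000] "POST /index.php?_a=register HTTP/1.1" 302 0 "-" "python-requests/2.21.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_token_harvest_posts(lines, max_gap=timedelta(seconds=5)):
    """Return (ip, post_time, reasons) for registration POSTs that look scripted.

    A POST is reported when at least two of three signals hold: it came within
    max_gap of fetching the form, the IP made no other requests, and it sent
    no Referer. Real browsers usually fail all three.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = []
    for ip, recs in by_ip.items():
        posts = [r for r in recs if r["method"] == "POST" and r["path"] == REGISTER_PATH]
        if not posts:
            continue
        gets = [r for r in recs if r["method"] == "GET" and r["path"] == REGISTER_PATH]
        other = [r for r in recs if r["path"] != REGISTER_PATH]
        for post in posts:
            reasons = []
            prior = [g["ts"] for g in gets if g["ts"] <= post["ts"]]
            if prior and post["ts"] - max(prior) <= max_gap:
                reasons.append("POST within %ds of fetching the form" % max_gap.total_seconds())
            if not other:
                reasons.append("no other requests from this IP (no assets, no browsing)")
            if post["ref"] == "-":
                reasons.append("no Referer on the POST")
            if len(reasons) >= 2:
                flagged.append((ip, post["ts"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for ip, when, reasons in find_token_harvest_posts(SAMPLE_LOG):
        print(ip, when, "; ".join(reasons))
```

In the sample, 198.51.100.7 browses the site first, takes minutes over the form and sends a Referer, so it passes; the other two trip all three checks. The same three conditions are the kind of thing a WAF rule or a per-IP rate limit on the registration POST can enforce at the edge, which is the usual answer when the CSRF token alone does not stop a bot that reads the page before posting.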

Well, I suppose similar, in that the bot seems to generate a random set of letters in upper and lower case.

I am setting up a WAF (Web Application Firewall) on my server to see if that blocks the bot; it will be live in two weeks' time.

Brian

