violinman

Attempted Hacking

Recommended Posts

Hi guys, I have received numerous attempted hacks via the customer password recovery page. They are always with a random email address and a user name made of random letters such as OVaDMukYnGQhBl. The only reason I know these are happening is because I get a "message could not be delivered" from my server, presumably from the random email address they use. Always different IPs, so they must be using a proxy.

I did not even realise there is a password reset form available from the main index page!

(1) How can I disable that password reset form?

(2) Is there any way to select multiple customers to delete on block (all of the spoof attempts)?

Much appreciated if you can help with this one.

Brian


Bots have a way of POSTing form data that does not require using a form. We can disable the Request Password Reset function, however. (Your legitimate customers will need to contact you to resolve their lost password problems.)

For the Request Password Reset function to be successful, there must already be a customer account with that email address. I assume that is the case here.

I have modded a store to allow for the bulk deletion of customers. Please send a PM with your email address.


I am quite happy to disable the password reset function; very few of my legitimate customers set up an account anyway, as it is almost always a one-off purchase.

Please let me know the file and code section I need to change or comment out.

I am not sure how it happens. The bot or hacker sets up a meaningless account, and the first I know of it is when the password reset fails. I assume they would have needed to add an item to the cart in order to have the option of setting up an account?

Many thanks,

Brian


CubeCart will register an account without the need for anything to be done first or afterwards.

Curious to learn why attempts at password resets are part of the activity, though.

In /classes/user.class.php, near line 735, find:

    public function passwordRequest($email)
    {

Change to:

    public function passwordRequest($email)
    { return false; // Never perform this action!


Many thanks for all of your help.

It is late evening here in the UK so I will make the changes during the day tomorrow. 

You don't actually say in the mod txt file which file is the first of the two admin files that need to be edited; you just mention the second file?

Brian


Sorry. The admin skin template file customers.index.php.


Hi Bsmither, I have just got around to implementing the mod you sent me. The customer page now shows the tick boxes to select multiple customers, but when I delete the entries admin crashes out to a white screen.

All of the changes were as you listed in the mod text file except for the very last alteration near line 350 in customers.index.inc.php. What I have and replaced was:

---------------------------------------------------------------------------------------------------------------------------

$GLOBALS['main']->setACPNotify($lang['customer']['notify_customer_delete']);
                } else {
                    $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_delete']);
                }
            } else {
                $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_delete_orders']);
            }
        } else {
            $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_found']);
        }
        httpredir(currentPage(array('action', 'customer_id')));
    }

Rather than:

        $GLOBALS['main']->successMessage($lang['customer']['notify_customer_delete']);
                } else {
                    $GLOBALS['main']->errorMessage($lang['customer']['error_customer_delete']);
                }
            } else {
                $GLOBALS['main']->errorMessage($lang['customer']['error_customer_delete_orders']);
            }
        } else {
            $GLOBALS['main']->errorMessage($lang['customer']['error_customer_found']);
        }
        httpredir(currentPage(array('action', 'customer_id')));
    }

Any suggestions please,

Brian


Please create the error log.

You have a CC6 several versions older. The latest version uses a new function successMessage() that enhances the setACPNotify() function (and the warning message function).

So, in the new code above, replace successMessage and errorMessage with setACPNotify and setACPWarning.


I made the change you recommend and it now works a treat, so many thanks for that.

You said you were curious to learn why attempts at password resets are part of the activity. Actually, thinking about it, they are not. What happens in most cases is the bot generates a random customer which also includes a random non-existent email address, so that when the program sends an email to the customer this fails and I get a copy of the failed email, which includes the password reset link.

What I don't understand is where the bot sets up the customer account, unless it is within the cart, but there are never any orders shown for the bogus clients.

Anyway, at least I can delete them now. I am in the process of setting up a WAF on my server, which should help.

Brian

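The thread's two signals for a bogus account are a name made of random mixed-case letters (like the OVaDMukYnGQhBl example above) and no orders ever placed. This added example, not part of the original thread or of CubeCart, scores a constructed customer export on those two signals so an admin can review the flagged IDs before bulk-deleting; the column names are assumptions, not CubeCart's real export format.

```python
import csv
import io

# Constructed sample export in a hypothetical CubeCart-like shape.
# Column names are an assumption; a real export will differ.
SAMPLE_CSV = """customer_id,first_name,last_name,email,order_count
101,Brian,Smith,brian@example.co.uk,3
102,OVaDMukYnGQhBl,qWzXpLrTb,ovadmuk@bogus-domain.invalid,0
103,Sarah,McDonald,sarah.mcd@example.org,1
104,xKJQRTvmZw,PbNqWcXz,xkjq@nonexistent.invalid,0
105,Ann,Lee,ann.lee@example.com,0
"""

VOWELS = set("aeiouAEIOU")


def looks_random(token: str) -> bool:
    """Heuristic for bot-generated names: real names rarely have more than
    one or two capitals after the first letter (McDonald, DeLaCruz), and
    they contain vowels; random letter strings usually fail both tests."""
    if len(token) < 6 or not token.isalpha():
        return False  # too short to judge, or contains digits/punctuation
    interior_upper = sum(1 for c in token[1:] if c.isupper())
    vowel_ratio = sum(1 for c in token if c in VOWELS) / len(token)
    return interior_upper >= 3 or vowel_ratio < 0.15


def flag_bogus_customers(csv_text: str) -> list[int]:
    """Return customer IDs whose name looks random AND who have no orders.
    Requiring both keeps a real customer with an unusual name off the list."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        random_name = looks_random(row["first_name"]) or looks_random(row["last_name"])
        no_orders = int(row["order_count"]) == 0
        if random_name and no_orders:
            flagged.append(int(row["customer_id"]))
    return flagged


if __name__ == "__main__":
    print("Review before deleting:", flag_bogus_customers(SAMPLE_CSV))
```

Treat the output as a review list, not an auto-delete list: customer 105 has no orders but a normal name and is correctly left alone.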

This is how I see the bot operate:

It requests the registration page. In the code for this page is the security token. A custom POST payload is constructed to include the security token. The POST is issued.

I have never seen any follow-up, however. So I cannot guess what the ultimate goal is in doing this.

I do not get a failed email delivery notice because CubeCart does not send an email when there is a new customer registered -- unless you have a plugin that does this.


Well, I suppose it is similar in that the bot seems to generate a random set of letters in upper and lower case.

I am setting up a WAF (Web Application Firewall) on my server to see if that blocks the bot; it will be live in two weeks' time.

Brian


Hi Bsmither, I need some more info please. I do not have the default Captcha enabled in store settings, but having continued to look into the fake account signups online, quite a few people suggest having the Captcha enabled.

My question is: at what part of the process does the Captcha present itself? Is it just for account signup?

As always many thanks,

Brian


I have now added the Google Captcha (v2 invisible), so hopefully that will help. As asked in the previous post, I would be grateful to know which parts of the site it protects.

Many thanks,

Brian


The captcha code gets involved in the Registration page, checking out as a Guest, leaving a Ratings Comment on the product page, the Newsletter sign-up sidebox, and the Contact Us page. As of CC628 Foundation skin, there is a popup box (admin enabled) that appears when moving away from the site, asking to sign up for the newsletter. This modal Exit box also has captcha involved.

Once a visitor has passed a captcha challenge for that session, there will be no more challenges.

Note: a customer being logged in has no bearing on captcha's involvement.


Thanks for your prompt response. I assume once I enable Captcha in store settings it will work? What I am asking is whether I need to make any changes in the code.

Regards,

Brian


The Foundation skin has the Smarty template code to put in place the reCAPTCHA JavaScript code, if enabled.

Other CC6-conforming skins should also have the Smarty template code.

Skins originally built for CC5 have Smarty code for an implementation of reCAPTCHA available in CC5. reCAPTCHA requirements have changed since then.


I am using the galaxyx skin and CC6. In the skin templates folder there is a content.recaptcha.php file; the problem is there are no instructions as to any changes needed to this file in order for it to work. I think it is probably for an earlier version of Captcha, whereas I have retrieved a site and secret key for the Google invisible Captcha and do not know what changes to make to the file.

Brian


How did you get on with your WAF?

I use CSF firewall, along with OWASP and Comodo ModSecurity rules, and was still seeing these.

Not seen any for a month now, though; maybe they went away :-)
