Attempted Hacking


violinman

Hi guys, I have received numerous attempted hacks via the customer password recovery page. They are always with a random email address and a user name made of random letters such as OVaDMukYnGQhBl. The only reason I know these are happening is because I get a "message could not be delivered" from my server, presumably from the random email address they use. Always different IPs, so they must be using a proxy.

I did not even realise there is a password reset form available from the main index page!

(1) How can I disable that password reset form?

(2) Is there any way to select multiple customers to delete en bloc (all of the spoof attempts)?

Much appreciated if you can help with this one.

Brian

Bots have a way of POSTing form data that does not require using a form. We can disable the Request Password Reset function, however. (Your legitimate customers will need to contact you to resolve their lost password problems.)

For the Request Password Reset function to be successful, there must already be a customer account with that email address. I assume that is the case here.

I have modded a store to allow for the bulk deletion of customers. Please send a PM with your email address.

I am quite happy to disable the password reset function; very few of my legitimate customers set up an account anyway, as it is almost always a one-off purchase.

Please let me know the file and code section I need to change or comment out.

I am not sure how it happens: the bot or hacker sets up a meaningless account, and the first I know of it is when the password reset fails. I assume they would have needed to add an item to the cart in order to have the option of setting up an account?

Many thanks,

Brian

CubeCart will register an account without the need for anything to be done first or afterwards.

Curious to learn why attempts at password resets are part of the activity, though.

In /classes/user.class.php, near line 735, find:

    public function passwordRequest($email)
    {

Change to:

    public function passwordRequest($email)
    { return false; // Never perform this action!

Many thanks for all of your help.

It is late evening here in the UK, so I will make the changes during the day tomorrow.

You don't actually say in the mod txt file which file is the first of the two admin files that need to be edited; you just mention the second file?

Brian

Hi Bsmither, I have just got around to implementing the mod you sent me. The customer page now shows the tick boxes to select multiple customers but when I delete the entries admin crashes out to a white screen.

All of the changes were as you listed in the mod text file except for the very last alteration near line 350 in customers.index.inc.php. What I have and replaced was:

---------------------------------------------------------------------------------------------------------------------------

        $GLOBALS['main']->setACPNotify($lang['customer']['notify_customer_delete']);
                } else {
                    $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_delete']);
                }
            } else {
                $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_delete_orders']);
            }
        } else {
            $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_found']);
        }
        httpredir(currentPage(array('action', 'customer_id')));
    }

Rather than:

        $GLOBALS['main']->successMessage($lang['customer']['notify_customer_delete']);
                } else {
                    $GLOBALS['main']->errorMessage($lang['customer']['error_customer_delete']);
                }
            } else {
                $GLOBALS['main']->errorMessage($lang['customer']['error_customer_delete_orders']);
            }
        } else {
            $GLOBALS['main']->errorMessage($lang['customer']['error_customer_found']);
        }
        httpredir(currentPage(array('action', 'customer_id')));
    }

Any suggestions please,

Brian

I made the change you recommend and it now works a treat so many thanks for that.

You said you were curious to learn why attempts at password resets are part of the activity. Actually, thinking about it, they are not. What happens in most cases is the bot generates a random customer, which also includes a random non-existent email address, so that when the program sends an email to the customer this fails and I get a copy of the failed email, which includes the password reset link.

What I don't understand is where the bot sets up the customer account, unless it is within the cart, but there are never any orders shown for the bogus clients.

Anyway, at least I can delete them now. I am in the process of setting up a WAF on my server, which should help.

Brian

This is how I see the bot operate:

It requests the registration page. In the code for this page is the security token. A custom POST payload is constructed to include the security token. The POST is issued.

I have never seen any follow-up, however. So I cannot guess what the ultimate goal is in doing this.

I do not get a failed email delivery notice because CubeCart does not send an email when there is a new customer registered -- unless you have a plugin that does this.
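
An added example, not code from this thread or from CubeCart: a small Python triage script that scores exported customer records using the three signals the thread describes (random-letter usernames like OVaDMukYnGQhBl, a bounced mail to the registered address, and no orders ever placed) so the bogus accounts can be reviewed before bulk deletion. The record layout, the weights and the sample rows are assumptions.

```python
"""Heuristic triage of exported customer records for bot registrations."""
from typing import List, NamedTuple

class Customer(NamedTuple):
    username: str
    email: str                # constructed; no domain lookup is performed
    order_count: int          # the bogus accounts in the thread never had orders
    reset_mail_bounced: bool  # a mail to this address came back undeliverable

VOWELS = set("aeiouAEIOU")

def looks_random(username: str) -> bool:
    """Flag machine-generated names such as 'OVaDMukYnGQhBl': letters only,
    frequent upper/lower case flips and few vowels ('BrianSmith' flips case
    only three times in nine pairs, so it passes)."""
    if len(username) < 8 or not username.isalpha():
        return False
    flips = sum(1 for a, b in zip(username, username[1:])
                if a.isupper() != b.isupper())
    flip_ratio = flips / (len(username) - 1)
    vowel_ratio = sum(1 for c in username if c in VOWELS) / len(username)
    return flip_ratio >= 0.5 and vowel_ratio < 0.35

def bot_score(c: Customer) -> int:
    """Weighted sum of the thread's three signals. The weights are chosen so
    that a real guest whose mail bounced once (2 + 1) stays below threshold
    while a random username with no orders (3 + 1) reaches it."""
    score = 0
    if looks_random(c.username):
        score += 3
    if c.reset_mail_bounced:
        score += 2
    if c.order_count == 0:
        score += 1
    return score

def flag_bot_accounts(customers: List[Customer], threshold: int = 4) -> List[str]:
    """Usernames to queue for the bulk-delete review, highest score first."""
    hits = [c for c in customers if bot_score(c) >= threshold]
    return [c.username for c in sorted(hits, key=bot_score, reverse=True)]

# Constructed sample rows, not real customers.
SAMPLE_CUSTOMERS = [
    Customer("OVaDMukYnGQhBl", "[email protected]", 0, True),
    Customer("xKqLmZpWvT", "[email protected]", 0, False),
    Customer("BrianSmith", "[email protected]", 3, False),
    Customer("janedoe", "[email protected]", 0, True),
]
```

Running flag_bot_accounts(SAMPLE_CUSTOMERS) returns the two random-letter accounts and leaves the real guest whose mail bounced once alone; tune the weights against your own export before deleting anything.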

Hi Bsmither, I need some more info please. I do not have the default Captcha enabled in store settings, but having continued to look into the fake account signups online, quite a few people suggest having the Captcha enabled.

My question is: at what part of the process does the Captcha present itself? Is it just for account signup?

As always many thanks,

Brian

The captcha code gets involved in the Registration page, checking out as a Guest, leaving a Ratings Comment on the product page, the Newsletter sign-up sidebox, and the Contact Us page. As of the CC628 Foundation skin, there is a popup box (admin enabled) that appears when moving away from the site, asking to sign up for the newsletter. This modal Exit box also has captcha involved.

Once a visitor has passed a captcha challenge for that session, there will be no more challenges.

Note: a customer being logged in has no bearing on captcha's involvement.

The Foundation skin has the Smarty template code to put in place the recaptcha JavaScript code, if enabled.

Other CC6-conforming skins should also have the Smarty template code.

Skins originally built for CC5 have Smarty code for an implementation of recaptcha available in CC5. reCaptcha requirements have changed since then.

I am using the galaxyx skin and CC6. In the skin templates folder there is a content.recaptcha.php file; the problem is there are no instructions as to any changes needed to this file in order for it to work. I think it is probably for an earlier version of Captcha, whereas I have retrieved a site and secret key for the Google invisible Captcha and do not know what changes to make to the file.

Brian

Archived

This topic is now archived and is closed to further replies.