violinman Posted January 6, 2020
Hi guys, I have received numerous attempted hacks via the customer password recovery page; they are always with a random email address and a user name made of random letters such as OVaDMukYnGQhBl. The only reason I know these are happening is because I get a "message could not be delivered" from my server, presumably from the random email address they use. Always different IPs, so they must be using a proxy. I did not even realise there is a password reset form available from the main index page! (1) How can I disable that password reset form? (2) Is there any way to select multiple customers to delete en bloc (all of the spoof attempts)? Much appreciated if you can help with this one. Brian
bsmither Posted January 6, 2020
Bots have a way of POSTing form data that does not require using a form. We can disable the Request Password Reset function, however. (Your legitimate customers will need to contact you to resolve their lost password problems.) For the Request Password Reset function to be successful, there must already be a customer account with that email address. I assume that is the case here. I have modded a store to allow for the bulk deletion of customers. Please send a PM with your email address.
violinman Posted January 6, 2020
I am quite happy to disable the password reset function; very few of my legitimate customers set up an account anyway, as it is almost always a one-off purchase. Please let me know the file and code section I need to change or comment out. I am not sure how it happens: the bot or hacker sets up a meaningless account and the first I know of it is when the password reset fails. I assume they would have needed to add an item to the cart in order to have the option of setting up an account? Many thanks, Brian
bsmither Posted January 6, 2020
CubeCart will register an account without the need for anything to be done first or afterwards. Curious to learn why attempts at password resets are part of the activity, though.

In /classes/user.class.php, near line 735, find:

public function passwordRequest($email) {

Change to:

public function passwordRequest($email) {
    return false; // Never perform this action!
violinman Posted January 6, 2020
Many thanks for all of your help. It is late evening here in the UK, so I will make the changes during the day tomorrow. You don't actually say in the mod txt file which file is the first of the two admin files that need to be edited; you just mention the second file? Brian
bsmither Posted January 6, 2020
Sorry. The admin skin template file customers.index.php.
violinman Posted January 10, 2020
Hi Bsmither, I have just got around to implementing the mod you sent me. The customer page now shows the tick boxes to select multiple customers, but when I delete the entries admin crashes out to a white screen. All of the changes were as you listed in the mod text file except for the very last alteration near line 350 in customers.index.inc.php. What I have and replaced was:

---------------------------------------------------------------------------------------------------------------------------

        $GLOBALS['main']->setACPNotify($lang['customer']['notify_customer_delete']);
      } else {
        $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_delete']);
      }
    } else {
      $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_delete_orders']);
    }
  } else {
    $GLOBALS['main']->setACPWarning($lang['customer']['error_customer_found']);
  }
  httpredir(currentPage(array('action', 'customer_id')));
}

Rather than:

        $GLOBALS['main']->successMessage($lang['customer']['notify_customer_delete']);
      } else {
        $GLOBALS['main']->errorMessage($lang['customer']['error_customer_delete']);
      }
    } else {
      $GLOBALS['main']->errorMessage($lang['customer']['error_customer_delete_orders']);
    }
  } else {
    $GLOBALS['main']->errorMessage($lang['customer']['error_customer_found']);
  }
  httpredir(currentPage(array('action', 'customer_id')));
}

Any suggestions please, Brian
bsmither Posted January 10, 2020
Please create the error log. Your CC6 is several versions older. The latest version uses a new function successMessage() that enhances the setACPNotify() function (and the warning message function). So, in the new code above, replace successMessage and errorMessage with setACPNotify and setACPWarning.
violinman Posted January 10, 2020
Many thanks. I am away from home at present; I will do it tomorrow morning and let you know how it goes. Brian
violinman Posted January 11, 2020
I made the change you recommended and it now works a treat, so many thanks for that. You said you were curious to learn why attempts at password resets are part of the activity. Actually, thinking about it, they are not. What happens in most cases is the bot generates a random customer, which also includes a random non-existent email address, so that when the program sends an email to the customer this fails and I get a copy of the failed email, which includes the password reset link. What I don't understand is where the bot sets up the customer account, unless it is within the cart, but there are never any orders shown for the bogus clients. Anyway, at least I can delete them now. I am in the process of setting up a WAF on my server, which should help. Brian
bsmither Posted January 11, 2020
This is how I see the bot operate: It requests the registration page. In the code for this page is the security token. A custom POST payload is constructed to include the security token. The POST is issued. I have never seen any follow-up, however. So I cannot guess what the ultimate goal is in doing this. I do not get a failed email delivery notice because CubeCart does not send an email when there is a new customer registered -- unless you have a plugin that does this.
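The fetch-the-form-then-POST sequence bsmither describes leaves a recognisable trace in the web server access log, so it can be picked out after the fact even when the store itself logs nothing. The following is an added example, not code from this thread or from CubeCart: it runs a heuristic over constructed Apache combined-format log lines and flags a registration POST that arrives within seconds of the form fetch, from an address with no prior browsing, or with no referer. It assumes the registration page is reached via index.php?_a=register and that the log is in the standard combined format; the sample traffic is made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 198.51.100.7 browses the shop before registering; the other two addresses
# fetch the registration form and submit it within a second, nothing else.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:09:14:02 +0000] "GET /index.php?_a=register HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jan/2020:09:14:03 +0000] "POST /index.php?_a=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2020:09:20:11 +0000] "GET /index.php HTTP/1.1" 200 20120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2020:09:21:40 +0000] "GET /index.php?_a=product&product_id=12 HTTP/1.1" 200 15011 "https://shop.example/index.php" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2020:09:25:05 +0000] "GET /index.php?_a=register HTTP/1.1" 200 18342 "https://shop.example/index.php" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2020:09:27:30 +0000] "POST /index.php?_a=register HTTP/1.1" 302 0 "https://shop.example/index.php?_a=register" "Mozilla/5.0"
192.0.2.55 - - [11/Jan/2020:10:02:00 +0000] "GET /index.php?_a=register HTTP/1.1" 200 18342 "-" "python-requests/2.22.0"
192.0.2.55 - - [11/Jan/2020:10:02:00 +0000] "POST /index.php?_a=register HTTP/1.1" 302 0 "-" "python-requests/2.22.0"
"""

# Assumption: the CubeCart registration page is index.php?_a=register.
REGISTER_MARKER = "_a=register"

# Apache combined format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Turn combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(ev)
    return events


def is_register(ev):
    return REGISTER_MARKER in ev["path"]


def find_scripted_registrations(log_text, max_gap_seconds=5.0, min_prior_requests=1):
    """Flag registration POSTs that look scripted; thresholds are assumptions to tune."""
    by_ip = defaultdict(list)
    for ev in parse_log(log_text):
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        last_get = None        # most recent fetch of the registration form
        prior_requests = 0     # requests from this IP before that fetch (browsing history)
        for i, ev in enumerate(events):
            if not is_register(ev):
                continue
            if ev["method"] == "GET":
                last_get = ev
                prior_requests = i
            elif ev["method"] == "POST":
                reasons = []
                if last_get is None:
                    reasons.append("form posted without ever being fetched")
                else:
                    gap = (ev["ts"] - last_get["ts"]).total_seconds()
                    if gap <= max_gap_seconds:
                        reasons.append(f"form submitted {gap:.0f}s after fetch")
                if prior_requests < min_prior_requests:
                    reasons.append("no browsing before registration")
                if ev["referer"] == "-":
                    reasons.append("no referer on the POST")
                if reasons:
                    findings.append({"ip": ip, "ua": ev["ua"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_scripted_registrations(SAMPLE_LOG):
        print(f["ip"], f["ua"], "->", "; ".join(f["reasons"]))
```

Each flagged entry carries the reasons it tripped, so a false positive (a fast human, or a privacy extension stripping the referer) is easy to recognise; a real run should combine this with the customer list, since the interesting IPs are the ones whose POST actually produced an account.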
keat Posted January 12, 2020
Is this the same bot which registers a name similar to this? RafaelVahHC, RafaelVahHC. This has been bugging me for a few years.
violinman Posted January 12, 2020
Well, I suppose similar in that the bot seems to generate a random set of letters in upper and lower case. I am setting up a WAF (Web Application Firewall) on my server to see if that blocks the bot; it will be live in two weeks' time. Brian
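The names in this thread (OVaDMukYnGQhBl, RafaelVahHC) share a shape that real names rarely have: capitals in the middle of a word, few vowels and long consonant runs. That shape can be scored so the bogus accounts are picked out of a customer export before the bulk deletion bsmither's mod provides. The following is an added example, not code from the thread or from CubeCart; the CSV columns (customer_id, first_name, last_name, email, orders) and the rows are constructed here, and the scoring thresholds are assumptions to be tuned against a real export.

```python
import csv
import io
import re

# Constructed customer export (not real data). The column set is an assumption
# about what an admin export of the customer list would contain.
SAMPLE_EXPORT = """\
customer_id,first_name,last_name,email,orders
101,Brian,Smith,[email protected],3
102,OVaDMukYnGQhBl,OVaDMukYnGQhBl,[email protected],0
103,Mary,O'Neil,[email protected],0
104,RafaelVahHC,RafaelVahHC,[email protected],0
105,Angus,McDonald,[email protected],1
"""

VOWELS = set("aeiou")


def random_name_score(name):
    """Score how machine-generated a single name field looks (0 = ordinary).

    Three assumed signals: capitals inside a word (the V, D, M in OVaDMukYnGQhBl),
    a very low vowel ratio, and a long run of consonants. Each word's first letter
    is exempt, so Mary O'Neil or McDonald do not trip the capitals check alone.
    """
    words = re.findall(r"[A-Za-z]+", name)
    if not words:
        return 0
    internal_caps = sum(1 for w in words for ch in w[1:] if ch.isupper())
    letters = "".join(words).lower()
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)

    score = min(internal_caps, 3)   # cap so one signal cannot dominate the others
    if vowel_ratio < 0.25:
        score += 1
    if longest_run >= 5:
        score += 1
    return score


def flag_bot_accounts(csv_text, min_score=2):
    """Return customer_ids whose first or last name scores at least min_score
    and who never placed an order: candidates for review and bulk deletion."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = max(random_name_score(row["first_name"]),
                    random_name_score(row["last_name"]))
        if score >= min_score and int(row["orders"]) == 0:
            flagged.append(int(row["customer_id"]))
    return flagged


if __name__ == "__main__":
    print("candidates for deletion:", flag_bot_accounts(SAMPLE_EXPORT))
```

The order count is part of the test on purpose: an account that has actually bought something is kept whatever its name looks like, and the name fields are scored separately so that an ordinary surname such as McDonald does not get pushed over the threshold by the letters of the first name.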
bsmither Posted January 12, 2020
Yes.
violinman Posted January 27, 2020
Hi Bsmither, I need some more info please. I do not have the default Captcha enabled in store settings, but having continued to look into the fake account signup online, quite a few people suggest having the Captcha enabled. My question is: at what part of the process does the Captcha present itself? Is it just for account signup? As always, many thanks, Brian
violinman Posted January 27, 2020
I have now added the Google Captcha (v2 invisible), so hopefully that will help. As asked in my previous post, I would be grateful to know which parts of the site it protects. Many thanks, Brian
bsmither Posted January 27, 2020
The captcha code gets involved in the Registration page, checking out as a Guest, leaving a Ratings Comment on the product page, the Newsletter sign-up sidebox, and the Contact Us page. As of CC628 Foundation skin, there is a popup box (admin enabled) that appears when moving away from the site, asking to sign up for the newsletter. This modal Exit box also has captcha involved. Once a visitor has passed a captcha challenge for that session, there will be no more challenges. Note: a customer being logged in has no bearing on captcha's involvement.
violinman Posted January 27, 2020
Thanks for your prompt response. I assume once I enable Captcha in store settings it will work? What I am asking is whether I need to make any changes in the code. Regards, Brian
bsmither Posted January 27, 2020
The Foundation skin has the Smarty template code to put in place the recaptcha javascript code - if enabled. Other CC6-conforming skins should also have the Smarty template code. Skins originally built for CC5 have Smarty code for an implementation of recaptcha available in CC5. reCaptcha requirements have changed since then.
violinman Posted January 28, 2020
I am using the galaxyx skin and CC6. In the skin templates folder there is a content.recaptcha.php file; the problem is there are no instructions as to any changes needed to this file in order for it to work. I think it is probably for an earlier version of Captcha, whereas I have retrieved a site and secret key for the Google invisible Captcha and do not know what changes to make to the file. Brian
keat Posted January 28, 2020
How did you get on with your WAF? I use CSF firewall, along with OWASP and Comodo Mod security, and was still seeing these. Not seen any for a month now though; maybe they went away :-)