Shopping Cart Software Forum for Ecommerce Templates
 SQL Injection Attack Order for $113,754.00

ITZAP
Ecommerce Template Guru

Australia
1018 Posts

Posted - 09/14/2017 :  17:43:23  
Hi ECT Support,

I am running the latest Ecommerce Plus PHP v6.8.0 and have received an Unauthorised PayPal order totaling $113,754.00.
The order contains dozens upon dozens of items, everything offered on the website multiple times.
Where Product Options are required, the details entered say stuff like:
quote:
Domain Name: 1' and (sleep(24)+1) limit 1 --
Which I believe indicates an automated SQL Injection Attack, according to this Wiki >>

Source IP was 212.237.42.159 located in Italy.

Anyway, is this exploit something to be overly concerned about, something you would like to take a closer look at ?

If not, I will just delete the order.

Regards,

Gary

Andy
ECT Moderator

95440 Posts

Posted - 09/14/2017 :  23:59:00  
Hi Gary

If they ever complete the order and you get $113,754.00 in your account, just remember who your friends are

Adding multiple items to cart doesn't really sound that serious but I'll pass on the details for you.

Andy

Please feel free to review / rate our software

Vince
Administrator

42874 Posts

Posted - 09/15/2017 :  01:45:27  
Hi Gary
This isn't showing that the SQL has been "injected" into the database but rather that it is just being escaped and so harmlessly accepted as text, in this case a domain name. There doesn't seem to be anything to worry about here and it just looks like kids trying a few things out.

Vince


Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

ITZAP
Ecommerce Template Guru

Australia
1018 Posts

Posted - 09/15/2017 :  03:07:54  
Thanks for that advice Vince.

Gary

dbdave
ECT Moderator

USA
10468 Posts

Posted - 01/19/2019 :  14:56:26  
For a few days now, a bot has been on our site and in one instance, an incomplete order came in, much like Gary's, with several hundred line items.
What is happening is the site slows to a crawl every few minutes, for about 45 seconds. I expect this is when the bot is loading items into a cart that has many, many line items.

I am working today to set up some code to limit the number of line items added to a cart and see if that helps, but if anyone has any suggestions, it would be appreciated.

Vince
Administrator

42874 Posts

Posted - 01/20/2019 :  03:08:37  
Hi Dave
In database terms a few hundred items is a drop in the ocean. I doubt that would affect anything in the way you describe. Could there be anything else going on in the site? Have you checked the CPU on the server to see if it is really your server and not the network that is slow?

Vince


dbdave
ECT Moderator

USA
10468 Posts

Posted - 01/20/2019 :  08:48:05  
I have an open ticket with Servelink.
I am pretty sure that once you have hundreds of line items in my cart, just about all of them with multiple option selections, that when adding additional items to the cart, there is a significant slowdown.
Unfortunately, when Servelink moved to the new servers, and a new version of Plesk, there are multiple tools that I am unable to access, so I am a bit limited as to what I can see. Specifically the database tables.

This morning, I see the same bot has made it to the last step of checkout again, and I should have pulled that first order to the admin and cancelled it, because it's the same order where this thing has continued to add items to the cart. It could be 500+ line items or more. It's ridiculous.

I have some code in testing, but I don't know if it will stop this thing. I use JavaScript to check how many line items are in the cart, and once my pre-set limit is reached, a modal window pops up with Google reCAPTCHA that forces the user to solve that before they can proceed. I am working on final touches, so maybe that will help.

Here is a transcript of the ticket -
quote:
ME
Today, quite a few times, we have had slowdowns where a requested page takes as long as 45 seconds (or more) to load.
Are you all experiencing issues?
I have noticed this "netsparker" bot attempting to fill out forms on the site earlier today, but I am not convinced that's the source of the slowdowns, so I thought I would ask.
Thanks,
David


SERVELINK -
No, no known issues. Server load is negligible, all parameters are green. Those bots are usually not only filling out forms but also dumping tens of thousands of complex database queries on your site, which can have negative effects on the ASP script engine and database processing. If you have one of those visitors then I would treat that as the primary culprit before looking elsewhere. Thanks.


MY RESPONSE -
Well, during the night there was an abandoned order with hundreds of line items. So when this thing adds to cart, they slow the site to a crawl until the new line item is added.
This afternoon, it seems to be happening again, so can you tell me if you have any ideas of a way to kick their ass off the site?


SERVELINK -
Is this the netsparker bot still? We already ban that by User-Agent, but it may well be that they now hide their true identity to avoid that type of simple block. Are there any other unique characteristics in the related log entries that might be used to craft another ban? Post a couple of associated log entries and we could look. IP based bans are probably a waste of energy.

Beyond that, the problem is that adding stuff to the cart is perfectly normal. Aside from all their sql injection, XSS attempts and so on, most of which is likely blocked, adding to cart isn't something that's likely to trigger any sort of bad behavior filter. Might be something ECT want to build in as a hidden parameter "more than 64 line items then destroy the session and abort the connection", that sort of thing.

You're not helping with this:

<requestLimits maxQueryString="10024" />

no need to allow such a long qs and just allow bigger and fancier sql injections. The default 512 bytes is enough for pretty much anyone, except when PayPal are being dumb and returning a lot of data in the qs in which case you might need 1536 bytes (heaven knows why they don't POST data instead of exposing it in this way). I have never seen a need for more than 2048 bytes.



MY RESPONSE -
I have downloaded a log file from yesterday and will check through it. The issue seems to be adding to cart after so many items are added; it drags the site to a crawl with each item added.
The directive in the web.config was to allow the shipping quote tool in the admin to work with large orders. I am not sure if that feature has been changed, but I probably set that way too high back then. I will adjust that and check it out.

I am guessing it's the netsparker because the cart from yesterday had the sample@email.tst email address, and I believe that's one associated with that bot.


SERVELINK -
I think that's Acunetix, but it's much the same thing and a monumental pain in the rear. While we block much of the malicious looking activity (you'll see lots of 403/404 responses given) I don't think there's a known way at present to kill it completely. IP blocking is pointless as it's an on-premise 'solution'. If it's reproducible then it could be worth seeing if ECT can optimize the relevant SQL query that causes the slowdown at all, as an alternative approach (if you can't stop the bot, then try and make the cart run more efficiently with hundreds of items in the cart). Thanks.
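Both Dave's JavaScript/reCAPTCHA idea and Servelink's "more than 64 line items then destroy the session" suggestion point at the same control, but a client-side check is skipped by any bot that posts straight to the add-to-cart URL, so the limit has to be enforced on the server. The following is an added example, not code from Ecommerce Templates or from anyone in this thread: a Python stand-in for the shop's server-side cart session that caps line items at a hypothetical 64 and also caps add-to-cart requests per sliding window, destroying the session when either limit is hit. The constants, the `CartSession` class and the `FakeClock` used to simulate a scripted visitor are all assumptions made for the demonstration.

```python
import time
from collections import deque

# Hypothetical limits for the demonstration (64 is the figure floated in the thread).
MAX_LINE_ITEMS = 64          # distinct line items a single cart may hold
MAX_ADDS_PER_WINDOW = 30     # add-to-cart requests allowed per sliding window
WINDOW_SECONDS = 60.0        # length of the sliding window


class CartAbuseError(Exception):
    """Raised when a session exceeds a cart limit; the caller should end the session."""


class CartSession:
    """Server-side cart state. A real shop would keep this in its session store;
    here it is an in-memory object so the check can be exercised offline."""

    def __init__(self, clock=time.monotonic):
        self.items = []            # accepted line items
        self.add_times = deque()   # timestamps of recent add-to-cart requests
        self.clock = clock         # injectable so tests can drive time deterministically
        self.destroyed = False

    def _evict_old_timestamps(self, now):
        # Drop request timestamps that have fallen outside the sliding window.
        while self.add_times and now - self.add_times[0] > WINDOW_SECONDS:
            self.add_times.popleft()

    def add_item(self, product_id, qty=1, options=None):
        """Add a line item, enforcing both the size cap and the request-rate cap.
        Returns the new line-item count, or raises CartAbuseError and wipes the cart."""
        if self.destroyed:
            raise CartAbuseError("session already destroyed")
        now = self.clock()
        self._evict_old_timestamps(now)
        too_fast = len(self.add_times) >= MAX_ADDS_PER_WINDOW
        too_big = len(self.items) >= MAX_LINE_ITEMS
        if too_fast or too_big:
            # Mirror Servelink's suggestion: destroy the session rather than
            # serving ever-slower pages to a cart that no shopper would build.
            self.destroyed = True
            self.items.clear()
            self.add_times.clear()
            reason = "rate limit" if too_fast else "line-item limit"
            raise CartAbuseError(f"cart {reason} exceeded; session destroyed")
        self.add_times.append(now)
        self.items.append({"product_id": product_id, "qty": qty, "options": options or {}})
        return len(self.items)


class FakeClock:
    """Constructed clock for simulation: each call returns a time `step` seconds
    after the previous one, so one add-to-cart request happens every `step` seconds."""

    def __init__(self, step):
        self.t = 0.0
        self.step = step

    def __call__(self):
        t = self.t
        self.t += self.step
        return t


def simulate_visitor(n_requests, seconds_between):
    """Replay a visitor adding a distinct product every `seconds_between` seconds.
    Returns how many line items were accepted before the session was destroyed."""
    cart = CartSession(clock=FakeClock(seconds_between))
    accepted = 0
    for i in range(n_requests):
        try:
            cart.add_item(f"SKU-{i}", options={"Domain Name": "example.com"})
            accepted += 1
        except CartAbuseError:
            break
    return accepted


if __name__ == "__main__":
    print("normal shopper, 5 items:", simulate_visitor(5, 30.0))      # 5
    print("slow bot, 500 items:", simulate_visitor(500, 10.0))        # stops at 64
    print("fast bot, 100 items:", simulate_visitor(100, 0.5))         # stops at 30
```

The two caps catch different behaviours: a bot that paces itself still runs into the line-item cap, while one that hammers the add-to-cart endpoint trips the rate cap long before the cart grows. Logging the `CartAbuseError` reason together with the request's IP and User-Agent gives the hosting provider the "unique characteristics" they asked for when crafting a ban.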


dbdave
ECT Moderator

USA
10468 Posts

Posted - 01/20/2019 :  08:56:52  
Vince, I never went back and checked that log file closely, it's really huge, so I think maybe I am off base with too many line items in the cart and this thing is just sending tons of requests.
It does look like this thing is loading products with text input options and in some cases, I see this sort of thing in the text inputs

if(now()=sysdate(),sleep(62.094),0)/*'XOR(if(now()=sysdate(),sleep(62.094),0))OR'"XOR(if(now()=sysdate(),sleep(62.094),0))OR"*/

another - -1); waitfor delay '0:0:93.141' --

another - (select convert(int,CHAR(65)))


Hopefully soon Servelink will work through the Plesk issues. I would love to get a look at my database tables.
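Vince's point earlier in the thread was that the option text was escaped and stored as plain text, so the `sleep(24)` in Gary's order never ran; the strings Dave lists above are the same kind of time-based and error-based probes. The block below is an added example, not Ecommerce Templates code, using Python and an in-memory SQLite database as a stand-in for the shop's MySQL/MSSQL: it stores the quoted probe strings through a parameterised query, confirms they come back verbatim with no delay, and then runs a small pattern classifier over the stored values so an administrator can flag orders of this kind in bulk. The sample values are the ones quoted in this thread plus one constructed normal domain name; the pattern list and function names are assumptions for the demonstration.

```python
import re
import sqlite3
import time

# Sample option-text values: the four probe strings quoted in this thread
# plus one constructed benign value for contrast.
SAMPLE_OPTION_VALUES = [
    "1' and (sleep(24)+1) limit 1 --",
    "if(now()=sysdate(),sleep(62.094),0)/*'XOR(if(now()=sysdate(),sleep(62.094),0))"
    "OR'\"XOR(if(now()=sysdate(),sleep(62.094),0))OR\"*/",
    "-1); waitfor delay '0:0:93.141' --",
    "(select convert(int,CHAR(65)))",
    "example.com",
]


def store_option_values(values):
    """Insert option text with a parameterised query (SQLite stand-in for the
    shop's database). The driver sends each value as data, never as SQL, so the
    probe strings are stored verbatim and nothing in them executes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE order_options (id INTEGER PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO order_options (value) VALUES (?)",
                     [(v,) for v in values])
    return [row[0] for row in conn.execute("SELECT value FROM order_options ORDER BY id")]


def timed_store(values):
    """Store the values and return (stored_values, elapsed_seconds). If any of the
    embedded sleep/waitfor calls had run, elapsed would be tens of seconds."""
    start = time.monotonic()
    stored = store_option_values(values)
    return stored, time.monotonic() - start


# Patterns typical of automated scanner probes. A match in stored option text or
# in request logs is a detection signal for triage, not proof that anything executed.
PROBE_PATTERNS = [
    (re.compile(r"\bsleep\s*\(", re.I), "mysql-time-delay"),
    (re.compile(r"\bwaitfor\s+delay\b", re.I), "mssql-time-delay"),
    (re.compile(r"\bpg_sleep\s*\(", re.I), "postgres-time-delay"),
    (re.compile(r"\bconvert\s*\(\s*int\b", re.I), "mssql-type-error"),
    (re.compile(r"(--|/\*)"), "sql-comment"),
]


def classify_option_value(value):
    """Return the labels of every probe pattern found in one text value."""
    return [label for pattern, label in PROBE_PATTERNS if pattern.search(value)]


def flag_suspicious(values):
    """Return (value, labels) for each value that matches at least one pattern,
    which is the list an admin would review before cancelling the order."""
    flagged = []
    for value in values:
        labels = classify_option_value(value)
        if labels:
            flagged.append((value, labels))
    return flagged


if __name__ == "__main__":
    stored, elapsed = timed_store(SAMPLE_OPTION_VALUES)
    print(f"stored {len(stored)} values in {elapsed:.3f}s (no delay ran)")
    for value, labels in flag_suspicious(stored):
        print(f"{labels}: {value[:60]}")
```

The escaped-and-stored behaviour is what Vince described, and the classifier gives a quick way to answer "is this order a scanner artefact?" across a batch of abandoned orders; it will not, on its own, tell you whether the site is slow because of the scanner's request volume, which is the separate question Servelink raised.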

Paradise
Ecommerce Template Guru

USA
1602 Posts


Posted - 01/20/2019 :  10:10:32  
My site was being super slow the other day when trying to edit products; it would take quite a while to load but instantly updated after hitting submit. I just checked again and it is still kind of sluggish. No bot orders ..... server issue?

Mark
Responsive Design Deals Ecomm Plus - ASP 6.8
www.paradiseclothingco.com

steven vaccaro
Ecommerce Template Guru

USA
1060 Posts

Posted - 02/04/2022 :  12:14:15  
Was there ever a resolution to this? It's happening again to me today.
Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com