Ok, I removed those pages and we changed the db password and user name.

Hi Steven
The latest update that went out addresses a security issue. From your logs I don't think this is being exploited on your site, but to be on the safe side, I would apply the latest updater.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

Thanks. We updated earlier today.

Im not sure if this has anything to do with it, but a ip from the UK left a bunch of code using the ratings system and I also noticed a different ip tried, but failed to login to the admin.

Hi Steven,
All that will get sanitized so there's nothing to worry about there. I would however clear them all away and add Google Recaptcha to the reviews.

Are your stock levels okay today or have they been compromised again?



* Database Migrations and Conversions*
* ASP to PHP Cart Conversions*
*Contact Us*
*Buy The PHP Capture Card Plugin*
*Rate Our Services/View Our Feedback*

Thanks Phil.

No changes to the inventory today. It happened a few times yesterday.
I've updated to 7.16, I guess I have to wait and see.
There is a recaptcha on the review form.

Ok, it happened again a few hours ago. Im in bind here. My web guy is at a loss. We have tried everything and its still happening.

Its happened again, within the last 2 hours. Where do I go from here this is crazy. I spoke to my hosting company and they
see no problems in the logs. So who do I hire to fix such a thing?

If you login to your FTP
Outside the root directory where the public_html directory resides there should be a file named .lastlogin, this contains the ip addresses and time stamps for cpanel logins.
Just have a look in there and see if there's anything untoward.

I'm sure the host will have looked in there though. Maybe the host can move the database to another server and see if that helps at all?

Apart from that, and without looking at your logs I can't help you any more. If you want me to take a look for you that's no problem, but if the host has looked properly there's obviously nothing obvious there.



* Database Migrations and Conversions*
* ASP to PHP Cart Conversions*
*Contact Us*
*Buy The PHP Capture Card Plugin*
*Rate Our Services/View Our Feedback*

Login file to cpanel looks good Phil.

I would appreciate the extra help. Ill send you an email.

Vince now knows about the problem I had and fixed it for me this weekend.
No more anonymous orders that will be crashing the site. Thanks for everyone's help!

Seems like the bot is back to hitting my sites cart to place orders. I need help asap because its causing havoc with inventory quantities.

If you are using the PHP version, make this modification to the vsadmin/inccart.php file. I use this trick on several sites without any problems. Just a reminder though, it is a modification to a core file which will be overwritten with updates. And you can change the redirect URL, but I think you will find the image funny.

Look for the below statement:
var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
if(!regex.test(frm.email.value)){
alert("<?php print jscheck($GLOBALS['xxValEm'])?>");
frm.email.focus();
return(false);
}

Replace it with this

var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
if(frm.email.value=="netsparker@example.com") {
window.location.href="https://ih1.redbubble.net/image.717939983.4497/flat,750x,075,f-pad,750x1000,f8f8f8.u6.jpg";
return(false);
}
else if(!regex.test(frm.email.value)){
alert("<?php print jscheck($GLOBALS['xxValEm'])?>");
frm.email.focus();
return(false);
}

This assumes it is always the same email. And being server side, disabling JavaScript will have no effect.

You can also do it going after the phone number.

Look for:
if(frm.phone.value=="") return(chkfocus(frm.phone,"<?php print jscheck($GLOBALS['xxPlsEntr'] . ' "' . $GLOBALS['xxPhone'])?>\"."));

Replace with

if(frm.phone.value=="5234534558") {
window.location.href="https://ih1.redbubble.net/image.717939983.4497/flat,750x,075,f-pad,750x1000,f8f8f8.u6.jpg";
return(false);
}
else if(frm.phone.value=="") return(chkfocus(frm.phone,"<?php print jscheck($GLOBALS['xxPlsEntr'] . ' "' . $GLOBALS['xxPhone'])?>\"."));


Marshall
CENLYT Productions - ms designs
Affordable Web Design
Custom Ecommerce Designs
Responsive Websites
Cenlyt.com

Marshall thats funny!!

Am not a coding person, so please bear with me.
I correct in thinking that this will only stop the netsparker@example.com bot?

Yes, it will only stop the designated email, or phone number if you use that option.

Marshall
CENLYT Productions - ms designs
Affordable Web Design
Custom Ecommerce Designs
Responsive Websites
Cenlyt.com

Marshall, interesting I searched that email and found another canceled bot order from 2 years ago. But there have been more from different emails.

This should work

if(frm.email.value=="netsparker@example.com" or "another email" or "another email") {

But I would double check with someone who is better versed in PHP than me.

Marshall
CENLYT Productions - ms designs
Affordable Web Design
Custom Ecommerce Designs
Responsive Websites
Cenlyt.com

A nslookup on the IP address goes to ip117.208-100-0.static.steadfastdns.net
A whois on steadfastdns.net shows the Registrar: Google LLC
Send a complaint email to the following Registrar Abuse Contact Email: registrar-abuse@google.com
Send a complaint email to steadfast: abuse@steadfast.net
In your firewall block 208.100.0.0/24 which are all from steadfast.
If you are still getting issues from other 208.100.x.x ip addresses then in your firewall block 208.100.0.0/18 which will block steadfast completely out.

John

John, thats great info and I'll go that.

But at this point it seems very important for the guys at Ecommerce to figure were the hole is in the software that's letting them in. We are all at risk.