Shopping Cart Software Forum for Ecommerce Templates
 
steven vaccaro
Ecommerce Template Guru

USA
1031 Posts

Posted - 02/04/2022 :  13:23:35  
I shut the site down in admin panel and a hacked order still got through

Marshall
Ecommerce Template Guru

USA
1899 Posts

Posted - 02/04/2022 :  16:50:28  
Steven,

I may be on a newer version of 7.4.6 as it has the verify email option. That said, what I have is this:

var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
chkfocus(!regex.test(frm.email.value),frm.email,"<?php print jscheck($GLOBALS['xxValEm'])?>");
<?php if(@$GLOBALS['verifyemail']){ ?>
chkfocus(!regex.test(frm.email2.value),frm.email2,"<?php print jscheck($GLOBALS['xxEmVerf'].'\n\n'.$GLOBALS['xxValEm'])?>");
chkfocus(frm.email.value!=frm.email2.value,frm.email2,"<?php print jscheck($GLOBALS['xxEmNoMa'])?>");
<?php }
} ?>

CHANGE TO

var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
// if the submitted address matches, send the browser to the image and abandon the form submission
if(frm.email.value=="sample@email.tst") {
window.location.href="https://ih1.redbubble.net/image.717939983.4497/flat,750x,075,f-pad,750x1000,f8f8f8.u6.jpg";
return(false);
}
// otherwise run the normal format check on the address
else chkfocus(!regex.test(frm.email.value),frm.email,"<?php print jscheck($GLOBALS['xxValEm'])?>");
<?php if(@$GLOBALS['verifyemail']){ ?>
chkfocus(!regex.test(frm.email2.value),frm.email2,"<?php print jscheck($GLOBALS['xxEmVerf'].'\n\n'.$GLOBALS['xxValEm'])?>");
chkfocus(frm.email.value!=frm.email2.value,frm.email2,"<?php print jscheck($GLOBALS['xxEmNoMa'])?>");
<?php }
} ?>

I HAVE NOT TESTED THIS! So I make no promises at this point. Make sure you have the most current version of 7.4.6 and back up the vsadmin/incart.php file. Let me know if it works.

I had the opportunity to test it and it works fine.

Marshall
CENLYT Productions - ms designs
Affordable Web Design
Custom Ecommerce Designs
Responsive Websites
Cenlyt.com

Edited by - Marshall on 02/05/2022 08:13:19
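The check in the post above runs only in the browser, so a bot that posts straight to the checkout script never executes it. As an added illustration (my example, not ECT code and not Marshall's), here is the same email rule enforced server-side in PHP; the field names, the function name and the blocked address list are assumptions:

```php
<?php
// Added example, not ECT code: the posted email rule enforced on the server,
// where a client that never loads the page cannot skip it.
// Assumptions: form fields are 'email' and 'email2'; the blocked list is site-specific.
declare(strict_types=1);

const BLOCKED_EMAILS = ['sample@email.tst'];            // address from the post above, as a placeholder
const EMAIL_REGEX    = '/^[^@]+@[^@]+\.[a-z]{2,}$/i';   // the posted regex, anchored at the start

/** Returns null when the submission is acceptable, otherwise a short reason code for the log. */
function validate_order_email(array $post, bool $verifyEmail): ?string
{
    $email  = trim((string)($post['email']  ?? ''));
    $email2 = trim((string)($post['email2'] ?? ''));

    if (!preg_match(EMAIL_REGEX, $email)) {
        return 'invalid-email';
    }
    foreach (BLOCKED_EMAILS as $blocked) {
        if (strcasecmp($email, $blocked) === 0) {
            return 'blocked-email';
        }
    }
    if ($verifyEmail && strcasecmp($email, $email2) !== 0) {
        return 'email-mismatch';
    }
    return null;
}

// Constructed submissions, shaped like what a direct POST to the checkout script would carry.
$samples = [
    ['email' => 'customer@example.com', 'email2' => 'customer@example.com'],   // accepted
    ['email' => 'sample@email.tst',     'email2' => 'sample@email.tst'],       // blocked-email
    ['email' => 'not-an-address',       'email2' => ''],                       // invalid-email
    ['email' => 'a@example.com',        'email2' => 'b@example.com'],          // email-mismatch
];
foreach ($samples as $s) {
    $reason = validate_order_email($s, true);
    if ($reason !== null) {
        // reject before any order record is written; reason and client IP go to the log
        error_log(sprintf('order rejected (%s) from %s', $reason, $_SERVER['REMOTE_ADDR'] ?? 'cli'));
    }
    echo $s['email'], ' => ', $reason ?? 'accepted', PHP_EOL;
}
```

The browser-side check in the post still gives shoppers immediate feedback; this is the part that actually stops an order from being recorded.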

kmkelso
Starting Member

USA
48 Posts

Posted - 08/12/2022 :  18:44:04  
Hi Guys,
We just got hit with this today also. It happened within less than 60 seconds after I turned off Cloudflare caching that I normally use for its benefits. I had to turn it off to verify a separate issue with a CORS access denial that I thought Cloudflare caching may be causing an interference with. As soon as I turned it off, I started getting deluged with emails arriving every second, of new stores being set up from a separate sub-product 'Store Locator' that I have on the site. It uses a separate database with its own admin area. Checking my ECT orders, I note I only got one order from netsparker before I turned Cloudflare back on. I also flagged the site with Cloudflare that it was under attack. Cloudflare forces a slight delay accessing the site by interjecting an interstitial delay for a few seconds that displays a message stating that it's checking to make sure the site is secure. This and re-enabling Cloudflare appear to be enough to stop the attack as it is working so far. It appears Vince's recently implemented security procedures may have worked on the one order from netsparker as only one got through, but it is flagged as Unauthorized.
I haven't implemented Marshall's idea yet, which, btw, I find really humorous. I could think of a few more choice derogatory jpgs to display instead, but we'll leave it at that :)
As a side note, unfortunately I have noticed recently from stats I get from Cloudflare that they had been blocking an order of magnitude more malicious attempts to attack the site from Russia than normal. We do have products we sell to military customers only and obviously those orders must be vetted first. I truly hope it's not that, but sadly, considering current world events...
We're on ECT 7.5.1 running with PHP 8.1 and have all security patches applied and up to date.

Best,
Karl
https://www.tek-tite.com

steven vaccaro
Ecommerce Template Guru

USA
1031 Posts

Posted - 08/13/2022 :  06:51:52  
Karl, have you seen some of the options in the IP blocking area of the admin?

kmkelso
Starting Member

USA
48 Posts

Posted - 08/13/2022 :  10:53:39  
Thanks Steven. Yes, I'm aware of ECT's IP blocking. The Dealer Locater app doesn't track IPs when stores are created. The store creation routine is through the admin entrance which is protected with a secure userid/password, and soon to be reCAPTCHA. However, the IP of the ECT order geolocates to a Microsoft ISP outside Washington, D.C. It's most likely an Azure VPN so the end culprit could originate anywhere. I don't think this bot came in through the front door. I'm not sure how it got in yet.

dbdave
ECT Moderator

USA
10385 Posts

Posted - 08/13/2022 :  11:37:44  
Search the Laguna street address and you will get your answers.
There is also this post - https://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID=109230

Thanks,
David

kmkelso
Starting Member

USA
48 Posts

Posted - 08/13/2022 :  11:52:34  
Thanks Dave. Yes it's very annoying. However, we also had a dramatic increase in page requests through Cloudflare yesterday that jumped from a 'normal' range of about 800 or so requests per hour, ramping up beginning at 4pm to over 26,200 per hour by 9pm. It stopped completely when I turned on Cloudflare's Under Attack mode.
In an 'I wish it was legit' moment, I would be thrilled if we really had that many legitimate hits per hour.

steven vaccaro
Ecommerce Template Guru

USA
1031 Posts

Posted - 08/13/2022 :  12:07:34  
Karl, not the IP blocking itself, but there are options in there to limit the number of transactions that can be placed and the number of items in the cart. This has weeded out this bot a few times for us. BUT it's also caught a couple of people who like to put large amounts in their cart until they figure out what they really want. Check it out.
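As an added illustration of the two admin limits Steven describes (my example in plain PHP, not ECT's implementation; the limit values, class name and in-memory storage are assumptions), a per-IP order throttle plus a cart-size ceiling, with the large-cart false positive he mentions visible in the sample run:

```php
<?php
// Added example, not ECT code: a sliding-window order counter per client IP
// and a total-quantity ceiling on the cart, the two controls described above.
// Assumptions: limits are made up for illustration; storage is an in-memory
// array here (a real site would keep it in the database or APCu).
declare(strict_types=1);

const MAX_ORDERS_PER_IP = 3;     // orders allowed from one IP inside the window
const WINDOW_SECONDS    = 3600;  // sliding window length
const MAX_CART_ITEMS    = 50;    // total quantity; too low and genuine bulk buyers get caught

final class OrderThrottle
{
    /** @var array<string, int[]> client IP => timestamps of accepted orders */
    private array $log = [];

    /** Returns null if the order may proceed, otherwise a reason code for the log. */
    public function check(string $ip, array $cart, int $now): ?string
    {
        $qty = array_sum(array_map('intval', array_column($cart, 'qty')));
        if ($qty > MAX_CART_ITEMS) {
            return 'cart-too-large';
        }
        // keep only timestamps still inside the window, then count them
        $recent = array_filter($this->log[$ip] ?? [], fn(int $t) => $t > $now - WINDOW_SECONDS);
        if (count($recent) >= MAX_ORDERS_PER_IP) {
            return 'too-many-orders';
        }
        $recent[] = $now;
        $this->log[$ip] = array_values($recent);
        return null;
    }
}

// Constructed traffic: one shopper with a big cart, and one IP firing an order every second.
$throttle = new OrderThrottle();
$now = 1660000000;
echo 'bulk buyer: ', $throttle->check('203.0.113.10', [['qty' => 40], ['qty' => 5]], $now) ?? 'ok', PHP_EOL;
echo 'oversized cart: ', $throttle->check('203.0.113.11', [['qty' => 60]], $now) ?? 'ok', PHP_EOL;
for ($i = 0; $i < 5; $i++) {
    // first three attempts pass, the fourth and fifth are refused
    echo "bot attempt $i: ", $throttle->check('198.51.100.7', [['qty' => 1]], $now + $i) ?? 'ok', PHP_EOL;
}
```

Tuning MAX_CART_ITEMS is the trade-off Steven describes: the bot's volume trips the per-IP limit, while the cart ceiling is what catches shoppers who park large quantities in the basket.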

steven vaccaro
Ecommerce Template Guru

USA
1031 Posts

Posted - 10/12/2023 :  13:27:40  
Marshall, I'd like to try this again. Can you help out with code for v7.6.3 and PHP 8.2.11?
Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com