René H4, posted October 12, 2018:
Hi, in my shop I receive a lot of fake account creations at the moment, around 20 a day. They look like: Loans For Bad Credit Loans For Bad Credit Paydayloan Direct Lender Loans PC RobertNus RobertNusIR Loans Online Loan Cash PC. Is there a way to get rid of these creations? It is quite annoying. Installed version: osCommerce Online Merchant v2.3.4.1. Regards, Rene
Jack_mcs, posted October 12, 2018:
This has come up a few times here but there isn't a good solution so far, since it is difficult to distinguish such an account from a legitimate one. If you can find some common characteristic, like "Loans" in the name, then you could block based on that.
bonbec, posted October 12, 2018:
Take a look in the server logs to see if all registrations are made from the same IP. If so, then block the IP in the .htaccess.
René H4, posted October 12, 2018:
Bonbec, I have started to record the IPs, but I am sure it will be a tremendous job to maintain that. I'd hoped that there would be a simple captcha for this problem that I could implement. Something like a question of which everybody knows the answer, which would then have to be typed in a box. If the answer is correct, the process of creation would continue.
René H4, posted October 12, 2018:
Just checked: these guys can just pass the .htaccess. So that does not help.
René H4, posted October 12, 2018:
4 hours ago, Jack_mcs said: This has come up a few times here but there isn't a good solution so far, since it is difficult to distinguish such an account from a legitimate one. If you can find some common characteristic, like "Loans" in the name, then you could block based on that.
Is there an easy way to block certain names that are used?
ArtcoInc, posted October 12, 2018:
You mean like this: (this was taken just now off of one of my live shops)
Jack_mcs, posted October 12, 2018:
42 minutes ago, honda4 said: Is there an easy way to block certain names that are used?
If you mean a common name, in the create_account.php file, find the line that reads $error = false and add this below it. Be sure to change the names used in the code.

    $error = false;
    if (strtolower($firstname) == 'bob' || strtolower($lastname) == 'hacker') {
      $error = true;
    }

If you mean to block them for each name, you would need to use the IP as Fred mentioned.
a123, posted October 12, 2018:
Comment out this line: https://github.com/osCommerce/oscommerce2/blob/de9e922377cbfd0678c9e4b9e8eb51123f3e230a/catalog/create_account.php#L249 and there will be no reason to attack with email bombs; then ask the developer to fix it. The best way is to use a unique account page instead of the well-known general page. GDPR rules could be a good choice.
Jack_mcs, posted October 13, 2018:
If the accounts are being created to send out spam emails, then a better approach would be to install the Honeypot addon. But I've seen this happen before and, as mentioned, there have been other threads on it here, and in those cases the accounts are being created many times by regular people, albeit hackers, as opposed to spammers. The reason is not clear but I suspect it is to give them more access to the database, or something like that.
puggybelle, posted October 13, 2018:
7 hours ago, ArtcoInc said: You mean like this:
My Admin looks just like yours every day! My question for you is: why aren't you deleting these fake accounts as they roll in? You've got fake accounts dating back for days or weeks in that screenshot of yours. I whack 'em as soon as I see them. Leaves me feeling that this software is a popular target for hackers. I never saw this, on this scale, in my old 2.2 shop which I had for over a decade. Heck, I even removed all Contact Us links in my site and renamed the file to... anything but contact_us.php. Didn't delete it, but... no one will ever guess what it is. And that was AFTER installing Honeypot Captcha! - Andrea
Jack_mcs, posted October 13, 2018:
Spammers have always tried to use forms to send emails. That's why the captcha-type code was created in the first place. But this creating of fake accounts is a relatively new thing (last few years), to my knowledge. They have always created such accounts but lately they do it much, much more when they start in on a site. And it isn't just osCommerce. There are many posts on the web about this for other platforms. As for deleting them, you may not have had too many and I don't know how many the OP had, but I had a client recently where new accounts were being added at about 30 per day. The shop owner couldn't keep up with the deletions. To be clear about what Honeypot does, it stops spammers from using scripts to submit emails. And if you have the settings to not allow emails and URLs, it will stop spammers from adding them manually. It won't stop anyone else since that would render the form useless.
René H4, posted October 13, 2018:
13 hours ago, Jack_mcs said: If you mean a common name, in the create_account.php file, find the line that reads $error = false and add this below it. Be sure to change the names used in the code.

    $error = false;
    if (strtolower($firstname) == 'bob' || strtolower($lastname) == 'hacker') {
      $error = true;
    }

If you mean to block them for each name, you would need to use the IP as Fred mentioned.
Nicely resolved!
Rwe, posted October 13, 2018:
The registration is commonly made by robots who look at the right form fields: firstname, lastname, email, etcetera. I had this problem too the last weeks, fake accounts exactly as mentioned earlier. I did the following to trick them:
1. In create_account.php duplicate the firstname input field (a plain HTML input field can do too) and place it before the original firstname field, add a class to the div and hide it (CSS display:none! do not use a style="").
2. Rename the original firstname field with a new name (name="newfirstname") and change:

    $firstname = tep_db_prepare_input($_POST['newfirstname']);

3. Make a rule to give an error when the form field firstname is being filled in by the robot and place it at the top somewhere between the other form check codes:

    if (!empty($_POST['firstname'])) {
      $error = true;
    }

Finished. I can see in the server logs that the robot has been trying but could not make an account. For now this is working for me. I hope I could help with this.
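The decoy-field trick from the post above, written out as an added example for this page (my code, not Rwe's and not shipped with osCommerce). The real first-name input is renamed so that a bot which fills every field it recognises also fills the decoy that is still called "firstname"; a human never sees the decoy because a stylesheet rule hides its wrapper by class (not an inline style="" and not type="hidden", both of which bots know to skip). The field name 'newfirstname', the class 'hp-wrap' and the helper names are my assumptions; tep_db_prepare_input() and tep_get_ip_address() are the osCommerce helpers the thread already uses.

```php
<?php
// Added example: honeypot helpers for create_account.php (not code from the thread or from osCommerce).
// Assumed names: 'newfirstname' (the renamed real field), 'hp-wrap' (the hidden wrapper class).

// Markup for the form, placed before the real first-name field. tabindex="-1" and
// autocomplete="off" keep keyboard users and browser autofill out of the decoy.
function honeypot_form_fields() {
  return '<div class="hp-wrap">'
       . '<label for="hp-firstname">Leave this field empty</label>'
       . '<input type="text" name="firstname" id="hp-firstname" tabindex="-1" autocomplete="off">'
       . '</div>'
       . '<div><label for="newfirstname">First name</label>'
       . '<input type="text" name="newfirstname" id="newfirstname" autocomplete="given-name"></div>';
}

// Goes in the site's stylesheet, not in the markup, so the hiding is not visible next to the field.
define('HONEYPOT_CSS', '.hp-wrap { display: none; }');

// Server-side check. Returns null when the submission looks human, otherwise a short reason.
function honeypot_error(array $post) {
  if (isset($post['firstname']) && trim((string)$post['firstname']) !== '') {
    return 'decoy field filled';          // a bot: reject, optionally log the IP for .htaccess
  }
  if (!isset($post['newfirstname']) || trim((string)$post['newfirstname']) === '') {
    return 'first name missing';          // the ordinary validation error a human can fix
  }
  return null;
}

// Wiring in create_account.php (steps 2 and 3 of the post above), placed with the other checks:
//   $firstname = tep_db_prepare_input($_POST['newfirstname']);
//   $hp = honeypot_error($_POST);
//   if ($hp !== null) {
//     $error = true;
//     if ($hp === 'decoy field filled') {
//       error_log('create_account honeypot hit from ' . tep_get_ip_address());
//     }
//   }

// Constructed sample submissions: one from a browser, one from a form-filling bot.
$humanPost = array('newfirstname' => 'Anna', 'lastname' => 'Smith', 'email_address' => 'anna@example.com');
$botPost   = array('firstname' => 'Loans For Bad Credit', 'newfirstname' => 'Loans For Bad Credit',
                   'lastname' => 'Loans For Bad Credit', 'email_address' => 'bot@example.com');

echo 'human: ' . var_export(honeypot_error($humanPost), true) . PHP_EOL;
echo 'bot:   ' . var_export(honeypot_error($botPost), true) . PHP_EOL;
```

Two caveats a practitioner should keep in mind: a bot that renders the page with a real browser engine, or that only fills fields it saw in an earlier visual crawl, will not touch the decoy, so this is a cheap filter rather than a guarantee; and once a field name such as 'newfirstname' is discussed publicly, bots can be taught it, so pick your own name and change it when hits stop.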
René H4, posted October 14, 2018:
On 10/12/2018 at 8:57 PM, Jack_mcs said: If you mean a common name, in the create_account.php file, find the line that reads $error = false and add this below it. Be sure to change the names used in the code.

    $error = false;
    if (strtolower($firstname) == 'bob' || strtolower($lastname) == 'hacker') {
      $error = true;
    }

If you mean to block them for each name, you would need to use the IP as Fred mentioned.
I have tried this, and changed the names to pay and loan. It works, but as soon as I try to create an account with the name pay1 or loan1 the account is still created. Apparently this is not the solution then.
Jack_mcs, posted October 14, 2018:
On 10/13/2018 at 6:19 AM, Rwe said: 1. In create_account.php duplicate the firstname input field (a plain HTML input field can do too) and place it before the original firstname field, add a class to the div and hide it (CSS display:none! do not use a style="").
That is the idea behind the Honeypot code. You may want to look at that addon since it checks other forms and can limit what is sent via the contact us page.
Jack_mcs, posted October 14, 2018:
7 hours ago, honda4 said: I have tried this, and changed the names to pay and loan. It works, but as soon as I try to create an account with the name pay1 or loan1 the account is still created.
That's because pay and pay1, as well as loan and loan1, are not the same. The following will catch all similar names. However, that means it will catch names like Payton, so you may end up blocking legitimate customers.

    $error = false;
    // stripos() is a case-insensitive substring match, so 'Payton' and 'PAY1' are both caught
    if (stripos($firstname, 'pay') !== false || stripos($lastname, 'loan') !== false) {
      $error = true;
    }
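An added example (my code, not Jack_mcs's and not part of osCommerce) that builds on the substring check above so that the "Payton" problem goes away: word-boundary patterns catch "Loans", "Loan Cash" and "Paydayloan" without touching "Payton" or "Sloane", and two weaker signals taken from the names in the first post ("Loans For Bad Credit Loans For Bad Credit", "RobertNus RobertNusIR") only block when they appear together. The pattern list, the weak signals and the two-signal threshold are my assumptions and should be tuned against your own admin list of fake accounts; the name_spam_reasons() helper and the hook comment are mine.

```php
<?php
// Added example: name filter for create_account.php (not code from the thread or from osCommerce).
// The patterns and thresholds below are assumptions to tune on your own fake-account list.

// Strong signals: a genuine customer's name does not contain these. \b keeps 'loan' from
// matching inside 'Sloane'; 'payday' and 'lender' are specific enough to match anywhere.
$STRONG_NAME_PATTERNS = array(
  '/\bloans?\b/i',
  '/payday/i',
  '/lender/i',
  '/\bcredit\b/i',
  '/https?:|www\./i',
);

// Returns the reasons a first/last name pair looks automated; an empty array means it passes.
// One strong signal blocks on its own; weak signals are plausible for a real person, so two are needed.
function name_spam_reasons($firstname, $lastname, array $strongPatterns) {
  $firstname = trim($firstname);
  $lastname  = trim($lastname);
  $full      = $firstname . ' ' . $lastname;
  $strong = array();
  $weak   = array();

  foreach ($strongPatterns as $re) {
    if (preg_match($re, $full)) {
      $strong[] = 'matches ' . $re;
    }
  }
  if ($firstname !== '' && strcasecmp($firstname, $lastname) === 0) {
    $weak[] = 'first and last name identical';
  }
  if (preg_match('/[0-9]/', $full)) {
    $weak[] = 'digit in name';
  }
  // "RobertNus" / "RobertNusIR": last name is the first name plus a suffix, or ends in a run of capitals.
  if ($firstname !== '' && strlen($lastname) > strlen($firstname) && stripos($lastname, $firstname) === 0) {
    $weak[] = 'last name is first name plus a suffix';
  }
  if (preg_match('/[a-z][A-Z]{2,}$/', $lastname)) {
    $weak[] = 'last name ends in a run of capitals';
  }

  if (count($strong) > 0 || count($weak) >= 2) {
    return array_merge($strong, $weak);
  }
  return array();
}

// Hook for create_account.php, below the $error = false line Jack_mcs pointed at:
//   $reasons = name_spam_reasons($firstname, $lastname, $STRONG_NAME_PATTERNS);
//   if (count($reasons) > 0) {
//     $error = true;
//     error_log('create_account blocked ' . tep_get_ip_address() . ': ' . implode('; ', $reasons));
//   }

// Constructed sample pairs: the first three are the kind reported in this thread and should be
// blocked; the last two are real-looking names that must pass ("Jo Jones" trips one weak signal only).
$samples = array(
  array('Loans For Bad Credit', 'Loans For Bad Credit'),
  array('Paydayloan', 'Direct Lender'),
  array('RobertNus', 'RobertNusIR'),
  array('Payton', 'Sloane'),
  array('Jo', 'Jones'),
);

foreach ($samples as $pair) {
  $reasons = name_spam_reasons($pair[0], $pair[1], $STRONG_NAME_PATTERNS);
  printf("%-22s %-22s %s\n", $pair[0], $pair[1], count($reasons) ? 'BLOCK: ' . implode('; ', $reasons) : 'ok');
}
```

Even with word boundaries a keyword list has false positives (Loan is a common Vietnamese given name, for instance), so log what the filter blocks rather than silently discarding it, and review the log before tightening the patterns further.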
burt, posted October 14, 2018:
Protect create_account.php with an Action Recorder module, perhaps allowing 1 sign-up per 96-hour period, and a captcha (or two): could be one Google captcha and a maths captcha. People should soon get bored of waiting 4 days. Bots should be stopped in their tracks.
Gyakutsuki, posted October 14, 2018:
The solution proposed by Burt is good. I have a customer who, in less than one night, received 80,000 emails. It's crazy. He had a numeric captcha but not a dynamic one (like 5+four). In this case, a quick test can be made. Now the account form has an action recorder, an invisible captcha and a dynamic numeric captcha. Problem resolved. The problem is that the bot or the hacker changes the IP every time. In this case the recorder is not enough. Where is the problem? I think the big problem comes when you hide the state; in this case it's simpler to fill in the field. With the state enabled, if you don't know a state, there is an error. If you decide to hide the states it's better to protect yourself. Regards, Loïc
René H4, posted October 15, 2018 (edited):
15 hours ago, burt said: Protect create_account.php with an Action Recorder module, perhaps allowing 1 sign-up per 96-hour period. People should soon get bored of waiting 4 days. Bots should be stopped in their tracks.
Nicely said (no offence), but where would I find such a module? It's not in the standard install? (By the way: I have added an .htaccess block on a few IP addresses. The creation of fake accounts has almost been eliminated for the moment.)
Gyakutsuki, posted October 15, 2018:
Action recorder is in the contact form and also needs a module. You can use this example and update your code. Regards, Loïc
René H4, posted October 15, 2018:
1 hour ago, Gyakutsuki said: Action recorder is in the contact form and also needs a module. You can use this example and update your code.
I am looking into this right now. But why reinvent the wheel if it already exists? 😉
René H4, posted October 15, 2018 (edited):
2 hours ago, Gyakutsuki said: Action recorder is in the contact form and also needs a module. You can use this example and update your code.
Is this just the script file and the language file that do the job, or is there more to it? If it's only these two, I can upload and test. Like ar_create_account.php (twice).
Gyakutsuki, posted October 15, 2018:
The contact form is your base to work from; afterwards you must update your account page accordingly. Regards, Loïc
René H4, posted October 15, 2018:
47 minutes ago, Gyakutsuki said: The contact form is your base to work from; afterwards you must update your account page accordingly.
Although you have the best intentions, this is not of much help, sorry. At this moment I have created: /httpdocs/includes/modules/action_recorder/ar_create_account.php and /httpdocs/includes/languages/mylanguage/modules/action_recorder/ar_create_account.php. I am able to install them in the modules section, but I am at the point where I have to integrate them into the create_account.php file. That is where it is getting a bit complex for a learner... 🙂
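burt's suggestion above (one sign-up per 96 hours through an Action Recorder module) and the question in this post about wiring such a module into create_account.php both need the same code, so here is one complete version as an added example written for this page: it is my code, modelled on the structure of the stock ar_contact_us module in osCommerce 2.3.4, not copied from the project and not the file the poster wrote. Everything named MODULE_ACTION_RECORDER_CREATE_ACCOUNT_* is my choice and has to match the language file (which must define the _TITLE and _DESCRIPTION constants); tep_db_query(), tep_db_input(), tep_db_fetch_array(), tep_get_ip_address(), the actionRecorder class, TABLE_ACTION_RECORDER, TABLE_CONFIGURATION, ERROR_ACTION_RECORDER and configuration group 6 are what the stock modules use in 2.3.4 and are assumed here rather than re-verified against a particular install.

```php
<?php
// includes/modules/action_recorder/ar_create_account.php
// Added example modelled on the stock ar_contact_us module; not shipped with osCommerce.
// MODULE_ACTION_RECORDER_CREATE_ACCOUNT_* are my constant names; the tep_* helpers, TABLE_*
// constants and the actionRecorder class are the osCommerce 2.3.4 ones (assumed, not re-verified).

  class ar_create_account {
    var $code;
    var $title;
    var $description;
    var $sort_order;
    var $enabled = false;
    var $minutes = 5760;   // 96 hours, burt's suggestion; used until the module is installed
    var $attempts = 1;

    function __construct() {
      $this->code = get_class($this);
      $this->title = MODULE_ACTION_RECORDER_CREATE_ACCOUNT_TITLE;
      $this->description = MODULE_ACTION_RECORDER_CREATE_ACCOUNT_DESCRIPTION;

      if (defined('MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES')) {
        $this->sort_order = MODULE_ACTION_RECORDER_CREATE_ACCOUNT_SORT_ORDER;
        $this->enabled = true;
        $this->minutes = (int)MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES;
        $this->attempts = (int)MODULE_ACTION_RECORDER_CREATE_ACCOUNT_ATTEMPTS;
      }
    }

    // True while this identifier (the client IP unless one is passed) has fewer than
    // $attempts successful sign-ups inside the last $minutes. Rejected attempts are stored
    // too (success = 0) but not counted, so repeated blocked submissions do not keep
    // extending the window.
    function canPerform($user_id, $user_name, $identifier = '') {
      if ($identifier == '') {
        $identifier = tep_get_ip_address();
      }

      $Qcheck = tep_db_query("select count(*) as total from " . TABLE_ACTION_RECORDER . " where module = '" . tep_db_input($this->code) . "' and identifier = '" . tep_db_input($identifier) . "' and date_added >= date_sub(now(), interval " . (int)$this->minutes . " minute) and success = 1");
      $Qcheck = tep_db_fetch_array($Qcheck);

      return ((int)$Qcheck['total'] < $this->attempts);
    }

    // Rows older than the window no longer influence canPerform(); drop them.
    function expireEntries() {
      tep_db_query("delete from " . TABLE_ACTION_RECORDER . " where module = '" . tep_db_input($this->code) . "' and date_added < date_sub(now(), interval " . (int)$this->minutes . " minute)");
    }

    function check() {
      return defined('MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES');
    }

    function install() {
      // title, key, default value, description (group 6 is the modules configuration group)
      $settings = array(
        array('Minutes', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES', '5760', 'Length of the window in minutes (5760 = 96 hours).'),
        array('Attempts', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_ATTEMPTS', '1', 'Sign-ups allowed per identifier inside the window.'),
        array('Sort Order', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_SORT_ORDER', '0', 'Sort order of display. Lowest is displayed first.'),
      );
      foreach ($settings as $s) {
        tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('" . tep_db_input($s[0]) . "', '" . $s[1] . "', '" . $s[2] . "', '" . tep_db_input($s[3]) . "', '6', '0', now())");
      }
    }

    function remove() {
      tep_db_query("delete from " . TABLE_CONFIGURATION . " where configuration_key in ('" . implode("', '", $this->keys()) . "')");
    }

    function keys() {
      return array('MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_ATTEMPTS', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_SORT_ORDER');
    }
  }

// Hook for create_account.php: after the existing field validation and just before the
// 'if ($error == false)' block that inserts the customer row. Same shape as the ar_contact_us
// call in contact_us.php. A rejected sign-up is recorded with success = 0 for the logs only.
//
//   if ($error == false) {
//     $actionRecorder = new actionRecorder('ar_create_account', null, $email_address);
//     if ($actionRecorder->canPerform()) {
//       $actionRecorder->record();
//     } else {
//       $error = true;
//       $actionRecorder->record(false);
//       $messageStack->add('create_account', sprintf(ERROR_ACTION_RECORDER, (int)MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES));
//     }
//   }
```

Install the module under Modules > Action Recorder in the admin before adding the hook, otherwise canPerform() runs with the hard-coded defaults. The limit is keyed on the client IP, which gives the two failure modes raised in this thread: a bot that rotates IPs (Gyakutsuki's case) passes each time, and several real customers behind one corporate or carrier NAT share a single 96-hour allowance, so raise Attempts if that is common for your shop and pair the recorder with a captcha or honeypot rather than relying on it alone.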