Demitry Posted January 15, 2019
I think an easy way to get around bot creation of fake accounts or abuse of the Tell A Friend page is to add a script that requires the user to approve the account or email-send action via a button sent to their email. This is an added step, but you could spin it as being designed to protect them (the customer). And a hacker or spammer is not going to use their own email account. This would not work for the Contact Us page, but if set up right, it will only execute the final account-submit or email-send action upon a human approval from the account of the email they used. It would likely require some A/B testing to see if an added step like this would have a significant negative impact on new account creations and Tell A Friend emails sent by real customers.
osCommerce: made for programmers, ...because store owners do not want to be programmers. https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce
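The "approve via a button sent to their email" flow in the post above, as an added example that is not osCommerce code or any contributed add-on. The pending store is an in-memory array standing in for a hypothetical customers_pending table, and the confirm.php URL is an assumption; the security-relevant parts are that nothing is written to the customers table until the link is clicked, that only a hash of the token is stored, and that the link is single-use and expires.

```php
<?php
// Added example, not osCommerce code: double opt-in for new accounts.
// Nothing is written to the customers table until the holder of the
// email address clicks a single-use link. Storage is an in-memory array
// standing in for a hypothetical `customers_pending` table, and the
// confirm.php URL is an assumption.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600;   // emailed links expire after one hour

final class PendingSignups
{
    /** @var array<string, array{email:string,expires:int,data:array}> keyed by sha256(token) */
    private array $pending = [];
    /** @var array<string, array> activated accounts keyed by email */
    private array $active = [];

    // Step 1: park the form data and return the raw token that goes in the email.
    public function register(string $email, array $formData): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, unguessable
        // Store only a hash: a leaked table cannot be replayed, and an attacker
        // has no preimage to mount a timing attack against the lookup.
        $this->pending[hash('sha256', $token)] = [
            'email'   => $email,
            'expires' => time() + TOKEN_TTL_SECONDS,
            'data'    => $formData,
        ];
        return $token;
    }

    // Step 2: the link to put in the mail body (hypothetical confirm.php).
    public function confirmationUrl(string $token): string
    {
        return 'https://shop.example/confirm.php?t=' . rawurlencode($token);
    }

    // Step 3: called from the link; creates the account only on a valid, fresh token.
    public function confirm(string $token): bool
    {
        $key = hash('sha256', $token);
        $row = $this->pending[$key] ?? null;
        if ($row === null) {
            return false;                        // unknown or already-used token
        }
        unset($this->pending[$key]);             // single use, even when expired
        if ($row['expires'] < time()) {
            return false;                        // stale link: the user signs up again
        }
        $this->active[$row['email']] = $row['data'];
        return true;
    }

    public function isActive(string $email): bool
    {
        return isset($this->active[$email]);
    }
}

// Constructed walk-through: one genuine signup and one forged token.
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("failed: $what");
    }
    echo "ok: $what\n";
}

$signups = new PendingSignups();
$token   = $signups->register('alice@example.com', ['firstname' => 'Alice']);
// ... send $signups->confirmationUrl($token) to alice@example.com here ...
expect(!$signups->isActive('alice@example.com'), 'nothing created before the click');
expect(!$signups->confirm(bin2hex(random_bytes(32))), 'guessed token is rejected');
expect($signups->confirm($token), 'real click activates the account');
expect(!$signups->confirm($token), 'link cannot be reused');
expect($signups->isActive('alice@example.com'), 'account now exists');
```

The same pattern covers Tell A Friend: park the outgoing message under a token instead of form data, and only send it from confirm(). A spammer who controls neither the mailbox nor the token never triggers the send.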
JcMagpie Posted January 15, 2019
10 hours ago, Snarg said: "Should I be worried?"
Remove them using phpMyAdmin directly in the db in the customers table; it will overcome this issue. I would imagine that the garbage they entered when making the account is causing issues.
mhsuffolk Posted January 15, 2019
I have "Tell a Friend" switched off in my shop. Can a fake account still do anything naughty?
Live shop Phoenix 1.0.8.4 on PHP 7.4. Working my way up the versions.
JcMagpie Posted January 15, 2019
Any input form on your site that accepts input from a user and stores it in your database is open to abuse. You just have to do what you can to secure each one. @Jack_mcs Honeypot lets you pick which pages to cover, so it should work for most issues. If it's some idiot sitting at a PC with time on their hands doing the spamming (and there are many doing this), then there is very little you can do to stop them. Blocking IPs works for a while, but they just move to another using VPNs! If it's bots, then the honeypot should catch most of them. They look at the code and when they find a form/input field they dump rubbish into it. Honeypots normally add a hidden (to the user) field to the page which the user will not see but the bots will, and they dump rubbish into it, which tells the honeypot that it's not a human and it can block that bot.
burt Posted January 15, 2019
14 hours ago, Snarg said: "When I select one of these fake accounts, I get a bunch of errors. Should I be worried?"
This error means that some of the customer data is missing from either the customers db table or the customers_info table. The customers_info table is more likely to have data missing.
MrPhil Posted January 15, 2019
4 hours ago, JcMagpie said: "If it's bots, then the honeypot should catch most of them. They look at the code and when they find a form/input field they dump rubbish into it. Honeypots normally add a hidden (to the user) field to the page which the user will not see but the bots will, and they dump rubbish into it, which tells the honeypot that it's not a human and it can block that bot."
Just be careful that if it's a blind person using a screen reader, they don't get blocked by your anti-bot measures. That could even be illegal. You might want to label the input field "anti-spambot measure, leave empty" or something like that, until the spammers wise up and catch on to it! (looking for "leave empty", "leave blank", "don't fill in", "for office use only", etc.) Then you might need to use JavaScript to scramble the label so bots can't see it without processing the JS (like email hiding can be done), but a screen reader can still speak it. Or maybe the prompt/label could say "enter 735 here:", where the number is randomly generated. It's a never-ending war...
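The honeypot field JcMagpie describes, combined with MrPhil's randomly generated "enter 735 here" prompt, as an added example. This is not the Honeypot add-on mentioned above nor osCommerce code; the field names, the session key and the page layout are assumptions. The trap field is labelled "leave this field empty" and also taken out of the screen-reader and tab order, so a blind visitor is never asked to fill it, while the visible number prompt is a normal labelled input that a screen reader speaks. The session is modelled as an array so the script runs outside a web server.

```php
<?php
// Added example, not osCommerce or any contributed add-on: a honeypot
// field plus a random-number prompt, written so a screen-reader user is
// not trapped. Field names and the session key are assumptions.
declare(strict_types=1);

const HONEYPOT_FIELD  = 'website_url';      // looks attractive to a form-filling bot
const CHALLENGE_FIELD = 'confirm_number';
const SESSION_KEY     = 'form_challenge';

// Render the anti-bot fields and remember the expected answer in the session.
// The trap is hidden with CSS rather than type="hidden": bots commonly skip
// hidden inputs but fill every text input they find.
function renderAntiBotFields(array &$session): string
{
    $number = random_int(100, 999);
    $session[SESSION_KEY] = ['number' => $number, 'issued' => time()];

    $hp = htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES, 'UTF-8');
    $ch = htmlspecialchars(CHALLENGE_FIELD, ENT_QUOTES, 'UTF-8');

    return
        // aria-hidden and tabindex=-1 keep the trap out of the screen-reader
        // and keyboard order; the label is a second safety net if it is read.
        "<div style=\"position:absolute;left:-9999px\" aria-hidden=\"true\">"
        . "<label for=\"$hp\">Leave this field empty</label>"
        . "<input type=\"text\" id=\"$hp\" name=\"$hp\" tabindex=\"-1\" autocomplete=\"off\"></div>"
        // the visible prompt is labelled normally, so a screen reader speaks it
        . "<label for=\"$ch\">Please type the number $number here:</label>"
        . "<input type=\"text\" id=\"$ch\" name=\"$ch\" inputmode=\"numeric\" required>";
}

// Validate a submission. Returns null when it looks human, otherwise the reason.
function antiBotReject(array $post, array &$session, int $maxAgeSeconds = 1800): ?string
{
    if (($post[HONEYPOT_FIELD] ?? '') !== '') {
        return 'honeypot filled';
    }
    $challenge = $session[SESSION_KEY] ?? null;
    unset($session[SESSION_KEY]);                 // one submission per issued number
    if ($challenge === null) {
        return 'no challenge issued';             // form was never rendered in this session
    }
    if (time() - $challenge['issued'] > $maxAgeSeconds) {
        return 'challenge expired';
    }
    $answer = trim((string) ($post[CHALLENGE_FIELD] ?? ''));
    if (!hash_equals((string) $challenge['number'], $answer)) {
        return 'wrong number';
    }
    return null;
}

// Constructed demo: a human answers the visible prompt, a bot fills every field,
// and a replay reuses a challenge that was already consumed.
$session = [];
$html    = renderAntiBotFields($session);
$issued  = (string) $session[SESSION_KEY]['number'];

$human = [CHALLENGE_FIELD => $issued];
$bot   = [HONEYPOT_FIELD => 'http://spam.example', CHALLENGE_FIELD => $issued];

$s = $session;
echo 'human:  ', antiBotReject($human, $s) ?? 'accepted', "\n";   // accepted
echo 'replay: ', antiBotReject($human, $s) ?? 'accepted', "\n";   // no challenge issued
$s = $session;
echo 'bot:    ', antiBotReject($bot, $s) ?? 'accepted', "\n";     // honeypot filled
```

As the post says, a bot that renders the page and reads the label can still answer the number prompt; the honeypot and the single-use, time-limited challenge raise the cost for the cheap, form-scraping bots that make up most of the traffic, and degrade gracefully for assistive technology.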
MrPhil Posted January 15, 2019
3 hours ago, burt said: "This error means that some of the customer data is missing from either the customers db table or the customers_info table. The customers_info table is more likely to have data missing."
If simply missing data will blow up osC, that's a code error. I'm guessing that this is a very old (2.3.4) version of osC, and it might have been fixed in Frozen.
Snarg Posted January 15, 2019 (Author)
12 hours ago, MrPhil said: "I presume that's the "official" osC 2.3.4? I'm not sure it will properly run at PHP 5.6. The community-supported osC 2.3.4.1BS "Frozen" (see link in my signature) will go to at least PHP 7.1, so you should strongly consider upgrading your shop. As for why only "fake" accounts exhibit this behavior, I have never heard of this behavior. I suppose it's somewhat possible that there is some fishy data stored with these accounts, but offhand I can't think of what it could be. Maybe you could go into phpMyAdmin and take a look at one of these problem-causing fake accounts, and compare them with a normal real account, and see if there is anything in the customer data that looks like a script (HTML tags) or something else odd. Are you sure it's only fake accounts, or are those the only ones you tried this operation on? This is only selecting the account, and you haven't pressed Delete yet?"
burt installed my shop a while ago, I think it is, BE'? How can I get the exact version? I only get those errors from fake accounts. I have brought up the customers table in phpMyAdmin and examined the cells. Nothing, other than the bizarre names, seems amiss. I'll attach some screenshots of what I see. I have not tried deleting one of the accounts yet.
Snarg Posted January 15, 2019 (Author)
4 hours ago, burt said: "This error means that some of the customer data is missing from either the customers db table or the customers_info table. The customers_info table is more likely to have data missing."
Does this look normal?
Snarg Posted January 15, 2019 (Author)
Oh, also, I have Tell a Friend disabled. It has been for a long time now.
JcMagpie Posted January 15, 2019
That data looks fine. I would simply back up your database and then delete one of the bad accounts. Log back in and check if all is well, then simply remove the others. Compare it to stock data.
Snarg Posted January 15, 2019 (Author)
2 minutes ago, JcMagpie said: "That data looks fine. I would simply back up your database and then delete one of the bad accounts. Log back in and check if all is well, then simply remove the others. Compare it to stock data."
Delete it from the customers table and customers_info?
JcMagpie Posted January 15, 2019
No, all you need to do is delete from the customers table.
JcMagpie Posted January 15, 2019
OK, it's odd, but it looks like the fake accounts have no DOB set! Have you checked?
JcMagpie Posted January 15, 2019
I'm not sure they are fake accounts! You'd better check first! Looking at some of the emails used, I would say it looks like your database has been compromised and some data overwritten.
Snarg Posted January 15, 2019 (Author)
5 minutes ago, JcMagpie said: "OK, it's odd, but it looks like the fake accounts have no DOB set! Have you checked?"
I don't require a DOB for my store.
JcMagpie Posted January 15, 2019
OK, that would explain that 😂
JcMagpie Posted January 15, 2019
57 minutes ago, Snarg said: "I think it is, BE'? How can I get the exact version?"
That's not relevant if you're using CE, as they all say 2.3.4.1! But if you go to admin/tools/version checker it will show you something like this:
JcMagpie Posted January 15, 2019
Looking at the error codes you get, which would point to an issue in the data that is being merged, possibly IDs not matching up?
Snarg Posted January 15, 2019 (Author)
29 minutes ago, JcMagpie said: "That's not relevant if you're using CE, as they all say 2.3.4.1! But if you go to admin/tools/version checker it will show you something like this:"
I am fairly certain my version is 2.3.4 BS. Burt can confirm it. Side note, I'm surprised it's not easier to tell what version you have.
JcMagpie Posted January 15, 2019
8 minutes ago, Snarg said: "Side note, I'm surprised it's not easier to tell what version you have."
😊 It is what it is. I did a few checks on my test site and I was unable to reproduce the error you have by simply removing data from the customers or customers_info tables or changing it. The only way I was able to break customer delete was by changing a customer id so it did not match that in customers_info, but all that did was stop that customer from being selected. So I would say something else is going on with your db.
Snarg Posted January 15, 2019 (Author)
To add to the strangeness, I cannot delete these fake accounts through the Admin CP. I get a bunch of errors and the accounts don't go away. I can, however, delete them via phpMyAdmin. This *ONLY* happens with fake accounts. Normal accounts are not affected. This leads me to believe that it is not an error with my site but, rather, that some type of odd hacking attempt is going on.
JcMagpie Posted January 15, 2019
1 hour ago, Snarg said: "type of odd hacking attempt is going on."
I think that could be the case, as I cannot reproduce your error by removing data from a test account. You should take one or two of the emails and see if they are linked to any orders! As I said, the emails look valid but the names are gibberish, as if they have been overwritten by a script. I would also run a virus scan on your db and site.
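The checks the thread converges on, as one added example that is not osCommerce code: burt's point that the admin page fails when a customers row has no matching customers_info row (customers_info.customers_info_id holds the customers_id), JcMagpie's advice to see whether the suspicious emails are linked to orders before deleting anything, and the question of which tables to delete from. It runs against an in-memory SQLite copy of a small column subset of the customers, customers_info, address_book and orders tables with constructed rows; the real tables have many more columns, and the stock admin delete also cleans basket and whos_online rows that are left out here.

```php
<?php
// Added example, not osCommerce code: rebuild the customers / customers_info
// relationship in an in-memory SQLite database with constructed rows, list
// the customers the admin join cannot handle, check whether a suspicious
// account is tied to real orders, and delete only when it is not. The column
// subset, the sample rows and the list of child tables are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$db->exec('CREATE TABLE customers (customers_id INTEGER PRIMARY KEY, customers_firstname TEXT,
           customers_lastname TEXT, customers_email_address TEXT)');
$db->exec('CREATE TABLE customers_info (customers_info_id INTEGER PRIMARY KEY,
           customers_info_date_account_created TEXT)');
$db->exec('CREATE TABLE address_book (address_book_id INTEGER PRIMARY KEY, customers_id INTEGER)');
$db->exec('CREATE TABLE orders (orders_id INTEGER PRIMARY KEY, customers_id INTEGER,
           customers_email_address TEXT)');

// Constructed data: 1 is a normal customer with an order; 2 has gibberish names
// and no customers_info row (the situation burt describes); 3 has gibberish
// names but a real order behind it, so it must not be deleted blindly.
$db->exec("INSERT INTO customers VALUES (1,'Alice','Smith','alice@example.com'),
           (2,'qwxzpt','mnbvcx','kjhg@example.net'), (3,'zzzz','yyyy','real.person@example.org')");
$db->exec("INSERT INTO customers_info VALUES (1,'2018-03-01'), (3,'2019-01-10')");
$db->exec("INSERT INTO address_book VALUES (10,1), (11,2), (12,3)");
$db->exec("INSERT INTO orders VALUES (500,1,'alice@example.com'), (501,3,'real.person@example.org')");

// 1. Customers with no matching customers_info row: the half-records the
//    admin customer list trips over.
function orphanedCustomers(PDO $db): array
{
    $sql = 'SELECT c.customers_id, c.customers_email_address
              FROM customers c
              LEFT JOIN customers_info ci ON ci.customers_info_id = c.customers_id
             WHERE ci.customers_info_id IS NULL';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Is this account tied to real orders, either by id or by email address?
function orderCount(PDO $db, int $customersId, string $email): int
{
    $st = $db->prepare('SELECT COUNT(*) FROM orders WHERE customers_id = ? OR customers_email_address = ?');
    $st->execute([$customersId, $email]);
    return (int) $st->fetchColumn();
}

// 3. Delete only when there are no orders, inside one transaction, and take the
//    child rows with it so no new half-records are created.
function deleteCustomerIfNoOrders(PDO $db, int $customersId, string $email): bool
{
    if (orderCount($db, $customersId, $email) > 0) {
        return false;                                   // keep it and investigate instead
    }
    $db->beginTransaction();
    try {
        foreach (['DELETE FROM address_book WHERE customers_id = ?',
                  'DELETE FROM customers_info WHERE customers_info_id = ?',
                  'DELETE FROM customers WHERE customers_id = ?'] as $sql) {
            $db->prepare($sql)->execute([$customersId]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return true;
}

foreach (orphanedCustomers($db) as $row) {
    echo "no customers_info row: id {$row['customers_id']} {$row['customers_email_address']}\n";
}
var_dump(deleteCustomerIfNoOrders($db, 3, 'real.person@example.org'));  // false: has an order
var_dump(deleteCustomerIfNoOrders($db, 2, 'kjhg@example.net'));          // true: removed
var_dump(count(orphanedCustomers($db)));                                 // int(0)
```

Run the first query against a backup of the live database before touching phpMyAdmin: a non-empty result with gibberish names and no orders matches bot signups that failed half-way, while gibberish names on accounts that do have orders is the overwritten-data case JcMagpie raises and is worth treating as an incident rather than a cleanup.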
burt Posted January 16, 2019
18 hours ago, MrPhil said: "If simply missing data will blow up osC, that's a code error. I'm guessing that this is a very old (2.3.4) version of osC, and it might have been fixed in Frozen."
When joining two tables, if one side is broken, any software would react similarly.
burt Posted January 16, 2019
18 hours ago, Snarg said: "burt installed my shop a while ago, I think it is, BE'? How can I get the exact version?"
You are somewhere between Gold and Frozen.