
Unusual order activity



Ok… 

The custom field “solution” is no longer working.

We are getting new registrations again even with a mandatory custom field in the order form.

My guess is that these spammers are looking at this page since it’s public and bypassing all solutions here. Is there a way to turn this post private or something similar?

@WHMCS John is there any ETA for hCaptcha or Turnstile, even as a patch, to see if we can solve this permanently?


The custom field “solution” is no longer working.

Yes, agreed. We implemented the custom field "fix" on the 6th of July, and had no spam registrations up to 9 hours ago. Today we have around 20 new ones. So the custom field "fix" only worked for around 3 weeks. Back to square one.

Annoyingly, these orders are also bumping our WHMCS license count past the next threshold and we have to contact WHMCS to reduce it manually. They automatically bump it up to get more money, but you have to ask them to bring it down again. Not really user-friendly when you are a victim of fraud.

Edited by Vander Host

  On 7/26/2024 at 7:24 PM, WHMCS John said:

Rate limiting based on IP may be of some limited benefit in situations like this. However as the discussion in this thread does point to the actions originating from a range of addresses, it might not be a panacea.

I didn't locate a request to rate limit orders or credit card attempts, so I invite you to submit that so we can start tracking demand: https://requests.whmcs.com


This won't help, as every order comes from a different IP, which is why IP blocking is not working.


It seems problems like this could be mostly avoided if the email verification actually worked.

Currently it does nothing; most customers just ignore it.

New customers should be INACTIVE until they have verified their email address, and if they do not verify within x days, then the account gets auto deleted.
Being inactive until verified would also solve the issue with WHMCS auto increasing your licence fee for fraudulent registrations as well.


  On 8/2/2024 at 5:29 AM, bnb said:

Ok… 

The custom field “solution” is no longer working.

We are getting new registrations again even with a mandatory custom field in the order form.

My guess is that these spammers are looking at this page since it’s public and bypassing all solutions here. Is there a way to turn this post private or something similar?

@WHMCS John is there any ETA for hCaptcha or Turnstile, even as a patch, to see if we can solve this permanently?


Same... presumably everyone is using the exact same custom field with the same question/answer...

I have changed the custom field to a different question/answer, which I hope will stop them for a while.


  On 7/7/2024 at 3:49 AM, chrismfz said:

Assuming this won't continue for ever.... weeks or months, we implement this:

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Check if the User-Agent matches
    RewriteCond %{HTTP_USER_AGENT} "Mozilla/5.0 \(Windows NT 10.0; Win64; x64; rv:127.0\) Gecko/20100101 Firefox/127.0"

    # Check if the request method is POST
    RewriteCond %{REQUEST_METHOD} POST

    # Check if the URL is register.php
    RewriteCond %{REQUEST_URI} register.php$

    # Deny access by returning a 403 Forbidden status
    RewriteRule .* - [F]
</IfModule>

 

The agent is always the same, so we block it on web server layer. 

Hope it helps.


This is the only thing that worked for us. Not had a fake signup since implementing it. 

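The pattern reported in this thread (a different IP for every order, but one constant User-Agent) can be checked against your own access log before relying on a block rule. The following is an added example, not code from any poster or from WHMCS; the log lines are constructed, and the Apache "combined" log format and both thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed Apache "combined" format:
# ip - user [time] "METHOD path proto" status size "referer" "user-agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def signup_posts(lines, endpoint="/register.php"):
    """Yield (ip, user_agent) for each POST whose path, minus query string, ends with endpoint."""
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0].endswith(endpoint):
            yield m["ip"], m["ua"]

def analyse(lines, per_ip_limit=3, min_distinct_ips=5):
    """Compare a per-IP rate limit with User-Agent clustering on the same traffic.

    Both thresholds are illustrative assumptions, not values from the thread.
    """
    per_ip = defaultdict(int)   # signup POSTs per source address
    per_ua = defaultdict(set)   # distinct source addresses per User-Agent
    for ip, ua in signup_posts(lines):
        per_ip[ip] += 1
        per_ua[ua].add(ip)
    rate_limited = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    suspect_uas = {ua: len(ips) for ua, ips in per_ua.items() if len(ips) >= min_distinct_ips}
    return rate_limited, suspect_uas

# User-Agent string quoted in the thread; everything else below is constructed sample data.
BOT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0"

def _line(ip, method, path, ua):
    return f'{ip} - - [02/Aug/2024:05:00:00 +0000] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", "POST", "/register.php", BOT_UA) for i in range(1, 9)]
    + [_line("198.51.100.7", "POST", "/register.php", "Mozilla/5.0 (X11; Linux x86_64) Chrome/126.0")]
    + [_line("198.51.100.7", "GET", "/register.php", BOT_UA)]     # page view, not a signup
    + [_line("198.51.100.9", "POST", "/cart.php?a=add", BOT_UA)]  # different endpoint
)

if __name__ == "__main__":
    limited, suspects = analyse(SAMPLE_LOG)
    print("IPs over the per-IP limit:", limited)
    for ua, n in suspects.items():
        print(f"{n} distinct IPs share this User-Agent: {ua}")
```

On the sample data the per-IP limit flags nothing, while the User-Agent grouping isolates the eight signups. The string is also what a genuine Firefox 127 on Windows sends, so check how many real customers share it before blocking on it.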

  On 8/2/2024 at 4:26 PM, snake said:

This didn't work for me.

I have however found this addon, which seems like it will solve the issue, since they use fake email addresses.

 

https://marketplace.whmcs.com/product/6953-email-verifier


I tried a similar add-on, but the bots are still able to circumvent the verification and continue to make spam orders.


  On 8/3/2024 at 6:31 PM, snake said:

Have you actually changed the custom field to a different question/answer as I suggested above?


Sorry, I missed the "change" part. I think the bots will soon figure that change out too, just as they learn to get past the previous custom field and verification checks. WHMCS has got to sort the spam handling out in a better way.


I can't help but wonder why they're expending this sort of energy when it's not getting them a hosting account/domain or anything of actual value. I'd consider there's another value in it, that perhaps it's being manipulated into sending spam in some way, or just phishing for exploits (if that were the case, they could just grab a pirated version and use that to check for that possibility).

What's in it for them? If it was one attempt over many installs, fishing for exploits maybe. 
One install with many attempts, which also include manual intervention to manage the Q&A kludge, that's a concerted effort on each installation, too much for simple nuisance activity.
Something more is going on here. 


  On 8/3/2024 at 8:55 PM, bear said:

I can't help but wonder why they're expending this sort of energy when it's not getting them a hosting account/domain or anything of actual value. I'd consider there's another value in it, that perhaps it's being manipulated into sending spam in some way, or just phishing for exploits (if that were the case, they could just grab a pirated version and use that to check for that possibility).

What's in it for them? If it was one attempt over many installs, fishing for exploits maybe. 
One install with many attempts, which also include manual intervention to manage the Q&A kludge, that's a concerted effort on each installation, too much for simple nuisance activity.
Something more is going on here. 


Absolutely 💯 


  On 8/3/2024 at 6:39 PM, Mandalorian said:

Sorry, I missed the "change" part. I think the bots will soon figure that change out too, just as they learn to get past the previous custom field and verification checks. WHMCS has got to sort the spam handling out in a better way.


If you're not using the exact same custom field as everyone else and change it regularly then you will keep them at bay until there


  On 8/3/2024 at 8:55 PM, bear said:

I can't help but wonder why they're expending this sort of energy when it's not getting them a hosting account/domain or anything of actual value. I'd consider there's another value in it, that perhaps it's being manipulated into sending spam in some way, or just phishing for exploits (if that were the case, they could just grab a pirated version and use that to check for that possibility).

What's in it for them? If it was one attempt over many installs, fishing for exploits maybe. 
One install with many attempts, which also include manual intervention to manage the Q&A kludge, that's a concerted effort on each installation, too much for simple nuisance activity.
Something more is going on here. 


Someone is likely paying some crappy * center in India to do this, and they are just hitting the same sites over and over again.


I agree that something more is going on. The password reset attempts after registration are concerning, but I also noticed this..

I have two WHMCS installs (two brands). Brand A allows registrations without orders. Overnight it got about 15 registrations. Brand B doesn’t - so each registration is accompanied by an order for a random domain.

I changed the config on Brand A this morning to match Brand B and within 10 minutes I had another fake order. So whatever is doing the orders is adaptive. 

[Image: whmcssetting.png]

 

Edited by slim
corrected image

Hi,

We've been experiencing similar issues since July, but things have worsened in August. We're getting around 50 signups a day, and even when we pause signups, we're still receiving fake orders continuously.

It definitely seems like there might be some suspicious bots trying to exploit the WHMCS code or something similar.


  On 8/2/2024 at 2:55 PM, snake said:

It seems problems like this could be mostly avoided if the email verification actually worked.

Currently it does nothing; most customers just ignore it.

New customers should be INACTIVE until they have verified their email address, and if they do not verify within x days, then the account gets auto deleted.
Being inactive until verified would also solve the issue with WHMCS auto increasing your licence fee for fraudulent registrations as well.


Agree that this is the priority fix. Captcha isn't a one-step fix as it can be bypassed. IP blocking... it comes from different IPs. What we need is forced actual email verification. In order to join this community, I had to verify my email address and have my first posts manually moderated. WHMCS needs to have the same for registration. Actual email verification.
