• Resolved mywebmaestro

    (@mywebmaestro)


    This morning I had several clients report they’ve been seeing “failed orders” in their stores, where the payment failed and the info was obviously fake. (See below.) I haven’t found any reference to this online yet, but wanted to know if there’s a way to determine if this is a general software spam attack against woocommerce stores overall, or something specific to sites on my server. Has anyone else here seen this? Or is there some way I can determine more information and/or protect against it?

    Order info:
    bbbbb bbbbb
    bbbbb
    74 xxxxxxx Rd
    xxxxxxx
    EX14 5HN
    United Kingdom (UK)
    xxx xxxx xxxx
    [email protected] (another one used [email protected])

Viewing 15 replies - 136 through 150 (of 159 total)
  • dmsims

    (@dmsims)

    @tapaway

    there are many different IP’s from many countries

    Mike Straw

    (@mikestraw)

    Our team has been looking into this issue.

    For now, we’ve got enough information to evaluate this and will post any updates as we have them.

    To avoid overloading this thread, please don’t post more “me too” comments. That way folks looking for updates aren’t inundated with emails that aren’t moving them towards a solution.

    Instead, you can subscribe to this topic and get an email with any updates.

    Thanks!

    Carike

    (@carike)

    @madjax Have you checked your database?
    Have you checked (in the db itself, not just on the user list) how many admins there are and if the number is what is expected?
    Have you checked the values in your options table and compared them to the values from a fresh installation (+ newly installed plugins / theme)?

    MV

    (@mvenkadesan)

    @davetgreen : Brilliant set of deductions! I had three failed orders this morning and used those IP addresses to track down which plugins were being tested by the bot. Here is a list of plugins being probed and the IPs that these were coming from. Fortunately, I don’t have most of those plugins.

    • loginizer
    • drag-and-drop-multiple-file-upload-contact-form-7
    • superstorefinder-wp
    • super-interactive-maps
    • superlogoshowcase-wp
    • wp-file-manager
    • wt-smart-coupons-for-woocommerce
    • jetpack
    • woocommerce
    • wpforms-lite
    • woocommerce-gateway-stripe
    • ocean-product-sharing

    • 144.208.68.135
    • 167.172.47.240
    • 66.249.64.170
    • 66.249.64.172
    • 66.249.64.174
    • 172.104.16.142

    Anonymous User 13665966

    (@anonymized-13665966)

    cheers @mvenkadesan

    The only plugins that match from your list to my client’s site are Woo, and the Woo Stripe Gateway, so they seem like the obvious ones at the moment.

    In terms of IP, the scammer will either be using a botnet, or randomising his IP using specific tools.

    @mikestraw if you need any additional information I’d be happy to help out. Woo version was 4.3.2 in the case I’ve had today/over the weekend.

    bobwey1

    (@bobwey1)

    @madjax
    @bobwey1 what about you – do you have access logs from the server?

    I do have access logs. They pretty much mirror what @davetgreen has described. The fake order was followed by a rankmath hit. The next day there was a string of 30 rankmath hits from as many IPs in about 45 minutes. Another string a day later. They are still coming.
    Interestingly, as I mentioned earlier, they are using page 4 of this thread as the ‘from’ url of the hit.

    It looks like @mikestraw has the team looking into this now. If the logs are needed I can supply them.

    • This reply was modified 4 years ago by bobwey1.
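    One way to do the access-log analysis that @davetgreen, @mvenkadesan and @bobwey1 describe (start from the IPs on the fake orders, list which plugin paths they requested, and flag plugin slugs hit from many IPs with error codes or with this thread as the referer), as an added example rather than anything posted in this thread. It assumes the Apache/Nginx combined log format; the sample lines, their IPs, the plugin slug seo-by-rank-math and the referer URL are all constructed, not taken from anyone's server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/Nginx "combined" format (not real server data):
# the first IP fails a checkout, then probes a plugin path with the thread as referer.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Nov/2020:09:14:02 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "https://shop.example/checkout/" "Mozilla/5.0"
198.51.100.7 - - [02/Nov/2020:09:14:05 +0000] "GET /wp-content/plugins/seo-by-rank-math/readme.txt HTTP/1.1" 404 210 "https://wordpress.org/support/topic/failed-orders-fake-information/page/4/" "Mozilla/5.0"
203.0.113.21 - - [02/Nov/2020:09:20:11 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.22 - - [02/Nov/2020:09:20:40 +0000] "GET /wp-content/plugins/seo-by-rank-math/readme.txt HTTP/1.1" 404 210 "https://wordpress.org/support/topic/failed-orders-fake-information/page/4/" "Mozilla/5.0"
192.0.2.9 - - [02/Nov/2020:09:21:00 +0000] "GET /wp-content/plugins/woocommerce/assets/css/woocommerce.css HTTP/1.1" 200 9000 "https://shop.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/?]+)")
THREAD_MARKER = "wordpress.org/support/topic/"  # the 'from' URL bobwey1 mentions

def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize_plugin_probes(log_text):
    """Per plugin slug: distinct client IPs, status-code counts, thread-referer hits."""
    summary = defaultdict(lambda: {"ips": set(), "statuses": Counter(), "thread_referer": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        pm = PLUGIN_RE.match(rec["path"]) if rec else None
        if not pm:  # skip unparsable lines and anything outside /wp-content/plugins/
            continue
        entry = summary[pm.group("slug")]
        entry["ips"].add(rec["ip"])
        entry["statuses"][rec["status"]] += 1
        if THREAD_MARKER in rec["referer"]:
            entry["thread_referer"] += 1
    return dict(summary)

def plugins_probed_by(log_text, order_ips):
    """mvenkadesan's method: plugin slugs requested by the IPs seen on the fake orders."""
    summary = summarize_plugin_probes(log_text)
    return sorted(s for s, e in summary.items() if e["ips"] & set(order_ips))

def suspicious_slugs(summary, min_ips=2):
    """Slugs hit from several IPs or with the thread referer; normal page loads also
    fetch plugin assets, so a single IP with a 200 is not flagged on its own."""
    return sorted(s for s, e in summary.items()
                  if len(e["ips"]) >= min_ips or e["thread_referer"] > 0)
```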
    zabnabs

    (@zabnabs)

    Does anyone enable bot protection in Cloudways, and did it still get through?

    beautifulsoulo

    (@beautifulsoulo)

    Same. I got two of these purchases in the last 12 hours. Both with the same information but different email and same address. I just deleted them and will go from there.

    bobwey1

    (@bobwey1)

    Same. I got two of these purchases in the last 12 hours. Both with the same information but different email and same address. I just deleted them and will go from there.

    Make sure they didn’t create any backend user accounts. Delete them if they did.

    stoickp

    (@stoickp)

    @zabnabs : Yes, I had bot protection enabled in CloudWays & had also disabled any user registrations. They seem to be exploiting either a plugin or wordpress core files.

    zabnabs

    (@zabnabs)

    @stoickp What I don’t get is why Buzz Lightyear is using bbbbbbb and the same email domain abbuzz every time, which would show up so easily in plain sight to anybody that it’s trying to hack – call yourself “Samantha Jones” or something and most people won’t notice it right away. Either he is being sloppy or he wants you to notice the fake orders as part of his plan. Is it possible he wants you to delete the orders or user accounts or do something with them upon awareness? Either that or he is just a sloppy hacker. I mean, what hacker would alert the user to their own malicious activity?

    I searched my logs too and confirm the same activities as @davetgreen. Fortunately they all returned error codes (401, 400, etc.).

    stoickp

    (@stoickp)

    @zabnabs That’s what I was thinking. They seem to be careless about it and might have launched a mass attack, just hoping to infect any number of websites they could. For now, it’s best to block the domain & name using @wigster’s plugin.

    I have added some more htaccess rules to prevent XSS attacks & SQL injection. Not sure if that would be of any use here.

    Also, do refresh your WP Salt keys after you have deleted the dummy users.

    celsta

    (@celsta)

    No more attacks on any website since using the great @wigster plugin:
    https://guwii.com/block-specific-woocommerce-spam-orders/

    Why is WordPress so slow to accept the plugin officially?
    When the world is under attack, maybe it’s time to move faster?!

    @celsta – I’ve tweeted WP/Woo in the hope of speeding up the process:
    https://twitter.com/mrwigster/status/1323537169890320385?s=20

    Carike

    (@carike)

    The plugins queue is comparatively short.
    It is completely staffed by volunteers – and they first need to do a code review before accepting the submission, in addition to other checks like licensing, etc.
    If there are no issues, the plugin should be available in around 3 days or so. It may be more or less depending on volunteer availability.
    As WooCommerce support is looking into the matter, there is a chance that they may have some sort of patch available (heavily dependent on what is actually causing the issue) by that time, which would make the new plugin submission redundant.

  • The topic ‘Failed Orders – Fake Information’ is closed to new replies.