Support » Plugin: WooCommerce » Failed Orders – Fake Information

  • Resolved mywebmaestro

    (@mywebmaestro)


    This morning I had several clients report they’ve been seeing “failed orders” in their stores, where the payment failed and the info was obviously fake. (See below.) I haven’t found any reference to this online yet, but wanted to know if there’s a way to determine if this is a general software spam attack against WooCommerce stores overall, or something specific to sites on my server. Has anyone else here seen this? Or is there some way I can determine more information and/or protect against it?

    Order info:
    bbbbb bbbbb
    bbbbb
    74 xxxxxxx Rd
    xxxxxxx
    EX14 5HN
    United Kingdom (UK)
    xxx xxxx xxxx
    [email protected] (another one used [email protected])

Viewing 15 replies - 136 through 150 (of 165 total)
  • @madjax

    I have all those settings unchecked, but they successfully managed to create the fake order and the fake user.

    I have read about half of the pages on this thread, so I may have missed things.
    I suspect that reCAPTCHA may not protect against this issue.
    Until the source of the issue is found, I would recommend restricting shipping addresses to places that the websites actually ship to. Of course, this would not help people who ship world-wide, or who want to sell digital goods anywhere, but it should help a significant percentage of sites.

    @carike I agree, wish I was able to recreate it

    Just FYI, I posted a bit of an analysis further back here:
    https://wordpress.org/support/topic/failed-orders-fake-information/page/8/#post-13611713

    It was initially held for moderation, but seems to have been approved now.

    Does anyone know the IP#(s) that is being used?

    @tapaway

    There are many different IPs from many countries.

    Plugin Support Mike S

    (@mikestraw)

    Our team has been looking into this issue.

    For now, we’ve got enough information to evaluate this and will post any updates as we have them.

    To avoid overloading this thread, please don’t post more “me too” comments. That way folks looking for updates aren’t inundated with emails that aren’t moving them towards a solution.

    Instead, you can subscribe to this topic and get an email with any updates.

    Thanks!

    @madjax Have you checked your database?
    Have you checked (in the db itself, not just on the user list) how many admins there are and if the number is what is expected?
    Have you checked the values in your options table and compared them to the values from a fresh installation (+ newly installed plugins / theme)?

    @davetgreen: Brilliant set of deductions! I had three failed orders this morning and used those IP addresses to track down which plugins were being tested by the bot. Here is a list of plugins being probed and the IPs that these were coming from. Fortunately, I don’t have most of those plugins.

    • loginizer
    • drag-and-drop-multiple-file-upload-contact-form-7
    • superstorefinder-wp
    • super-interactive-maps
    • superlogoshowcase-wp
    • wp-file-manager
    • wt-smart-coupons-for-woocommerce
    • jetpack
    • woocommerce
    • wpforms-lite
    • woocommerce-gateway-stripe
    • ocean-product-sharing

    • 144.208.68.135
    • 167.172.47.240
    • 66.249.64.170
    • 66.249.64.172
    • 66.249.64.174
    • 172.104.16.142

    Cheers @mvenkadesan 🙂

    The only plugins that match from your list to my client’s site are Woo, and the Woo Stripe Gateway, so they seem like the obvious ones at the moment.

    In terms of IP, the scammer will either be using a botnet, or randomising his IP using specific tools.

    @mikestraw if you need any additional information I’d be happy to help out. Woo version was 4.3.2 in the case I’ve had today/over the weekend.

    @madjax
    @bobwey1 what about you – do you have access logs from the server?

    I do have access logs. They pretty much mirror what @davetgreen has described. The fake order was followed by a rankmath hit. The next day there was a string of 30 rankmath hits from as many IPs in about 45 minutes. Another string a day later. They are still coming.
    Interestingly, as I mentioned earlier, they are using page 4 of this thread as the ‘from’ url of the hit.

    It looks like @mikestraw has the team looking into this now. If the logs are needed I can supply them.

    • This reply was modified 1 month, 1 week ago by bobwey1.
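The log triage described in the two replies above (using the IPs on failed orders to see which plugin directories they requested, and spotting hits that present this support thread as the Referer), as an added example that is not part of the original thread. It assumes combined-format access logs and the standard `/wp-content/plugins/<slug>/` layout; the function name `triage` and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
PLUGIN_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9._-]+)/")
THREAD = "wordpress.org/support/topic/failed-orders-fake-information"

def triage(log_lines, order_ips):
    """Return (plugins_by_ip, thread_referer_hits) for an access log."""
    order_ips = set(order_ips)
    plugins = defaultdict(set)
    referer_hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, path = m["ip"], m["path"]
        slug = PLUGIN_RE.search(path)
        # Plugin directories requested by an IP that also placed a failed order
        if ip in order_ips and slug:
            plugins[ip].add(slug.group(1))
        # Any client, order IP or not, that presents the support thread as Referer
        if THREAD in m["referer"]:
            referer_hits.append((ip, path))
    return {ip: sorted(s) for ip, s in plugins.items()}, referer_hits

# Constructed sample: documentation-range IPs, hypothetical paths and timestamps.
_T = "[01/Jan/2021:06:01:00 +0000]"
_UA = '"Mozilla/5.0"'
SAMPLE = [
    f'203.0.113.10 - - {_T} "POST /?wc-ajax=checkout HTTP/1.1" 200 512 "-" {_UA}',
    f'203.0.113.10 - - {_T} "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 153 "-" {_UA}',
    f'203.0.113.10 - - {_T} "GET /wp-content/plugins/loginizer/readme.txt HTTP/1.1" 404 153 "-" {_UA}',
    f'198.51.100.7 - - {_T} "GET /wp-content/plugins/seo-by-rank-math/readme.txt HTTP/1.1" 200 900 "https://{THREAD}/page/4/" {_UA}',
    f'192.0.2.55 - - {_T} "GET /wp-content/plugins/jetpack/css/x.css HTTP/1.1" 200 700 "-" {_UA}',
]

if __name__ == "__main__":
    probed, referred = triage(SAMPLE, {"203.0.113.10"})
    print(probed)    # plugin slugs requested per failed-order IP
    print(referred)  # (ip, path) pairs that used the thread as Referer
```

Feed it the IP addresses recorded on the failed orders and the raw access log lines; slugs that appear for several order IPs but are not installed on the site indicate blind probing rather than a targeted request.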

    Does anyone enable bot protection in Cloudways, and did it still get through?

    Same. I got two of these purchases in the last 12 hours. Both with the same information but different email and same address. I just deleted them and will go from there.

    Make sure they didn’t create any backend user accounts. Delete them if they did.

    @zabnabs: Yes, I had bot protection enabled in Cloudways & had also disabled any user registrations. They seem to be exploiting either a plugin or WordPress core files.

  • The topic ‘Failed Orders – Fake Information’ is closed to new replies.