Implement some sort of CAPTCHA at registration. The ones included in OpenCart might not be that effective, but there are others in the marketplace that may work better.
In .htaccess:
1) block any request with a Host header stating your server IP address instead of your domain
2) block any request with a protocol lower than HTTP/1.1, i.e. HTTP/0.9 and HTTP/1.0
3) block any POST request without an Accept-Language header
1 and 2 will cover about 95% of all covert bots; 3 will cover public bots as well.
For the remaining, better constructed bots (as in trying to pretend to be human), add an extension like spambuster by Neuhoff or something similar that is available in the marketplace.
DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.
https://www.youtube.com/watch?v=zXIxDoCRc84
There is no setting to verify accounts via email in OpenCart. You could try searching the marketplace, but unless it deletes the unverified accounts it wouldn't make much difference.
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
A new customer has signed up:
Web Site: www.clearvape.com
First Name: Raymondnum
Last Name: RaymondnumOP
Customer Group: Customer
E-Mail: first_of_all@rambler.ru
Telephone: 85799641642
Business Web Development | Content Creation | Analytics and Reporting | SEO
If that's a real customer, that's a pretty serious GDPR breach.
gsc1ugs wrote: ↑Thu Mar 02, 2023 4:25 pm
Web Site: www.clearvape.com
First Name: ***
Last Name: ***
Customer Group: Customer
E-Mail: ***@***.ru
Telephone: ***
Code:
# 1--------------------------------------------------------------------------------------
# your server ip in host request header, always a bad bot targeting ip space scans.
# apache will use the first VH if it cannot find a proper match, which basically allows scanners to target the server by ip only.
# 421 misdirected request
# requested host contains server ip address (escape the dots, as in the placeholder)
RewriteCond %{HTTP_HOST} xxx\.xxx\.xxx\.xxx
#
# R= with a status outside 300-399 drops the substitution and answers with that status (apache 2.4; END needs 2.3.9+)
RewriteRule ^.*$ - [END,R=421]
# 2--------------------------------------------------------------------------------------
# wrong host, always a useless bot, basically also covers rule 1 which is also a wrong host
# 421 misdirected request
#
# requested host not containing your domain name (substring match; anchor it if you want an exact host list)
RewriteCond %{HTTP_HOST} !your-domain-name [NC]
#
RewriteRule ^.*$ - [END,R=421]
# 3--------------------------------------------------------------------------------------
# http/0.9 or http/1.0, cheap bots
# 426 upgrade required
#
# an http/0.9 request line carries no version string at all, so matching "HTTP/0.9" in THE_REQUEST never fires;
# SERVER_PROTOCOL is what apache records for both cases (apache 2.4.24+ can also refuse 0.9 outright with
# HttpProtocolOptions Require1.0).
# caveat: a reverse proxy in front of apache (nginx speaks http/1.0 to upstreams by default) would be blocked here too.
RewriteCond %{SERVER_PROTOCOL} ^HTTP/(0\.9|1\.0)$
#
RewriteRule ^.*$ - [END,R=426]
# 4--------------------------------------------------------------------------------------
# POST without accept-language header, always a bot but also legit bots like googlebot, bingbot, etc.
# whitelist any bot which should be posting and where.
# 406 Not Acceptable
#
# POST method used
RewriteCond %{REQUEST_METHOD} POST
#
# whitelist possible callbacks (paypal)
RewriteCond %{QUERY_STRING} !callback
#
# no accept-language header, only bots omit this
RewriteCond %{HTTP:Accept-Language} ^$
#
RewriteRule ^.*$ - [END,R=406]
# --------------------------------------------------------------------------------------
Code:
<?php
define('EXITLOG', 'path to your oc error log file');

function exit_log_prepare() {
    global $exitlog_handle;
    $exitlog_handle = fopen(EXITLOG, 'a');
    if (!$exitlog_handle) {
        error_log('HTA:Error: cannot open ' . EXITLOG . ' file');
    } elseif (!flock($exitlog_handle, LOCK_EX)) {
        error_log('HTA:Error: cannot get a lock on ' . EXITLOG . ' file');
    }
}

function exitlog_write($log = false) {
    global $exitlog_handle;
    if ($exitlog_handle) {
        fwrite($exitlog_handle, '[' . date('Y/m/d H:i:s') . '] ' . $log . "\n");
    } else {
        error_log('HTA: Cannot use ' . EXITLOG . ', fallback to php error log.');
        error_log($log . "\n");
    }
}

// the basics
$ip         = $_SERVER['REMOTE_ADDR'];
$host       = $_SERVER['HTTP_HOST'] ?? '';
$url        = $_SERVER['REQUEST_URI'] ?? '';       // already contains the query string, no need to append it again
$method     = $_SERVER['REQUEST_METHOD'] ?? '';
$user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$referer    = $_SERVER['HTTP_REFERER'] ?? '';
$protocol   = $_SERVER['SERVER_PROTOCOL'] ?? 'HTTP/1.1';

exit_log_prepare();

// CONDITION is set by the E= flag in .htaccess; after the internal redirect to this script apache exposes it as REDIRECT_CONDITION
$condition = $_SERVER['REDIRECT_CONDITION'] ?? false;
if ($condition) {
    // parse the environment variable condition, e.g. "421_IpInHost" (limit 2 keeps underscores in the reason intact)
    $parts  = explode('_', $condition, 2);
    $res    = $parts[0] ?? '';
    $reason = $parts[1] ?? '';
    // get the request headers (apache_request_headers() exists under mod_php and php-fpm)
    $aheaders = array_change_key_case(apache_request_headers(), CASE_LOWER);
    // log report by default
    $report = true;
    // don't log request headers by default
    $report_aheaders = false;
    // check response codes and what to do with them
    if ($res == '421') {
        $response = '421 Misdirected Request';
        $report = false;
        $report_aheaders = true;
    } elseif ($res == '426') {
        $response = '426 Upgrade Required';
        $report = false;
    } elseif ($res == '406') {
        $response = '406 Not Acceptable';
    } else {
        $response = '503 Service Unavailable';
        exitlog_write('HTA:[' . $ip . '] No valid response code given:[' . $res . '], responding with default 503');
        $report_aheaders = true;
    }
    // remove any headers we might have set
    if (!headers_sent()) header_remove();
    // log report
    if ($report) exitlog_write('HTA:[' . $ip . '][' . $response . '] because of [' . $reason . '] requesting [' . $protocol . '][' . $method . '][' . $url . '] with agent[' . $user_agent . '] referred by [' . $referer . ']');
    // log request headers
    if ($report_aheaders) exitlog_write('HTA:[' . $ip . '] ' . print_r($aheaders, true));
} else {
    exitlog_write('HTA:[' . $ip . '] No valid condition given, responding with 503 requesting [' . $protocol . '][' . $method . '][' . $url . '] with agent[' . $user_agent . '] referred by [' . $referer . ']');
    $response = '503 Service Unavailable';
}
// only close the log when it was actually opened
if ($exitlog_handle) fclose($exitlog_handle);
// set the final response header
header($protocol . ' ' . $response, true);
exit();
Code:
# 1--------------------------------------------------------------------------------------
# your server ip in host request header, always a useless bot, targeting ip space scans.
# apache will use the first VH if it cannot find a proper match, which basically allows scanners to target the server by ip only.
# 421 misdirected request
#
# requested host contains server ip address (escape the dots, as in the placeholder)
RewriteCond %{HTTP_HOST} xxx\.xxx\.xxx\.xxx
#
# E= sets CONDITION for hta.php (seen there as REDIRECT_CONDITION); END stops rewriting so the redirect to hta.php is not re-matched
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:421_IpInHost]
# 2--------------------------------------------------------------------------------------
# wrong host, always a useless bot, basically also covers rule 1
# 421 misdirected request
#
# requested host not containing your domain name (substring match; anchor it if you want an exact host list)
RewriteCond %{HTTP_HOST} !your-domain-name [NC]
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:421_WrongHost]
# 3--------------------------------------------------------------------------------------
# http/0.9 or http/1.0, cheap bots
# 426 upgrade required
#
# an http/0.9 request line carries no version string at all, so matching "HTTP/0.9" in THE_REQUEST never fires;
# SERVER_PROTOCOL is what apache records for both cases.
# caveat: a reverse proxy in front of apache (nginx speaks http/1.0 to upstreams by default) would be blocked here too.
RewriteCond %{SERVER_PROTOCOL} ^HTTP/(0\.9|1\.0)$
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:426_WrongProtocol]
# 4--------------------------------------------------------------------------------------
# POST without accept-language header, always a bot but also legit bots like googlebot, bingbot, etc.
# whitelist any bot which should be allowed to post and where!
# 406 Not Acceptable
#
# POST method used
RewriteCond %{REQUEST_METHOD} POST
#
# whitelist possible callbacks (paypal)
RewriteCond %{QUERY_STRING} !callback
#
# no accept-language header, most and only bots omit this
RewriteCond %{HTTP:Accept-Language} ^$
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:406_PostNoLAHeader]
# --------------------------------------------------------------------------------------
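To see how the four rules interact before putting them in front of a live shop, here is a small Python model of them together with a parser for the line format hta.php writes. This is an added example, not code from the post or from OpenCart: the domain placeholder, the server IP 203.0.113.10, the request samples and the raw log line are all constructed stand-ins. It shows the two cases that matter in practice: the PayPal-style callback POST that rule 4 must let through, and the HTTP/1.0 POST a reverse proxy or an old bot would send.

```python
"""Model of the four .htaccess rules from the thread plus a parser for hta.php log lines.

Added example (not code from the thread or from OpenCart). DOMAIN, SERVER_IP,
SAMPLES and RAW_SAMPLE are constructed stand-ins, not real traffic.
"""
import re
from collections import Counter

DOMAIN = "your-domain-name"     # stand-in for the placeholder in the rules
SERVER_IP = "203.0.113.10"      # assumption: documentation-range address for the server


def classify(req):
    """Return (status, reason) the rules would answer for one request, or None if it passes.

    Rule order matters and mirrors the .htaccess: the first match ends processing (END flag).
    """
    host = req.get("host", "")
    if SERVER_IP in host:                                   # rule 1: scanner hitting the bare IP
        return 421, "IpInHost"
    if DOMAIN.lower() not in host.lower():                  # rule 2: any other wrong Host header
        return 421, "WrongHost"
    if req.get("protocol", "HTTP/1.1") in ("HTTP/0.9", "HTTP/1.0"):  # rule 3: old protocol
        return 426, "WrongProtocol"
    if (req.get("method") == "POST"
            and "callback" not in req.get("query", "")      # rule 4 whitelist: payment callbacks
            and not req.get("accept_language")):            # rule 4: POST without Accept-Language
        return 406, "PostNoLAHeader"
    return None


REASON_PHRASE = {421: "Misdirected Request", 426: "Upgrade Required", 406: "Not Acceptable"}


def log_line(req, status, reason):
    """Render the line hta.php writes (timestamp prefix omitted) so the parser can be exercised offline."""
    return ("HTA:[{ip}][{status} {phrase}] because of [{reason}] requesting "
            "[{protocol}][{method}][{uri}] with agent[{ua}] referred by [{ref}]").format(
        ip=req["ip"], status=status, phrase=REASON_PHRASE[status], reason=reason,
        protocol=req.get("protocol", "HTTP/1.1"), method=req.get("method", "GET"),
        uri=req.get("uri", "/"), ua=req.get("ua", ""), ref=req.get("referer", ""))


# matches the fixed part of the line; the "[Y/m/d H:i:s] " prefix hta.php adds is skipped by search()
LOG_RE = re.compile(r"HTA:\[(?P<ip>[^\]]+)\]\[(?P<status>\d{3}) [^\]]*\] because of \[(?P<reason>[^\]]+)\]")


def summarize(lines):
    """Count blocked requests per (ip, reason); lines that are not block reports are ignored."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[(m["ip"], m["reason"])] += 1
    return counts


# constructed sample traffic (documentation-range IPs, invented user agents)
SAMPLES = [
    dict(ip="198.51.100.7", host=SERVER_IP, uri="/admin/", ua="masscan/1.3"),
    dict(ip="198.51.100.8", host="other-shop.example", uri="/", ua="python-requests/2.31"),
    dict(ip="198.51.100.9", host=DOMAIN, protocol="HTTP/1.0", method="POST",
         uri="/index.php?route=account/register", ua="Mozilla/4.0"),
    dict(ip="198.51.100.10", host="www." + DOMAIN, method="POST",
         uri="/index.php?route=account/register", ua="Mozilla/5.0"),
    # hypothetical payment callback: POST, no Accept-Language, but "callback" in the query string
    dict(ip="192.0.2.40", host=DOMAIN, method="POST", query="route=checkout/callback",
         uri="/index.php?route=checkout/callback", ua="PayPal IPN"),
    dict(ip="192.0.2.5", host=DOMAIN, method="GET", uri="/", ua="Mozilla/5.0",
         accept_language="en-GB,en;q=0.9"),
    dict(ip="192.0.2.6", host=DOMAIN, method="POST", uri="/index.php?route=account/register",
         ua="Mozilla/5.0", accept_language="de-DE,de;q=0.9"),
]

# constructed raw line in the exact shape hta.php writes, timestamp included
RAW_SAMPLE = ("[2023/03/02 16:25:00] HTA:[198.51.100.7][421 Misdirected Request] because of [IpInHost] "
              "requesting [HTTP/1.1][GET][/admin/] with agent[masscan/1.3] referred by []")


def run(samples=SAMPLES):
    """Apply the rules to every sample and return the log lines for the blocked ones."""
    lines = []
    for req in samples:
        verdict = classify(req)
        if verdict:
            lines.append(log_line(req, *verdict))
    return lines


if __name__ == "__main__":
    for line in run():
        print(line)
    for (ip, reason), n in summarize(run() + [RAW_SAMPLE]).items():
        print(ip, reason, n)
```

Running it blocks four of the seven samples and lets the callback, the browser GET and the browser POST through. If your shop sits behind a reverse proxy, the third sample is the one to check first: it is what an nginx upstream connection looks like to Apache.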