Hello,

 

My website has a shopping cart which posts to a database.

 

There seems to be a random order placed on it every week (it has been like this for months).

 

It's all just random letters. Except, the strange thing is the random letters sometimes conform to the form validation rules, although sometimes they break them!

 

Sometimes it's data that I thought could only possibly be posted directly from the database.

 

Below is an example of an order that I may get.


The customer number is: 1312

 

Customer Details:

 

Name: txertdsm, txertdsm

 

Address: isYkcwvvMdHEiWDIKBn

 

Suburb: ZnJxhecWsWegNoqRk , NT

 

Zip: AAhe

 

Home Number: rM SWcTwxTCspis

 

Mobile Number: WTnEUSQbQg

 

Email: obzxac@ooqgyn.com


Order Details :

 

Orderd Date: 2008-11-24

 

Product Orderd: 12ftpads

 

Connote Number: TZA122754954

 

Warrenty: 3

 

Notes:

t81UK6 ovsxjnvwrjdd, bahsspxnmsds, [link=http://liwrtcwsnzzj.com/]liwrtcwsnzzj[/link], http://ncrgljxstowi.com/


It could be a bot.  The reason a lot of sites have captchas is because there are thousands of bots that essentially patrol the internet filling out forms with random junk.  I'm not 100% on all the reasons for having a bot like this, but one example is blog comments.  Bots will try to post comments on blogs that have a bunch of links in them and it is essentially an advertisement game.  I would say that it isn't necessarily a hacking attempt, just a bot trying to fill out your shopping cart forms.

You have a form that you are using for input and you're not validating the input. The spammers screen scraped it and are sending you random values. If you are relying on Javascript to validate, don't, since this will be bypassed by the hackers.

 

If you post your code, we may be able to help.

 

Ken

It sounds like the cart uses JScript to validate fields and not the PHP. If someone creates their own form with the right data they can easily post an item to the database and bypass the validation. I would suggest coding the validation inside php and doing the checks there. You can use the same function with AJAX if you want dynamic non-page reload checking.

 

Are they trying to hack? Probably not. They are probably just testing a way to spam you and seeing if it works.
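As an added example (not code from this thread), here is the kind of server-side PHP validation the replies recommend, run over a constructed copy of the junk order quoted above; the field names and allowed values are assumptions:

```php
<?php
// Added example, not code from the thread. Field names and allowed values
// are assumptions modelled on the junk order quoted in the first post.
declare(strict_types=1);
const ALLOWED_PRODUCTS = ['12ftpads'];                          // the cart's drop-down options
const ALLOWED_STATES   = ['NSW', 'VIC', 'QLD', 'WA', 'SA', 'TAS', 'ACT', 'NT'];
// Validate one order submission. Returns a list of error messages;
// an empty list means the order may be written to the database.
function validate_order(array $post): array
{
    $errors = [];
    // Drop-down fields: check against the server-side allow-list, because the
    // browser's <select> does nothing to stop a hand-built form or a bot.
    if (!in_array($post['product'] ?? '', ALLOWED_PRODUCTS, true)) {
        $errors[] = 'product is not one of the offered items';
    }
    if (!in_array($post['state'] ?? '', ALLOWED_STATES, true)) {
        $errors[] = 'state is not a valid state or territory';
    }
    // Free-text fields: enforce format and length, not just "non-empty".
    if (!preg_match('/^\d{4}$/', $post['zip'] ?? '')) {
        $errors[] = 'zip must be four digits';
    }
    if (!preg_match('/^[0-9 ()+-]{8,15}$/', $post['phone'] ?? '')) {
        $errors[] = 'phone number contains invalid characters';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    $name = trim($post['name'] ?? '');
    if ($name === '' || strlen($name) > 60 || !preg_match('/^[\p{L} .\'-]+$/u', $name)) {
        $errors[] = 'name contains invalid characters';
    }
    // Reject the link spam seen in the Notes field of the bot submissions.
    if (preg_match('~https?://|\[link=~i', $post['notes'] ?? '')) {
        $errors[] = 'notes may not contain links';
    }
    return $errors;
}
// Constructed sample mirroring the junk order above; it fails the zip, phone and notes checks.
$errors = validate_order(['product' => '12ftpads', 'state' => 'NT', 'zip' => 'AAhe',
    'phone' => 'rM SWcTwxTCspis', 'email' => 'obzxac@ooqgyn.com',
    'name' => 'txertdsm', 'notes' => 'http://ncrgljxstowi.com/']);
if ($errors !== []) {
    http_response_code(400);
    exit('Order rejected: ' . implode('; ', $errors));
}
```

Because the checks run in PHP, they apply equally to the real form, a copied form on another domain, and a bot that never loads the page at all.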

I am building a new form at the moment in AJAX, just trying to get my head around AJAX for the first time. It's such a headache. I've got most things working at the moment, still figuring out a few things.

 

The strange thing is, for options that are only in drop-down menus, sometimes they can type their own variables. How are they posting if they are just filling out the form?

 

So you guys think the bot has its own form and they are using it to post to us?

 

Cheers,

Joe

So you guys think the bot has its own form and they are using it to post to us?

 

Sort of, a bot can pull out all the fields and then just send in those fields filled out. Or even another human can easily create their own form that posts to your site.

 

example:

<form action="http://www.yoursite.com/page.php" method="post">
    <input type="hidden" name="zipcode" value="asdf" />
    <input type="submit" value="Send" />
</form>

 

That will successfully send a zipcode of asdf, given that your page is page.php that processes the data and that you do have a field called zipcode.

You're just saying to the browser: "Send a request to http://www.example.com/form.php using the POST method, with the values x=x and y=y."  Nothing special.  They can post whatever they want, and they can even intercept data on the way out to change anything last minute (I do it all the time).  That's why validation is crucial.

Wait, rofl.  Is that true?  You can't post across domains, can you?  I mean, without using CURL or something?

 

Yep, that is completely true. Back in my "script kiddie" days, I would set up a page that mimicked Hotmail but was hosted on my server, then at school I would just change the address manually and got a few of my friends' passwords. After they hit submit it went to MSN like normal but gave me their data =) (bad, I know)

 

But the point is that it is totally viable and how some people spam.
