
osCommerce

The e-commerce.

Help! Someone adding 1000s of products to shopping cart


akyana


I have a guest session that's been active for over 3 hours and so far added over $32k of product to their shopping cart.

 

I noticed it because a user reported they were having problems logging into their account.

 

I tested it, got a 404 on a correct login. Hitting the product catalog shows my test account is logged in, but I get the 404 after I hit the login button.

 

1. How the hell do I cancel this session? No one orders that amount off us. We retail.

 

2. Is this customer login problem related?

 

Been searching the help files like crazy, but can't find anything specific and I need urgent help.

 

thanks

Andrea


You can look for the IP address of the bad visitor in your hosting access log.

 

Then, you can block that IP address, using your hosting account control panel.

 

(if you run your store over a dedicated server, I know that's possible, but I don't know how to do it, I'm sorry).

 

As for that user who added 1000 products to his/her/its shopping cart, you can clean it if you install this contribution: http://addons.oscommerce.com/info/2045

(easy to install).

 

I know if you run a certain SQL query, you can delete that customer's cart even if it is not registered in your store, but I don't really know what the query is.

 

Hope this can help a little bit.

 

I don't think the 404 status code is because of that customer's cart. If so, then it could be a bug.

If removing the cart content doesn't help, try to look at the access log again for that customer, then look for suspicious URLs accessed by he/she/it. Maybe, just maybe, it could be an attack (I don't really think so, but you never know!).

 

If I realize something else, I'll write again.

 

Regards,

Hey!!... I still need help with this http://www.oscommerce.com/forums/index.php?showtopic=309208. Please, take a look on it.


Ah!...

If you have the session id, you can delete that session row from the database, using:

 

delete from sessions where sesskey = "*the-session-id-here*"

 

Regards,

 

OK, I ran that and it's telling me 0 lines deleted. Am I correct in thinking the session ID is the part in the URL after osCsid=?

 

Russian IP using Yandex, BTW

 

I guess I'm not going on vacation tomorrow :(

 

Andrea


Yes. You're right. The session ID is the value of the osCsid parameter in the URL.

 

However, if the browser of that user has cookies enabled, then the session ID might not appear in the URL.

 

Hope you can go on vacation!

 

Did you notice something wrong in the server access log?

 

Regards,

 

EDIT: if you are using a shared server... can you access other sites hosted on the same server? I mean, could a misconfiguration of the server be the cause of the 404 error?



OK, crash session for me in spiders, sessions and SQL.

 

The spider is/was spider35.yandex.ru. IP 77.88.24.28.

 

He had (has) multiple sessions going, so I found out how to list all sessions in SQL through phpMyAdmin, then just picked his sessions from the list and deleted them.

 

I also used a section in the control panel of our host that lets you block spiders, and put in both his IP and the spider addy.

 

I'm guessing it takes a while to propagate, because his sessions and IP keep appearing and he keeps indexing and adding to the shopping cart.

 

So, I am not sure I am there yet, but our test customer accounts can now log in, and I just keep hitting delete and cancelling his sessions.

 

Going to have a look at the blocking contribution now.

 

BTW, I had only caught his first session. His earlier, longer session had racked up $392k in the shopping cart.

 

Andrea


You can also put a limit on the number of products allowed in your shopping cart, from inside the "Maximum values" field inside your "Configuration" option (admin area).


It was tough to research whilst deleting the sessions from the database, clearing the shopping cart and allowing other users to log in.

 

The boss helped ;)

 

Anyway, the cure to get the Yandex spider to go away was as simple as finding the file spiders.txt under includes, and adding the word "Yandex".

 

I consider this a lesson, and I'll be keeping a closer eye on it, and the spiders.txt file from now on. Up until this point I had no idea that useful file existed.

 

Thanks for all your help when I was panicking.

 

BTW, customer login is now fine, and became so once we started deleting the Yandex sessions with massive amounts of products. We've used the test login and watched different customers log in and out.

 

Andrea

 

Edit - to answer the question asked, I noticed it because a customer dropped me an e-mail letting me know he couldn't log in. I used the test customer accounts, and got the 404. Then I went to the whois online section under tools in the admin area to check how many sessions were active. That's when I noticed the big cart, which turned out to be the smaller of the carts under the 3 Yandex sessions. It shows what's in the cart on the right hand side when you click on a session. So I did a ping through Windows on the IP and found the spider details.


andrea,

There is a contribution called unsoldcart... which shows you on the admin side all of the carts and more that are not completed... meaning completed to sales... it gives you the option to delete them... so search on the contribution side for unsoldcart and you will find it... easy to install and use... I hope this helps.

dittone

roman


Beware of adding user agents to the spiders.txt list.

 

This list is intended for known and good bots or spiders, not the bad ones (this way, robots in this list cannot start a session). If Yandex is a good bot, then you did well.

 

If that Yandex bot is bad, then you had better block it using .htaccess or another server-level exclusion list.

 

It seems that Yandex is good (I'm not quite sure). But, for future reference, consider including just the good bots in the spiders.txt file and blocking all bad bots using .htaccess or something like that.

 

Enjoy your vacation!

 

Regards,



Eee-hah - "yandex" was already in my spiders.txt file.

 

I guess that's because I downloaded an expanded "April 5, 2008" version of spiders.txt recently from Contributions. Have you, Andrea? It's maintained by one of the members, and is much longer than the one provided with your original install.

 

OK, I looked it up. Here it is:

 

http://addons.oscommerce.com/info/2455

 

Happy spider-blocking, everybody. And Andrea, enjoy your vacation!

 

~Wendy


Beware of adding user agents to the spiders.txt list.

 

This list is intended for known and good bots or spiders, not the bad ones (this way, robots in this list cannot start a session). If Yandex is a good bot, then you did well.

 

If that Yandex bot is bad, then you had better block it using .htaccess or another server-level exclusion list.

 

It seems that Yandex is good (I'm not quite sure). But, for future reference, consider including just the good bots in the spiders.txt file and blocking all bad bots using .htaccess or something like that.

 

Enjoy your vacation!

 

Regards,

 

Interesting info, Javier. Perhaps Yandex is just a normal, "good" bot that went amok this time, and will obey the blocking function of spiders.txt.

 

I assume that if it's a "bad" bot, it will get in anyway unless you block it more aggressively.

 

Hadn't thought of this... :unsure:

 

~Wendy


andrea,

There is a contribution called unsoldcart... which shows you on the admin side all of the carts and more that are not completed... meaning completed to sales... it gives you the option to delete them... so search on the contribution side for unsoldcart and you will find it... easy to install and use... I hope this helps.

dittone

roman

 

Thanks for that tip. It's actually on my list of contributions to look into and install, but seeing as how this new osCommerce administrator has to have a whole weekend of 16 hour workdays to get her other contribs and customisations done, I hadn't got around to it!

 

I am bumping it to the top of my list, after researching the spiders that should be added to the spiders.txt file.

 

The problem with the Yandex spider was that it wouldn't go away and just kept adding "the precious things of the shop" to its sessions' shopping carts, so even deleting them didn't help till I added Yandex to the spiders.txt file. I might have been there all night hitting the delete option!! (It was bad enough I was there till 11pm.)

 

Just for reference, I watched the Yahoo spider at work, and it added one thing at a time, deleting each one before adding another.

 

I think I became an arachnophobe tonight ;)

 

Andrea


It is like viruses.

 

Some viruses have such a poor design that even the worst anti-virus software can detect them, while others, the most elegant ones, can fool a complete staff of engineers for a whole week.

 

Some bots, the most elegant ones, do not visit each website saying "hey... I am a bad bot". What they usually do is send a user agent string similar to that of some web browser. This way, it is more difficult for webmasters to discover them.

 

However, there are some bots which have little sophistication and send a recognizable user agent. You can block them and save bandwidth, save CPU usage and prevent your site from suffering a possible attack, or you can allow them. The decision is yours.

 

There are many (really a lot of) lists of known bad bots on the internet. Search for "bad bot list", for example, in your preferred search engine.

 

The good news is that osCommerce is protected against many known attack attempts. But you know, bad bots are like viruses, and some viruses evolve.

 

I hope this helps in some way.

 

Regards,



Eee-hah - "yandex" was already in my spiders.txt file.

 

I guess that's because I downloaded an expanded "April 5, 2008" version of spiders.txt recently from Contributions. Have you, Andrea? It's maintained by one of the members, and is much longer than the one provided with your original install.

 

OK, I looked it up. Here it is:

 

http://addons.oscommerce.com/info/2455

 

Happy spider-blocking, everybody. And Andrea, enjoy your vacation!

 

~Wendy

 

Fantastic news. I think I'll get that tonight and upload. Thanks Wendy.

 

I did some research on Yandex and it's apparently an indexer for a Russian search engine, but known for running a bit amok with things like this. In this case it's OK for me to block it because a) we sell vintage scooter parts and there aren't a whole lot of vintage scooters in Russia, just copies, and the parts aren't compatible; b) we can't do extra security checks on Russian credit cards, so the cost of selling a part once in a while just wouldn't be worth the extra expense.

 

I didn't feel competent enough to fool around with the .htaccess file earlier on, mid panic crisis stuff. I am giving myself a swift lesson in that right now and I'll be calling our host for some help on the stuff I still don't understand tomorrow.

 

Yes, I am the company accountant and set the CC security policy ;) We have a small company now but I used to work for really big companies.

 

Thanks for all the help guys. I was in a real panic earlier on!

 

 

 

Andrea


Interesting info, Javier. Perhaps Yandex is just a normal, "good" bot that went amok this time, and will obey the blocking function of includes/spiders.txt.

 

 

spiders.txt is not read by the bots/spiders at all... it's only used by osCommerce to prevent the creation of sessions for the bots/spiders named in it. (That is, if you have "prevent spider sessions" set to true in your admin under configuration >> sessions.)

 

If you wish to "give instructions" to bots/spiders then that is done in a file called robots.txt in your shop's main folder.


spiders.txt is not read by the bots/spiders at all... it's only used by osCommerce to prevent the creation of sessions for the bots/spiders named in it. (That is, if you have "prevent spider sessions" set to true in your admin under configuration >> sessions.)

 

If you wish to "give instructions" to bots/spiders then that is done in a file called robots.txt in your shop's main folder.

 

Reinforcing and Summarizing:

 

1.- spiders.txt does not block spiders. It just prevents osCommerce from creating a session for those spiders. Thus, spiders in this list can still visit your site, but will not have any shopping cart associated, and you will not run into the problem of this topic.

 

2.- If you want to really block bad bots (or anything with an identifiable user agent or IP address) you should use the .htaccess file (or some server-level blocking service).

 

3.- spiders.txt doesn't block anything.

 

 

Regards,

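An added example, not osCommerce's own code or anything posted in this thread: it replays the checks the thread describes over constructed access-log lines, so the runaway visitor, its User-Agent and its osCsid session IDs can be found before touching the sessions table. The spiders.txt rule is assumed to be the case-insensitive substring match that osCommerce's application_top.php performs against the User-Agent; the log lines, session IDs and user-agent strings below are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

SPIDERS_TXT = "googlebot\nslurp\nyandex\n"  # constructed includes/spiders.txt
# Constructed combined-format access-log lines (not from the original post).
ACCESS_LOG = """\
77.88.24.28 - - [10/Jun/2008:21:03:11 +0100] "GET /product_info.php?products_id=412&action=add_product&osCsid=a1b2c3 HTTP/1.1" 200 5120 "-" "Yandex/1.01.001 (compatible; Win16; I)"
77.88.24.28 - - [10/Jun/2008:21:03:12 +0100] "GET /product_info.php?products_id=413&action=add_product&osCsid=a1b2c3 HTTP/1.1" 200 5120 "-" "Yandex/1.01.001 (compatible; Win16; I)"
77.88.24.28 - - [10/Jun/2008:21:09:50 +0100] "GET /product_info.php?products_id=77&action=add_product&osCsid=d4e5f6 HTTP/1.1" 200 5120 "-" "Yandex/1.01.001 (compatible; Win16; I)"
203.0.113.5 - - [10/Jun/2008:21:06:02 +0100] "GET /product_info.php?products_id=9&action=add_product HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U)"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def load_spiders(text):
    """Non-empty, lower-cased lines, the way osCommerce reads spiders.txt."""
    return [l.strip().lower() for l in text.splitlines() if l.strip()]

def spider_session_blocked(user_agent, spiders):
    """True when any spiders.txt entry is a case-insensitive substring of the
    User-Agent, i.e. osCommerce would not start a session for this visitor."""
    ua = user_agent.lower()
    return any(spider in ua for spider in spiders)

def parse_log(log_text):
    """Yield (ip, user_agent, path) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["ua"], m["path"]

def cart_adds_by_client(log_text, spiders):
    """Count add_product requests per (ip, user_agent, already_in_spiders_txt)."""
    counts = Counter()
    for ip, ua, path in parse_log(log_text):
        if "action=add_product" in path:
            counts[(ip, ua, spider_session_blocked(ua, spiders))] += 1
    return counts

def session_ids_for_ip(log_text, ip):
    """osCsid values seen in URLs from one IP: the sesskey values to delete from
    the sessions table (only present when the client is not using cookies)."""
    ids = set()
    for line_ip, _ua, path in parse_log(log_text):
        if line_ip == ip:
            ids.update(parse_qs(urlsplit(path).query).get("osCsid", []))
    return ids
```

A client whose User-Agent already matches spiders.txt but still shows up with add_product requests and an osCsid points at "prevent spider sessions" being off or the list being out of date; a client with no match needs the .htaccess or server-level block the thread recommends.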


spiders.txt is not read by the bots/spiders at all... it's only used by osCommerce to prevent the creation of sessions for the bots/spiders named in it. (That is, if you have "prevent spider sessions" set to true in your admin under configuration >> sessions.)

 

If you wish to "give instructions" to bots/spiders then that is done in a file called robots.txt in your shop's main folder.

 

Thanks for that info. Having just read the readme.txt file that comes with the updated spiders.txt, it made it all very clear for me. I feel such an idiot now.

 

One more question from this fool - are there any other files that should be updated regularly like the spiders.txt file? I'm getting a little paranoid now having discovered how little our old web guy actually did. I've applied all the patches and installed the Easy Populate with attributes contrib.

 

Thanks

Andrea


Archived

This topic is now archived and is closed to further replies.
