Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • I would have liked to think this type of rate limitation for order processing would be built into WooCommerce, however I do not believe it has any. I am not an experienced WP/WC developer, so I rely on the scripts of others. There may be a way to do it. Maybe a hook into the AJAX order call which stores the count of order calls which were received, and then a check to see if it is over a certain value in a given timeframe. It would seem easy in theory to do.

    Yup this is also what we saw, they only ever add a single item like a $5 item, and are completely happy with paying $16 of shipping on it. We were contemplating putting some limits on single-item orders of that matter, as our products are typically purchased in multiple items due to the cost/shipping/local pickup.

    @webgmclassics I was able to use this free plugin to start blacklisting some of the domains they used for the orders, Woo Manage Fraud Orders. They were very similar in my case using @btsese.com, and @temporary-mail.net. I also blacklisted the orders, users, and IP addresses.

    In addition I am using CSF as a firewall, so I wrote a custom regex rule for lfd to detect this attack and blackhole them.

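    # lfd custom rule: match successful (200) POSTs to the WooCommerce checkout AJAX endpoint.
    # Return fields: message, offending IP ($1), rule ID, trigger count, ports to block, block time in seconds.
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+) - - .* POST \/\?wc-ajax=checkout HTTP\/[1-2][\.]?1? 200/)) {
        return ("Attempted AJAX Checkout Attack",$1,"woocommerce-ajax-attack","5","80,443","3600");
    }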

    In my analysis of the attack, it looked like a human being browsed around on a site for a little bit, added some products to a cart, then went to checkout and got all the cookie details. Then popped this info into a script and attacked from somewhere else like AWS/Azure with many different credit card numbers.

    In addition we worked with our credit card payment gateway to put a more stringent fraud system on our ordering, so the credit card processor did not hit the end customer for charges.

    Adding I’m on WC 4.9.2 since it was released

    I have this happening to one of my sites over the past 3 days so far, causing notifications from my customer's credit card processor. They are on version 5.6.1 currently, however it was updated recently over the past couple days as well. It started happening after my sites were updated from 5.6.0 to 5.6.1.

    I have put in some fail2ban limiting for this on my server looking at the log files, but that catches it after some activity occurs, but I'm hoping there could be a fix for it.

    We are using the Payment Plugin for USAEpay.

    
    13.72.87.98 - - [04/Feb/2021:04:13:17 -0500] POST /?wc-ajax=checkout HTTP/2 200 205 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:17 -0500] POST /?wc-ajax=checkout HTTP/2 200 205 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:19 -0500] POST /?wc-ajax=checkout HTTP/2 200 273 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:17 -0500] POST /?wc-ajax=checkout HTTP/2 200 205 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:19 -0500] POST /?wc-ajax=checkout HTTP/2 200 273 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:18 -0500] POST /?wc-ajax=checkout HTTP/2 200 205 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:19 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:16 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:19 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:21 -0500] POST /?wc-ajax=checkout HTTP/2 200 273 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:20 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:21 -0500] POST /?wc-ajax=checkout HTTP/2 200 273 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:20 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:21 -0500] POST /?wc-ajax=checkout HTTP/2 200 273 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:21 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:21 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:22 -0500] POST /?wc-ajax=checkout HTTP/2 200 273 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:22 -0500] POST /?wc-ajax=checkout HTTP/2 200 273 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:21 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:22 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:22 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    13.72.87.98 - - [04/Feb/2021:04:13:22 -0500] POST /?wc-ajax=checkout HTTP/2 200 202 https://mysite.com/checkout/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
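
The count-within-a-timeframe check discussed in these replies, applied offline to access-log lines in the layout posted above. This is an added example, not code from the original posts; the function names, the 60-second window and the sample lines (documentation-range IPs, shop.example) are constructed, and the default threshold of 5 mirrors the trigger count in the lfd rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the unquoted layout shown in the post; the optional quote also
# accepts the standard combined format, where the request line is quoted.
CHECKOUT_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "?POST /\?wc-ajax=checkout '
    r'HTTP/[\d.]+"? (?P<status>\d{3}) '
)

def parse_checkout_hits(lines):
    """Yield (ip, timestamp) for each 200 response to a checkout AJAX POST."""
    for line in lines:
        m = CHECKOUT_RE.match(line.strip())
        if m and m.group("status") == "200":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts

def find_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: time of the hit that brought the window up to threshold}."""
    hits = defaultdict(list)
    for ip, ts in parse_checkout_hits(lines):
        hits[ip].append(ts)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, stamps in hits.items():
        stamps.sort()  # entries can be logged out of order, as in the post
        recent = deque()
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:  # drop hits older than the window
                recent.popleft()
            if len(recent) >= threshold:
                flagged[ip] = ts
                break
    return flagged

# Constructed sample: one client sends six checkout POSTs within three
# seconds (out of order); another loads the page and checks out once.
_HIT = ("198.51.100.7 - - [04/Feb/2021:04:13:{:02d} -0500] POST /?wc-ajax=checkout "
        "HTTP/2 200 205 https://shop.example/checkout/ Mozilla/5.0")
SAMPLE = [_HIT.format(s) for s in (17, 17, 19, 17, 19, 18)] + [
    '203.0.113.20 - - [04/Feb/2021:04:19:40 -0500] "GET /checkout/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [04/Feb/2021:04:20:01 -0500] "POST /?wc-ajax=checkout HTTP/1.1" 200 310 "https://shop.example/checkout/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```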
    