NopCommerce 3.3 attack

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
Hi,
A few days ago we put our new nopCommerce 3.3 (.NET MVC) app on a public domain. The MSSQL DB is still local. When we started this app, the DB started to grow dramatically. Within 10 days it reached 10 GB.
When I looked at the app log, I found 4.5 million new lines. When I researched other tables in the database, I found the same number of new USER records (with status active! - even though it is set up for e-mail approval; the other fields stay null) and also the same number of USER Roles, but these new "users" are not seen in the admin panel.
I stopped the public site, cleaned up the database, and put ReCaptcha on the Register page, but the problem remains.
Here are the logs:

1/ IIS log from the public site (still the same 2 lines, about 5 times a second):

    #Software: Microsoft Internet Information Services 8.0
    #Version: 1.0
    #Date: 2014-04-10 21:14:30
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
    2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 3812
    2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/eai_loginrequest.php sig=3c4bfa72052630e662ab4d277588a88c 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 3812
    2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/registerserver.php sig=65d399dda4506315a05b02f513a848e8 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 26640
    2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 796
    2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/eai_loginrequest.php sig=3c4bfa72052630e662ab4d277588a88c 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 859
    2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 421
    2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_loginrequest.php sig=3c4bfa72052630e662ab4d277588a88c 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 484
    2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_loginrequest.php sig=3c4bfa72052630e662ab4d277588a88c 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 421
    2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 484
    2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 437
    ...
    where xxx is the IP address of the public site and yyy is the IP address of the SQL server.

2/ NopCommerce error messages:

    A:

        Log level:   Error
        Short message:   The controller for path '/momif/eai_getjobs.php' was not found or does not implement IController.
        Full message:   System.Web.HttpException (0x80004005): The controller for path '/momif/eai_getjobs.php' was not found or does not implement IController. at System.Web.Mvc.DefaultControllerFactory.GetControllerInstance(RequestContext requestContext, Type controllerType) at System.Web.Mvc.DefaultControllerFactory.CreateController(RequestContext requestContext, String controllerName) at System.Web.Mvc.MvcHandler.ProcessRequestInit(HttpContextBase httpContext, IController& controller, IControllerFactory& factory) at System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
        IP address:   yyy.yyy.yyy.204
        Customer:   Guest
        Page URL:   http://<website>/ws/momif/eai_getjobs.php?sig=fccc6cf1a1181dae60acb3986f8a5f65
        Referrer URL:
        Created on:   4/12/2014 8:02:56 AM

    B:

        Log level:   Error
        Short message:   The controller for path '/momif/eai_loginrequest.php' was not found or does not implement IController.
        Full message:   System.Web.HttpException (0x80004005): The controller for path '/momif/eai_loginrequest.php' was not found or does not implement IController. at System.Web.Mvc.DefaultControllerFactory.GetControllerInstance(RequestContext requestContext, Type controllerType) at System.Web.Mvc.DefaultControllerFactory.CreateController(RequestContext requestContext, String controllerName) at System.Web.Mvc.MvcHandler.ProcessRequestInit(HttpContextBase httpContext, IController& controller, IControllerFactory& factory) at System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
        IP address:   yyy.yyy.yyy.204
        Customer:   Guest
        Page URL:   http://<website>/ws/momif/eai_loginrequest.php?sig=3c4bfa72052630e662ab4d277588a88c
        Referrer URL:
        Created on:   4/12/2014 8:02:56 AM

3/ I tried to find the directories /ws/momif/... but did not find them, even with <hidden items> and <file extensions> shown.
4/ By clicking on the Guest link (above) I can administer the user account, which has no data; I can save it, etc., but it is still not visible directly in the admin panel.

Can you help me?
Thanks
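The IIS log quoted in this post already contains what is needed to see who is sending these requests. As an added example that is not part of the original post or of nopCommerce, the following Python script parses W3C extended log lines using the #Fields directive, keeps only 404 responses for paths whose extension an ASP.NET site never serves (the extension list and the flagging thresholds are assumptions to adjust per site), and groups them by c-ip with the request rate, distinct paths and user agents, so the source address of the burst is shown directly rather than guessed at. The sample input is the ten log lines quoted above plus one constructed 200 response from a documentation address.

```python
"""Flag scanner traffic in an IIS W3C extended log.

Added example; not code from the original thread or from nopCommerce.
"""
from collections import defaultdict
from datetime import datetime

# Sample input (constructed test data): the ten lines quoted in the post,
# with the poster's xxx/yyy placeholders left in, plus one ordinary GET.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2014-04-10 21:14:30
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 3812
2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/eai_loginrequest.php sig=3c4bfa72052630e662ab4d277588a88c 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 3812
2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/registerserver.php sig=65d399dda4506315a05b02f513a848e8 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 26640
2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 796
2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/eai_loginrequest.php sig=3c4bfa72052630e662ab4d277588a88c 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 859
2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 421
2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_loginrequest.php sig=3c4bfa72052630e662ab4d277588a88c 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 484
2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_loginrequest.php sig=3c4bfa72052630e662ab4d277588a88c 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 421
2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 484
2014-04-10 21:14:35 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 437
2014-04-10 21:14:36 xxx.xxx.xxx.64 GET / - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
"""

# Extensions an ASP.NET MVC site never serves; a 404 for one of these is a
# probe aimed at some other stack's software. Assumption: tune for your site.
FOREIGN_EXTENSIONS = (".php", ".cgi", ".pl")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # may repeat mid-file after an IIS restart
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                    # truncated or malformed line: skip it
        yield dict(zip(fields, parts))


def is_probe(rec):
    """True for a 404 on a path with an extension this stack never serves."""
    return rec["sc-status"] == "404" and rec["cs-uri-stem"].lower().endswith(FOREIGN_EXTENSIONS)


def summarize_probes(text):
    """Per client IP: probe count, distinct paths and agents, and requests per second."""
    by_ip = defaultdict(lambda: {"hits": 0, "paths": set(), "agents": set(),
                                 "first": None, "last": None})
    for rec in parse_w3c(text):
        if not is_probe(rec):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        s = by_ip[rec["c-ip"]]
        s["hits"] += 1
        s["paths"].add(rec["cs-uri-stem"])
        s["agents"].add(rec["cs(User-Agent)"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    for s in by_ip.values():
        # Timestamps have one-second resolution, so the window is inclusive:
        # a burst spanning 21:14:34..21:14:35 is two seconds, not one.
        window = (s["last"] - s["first"]).total_seconds() + 1
        s["per_second"] = s["hits"] / window
    return dict(by_ip)


def flagged_ips(summary, min_hits=5, min_rate=1.0):
    """Client IPs worth blocking at the web server (thresholds are assumptions)."""
    return sorted(ip for ip, s in summary.items()
                  if s["hits"] >= min_hits and s["per_second"] >= min_rate)


if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG)
    for ip in flagged_ips(summary):
        s = summary[ip]
        print(f"{ip}: {s['hits']} probes, {s['per_second']:.1f}/s, "
              f"{len(s['paths'])} paths, agents={sorted(s['agents'])}")
```

Run it against a real log directory by reading each file and concatenating, or feed it one day's file at a time; the c-ip column is the value to compare with the SQL server's address, and the distinct-paths count separates a scanner walking a wordlist from a single misbehaving client.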
10 years ago
No worries here. Looks like somebody used software to find security holes in your site. They open popular pages of third-party plugins, etc.

Regarding log messages: you can disable these "not found" log records by setting the "commonsettings.log404errors" setting to "false".
10 years ago
a.m. wrote:
No worries here. Looks like somebody used software to find security holes in your site. They open popular pages of third-party plugins, etc.

Regarding log messages: you can disable these "not found" log records by setting the "commonsettings.log404errors" setting to "false".


That's good, Andrei, but how do I prevent new customer records and role records from being created? These go together with these errors.
10 years ago
A guest customer record is created for each new user. That's by design. But again, no worries here, because all guest records are periodically deleted by a scheduled task.
10 years ago
Still wrong, Andrei.

I started this website.

I have turned 404 errors off in the log; that's fine.

But using the scheduled task for deleting guests does not clean up the database; in about half an hour I got:
+  20.000 new Customer records
+  20.000 new Customer_CustomerRole_mapping records


which could not be deleted using the scheduled task.

...and it cannot even be stopped when the store is closed.

The only option is to stop the application.
10 years ago
fibox wrote:

yyy - ip address is IP from SQL server.
...
IP address of the machine that caused the exception.IP address:   yyy.yyy.yyy.204


The "IP address of the machine that caused the exception" is the IP address of the robot/hacker.  If that's your "IP from SQL server", then you are causing the problem.  Are you doing some kind of keep-alive? Custom web service?
10 years ago
Thanks, New York, for your post.

Your thought seems logical; I asked myself the same thing at first, but we do not do anything like that on YYY.
Yes, we run our local developers' copy there on the same database connection, but even when we stop it, the "ghost customers" still keep creating these records.

What I cannot understand: you can see in the first post errors like:
2014-04-10 21:14:34 xxx.xxx.xxx.64 POST /momif/eai_getjobs.php sig=fccc6cf1a1181dae60acb3986f8a5f65 80 - yyy.yyy.yyy.204 uF_IGV2 - 404 0 0 3812

but we do not run any PHP on either of our IIS servers, and PHP modules are not installed...

Summary: My problem is the database size, since the scheduled task does not delete these ghost records - but I can delete them with an SQL command.

Here is a sample of the records created in the Customer table:

Id  CustomerGuid  Username  Email  Password  PasswordFormatId  PasswordSalt  AdminComment  IsTaxExempt  AffiliateId  VendorId  Active  Deleted  IsSystemAccount  SystemName  LastIpAddress  CreatedOnUtc  LastLoginDateUtc  LastActivityDateUtc  BillingAddress_Id  ShippingAddress_Id
4700681  00BF20DA-23C4-407B-8FC2-7E8AFD4CBC8D  NULL  NULL  NULL  0  NULL  NULL  0  0  0  1  0  0  NULL  NULL  2014-04-12 16:16:57.980  NULL  2014-04-12 16:16:57.980  NULL  NULL
4700682  C7223F50-A239-46A8-8472-945AFC03C656  NULL  NULL  NULL  0  NULL  NULL  0  0  0  1  0  0  NULL  NULL  2014-04-12 16:16:57.997  NULL  2014-04-12 16:16:57.997  NULL  NULL
4700683  EDFE9DA8-D301-46E6-83AF-87B911FF3CF2  NULL  NULL  NULL  0  NULL  NULL  0  0  0  1  0  0  NULL  NULL  2014-04-12 16:16:58.307  NULL  2014-04-12 16:16:58.307  NULL  NULL
4700684  C4E14CF2-30BE-4DF5-8C61-42C456071BB2  NULL  NULL  NULL  0  NULL  NULL  0  0  0  1  0  0  NULL  NULL  2014-04-12 16:16:58.337  NULL  2014-04-12 16:16:58.337  NULL  NULL
4700685  35836A56-D260-4E3E-8874-7D3660661087  NULL  NULL  NULL  0  NULL  NULL  0  0  0  1  0  0  NULL  NULL  2014-04-12 16:16:58.650  NULL  2014-04-12 16:16:58.650  NULL  NULL
4700686  F88E0EFD-6659-4F09-8CF6-1E675CBEB1EB  NULL  NULL  NULL  0  NULL  NULL  0  0  0  1  0  0  NULL  NULL  2014-04-12 16:16:58.697  NULL  2014-04-12 16:16:58.697  NULL  NULL
4700687  C58DE471-5513-41AA-9ECC-4607791ECE3D  NULL  NULL  NULL  0  NULL  NULL  0  0  0  1  0  0  NULL  NULL  2014-04-12 16:16:59.057  NULL  2014-04-12 16:16:59.057  NULL  NULL
4700688  230EEFC4-D099-4E0E-81F3-DCD4F737710E  NULL  NULL  NULL  0  NULL  NULL  0  0  0  1  0  0  NULL  NULL  2014-04-12 16:16:59.103  NULL  2014-04-12 16:16:59.103  NULL  NULL
4700689  960282E8-5BC6-4F0D-AEA4-14C32007150C  NULL  NULL  NULL  0  NULL  NULL  0  0  0  1  0  0  NULL  NULL  2014-04-12 16:16:59.400  NULL  2014-04-12 16:16:59.400  NULL  NULL

You can see that LastIpAddress there is null, but usually it is something real...


Thanks
10 years ago
It still seems odd that the requests are coming from your yyy IP address.  In any case, you may need to use something to block the requests, like urlscan.
10 years ago
I believe the issue is because of keepalive. Refer to this, it might help. https://www.nopcommerce.com/boards/t/29558/guest-accounts-keepalive-33.aspx.
10 years ago
New York wrote:
It still seems odd that the requests are coming from your yyy IP address.  In any case, you may need to use something to block the requests, like urlscan.


SOLVED

Hi guys, thanks especially to New York; this approach works:

I am dropping all PHP requests with the IIS URL Rewrite module:

<system.webServer>
    <rewrite>
        <rules>
            <!-- Drop every request whose path contains ".php" before it reaches the MVC pipeline. -->
            <rule name="BlockPHPfiles" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <!-- {URL} is the request path without the query string; the wildcard
                         also matches paths that merely contain ".php", e.g. /x.php/y -->
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <!-- AbortRequest closes the connection without a response instead of returning a 404. -->
                <action type="AbortRequest"/>
            </rule>
        </rules>
    </rewrite>
</system.webServer>

The problem was not related to the scheduled task; I tried it, but it made no difference.

Once more, thanks.