Our website was under attack for two hours from a US bot with no valid ip address placing over 165,000 orders in two hours, which has led to 165,000 pending orders.
They were all done under one email address, can anyone help with the SQL to delete pending orders from one specific email address? Many thanks. James
SQL to delete orders from one specific customer
MVP
- 11328
- 101032
- 22/05/2011
- United States
This will 'purge' all Orders (and OrderItems and OrderNotes, because they are FK on delete cascade) for given customer. It does not consider status (e.g. 'pending'), which I would not think matters in your case if the customer was bogus.
(I say 'purge', because this is a hard delete, unlike clicking the Delete button in an admin Order page which would just set the Order's Deleted field's value to 1)
delete from [Order]
where CustomerId = (select Id from Customer where Email = 'builtin@search_engine_record.com')
(I say 'purge', because this is a hard delete, unlike clicking the Delete button in an admin Order page which would just set the Order's Deleted field's value to 1)
- 72
- 490
- 13/08/2014
- United Kingdom
Thank you for the advice, sorry I should have mentioned that the orders were all 'guest' orders using one email address (I have now found out that this was a "carding attack"). Your code works perfectly for registered customers. We don't want to delete all pending orders because on rare occasions orders via PayPal will not auto update to paid so we keep them for contingencies. Any suggestions?
Many thanks, James
Many thanks, James
MVP
- 11328
- 101032
- 22/05/2011
- United States
Guests do not have an Email.
This will delete Pending orders for Guests
However, it can't distinguish legitimate guests (with pending orders), vs. your attacker. So, you may also want to check for (example IP address)
AND LastIpAddress = '127.0.0.1'
and/or (example date range)
AND CreatedOnUtc between '2021-03-05 15:47' and '2021-05-05 15:47'
P.S. If you change the above query's DELETE [Order] to a SELECT *, then you can see the results of what will be deleted before you actually delete.
This will delete Pending orders for Guests
DELETE [Order]
FROM [Order] o
JOIN Customer c ON c.Id = o.CustomerId
WHERE o.OrderStatusId = 10 --Pending
AND c.Email is null --Guest
However, it can't distinguish legitimate guests (with pending orders), vs. your attacker. So, you may also want to check for (example IP address)
AND LastIpAddress = '127.0.0.1'
and/or (example date range)
AND CreatedOnUtc between '2021-03-05 15:47' and '2021-05-05 15:47'
P.S. If you change the above query's DELETE [Order] to a SELECT *, then you can see the results of what will be deleted before you actually delete.
- 72
- 490
- 13/08/2014
- United Kingdom
This was a very cleaver carding attack. Our payment gateway provider has informed me (correctly or incorrectly) that the attacker places thousands (hundreds of thousands in our case) of small orders to verify if stolen card details are active or inactive at taking payments. They then go on to use or sell these card details, the attack was from the US using US debit cards (we are UK online business). Not only did it autofill all the checkout process on our site, but it also auto completed the sage payment (now Opayo) 'form' system. It started at 3.00am on Saturday 6th and we did not notice the activity until 8.00am when we realised significant pending orders over what could ever be realistic (£94,000).
The obvious immediate solution was to block the IP address, however this was masked and not visible on the order details. The only short term solution I could think of was to create a firewall rule that blocks any visitor which tries to access the payment URL more than twice in any 2 second period via Cloudflare. This worked and blocked the attacker. I don't know of any more robust long term solution as my IT skills are limited, however as it is the weekend we will consult our web developer on Monday when they are back. the process cost us half a day in lost sales, but has also locked our merchant account which means we can only accept PayPal payments until tomorrow (Monday). We plan to update our site to V4.3 and install google reCAPTCHA v3 during the checkout process. I would recommend anyone taking steps to prevent this as based on our experience it happens when you are in a position to do little to stop it. Thankfully we also had PayPal on our ecommerce site or we would have lost two to three days sales.
The obvious immediate solution was to block the IP address, however this was masked and not visible on the order details. The only short term solution I could think of was to create a firewall rule that blocks any visitor which tries to access the payment URL more than twice in any 2 second period via Cloudflare. This worked and blocked the attacker. I don't know of any more robust long term solution as my IT skills are limited, however as it is the weekend we will consult our web developer on Monday when they are back. the process cost us half a day in lost sales, but has also locked our merchant account which means we can only accept PayPal payments until tomorrow (Monday). We plan to update our site to V4.3 and install google reCAPTCHA v3 during the checkout process. I would recommend anyone taking steps to prevent this as based on our experience it happens when you are in a position to do little to stop it. Thankfully we also had PayPal on our ecommerce site or we would have lost two to three days sales.
MVP
- 11328
- 101032
- 22/05/2011
- United States
Thanks for the info. Yes, it's disconcerting (to all using nopCommerce), that they were able to "autofill all the checkout process on our site". This may interest you
https://www.nopcommerce.com/en/ecommerce-fraud-detection-how-to-protect-your-online-store
https://www.nopcommerce.com/en/ecommerce-fraud-detection-how-to-protect-your-online-store