Post by sooty » Thu Sep 29, 2016 7:21 pm

We are getting bombarded with enquiries via the contact page from a eric.neilmann@take5shop(.com)

It is an automated message containing an invitaion to open a list of required products supposedly on an excel spreadsheet.

We know, to the expense of a friend of ours who also received this through their opencart 1.5 shop, that the link is malicious. It takes control of your PC and then they demand $500 to release it. They have ended up scrapping a harddrive over it.

This is warning to others not to open the link.

Anyone know a way to shut the b%^$)ard down?

We think the originators IP address is 194.67.196.54 and have now blocked access.

New member

Posts

Joined
Fri Sep 21, 2012 4:59 am

Post by IP_CAM » Fri Sep 30, 2016 4:20 am

Code: Select all

inetnum: 194.67.196.0 - 194.67.199.255
netname: MAROSNET-194-67-196-0
descr: Marosnet enterprise network
country:  RU
Better deny this Network completely, I blocked those fellows on an even larger range, a long time ago!
deny from 194.24.230.0/194.88.213.255

Code: Select all

order allow,deny
allow from all
deny from 194.67.196.0/194.67.199.255
Ernie

I am no longer active at the Forum. Please do NOT send me Personal Mails,
they will no longer be replied to.
My Github OC Site: https://github.com/IP-CAM
4'300 + FREE OC Extensions, on the World's largest Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by Johnathan » Fri Sep 30, 2016 4:33 am

If they change their IPs and you want to block their domain in your contact form, you could make an edit like this:

Code: Select all

IN:
/catalog/controller/information/contact.php

REPLACE:
$mail->send();

WITH:
if (!strpos($this->request->post['email'], 'take5shop')) {
    $mail->send();
} 
You could also use an "else" statement with that "if" statement to redirect them away, or do other things (like auto-block their IP) if you're handy with code.

Image
Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by debbiekipt » Fri Sep 30, 2016 11:05 pm

I am having the same issue, thanks for the suggestions!
I have also discovered something which I think may be more sinister, I do not know if they are connected:
http://forum.opencart.com/viewtopic.php?f=20&t=168452

Re the code you kindly provided Ernie, I assume it goes in our .htaccess file?
order allow,deny
allow from all
deny from 194.67.196.0/194.67.199.255

Active Member

Posts

Joined
Sun Nov 21, 2010 8:10 pm

Post by IP_CAM » Fri Sep 30, 2016 11:45 pm

I assume it goes in our .htaccess file
Yes, this is correct!
---
And just to give you an inside look into my file, for years, I use this .htaccess file, frequently updated,
in my Site ROOT Sections. It could have been coded MUCHO more professional, I know, but this is, what
I understand to manage, and it works well, and makes very little difference in page load delay, compared,
without having an .htaccess file in place! :D
---
It also re-route's incoming http://site calls to http://www.site, so, I don't have to add such
rerouting routines to OC-2 related Shop Subdirectory placed .htaccess files any longer, to avoid
Font-Awesome ICON related problems.
---
http://www.openshop.li/downloads/ernies_htaccess.zip
---
BOTTOM Rewrite Rule Line could either be something like this:

Code: Select all

RewriteRule .* - [F]
or then something like this, re-directing such IP's directly to another Domain!

Code: Select all

RewriteRule /*$ http://www.brightfort.com/spywareblaster.html[L,R]
---
Good Luck ;)
Ernie

But don't just use it, as it comes, it may BLOCK yourselfs from accessing your Site,
depending on, where you come from ::) :D

I am no longer active at the Forum. Please do NOT send me Personal Mails,
they will no longer be replied to.
My Github OC Site: https://github.com/IP-CAM
4'300 + FREE OC Extensions, on the World's largest Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by JNeuhoff » Sat Oct 01, 2016 5:28 am

sooty wrote:We are getting bombarded with enquiries via the contact page from a eric.neilmann@take5shop(.com)

It is an automated message containing an invitaion to open a list of required products supposedly on an excel spreadsheet.

We know, to the expense of a friend of ours who also received this through their opencart 1.5 shop, that the link is malicious. It takes control of your PC and then they demand $500 to release it. They have ended up scrapping a harddrive over it.

This is warning to others not to open the link.

Anyone know a way to shut the b%^$)ard down?

We think the originators IP address is 194.67.196.54 and have now blocked access.
We got loads of emails from the same guy. Might be useful to add a captcha on your Contact page.

Override Engine * Integrated VQMod * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Rich Snippets * Google Tag Manager * Export/Import Tool * SpamBot Buster * Survey Plus


User avatar
Expert Member

Posts

Joined
Wed Dec 05, 2007 3:38 am


Post by debbiekipt » Sat Oct 01, 2016 6:32 pm

Many thanks for your post and sharing your .htaccess Ernie!
I will take a look at that and great that it could resolve the missing Font Awesome icons too - that is something else I have an issue with in multistore shops at present.

Thanks JNeuhoff for your suggestion, we have a captcha and were still getting the emails, though none today so far after adding Ernies deny code to .htaccess yesterday :-)

Active Member

Posts

Joined
Sun Nov 21, 2010 8:10 pm

Post by JNeuhoff » Tue Oct 04, 2016 5:12 am

I added Ernie's code

Code: Select all

order allow,deny
allow from all
deny from 194.67.196.0/194.67.199.255
to the .htaccess, yet we are still getting these spam mails from take5shop, submitted via our website's Contact form (verified from the access.log). I guess it needs a different mechanism to block this IP-address range!
Last edited by JNeuhoff on Tue Oct 04, 2016 6:13 am, edited 1 time in total.

Override Engine * Integrated VQMod * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Rich Snippets * Google Tag Manager * Export/Import Tool * SpamBot Buster * Survey Plus


User avatar
Expert Member

Posts

Joined
Wed Dec 05, 2007 3:38 am


Post by IP_CAM » Tue Oct 04, 2016 6:00 am

I know, it can be enduring, that's, why I have some Lock-Code on IP's as well as on 'Names', related, after analyzing the source of transmissions, to sometimes find out where to 'get' em !
Good Luck!
Ernie

I am no longer active at the Forum. Please do NOT send me Personal Mails,
they will no longer be replied to.
My Github OC Site: https://github.com/IP-CAM
4'300 + FREE OC Extensions, on the World's largest Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by JNeuhoff » Tue Oct 04, 2016 6:08 am

I think the last enquiry originated from the IP-address 92.63.109.125, which is part of the range 92.63.108.0 - 92.63.109.255, coming from JSC Cloud, Irkutsk, Russia. Should be added to the deny-list, too.

Override Engine * Integrated VQMod * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Rich Snippets * Google Tag Manager * Export/Import Tool * SpamBot Buster * Survey Plus


User avatar
Expert Member

Posts

Joined
Wed Dec 05, 2007 3:38 am


Post by Johnathan » Tue Oct 04, 2016 10:54 pm

JNeuhoff wrote:I added Ernie's code to the .htaccess, yet we are still getting these spam mails from take5shop, submitted via our website's Contact form (verified from the access.log). I guess it needs a different mechanism to block this IP-address range!
If this happens often, you might want to just use the edit I suggested above, which should block your contact form from being used by anyone from that domain.

Image
Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by Philly » Tue Oct 11, 2016 6:37 pm

Johnathans reply is perfect for this!

The spammers think they sent it as they get the confirmation message, but no email is sent!!

Just make sure you test it using their domain and another before considering it fixed :)

Thank you Johnathan!!!

Newbie

Posts

Joined
Sun Sep 18, 2016 5:46 am

Post by JNeuhoff » Tue Oct 11, 2016 8:18 pm

I am now trying this htaccess code:

Code: Select all

deny from 194.67.196.0/22
deny from 92.63.108.0/23
which should block this spammer's IP address ranges

194.67.196.0 to 194.67.199.255
92.63.108.0 to 92.63.109.255

This spammer is actually manually visiting the information/contact page, then copying and pasting his standard spam text, and then hitting the Submit button.

User avatar
Expert Member

Posts

Joined
Wed Dec 05, 2007 3:38 am

Who is online

Users browsing this forum: No registered users and 27 guests