Cs-Cart Attackers

I have been going through my cscart_logs table to see how many login failures we had. I discovered some stuff that is disturbing.

I had 14,186 attempts to log in to accounts on my CS-Cart website. They were all coming from the same source, so I wanted to share my solution that might help you. Here is the list of their IP addresses.

212.7.217.2
212.7.217.7
212.7.217.46
212.7.217.26
212.7.217.122
212.7.220.0/24

If you have root access and csf installed on your server, you can simply run the following commands to ban them for life.

csf -d 212.7.217.2
csf -d 212.7.217.7
csf -d 212.7.217.46
csf -d 212.7.217.26
csf -d 212.7.217.122
csf -d 212.7.220.0/24

If you want to find out how many times they attempted to log in to your website:

SELECT log_id, user_id, timestamp, type, content
FROM `cscart_logs`
WHERE `action` = 'failed_login' 
AND (content LIKE '%212.7.220.%' OR content LIKE '%212.7.217.2%' OR content LIKE '%212.7.217.7%'
OR content LIKE '%212.7.217.46%' OR content LIKE '%212.7.217.26%' OR content LIKE '%212.7.217.122%')
ORDER BY `log_id` DESC

In my case, the total row count is 14,186. Here is the breakdown:

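Added example, not part of the original thread: the query above uses substring matches such as `LIKE '%212.7.217.2%'`, which also match 212.7.217.22 and any submitted login string that happens to contain that text. This sketch parses the `content` value by its declared string lengths, validates the IP, and counts attempts per address against the banned entries; the function names and sample rows are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Entries the post bans with `csf -d` (copied from the page).
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "212.7.217.2", "212.7.217.7", "212.7.217.46",
    "212.7.217.26", "212.7.217.122", "212.7.220.0/24")]
_STR = re.compile(rb's:(\d+):"')

def php_strings(blob):
    """Return the s:<len>:"..."; values in order, sliced by declared byte length."""
    data, pos, out = blob.encode(), 0, []
    while (m := _STR.search(data, pos)):
        n, start = int(m.group(1)), m.end()
        if data[start + n:start + n + 2] == b'";':
            out.append(data[start:start + n].decode(errors="replace"))
            pos = start + n + 2
        else:
            pos = m.end()          # length does not line up: skip this token
    return out

def parse_content(blob):
    """Return (login, ip) for one cscart_logs.content value, or None."""
    vals = php_strings(blob)
    for i in range(len(vals) - 2, 0, -1):      # value after the ip_address key
        if vals[i] == "ip_address":
            try:
                return vals[i - 1], ipaddress.ip_address(vals[i + 1])
            except ValueError:
                return None
    return None

def summarize(rows):
    """Return [(ip, attempts, distinct_logins, already_listed)], busiest first."""
    hits, logins = Counter(), {}
    for login, ip in filter(None, map(parse_content, rows)):
        hits[ip] += 1
        logins.setdefault(ip, set()).add(login)
    return [(str(ip), n, len(logins[ip]), any(ip in net for net in BLOCKLIST))
            for ip, n in hits.most_common()]

def row(login, ip):                            # builds a constructed sample row
    return '{s:%d:"%s";s:10:"ip_address";s:%d:"%s";}' % (
        len(login.encode()), login, len(ip), ip)

SAMPLE = ([row("a@example.test", "212.7.217.22")] * 3      # constructed data
          + [row("b@example.test", "212.7.220.14")] * 2
          + [row("c@example.test", "212.7.217.2"),
             row('212.7.217.2";x', "198.51.100.9")])
```

In the sample, 212.7.217.22 is the busiest address yet is not covered by any banned entry, and the last row would be counted by the `LIKE` pattern even though it came from a different address.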

You can set up CSF to automatically block them after a certain number of failed attempts. You can also do this within CSCart itself.

CSF doesn't block them automatically. They are not trying to access SSH or FTP; they are trying to log in to the website, so all it sees is GET/POST. I think you are referring to the Fraud detection addon, but I never used that. If you can expand on this, I would appreciate it. The method I found above is working; most of these IP addresses are also comment spammers, so blocking them at the firewall level stopped a lot of Rolex/viagra BS.

The addon is "Access restrictions". It's self-explanatory.

Login is one thing...spam is another.

[attachment=12478:access_restrictions_ settings.jpg]
