User tracking mod

[mc12345678]

Has anyone incorporated tracking restrictions using the spiders file? And to take it a step further, incorporated it so that the data is still logged with an option to hide spider views or show them when reviewing the log?

This last question is asked, because it seems that ip addresses to not log are specifically that, not logged versus not shown. Would think that would want to log all accesses (unless REALLY concerned about log space) and just ignore them when reviewing the logs.

I've gone ahead and made the modifications described above. Additionally added code that was obtained from this forum that addressed the presentation of the idle time. The following is taken from the update file.

Added ability to hide/show spider visits using the spiders.txt file of Zen Cart. Default view is to hide spider visits.

Modified the information shown at the bottom of the view to show the number of users and number of bots/spiders that have visited. This spider/bot information will show whether the actual visit is or is not shown.

Also incorporated modifications published in this Thread/Forum related to display of the Idle time of a visitor. (Previous calculations lead to incorrect display depending on timezone.) Just added it in, so still needs to go through review and acceptance.

[mc12345678]

Fyi,

Submitted another change to the user tracking mod. The list of changes are as follows (by memory):
1. Identified that in some cases the OnChange event of clicking the new Hide/Show Spiders buttons didn't work on first click, so rewrote to use an OnClick event instead.
2. Removed some of the hard coded text that had recently been added and placed in the language files.
3. Added a Back to Today and Forward to Today option if the date chosen is two or more days away from the date when the date on which the selection was made.
4. When moving the text to the language file ensured that values of zero displayed for number of "events".
5. Incorporated the use of the notify system instead of calling a function into the footers. (The previous method still works); however, new installs are directed to use the notify method.
6. By request of the Zen Cart Team trimmed down the readme files so that there is only a new install and upgrade file by incorporating the history of the previous updates into the update readme.

It is likely/possible that this update will be available after this coming weekend; however, the Zen Cart Team as far as I know also is a volunteer support group, so please be patient while they make their reviews to publish.

[mc12345678]

I am hoping someone can help me. We upgraded to Zen Cart 1.5.1 and User Tracking 1.4.2 and I am getting these errors in the log file:

Code:

[07-Aug-2013 01:26:56 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0=A&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'O' at line 1 :: insert into user_tracking (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, referer_url, page_desc, customers_host_address) values ('0', 'Guest', '931f031bebc22bab074f3e9f9dd60475', '198.100.145.182', '1375853216', '1375853216', '/index.php?main_page=\'0=A&products_id=13493', 'http://www.clevershoppers.com/index.php?main_page='0=A&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'OFFICE_IP_TO_HOST_ADDRESS') in /MASKED/includes/classes/db/mysql/query_factory.php on line 120

Code:

[07-Aug-2013 01:26:57 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0=A', 'NAVBAR_TITLE', 'OFFICE_IP_TO_HOST_ADDRESS')' at line 1 :: insert into user_tracking (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, referer_url, page_desc, customers_host_address) values ('0', 'Guest', '42c15c5d5052c1bd8b9601e07c1c65ff', '198.100.145.182', '1375853217', '1375853217', '/index.php?main_page=product_info&products_id=\'0=A', 'http://www.clevershoppers.com/index.php?main_page=product_info&products_id='0=A', 'NAVBAR_TITLE', 'OFFICE_IP_TO_HOST_ADDRESS') in /MASKED/includes/classes/db/mysql/query_factory.php on line 120

Code:

[07-Aug-2013 01:26:58 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0=A+and+1=1&products_id=13493', 'Learning Resources Pretend and Play Food Snack ' at line 1 :: insert into user_tracking (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, referer_url, page_desc, customers_host_address) values ('0', 'Guest', '4fbeab1bb17a9a9ab8b444106ba60f2d', '198.100.145.182', '1375853218', '1375853218', '/index.php?main_page=\'0=A+and+1=1&products_id=13493', 'http://www.clevershoppers.com/index.php?main_page='0=A+and+1=1&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'OFFICE_IP_TO_HOST_ADDRESS') in /MASKED/includes/classes/db/mysql/query_factory.php on line 120

These are just some examples, there are 100s of these errors in the log. On The Admin side, I see tracking and such but obvious something is wrong here.

Thanks!

I'm curious from what version you upgraded.

Basically, what I have discovered from errors of that type, is that whomever or whatever is at the ip address shown in the error is/has been trying to abuse Zen Cart by sending a bad URL. You can reproduce/force the error by manually entering the same URL. The good thing? Now you know about it, and hopefully/probably now they can't use the same trick they used to to get what they were able to. (Sorry, I'm assuming that since the same IP address was in each of those error logs, that they have probably been sending that URL for a while.)

See, it is if someone is trying to submit what I think is called SQL injection, because if you notice that after main_page= there is a backwards slash followed by an apostrophein SQL that combination is like forcing an apostrophe to stay in the string which if improperly handled in the code could act like a break in a line with the following text to be executed if as actual code. For example, one of the entries evaluates to 0=A which results in an error because you can't assign the letter A to the number 0. If the code didn't catch this then there might be a problem. But basically, to log records, the user tracking mod is passing to the SQL interpreter the data that is shown, and it doesn't like some of the data.

That's my interpretation based on finding an occasional similar event in my log, tracking down the originator (same place each time), and a little research on the values attempted to inject.

[BlessIsaacola]

I upgraded from Version: 1.3.6.2. If I understand you correctly, this is nothing to worry about other than the annoying 100s of entry in the log folder? If this continues I still may ditch this mod. It's interesting that this never show up before upgrading to Zen Cart 1.5.1. Thanks so much for looking into this.

[mc12345678]

I upgraded from Version: 1.3.6.2. If I understand you correctly, this is nothing to worry about other than the annoying 100s of entry in the log folder? If this continues I still may ditch this mod. It's interesting that this never show up before upgrading to Zen Cart 1.5.1. Thanks so much for looking into this.

Well, glad you upgraded from such an old version. My understanding is that likely it had security issues. My recommendation would be to use this previously unavailable information to take action on your site. Take a look at the errors and see what commonalities exist. Perhaps that (or those) ip addresses need to be reported to the respective host(s) about how they are trying to abuse your site, and then maybe also have the address(es) blocked from your site through your .htaccess file(s). Afterall, if they're not engaging with your site appropriately then either they shouldn't be able to or maybe they have an issue that needs to be corrected. Take a look at the product_id identified and review your database through your myPHPAdmin panel, do you have a product_id of 13493? (Or could look through your store to find the same.) My guess is that no, you don't have 13,493 items and therefore don't have a product_id that high, which further indicates that it's not actually your cart providing that URL, but someone/something providing that to your cart to attempt to abuse it.

Realize, ignoring the abusive behavior won't resolve anything, and it may even escalate.

[BlessIsaacola]

Thank you again! I will definitely keep an eye on it and block the ips as they come through. The product ids that's included are valid on our site and work just fine. I still find it rather interesting that they are using User Tracking Mod to try and attack. Obviously, there's a reason for that best known to them. I will monitor the log for a while and add the offending ip to the block list. Thanks for troubleshooting with me.

[mc12345678]

I upgraded from Version: 1.3.6.2. If I understand you correctly, this is nothing to worry about other than the annoying 100s of entry in the log folder? If this continues I still may ditch this mod. It's interesting that this never show up before upgrading to Zen Cart 1.5.1. Thanks so much for looking into this.

Also, this may not have been observed before because the old version of your Zen Cart may have allowed that computer to do what it was doing before processing the user tracking code. Now that you are on the latest version of Zen Cart, Zen Cart is allowing that "request" to move forward. So, to further clarify (seeing a newer post), they may not be targeting the User Tracking, but "known" issues with the older Zen Cart systems that potentially have security issues, it's just now you have something reported as a result of having the plugin.

Again, I caution about just blocking the ip addresses, it "fixes" potential issues with them reaching to you, but doesn't notify anyone about the attempts they are making.

[BlessIsaacola]

I will greatly appreciate if anyone have a uninstall instruction for the database changes and page registration that was made by this mod. I have uninstalled it from our site and would like to clean it up from the DB.

[mc12345678]

I will greatly appreciate if anyone have a uninstall instruction for the database changes and page registration that was made by this mod. I have uninstalled it from our site and would like to clean it up from the DB.

They (the instructions and or uninstall SQL) should be part of the installation instructions.

Other than the numerous error messages generated by one or more computers attempting to provide a bad string, was there anything else that you saw that could be improved? (I have some plans for additional mods, so I am interested in if I am planning the right ones.)

[BlessIsaacola]

They (the instructions and or uninstall SQL) should be part of the installation instructions.

Other than the numerous error messages generated by one or more computers attempting to provide a bad string, was there anything else that you saw that could be improved? (I have some plans for additional mods, so I am interested in if I am planning the right ones.)

The keyword there is they should be but I don't see uninstall instruction. Inside the Readme I have HOW_TO_UPDATE-V1.5.0.txt and New_Install_Readme.txt and inside the sql folder I have new_install_user_tracking.sql and UPDATE_user_tracking.sql Now sure if my 1.4.2 package download is missing something but there's no uninstall instruction for the database or page registration stuff. I honestly cannot tell you what exactly is wrong but we have so many customization on our site and this is the only mod that's not playing well with the database (in the sense that it keeps triggering an error related to an insert and line 120 of query factory). Instead of chasing it around, I decided to remove it from our site for now. When there's another release I will try it again but it's not critical enough to our business to be messing with it. Our livehelp mod have a built functionality that collects the same data so I am not missing anything. Thanks!