
PHP Intrusion Detection System for osCommerce


261 replies to this topic

#221   JoshBowe

JoshBowe
  • Members
  • 49 posts
  • Real Name:Josh Bowe

Posted 07 November 2011 - 16:47

Hi,

Just installed PHPIDS on 2.3.1 and can't seem to get it to work. As soon as I turn it on through the admin control panel my website front page just won't load. :(

I've followed the steps exactly as they are in the install guide, my "phpids" file was uploaded to website.com/includes/phpids without the catalog part. Could that be causing the problem? Otherwise I did everything as it said. Any help would be appreciated, cheers.

#222   mhondebrink

mhondebrink
  • Members
  • 3 posts
  • Real Name:Marco Hondebrink

Posted 16 November 2011 - 20:13

I got the following message when I try to do the following test http://www.example.c...id=1&test=">XXX works fine

What can be the issue?

#223   PLUGGER

PLUGGER
  • Members
  • 42 posts
  • Real Name:Plugger
  • Gender:Male
  • Location:Λουτράκι, Κορινθίας, Ελλάς

Posted 21 November 2011 - 20:16

Is there any way of having this send out emails to an alternate email address and not the owner of the store, i.e. the store developer instead?

And excuse me if I have missed the answer already.
If it don't fit - Get a bigger hammer

#224   guicher

guicher
  • Members
  • 13 posts
  • Real Name:Rene Guicherit

Posted 24 November 2011 - 20:10

Hi all,

I've just installed this contribution and I've checked the installation twice, so that I've made no errors. But I still have a problem. Before entering the test URLs I set the following settings.

PHPIDS Module : true
IP Ban Module : true
Show Intrusion Result : true
E-mail Log Impact Score : 8
DB Log Impact Score : 4
IP Ban Impact Score : 70


After entering the test URLs nothing happens. No message at the top of the page, no entries into the database and no emails received. Also nothing is written into the log file (which has chmod 777). When I enter an IP address manually into the banned IPs (via tools) the blocking works as it should.

Can anyone help me out here?

Kind regards
Rene Guicherit (aka guicher)

Edited by guicher, 24 November 2011 - 20:14.


#225   guicher

guicher
  • Members
  • 13 posts
  • Real Name:Rene Guicherit

Posted 25 November 2011 - 16:42

Just tested the website with Kyplex security scan. And know what! All kinds of intrusions are detected and reported. So I think it's working. Only the test URLs which came with the installation manual don't work?

Kind regards
guicher

#226   iflyamphib

iflyamphib
  • Members
  • 51 posts
  • Real Name:Jim Ratte

Posted 27 November 2011 - 04:48

Good evening. I've installed a clean (not upgrading) version of 1.7 for osc 2.3.1 this afternoon. With both test urls:

http://www.siteurl.c...com/&test=">XXX and
http://www.siteurl.com/?test="><script>eval(window.name)</script>

I receive the following:
403 Forbidden

You don't have permission to access / on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
  • If I remove the portion after the .com, the test site loads / functions properly.
  • The database tables have been created properly and are viewable from Php Admin.
  • I've gone through the install manual twice to verify placement of the files and code within the modified files.
  • I can add myself (ip from the Who's Online) and ban myself, and then receive the email successfully (using the contact form only).
  • Nothing is logged to the PHPIDS Log report however. Should it be when manually banning an IP?
  • The host is HostGator. Server running php 5.2.17 with PDO enabled (viewed from previous posts)
  • This is a new test site where I have been adding contributions to have as a 'master' for upgrading / creating other sites.
Is this a hosting issue? Thank you for any light anyone can shed on this. Jim

#227   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 01 December 2011 - 09:44

Suggestion:

file: banned_ip.php
code:
$ip_check = tep_get_ip_address();
Since tep_get_ip_address() can allow either the values of the HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP header (if set) to be the ip address ahead of the dependable REMOTE_ADDR, and because it is possible to spoof both of those headers, it might be better to stick with REMOTE_ADDR as the ip address to check for banned IPs in the db. That would also be consistent with the fact that REMOTE_ADDR is used as the ip address that is banned in the banned.php file.

I know that where the webserver is a part of a cluster configuration, this can also cause false IP addresses to be banned. If, however, you depend on tep_get_ip_address() to check IPs in the db, that may allow for this addon to be completely bypassed if an attacker got to thinking about sending spoofed HTTP_X_FORWARDED or HTTP_CLIENT_IP ip addresses with their attacks.

code suggestion:
$ip_check = ( false !== isset( $_SERVER ) ) ? $_SERVER[ "REMOTE_ADDR" ] : getenv( "REMOTE_ADDR" );

Or more simply:
$ip_check = $_SERVER[ "REMOTE_ADDR" ];

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW
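
The ban-check issue raised in the post above, as an added example that is not part of the original post or the add-on's code. The function names, the proxy list and the addresses are hypothetical, and header_first_ip() only models the behaviour the post describes rather than the real tep_get_ip_address() source. It also covers the cluster case the post mentions by honouring X-Forwarded-For only when the direct peer is a proxy you operate.

```php
<?php
// Added illustration; function names and addresses are hypothetical.

// Header-first lookup, modelled on the behaviour the post describes
// (not the actual tep_get_ip_address() source).
function header_first_ip(array $server): string {
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $h) {
        if (!empty($server[$h])) {
            return trim(explode(',', $server[$h])[0]);
        }
    }
    return $server['REMOTE_ADDR'];
}

// Address for the ban check: REMOTE_ADDR, unless the direct peer is one of
// our own proxies. Then use the right-most X-Forwarded-For hop that is not
// one of our proxies, because only hops appended by our proxies are reliable.
function ban_check_ip(array $server, array $trustedProxies): string {
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the socket address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample data using documentation-range addresses.
$banned  = ['203.0.113.50'];
$proxies = ['192.0.2.10']; // hypothetical load balancer
$request = [
    'REMOTE_ADDR'          => '203.0.113.50', // banned client, direct connection
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7', // value supplied by the client
];

foreach (['header_first_ip' => header_first_ip($request),
          'ban_check_ip'    => ban_check_ip($request, $proxies)] as $name => $ip) {
    printf("%-16s checks %-13s banned=%s\n", $name, $ip,
           in_array($ip, $banned, true) ? 'yes' : 'no');
}
```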

#228   badbo

badbo
  • Members
  • 163 posts
  • Real Name:Bo Mccoury

Posted 05 December 2011 - 09:10

2. Unzip the zipped file and rename "phpids-0.6.4" directory as "phpids".

3. Make sure that this renamed directory has the following directories directly in it:
docs
lib
tests



None of these files are in any of the packages

#229   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,209 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 05 December 2011 - 14:32

Maybe if it said create these 3 directories in ........

Cheers

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#230   badbo

badbo
  • Members
  • 163 posts
  • Real Name:Bo Mccoury

Posted 05 December 2011 - 18:54

What it says is to:
1. Download "PHPIDS 0.6.3.1 (ZIP)" or the latest version at:
http://php-ids.org/downloads/

2. Unzip the zipped file and rename "phpids-0.6.3.1" directory as "phpids".

3. Make sure that this renamed directory has the following directories directly in it:
docs
lib
nbproject
tests


This site cannot be reached. If you have to go somewhere else to get these that are not in the packages, then it is not a complete package and should state that in the package downloads instead of saying (this is a complete package).

#231   badbo

badbo
  • Members
  • 163 posts
  • Real Name:Bo Mccoury

Posted 05 December 2011 - 19:56

Does anyone have the phpids that they can upload to the package area? The http://php-ids.org/downloads/ can no longer be reached.
Thanks

#232   badbo

badbo
  • Members
  • 163 posts
  • Real Name:Bo Mccoury

Posted 06 December 2011 - 09:38

Getting this error with 1.6 installed and the latest phpids 7.0 installed:
Fatal error: Call to a member function bindParam() on a non-object in /home/xx/public_html/xxx/includes/phpids/lib/IDS/Log/Database.php on line 272

#233 ONLINE   altoid

altoid
  • Community Sponsor
  • 1,024 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 06 December 2011 - 18:41

Does anyone have the phpids that they can upload to the package area? The http://php-ids.org/downloads/ can no longer be reached.
Thanks


Try https://phpids.org/downloads/
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.

#234   badbo

badbo
  • Members
  • 163 posts
  • Real Name:Bo Mccoury

Posted 06 December 2011 - 18:54


Try https://phpids.org/downloads/

I have already installed the latest 7.0 but can find no answer for the error.

#235   cooch

cooch
  • Members
  • 140 posts
  • Real Name:steve

Posted 29 December 2011 - 16:19

Can't get wishlist.php to work because POST.prod_link and REQUEST.prod_link are being detected as xss attacks:


Affected tags: xss csrf
Affected parameters: REQUEST.prod_link.0=http%3A%2F%2Fwww.domain.com%2Fstore%2Fproduct_info.php%3Fproducts_id%3D367%7B1%7D2, POST.prod_link.0=http%3A%2F%2Fwww.domain.com%2Fstore%2Fproduct_info.php%3Fproducts_id%3D367%7B1%7D2,
Request URI: /store/wishlist.php

I added REQUEST.prod_link and POST.prod_link to the exclusion list with no luck.

If I have a number of items on wishlist, the total impact bans me...Any ideas?

#236   ancla

ancla
  • Members
  • 8 posts
  • Real Name:Angel Barros
  • Gender:Male
  • Location:Cádiz - SPAIN

Posted 17 January 2012 - 22:19

Hello, good evening

I'm trying to install a clean (not upgrading) version of 1.7 for osc 2.2rc2a.

At "Step-B: Admin" point 5 states:

Find the following code in admin/includes/boxes/tools.php file:

array(
'code' => FILENAME_ACTION_RECORDER,
'title' => BOX_TOOLS_ACTION_RECORDER,
'link' => tep_href_link(FILENAME_ACTION_RECORDER)
),

Though that array is not in my "tools.php" file. The whole content of my file is:

<?php
/*
$Id: tools.php 1739 2007-12-20 00:52:16Z hpdl $
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com
Copyright © 2002 osCommerce
Released under the GNU General Public License
*/
?>
<!-- tools //-->
<tr>
<td>
<?php
$heading = array();
$contents = array();

$heading[] = array('text' => BOX_HEADING_TOOLS,
'link' => tep_href_link(FILENAME_BACKUP, 'selected_box=tools'));

if ($selected_box == 'tools') {
$contents[] = array('text' => '<a href="' . tep_href_link(FILENAME_BACKUP) . '" class="menuBoxContentLink">' . BOX_TOOLS_BACKUP . '</a><br>' .
'<a href="' . tep_href_link(FILENAME_BANNER_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_BANNER_MANAGER . '</a><br>' .
'<a href="' . tep_href_link(FILENAME_CACHE) . '" class="menuBoxContentLink">' . BOX_TOOLS_CACHE . '</a><br>' .
'<a href="' . tep_href_link(FILENAME_DEFINE_LANGUAGE) . '" class="menuBoxContentLink">' . BOX_TOOLS_DEFINE_LANGUAGE . '</a><br>' .
'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .
'<a href="' . tep_href_link(FILENAME_MAIL) . '" class="menuBoxContentLink">' . BOX_TOOLS_MAIL . '</a><br>' .
'<a href="' . tep_href_link(FILENAME_NEWSLETTERS) . '" class="menuBoxContentLink">' . BOX_TOOLS_NEWSLETTER_MANAGER . '</a><br>' .
'<a href="' . tep_href_link(FILENAME_SERVER_INFO) . '" class="menuBoxContentLink">' . BOX_TOOLS_SERVER_INFO . '</a><br>' .
'<a href="' . tep_href_link('csv_import.php') . '" class="menuBoxContentLink">Importar CSV de Excel/OOCalc</a><br>' .
'<a href="' . tep_href_link(FILENAME_WHOS_ONLINE) . '" class="menuBoxContentLink">' . BOX_TOOLS_WHOS_ONLINE . '</a>');
}
$box = new box;
echo $box->menuBox($heading, $contents);
?>
</td>
</tr>
<!-- tools_eof //-->

Please, can anyone tell me where to insert the following required code, or whether my file lacks some code?
The code to insert is:

array(
'code' => FILENAME_PHPIDS,
'title' => BOX_TOOLS_PHPIDS,
'link' => tep_href_link(FILENAME_PHPIDS)
),
array(
'code' => FILENAME_BANNED_IP,
'title' => BOX_TOOLS_BANNED_IP,
'link' => tep_href_link(FILENAME_BANNED_IP)
),

Thank you for any help you can give me.
Angel Barros

#237   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,209 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 18 January 2012 - 10:26

Hi

Just add a line after

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

and change the words in capitals to those for the contribution you are trying to add.

HTH

G

#238   DougieMac

DougieMac
  • Members
  • 12 posts
  • Real Name:Dougie MacIntosh

Posted 27 January 2012 - 01:58

Hi, let me apologise first in case this problem has already been posted, but it's late now and I can't find anything similar.

I am hoping you can help me with this error :-

1146 - Table 'a4993375_msc.TABLE_BANNED_IP' doesn't exist

select ip_address from TABLE_BANNED_IP where ip_status='0'

[TEP STOP]


when I try to access the shop, http://mywebsite/catalog/index.php. This occurred when trying the test http://mywebsite/cat...d=1&test=">XXX. Prior to this test I could access the site easily.

I am running oscommerce 2.3.1 on win xp64 with phpids 1.7 installed. Given that I am fairly new to php, can you point me to where I have gone wrong? There are no entries in the PHPIDS log and no entries in the banned IP section.

Edited by DougieMac, 27 January 2012 - 02:00.


#239   DougieMac

DougieMac
  • Members
  • 12 posts
  • Real Name:Dougie MacIntosh

Posted 27 January 2012 - 09:08

Ok, fresh look at the forum this morning and I found the solution. Doh! Apologies.

#240   modem2.0

modem2.0
  • Members
  • 70 posts
  • Real Name:Modem 2.0

Posted 16 March 2012 - 18:43

Hello,

I'm building a new shop using oscommerce 2.3.1 and I added this contrib, but when I do the 2 suggested tests I get the following error:

Exception: PDOException: SQLSTATE[28000] [1045] Access denied for user 'root'@'localhost' (using password: NO)
I'm building it on my windows PC using WAMP, so I'm wondering if this is the problem...

I have it running correctly on my old oscommerce 2.2 shop...

Any idea?