PHP Intrusion Detection System for osCommerce


261 replies to this topic

#241   modem2.0

modem2.0
  • Members
  • 70 posts
  • Real Name:Modem 2.0

Posted 17 March 2012 - 21:14

I found the issue of my problem... My Wamp MySQL server is not running on the default port, and the script is not using the OSC configuration. Once I changed the port on osc_phpids.php in the modules folder it worked flawlessly.

#242   modem2.0

modem2.0
  • Members
  • 70 posts
  • Real Name:Modem 2.0

Posted 18 April 2012 - 13:20

Hi,

I have this contribution installed, and I'm also using the contribution Customer Must Accept Terms and Conditions (MATC) http://addons.oscommerce.com/info/5750
But now I have lots of entries in the PHPIDS Log table related to REQUEST.conditions and POST.conditions in the create_account.php file, with all the conditions written out.

Is there a way to fix this?

#243   modem2.0

modem2.0
  • Members
  • 70 posts
  • Real Name:Modem 2.0

Posted 28 April 2012 - 19:41

Hi,

I have this contribution installed, and I'm also using the contribution Customer Must Accept Terms and Conditions (MATC) http://addons.oscommerce.com/info/5750
But now I have lots of entries in the PHPIDS Log table related to REQUEST.conditions and POST.conditions in the create_account.php file, with all the conditions written out.

Is there a way to fix this?

Anyone??

#244   chandrika

chandrika
  • Members
  • 15 posts
  • Real Name:Chandrika
  • Gender:Female

Posted 23 May 2012 - 15:45

Hi,
I have just discovered that my installation of phpids was causing a problem with my PayPal IPN notifications. Sometimes they were getting sent, sometimes not, and checking the error logs on the server for PayPal's IPN notification URL (173.0.81.1) I found

[Wed May 23 06:18:54 2012] [error] [client 173.0.81.1] PHP Fatal error: Class 'PDO' not found in /home/****/public_html/includes/phpids/lib/IDS/Log/Database.php on line 172

I have disabled phpids for a while and ipn notifications are now ok. I use paypal standard module for payments.

I see there is an option in admin phpids for variable exclusions, and I am thinking that maybe there is something I can enter there that might stop phpids blocking PayPal IPNs. The IPN notification script in my oscommerce is at /ext/modules/payment/paypal/standard_ipn.php

I could post that page if someone may be able to tell me whether there is a variable there I could exclude? What do you think?

#245   cooch

cooch
  • Members
  • 140 posts
  • Real Name:steve

Posted 30 May 2012 - 17:54

Anyone??


Did you ever get this fixed?

#246   modem2.0

modem2.0
  • Members
  • 70 posts
  • Real Name:Modem 2.0

Posted 14 August 2012 - 15:56

Did you ever get this fixed?

Never.

But now I also have the PDO issue in the create account...

Edited by modem2.0, 14 August 2012 - 15:57.


#247   ce7

ce7
  • Members
  • 244 posts
  • Real Name:lyn

Posted 11 September 2012 - 08:20

Hi there,

I had installed this addon, till step E Test, TEST-1, I got a warning as below:

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /includes/modules/osc_phpids.php:199) in /includes/functions/sessions.php on line 102

And the TEST-2, I did not see any test result, the page just showed HTTP 406 Not Acceptable.

Is it normal, or what did I do wrong?

Many thanks in advance.

Lyn

#248   broadstreetbully

broadstreetbully
  • Members
  • 114 posts
  • Real Name:jason

Posted 13 September 2012 - 21:39

Kept getting a "missing table" error in my admin after correct installation... Uninstalled after reading about all the issues and scripts built specifically for this addon...

#249   ce7

ce7
  • Members
  • 244 posts
  • Real Name:lyn

Posted 08 November 2012 - 02:35

Hi, I just got an attack:

IP: 184.82.78.125
Date: 2012-11-08T10:12:16+11:00
Impact: 14
Affected tags: xss csrf id rfe lfi
Affected parameters: REQUEST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6, POST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6,
Request URI: /mg/product_info.php?products_id=212/trackback

Does anyone know what I should do, and whether my website has been affected? If so, what further steps should I take? Many thanks in advance.

Lyn

#250   LeanderPL

LeanderPL
  • Members
  • 6 posts
  • Real Name:LeanderPL
  • Gender:Male

Posted 30 December 2012 - 11:38

Hi, I just got an attack:

IP: 184.82.78.125
Date: 2012-11-08T10:12:16+11:00
Impact: 14
Affected tags: xss csrf id rfe lfi
Affected parameters: REQUEST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6, POST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6,
Request URI: /mg/product_info.php?products_id=212/trackback

Does anyone know what I should do, and whether my website has been affected? If so, what further steps should I take? Many thanks in advance.

Lyn


I've got it too. For different IPs it started to send notifications somewhere about 21 December, almost 100 per day. What to do now? Is it a hack attack on the shop?

Entering the PHPIDS plugin in the Admin Panel gives a popup with "9537246810"...

Edited by LeanderPL, 30 December 2012 - 11:46.


#251   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,211 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 30 December 2012 - 23:20

Looks like the add-on is reporting an attack that has been thwarted.

You could ban the IP address using your htaccess file, pop this in Google

Block a specific IP address from accessing your website

HTH

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.
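
As an added illustration (not code from the add-on or from any poster in this thread), this Python sketch parses an alert in the format posted above, URL-decodes the flagged parameter so it can be read, and builds the .htaccess deny lines the reply refers to. The function names, the triage heuristics and the shortened sample value are assumptions of this example; title, excerpt, url and blog_name are the form fields of the TrackBack ping protocol used by blog software.

```python
import ipaddress
from urllib.parse import unquote_plus

# Alert in the format posted above; the excerpt value is shortened (constructed sample).
ALERT = (
    "IP: 184.82.78.125\n"
    "Date: 2012-11-08T10:12:16+11:00\n"
    "Impact: 14\n"
    "Affected tags: xss csrf id rfe lfi\n"
    "Affected parameters: REQUEST.excerpt=%5B...%5D+Here+you%E2%80%99ll+find+some+sites%2C+just+click%5B...%5D, "
    "POST.excerpt=%5B...%5D+Here+you%E2%80%99ll+find+some+sites%2C+just+click%5B...%5D,\n"
    "Request URI: /mg/product_info.php?products_id=212/trackback\n"
)

# Form fields defined by the TrackBack ping protocol (blog software, not osCommerce).
TRACKBACK_FIELDS = {"title", "excerpt", "url", "blog_name"}

def parse_alert(text):
    """Turn one notification into a dict with URL-decoded parameter values."""
    fields = dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)
    params = {}
    # Values are URL-encoded, so a literal comma only ever separates entries.
    for item in fields.get("Affected parameters", "").split(","):
        key, sep, raw = item.strip().partition("=")
        if sep:
            params[key.partition(".")[2]] = unquote_plus(raw)
    return {"ip": fields["IP"], "impact": int(fields["Impact"]),
            "uri": fields["Request URI"], "params": params}

def triage(alert):
    """Reviewer hints (heuristics assumed here): trackback ping? markup or path chars?"""
    p = alert["params"]
    tail = alert["uri"].rstrip("/").rsplit("/", 1)[-1]
    text = " ".join(p.values())
    return {
        "trackback_ping": tail == "trackback" and bool(p) and set(p) <= TRACKBACK_FIELDS,
        "markup_or_path": any(t in text for t in ("<", ">", "../", "://")),
    }

def htaccess_deny(ip, apache24=True):
    """Return .htaccess lines that block one address; non-IP input raises ValueError."""
    ip = str(ipaddress.ip_address(ip.strip()))
    if apache24:
        return f"<RequireAll>\n    Require all granted\n    Require not ip {ip}\n</RequireAll>\n"
    return f"Order Allow,Deny\nAllow from all\nDeny from {ip}\n"

if __name__ == "__main__":
    alert = parse_alert(ALERT)
    print(alert["params"], triage(alert), htaccess_deny(alert["ip"]), sep="\n")
```

Pass apache24=False for servers still on the Apache 2.2 access-control directives.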

#252   ce7

ce7
  • Members
  • 244 posts
  • Real Name:lyn

Posted 06 January 2013 - 21:58

@ geoffreywalton

Hi Geoffrey,

Thank you very much for the reply. For the whole past week I can say something has been going on with my website, but I have no idea how to check what they have done.

Several things I found very strange include:

1.
When I add new addons, I tested in three others as well; the one where I got the PHP Intrusion warning had been changed back, while the other three test ones, which had no attack, remained the same.
I deleted that complete catalog and reinstalled a backup one.

2.
I had set up security by htpasswd, but it keeps saying that I had a wrong login attempt, and after 2 tries I was blocked and needed to wait another 5 minutes. I am pretty sure I had input the password correctly, but it just kept telling me wrong password and blocking....

3.
After I set up a new admin with a new password, and I made sure I logged off, and deleted the internet cookie, and refreshed, it showed that I had logged off completely.

After a few hours, or the next day, when I refresh the computer again, it just automatically logs me in, so I don't even need to type in user and password.

I had a rental and a sale catalog under my domain, and both have the same problems as mentioned in 2 and 3.

4.
Because of the strange things happening and the PHP warnings every day, I installed the supertracker and who's online enhancement.
I couldn't make who's online show any information, but with supertracker's last ten visitors, I can see I have a few visitors I never expected, such as from China, Africa, and Turkey.... I googled, and also from your reply in the other thread, I know that the China one is definitely the bad one (PHP intrusion warning as well...)

What should I do now?
How can I check which files may have been modified?

Many thanks in advance.

Lyn

#253   ce7

ce7
  • Members
  • 244 posts
  • Real Name:lyn

Posted 06 January 2013 - 22:08

Looks like the add-on is reporting an attack that has been thwarted.

You could ban the IP address using your htaccess file, pop this in Google

Block a specific IP address from accessing your website

HTH

G



Geoffrey,

You mentioned that "You could ban the IP address using your htaccess file, pop this in Google",

can you please tell me how I can ban the IP using the htaccess?
I had the addon "Secure your site with an IP Trap"; it allowed me to ban the IP from admin, but I found that when I insert a new IP, it doesn't update the catelog/banned/IP_Trapped, and I had to manually type it in the IP_Trapped.txt every time.

How can I pop it in Google?

What material or other websites are there where I can learn more about security (oscommerce security)?

Many thanks in advance.

Lyn

#254   LeanderPL

LeanderPL
  • Members
  • 6 posts
  • Real Name:LeanderPL
  • Gender:Male

Posted 07 January 2013 - 11:25

Hi, I've checked the IP. In my case there are a lot of log entries showing that it is "COOKIE._pk_ref_12_45c0" or "REQUEST._pk_ref_12_45c0" - the bolded numbers keep changing. The IP seems to be the IP of a hosting service, or others are from my country, so probably it's generated by visitors. So could it be some problem with a PHP update or some cookie issue?

Best regards.

#255   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,211 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 07 January 2013 - 12:26

@ce7

Go to Google and search for

Block a specific IP address from accessing your website

There is some info and links on securing your web site in my profile

HTH

G

#256   ce7

ce7
  • Members
  • 244 posts
  • Real Name:lyn

Posted 08 January 2013 - 00:24

@ce7

Go to Google and search for

Block a specific IP address from accessing your website

There is some info and links on securing your web site in my profile

HTH

G



Hi Geoffrey,

Thank you very much for your reply. I will have a look at your profile information now.
PS. The supertracker addon on the sales site, like on the rental site before, has disappeared again. I have to delete and recover a backup one!

And do you have any suggestion about the fact that I cannot log off completely?
Every time I make sure I log off and even delete the cookies, but after a couple of hours or the next day, when I type in the admin login, it just automatically logs in without asking me for user name and password!!!

this is the supertracker result I get for today:
Customer IP Address/Country: 180.76.6.37 (China) - 180.76.6.37
Region: Beijing
City: Beijing
Customer Browser: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com...rch/spider.html)
Customer Name: Guest
Referred By: Direct Access / Bookmark
Landing Page: /rental/rental.php?cPath=79&page=1&sort=2a
Last Page Viewed: /rental/rental.php
Time Arrived: 01/08/2013 01:46:26
Last Click: 01/08/2013 01:46:26
Time on Site: 0hrs 0mins 0 seconds
Number of Clicks: 1
Added to Cart: false
Completed Purchase: false

Customer IP Address/Country: 199.21.99.94 (United States) - spider-199-21-99-94.yandex.com
Region: California
City: Palo Alto
Customer Browser: Mozilla/5.0 (compatible; YandexBot/3.0; http://yandex.com/bots)
Customer Name: Guest
Referred By: Direct Access / Bookmark
Landing Page: /rental/product_info.php?products_id=260
Last Page Viewed: /rental/product_info.php
Time Arrived: 01/07/2013 18:28:11
Last Click: 01/07/2013 18:28:11
Time on Site: 0hrs 0mins 0 seconds
Number of Clicks: 1
Added to Cart: false
Completed Purchase: false

Edited by ce7, 08 January 2013 - 00:27.


#257   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,211 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 08 January 2013 - 08:21

@ce7

I suspect you clicked on remember my password at some stage.

Baidu is a Chinese spider so if you do not sell to the Chinese you can block them.

Cheers

G

#258   ce7

ce7
  • Members
  • 244 posts
  • Real Name:lyn

Posted 08 January 2013 - 12:24

@ce7

I suspect you clicked on remember my password at some stage.

Baidu is a Chinese spider so if you do not sell to the Chinese you can block them.

Cheers

G


Hi Geoffrey,

Thanks for the reply.

About the password thing, it really bothers me. Every time I log off, and double-check after I go to IE/Tools/Option and delete the browsing history, I delete everything including passwords (and I did not ask the browser to remember the password), it all showed me that I had logged off completely.

However, after a couple of hours or the next day, when I touch the computer again and just type in the admin login.php, it doesn't ask me to type user name or password; I am automatically logged in to the admin backend....

I had installed site monitor, but honestly I don't really know how it works. I have PHP Intrusion and IP trap installed; I will try to install the virus threat scanner next.

Lyn

#259   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,211 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 08 January 2013 - 13:13

VT will not stop the auto log in

If you use FF try this link

http://kb.iu.edu/data/atdd.html

otherwise try something like this in Google

IE remember password disable

HTH

G

#260   ianhaney

ianhaney
  • Members
  • 859 posts
  • Real Name:Ian Haney
  • Gender:Male

Posted 30 August 2013 - 18:06

Hi

My customer has got this add-on installed, but she says she is getting loads of emails every day; she said in the space of 3 hours she has had 20 emails from this add-on.

Is there a way to stop the emails being sent, or slow them down, or send them to a txt file instead?

Kind regards

Ian