243 replies to this topic

[marcsinfo]

Hi,

After verifying once again, I have found a typo, I may have hit a key when pasting in the application_top.php file, sorry and thanks again for this great contribution.

Marc

[VAZ2121]

There is a hack to the PHPIDS

A hacker has written a script directly to hit this add-on.

Here is the story...
The PHPIDS sends me a mail about any attempt to hack the site. Today I received this:

The following attack has been detected by PHPIDS

IP: 78.177.107.5 
Date: 2011-01-15T21:29:58+00:00 
Impact: 138 
Affected tags: xss csrf id rfe lfi sqli 
Affected parameters: REQUEST.file_contents=%3CHTML%3E+%0D%0A%3CHEAD%3E+%0D%0A+++%3CTITLE%3EHacked+By+SaMuRa%21%3C%2FTITLE%3E+%0D%0A+%3Ccenter%3E%3Cimg+src%3Dhttp%3A%2F%2Fwww.turkhackteam.net%2Fimages%2Fthtson.jpg%3E+%0D%0A+%3Cstyle%3E+%0D%0A%23legend%7Bwidth%3A+100%25%3B+position%3A+fixed%3B+background-color%3A222%3B+bottom%3A+0%3B+font-size%3A+13px%3B+left%3A+0%3B+border-top%3A%0D%0A1px+solid+white%3B+height%3A+20px%3B+padding%3A+5px%3Bcolor%3A%23gold%3Bfont-family%3Aarial%3B%7D%0D%0Aa%7Bcolor%3Awgite%3Btext-decoration%3Anone%3B%7D%0D%0Aa%3Ahover%7Bcolor%3A%23ccc%3B%7D%0D%0A%3C%2Fstyle%3E+%0D%0A+++%3Cdiv+id%3D%27legend%27%3E%3Ccenter%3E%3Cb%3ESaMuRa%21+-+Egoist+Group+-+TurkHackTeam.OrG%2FNet%3C%2Fb%3E%3C%2Fcenter%3E%3C%2Fdiv%3E+%0D%0A%3CBODY+TEXT%3D%22%239C9C9C%22+BGCOLOR%3D%22%23000000%22+LINK%3D%22%238B51FF%22+ALINK%3D%22%23FFF8FF%22%0D%0A+%3Cbody+bgcolor%3D%22%23000000%22%3E+%0D%0A++++++%3C%2Fspan%3E%3Cfont+color%3D%22White%22+size%3D%225%22%3E+%3C%2Fspan%3E%3Cfont+%0D%0A
 %3E%3CFONT+FACE%3D%22tahoma%22+color%3D%22%23999999%22%3E++++%0D%0A%3Ccenter%3E%3Cbr%3E%3C%2Fspan%3E%3Cspan+style%3D%22font-weight%3Abold%3B+text-shadow%3Awhite+0px+0px+8px%3B+color%3Awhite%22%3E%3Cfont+color%3Dred%3EHacked+By+SaMuRa%21+-+Black-Box+-+Dejavue+-+CaLLouS%3Cbr%3E%3C%2Ffont%3E%3C%2Fspan+%0D%0A%3E%0D%0A%3CP%3E%3CTABLE+BORDER%3D0+WIDTH%3D%22100%25%22+HEIGHT%3D%22100%25%22%3E+%0D%0A+%3Ccenter%3E%3Cb%3E%3Cb%3E%3Cfont+color%3D%22red%22+size%3D%222%22%3E%3Cb%3E%22+Biz+eskimeyenlerdeniz%2C+Hayatta+oldugumuz+surece+her+donem+bizim+donemimiz%21+%22%0D%0A+%3C%2Fb%3E%3C%2Ffont%3E%3C%2Fb%3E%3C%2Fb%3E%3C%2Fcenter%3E%3Cb%3E%3Cb%3E%3Cb%3E+%0D%0A%3Cbr%3E%0D%0A%3Cbr%3E%0D%0A%3Cbr%3E%0D%0A%3Ccenter%3E%3Cb%3E%3Cb%3E%3Cfont+color%3D%22white%22+size%3D%222%22%3E%3Cb%3E%3C+www.facebook.com%2Fhackingplatform+%3E%0D%0A%3Ccenter%3E%3Cb%3E%3Cb%3E%3Cfont+color%3D%22white%22+size%3D%222%22%3E%3Cb%3E-------------------------------------------+%0D%0A+%3C%2Fb%3E%3C%2Ffont%3E%3C%2Fb%3E%3C%2Fb%3
 E%3C%2Fcenter%3E%3Cb%3E%3Cb%3E%3Cb%3E+%0D%0A++++++++%3C%2Fb%3E%3C%2Ffont%3E%3C%2Ffont%3E%3C%2Ffont%3E%3C%2Ffont%3E%3C%2Ffont%3E%3C%2Fp%3E+%0D%0A%3Cbr%3E%3C%2Fspan%3E%3Cfont+color%3D%22white%22+size%3D%222%22%3C%2Ffont%3E%3Cbr%3E+, POST.file_contents=%3CHTML%3E+%0D%0A%3CHEAD%3E+%0D%0A+++%3CTITLE%3EHacked+By+SaMuRa%21%3C%2FTITLE%3E+%0D%0A+%3Ccenter%3E%3Cimg+src%3Dhttp%3A%2F%2Fwww.turkhackteam.net%2Fimages%2Fthtson.jpg%3E+%0D%0A+%3Cstyle%3E+%0D%0A%23legend%7Bwidth%3A+100%25%3B+position%3A+fixed%3B+background-color%3A222%3B+bottom%3A+0%3B+font-size%3A+13px%3B+left%3A+0%3B+border-top%3A%0D%0A1px+solid+white%3B+height%3A+20px%3B+padding%3A+5px%3Bcolor%3A%23gold%3Bfont-family%3Aarial%3B%7D%0D%0Aa%7Bcolor%3Awgite%3Btext-decoration%3Anone%3B%7D%0D%0Aa%3Ahover%7Bcolor%3A%23ccc%3B%7D%0D%0A%3C%2Fstyle%3E+%0D%0A+++%3Cdiv+id%3D%5C%27legend%5C%27%3E%3Ccenter%3E%3Cb%3ESaMuRa%21+-+Egoist+Group+-+TurkHackTeam.OrG%2FNet%3C%2Fb%3E%3C%2Fcenter%3E%3C%2Fdiv%3E+%0D%0A%3CBODY+TEXT%3D%5C%22%239C9C9C%
 5C%22+BGCOLOR%3D%5C%22%23000000%5C%22+LINK%3D%5C%22%238B51FF%5C%22+ALINK%3D%5C%22%23FFF8FF%5C%22%0D%0A+%3Cbody+bgcolor%3D%5C%22%23000000%5C%22%3E+%0D%0A++++++%3C%2Fspan%3E%3Cfont+color%3D%5C%22White%5C%22+size%3D%5C%225%5C%22%3E+%3C%2Fspan%3E%3Cfont+%0D%0A%3E%3CFONT+FACE%3D%5C%22tahoma%5C%22+color%3D%5C%22%23999999%5C%22%3E++++%0D%0A%3Ccenter%3E%3Cbr%3E%3C%2Fspan%3E%3Cspan+style%3D%5C%22font-weight%3Abold%3B+text-shadow%3Awhite+0px+0px+8px%3B+color%3Awhite%5C%22%3E%3Cfont+color%3Dred%3EHacked+By+SaMuRa%21+-+Black-Box+-+Dejavue+-+CaLLouS%3Cbr%3E%3C%2Ffont%3E%3C%2Fspan+%0D%0A%3E%0D%0A%3CP%3E%3CTABLE+BORDER%3D0+WIDTH%3D%5C%22100%25%5C%22+HEIGHT%3D%5C%22100%25%5C%22%3E+%0D%0A+%3Ccenter%3E%3Cb%3E%3Cb%3E%3Cfont+color%3D%5C%22red%5C%22+size%3D%5C%222%5C%22%3E%3Cb%3E%5C%22+Biz+eskimeyenlerdeniz%2C+Hayatta+oldugumuz+surece+her+donem+bizim+donemimiz%21+%5C%22%0D%0A+%3C%2Fb%3E%3C%2Ffont%3E%3C%2Fb%3E%3C%2Fb%3E%3C%2Fcenter%3E%3Cb%3E%3Cb%3E%3Cb%3E+%0D%0A%3Cbr%3E%0D%0A%3Cbr%3E%0D%0A%3Cbr%3
 E%0D%0A%3Ccenter%3E%3Cb%3E%3Cb%3E%3Cfont+color%3D%5C%22white%5C%22+size%3D%5C%222%5C%22%3E%3Cb%3E%3C+www.facebook.com%2Fhackingplatform+%3E%0D%0A%3Ccenter%3E%3Cb%3E%3Cb%3E%3Cfont+color%3D%5C%22white%5C%22+size%3D%5C%222%5C%22%3E%3Cb%3E-------------------------------------------+%0D%0A+%3C%2Fb%3E%3C%2Ffont%3E%3C%2Fb%3E%3C%2Fb%3E%3C%2Fcenter%3E%3Cb%3E%3Cb%3E%3Cb%3E+%0D%0A++++++++%3C%2Fb%3E%3C%2Ffont%3E%3C%2Ffont%3E%3C%2Ffont%3E%3C%2Ffont%3E%3C%2Ffont%3E%3C%2Fp%3E+%0D%0A%3Cbr%3E%3C%2Fspan%3E%3Cfont+color%3D%5C%22white%5C%22+size%3D%5C%222%5C%22%3C%2Ffont%3E%3Cbr%3E+, 
Request URI: %2Fproduct_info.php%2Fadmin%2Ffile_manager.php%2Flogin.php%3Faction%3Dsave

I receive a lot of those mails. This is however a bit different, so I decided to take a look at it.
I started the Admin, and would see the PHPIDS Log.
Now something happened. The code that this hacker wrote, started to execute in my Admin !!!
So there is no execution-filter in viewing the Log. The hacker has used this exploit in the PHPIDS !!!!.

I have checked all my files, nothing has changed. This was a mild hack, it only displayed a message in my Admin.

Regards, Stig

[design4dotcom]

I've looked through this post and didn't find anything that related to our problem. We installed this mod two weeks ago on OS 2.2 and since that time, we have received a DELUGE of emails. No error codes, so I'm assuming the mod is installed correctly.

Here is a sample email.
The following attack has been detected by PHPIDS

IP: 74.179.238.17
Date: 2011-01-13T17:28:13-06:00
Impact: 14
Affected tags: xss csrf id rfe lfi
Affected parameters:
COOKIE.__gutp=entrystamp%3D1294961008%7Csid%3D744d342d840d08c84bd807750173d6
7f%7Cstamp%3D1294961281%7Creferrer%3Dhttp%3A%2F%2Finfo.bellperformance.com%2
Fx-tra-lube-oil-treatment%2F%7Contime%3D246,
Request URI: /index.php?cPath=23_28
Origin: 174.121.10.217

or this one.

The following attack has been detected by PHPIDS

IP: 208.87.234.180 (71.43.111.162)
Date: 2011-01-14T09:42:24-06:00
Impact: 14
Affected tags: xss csrf rfe dos
Affected parameters:
COOKIE.__gutp=entrystamp%3D1294949465%7Csid%3D61d87f99248116c748031e0728a30d
09%7Cstamp%3D1294949775%7Contime%3D99,
Request URI: /specials.php
Origin: 174.121.10.217


They just keep coming! Are these hacks? Honestly, I didn't expect that many. Or is there something else going on?

Thank you SO MUCH

[celextel]

design4dotcom, on 19 January 2011, 13:07, said:

I've looked through this post and didn't find anything that related to our problem. We installed this mod two weeks ago on OS 2.2 and since that time, we have received a DELUGE of emails. No error codes, so I'm assuming the mod is installed correctly.

Here is a sample email.
The following attack has been detected by PHPIDS

IP: 74.179.238.17
Date: 2011-01-13T17:28:13-06:00
Impact: 14
Affected tags: xss csrf id rfe lfi
Affected parameters:
COOKIE.__gutp=entrystamp%3D1294961008%7Csid%3D744d342d840d08c84bd807750173d6
7f%7Cstamp%3D1294961281%7Creferrer%3Dhttp%3A%2F%2Finfo.bellperformance.com%2
Fx-tra-lube-oil-treatment%2F%7Contime%3D246,
Request URI: /index.php?cPath=23_28
Origin: 174.121.10.217

or this one.

The following attack has been detected by PHPIDS

IP: 208.87.234.180 (71.43.111.162)
Date: 2011-01-14T09:42:24-06:00
Impact: 14
Affected tags: xss csrf rfe dos
Affected parameters:
COOKIE.__gutp=entrystamp%3D1294949465%7Csid%3D61d87f99248116c748031e0728a30d
09%7Cstamp%3D1294949775%7Contime%3D99,
Request URI: /specials.php
Origin: 174.121.10.217


They just keep coming! Are these hacks? Honestly, I didn't expect that many. Or is there something else going on?

Thank you SO MUCH

These are not hacks. It seems to be generated by a module for tracking the referrer in your website. You could include these values [COOKIE.__gutp and so on] under exclusions in PHPIDS admin.

[design4dotcom]

Wow, thank you. that WORKED!!!

[altoid]

I was looking for the PHP IDS website at "http://php-ids.org/"

Got this message auf Deutsch:

Dieser Server ist nicht mehr in Betrieb.
Bitte teilen Sie dem Betreiber mit, dass er seinen DNS auf die neue IP 46.4.40.248 umstellt.

schokokeks.org

A little googling came up with the revised site it seems.

"http://phpids.org/" I hope that's a valid site.

Edited by altoid, 14 February 2011, 23:14.

[celextel]

altoid, on 14 February 2011, 23:09, said:

I was looking for the PHP IDS website at "http://php-ids.org/"

Got this message auf Deutsch:

Dieser Server ist nicht mehr in Betrieb.
Bitte teilen Sie dem Betreiber mit, dass er seinen DNS auf die neue IP 46.4.40.248 umstellt.

schokokeks.org

A little googling came up with the revised site it seems.

"http://phpids.org/" I hope that's a valid site.

URL seems to have changed.

You could do the download of PHPIDS 0.6.5 (ZIP) at the following URL:
http://phpids.org/downloads/

[altoid]

celextel, on 15 February 2011, 04:58, said:

URL seems to have changed.

You could do the download of PHPIDS 0.6.5 (ZIP) at the following URL:
http://phpids.org/downloads/

I will check that out. It looks like they still need to update some links on their new site. Some links there take you to the inactive URL.

Thanks

[altoid]

altoid, on 15 February 2011, 11:00, said:

I will check that out. It looks like they still need to update some links on their new site. Some links there take you to the inactive URL.

Thanks

Hello, I downloaded and installed the latest version of PHPIDS 0.6.5. In the testing mode test 1 works as it should, showing the result at the tope but test 2 resulted in "http 406 not acceptable" error and not showing the results at the top.

[celextel]

altoid, on 25 February 2011, 00:50, said:

Hello, I downloaded and installed the latest version of PHPIDS 0.6.5. In the testing mode test 1 works as it should, showing the result at the tope but test 2 resulted in "http 406 not acceptable" error and not showing the results at the top.

Please refer to first page of this thread in regard to this.

[altoid]

celextel, on 25 February 2011, 02:37, said:

Please refer to first page of this thread in regard to this.

Thank you for the reference. I believe that means my hosts server is capturing this input and generating the 406 error page. Which, on the face of it, is a layer of protection I might want unless there are other factors involved.
Anyway, thanks again I do appreciate the help.

[celextel]

altoid, on 25 February 2011, 03:10, said:

Thank you for the reference. I believe that means my hosts server is capturing this input and generating the 406 error page. Which, on the face of it, is a layer of protection I might want unless there are other factors involved.
Anyway, thanks again I do appreciate the help.

It should show the test result even for 406. Please create a support request with your host in regard to this.

[altoid]

celextel, on 25 February 2011, 03:18, said:

It should show the test result even for 406. Please create a support request with your host in regard to this.

I will do that and post back here what the outcome is. Thanks for the follow up.

[Code Red]

First of all, thanks for this great contribution - it's scary to see the number of times a website is attacked per day!

It mostly seems to be working fine, just a couple of issues -

1. The auto-ban function doesn't seem to work. I have the config settings as follows -

PHPIDS Module 	true 	 
IP Ban Module 	true
Show Intrusion Result 	false 
E-mail Log Impact Score 	8 
DB Log Impact Score 	4 
IP Ban Impact Score 	15

However, despite attack impacts in excess of 38, none of the hacker's IPs have been automatically banned. I've added a "ban all" option to the log page to save doing them all individually, but obviously I'd rather the site did it automatically, as frequently the same IP will make several attempts and I'd prefer them blocked in the first instance. Has anyone else experienced this problem?


2. Frequently the IP address recorded is 127.0.0.1, which is no use to block obviously. However, sometimes the email report I get does log the actual IP address alongside the localhost address, for example -

IP: 87.111.138.205 (127.0.0.1) 
Date: 2011-03-01T14:42:58+00:00 
Impact: 38 
Affected tags: xss csrf id rfe sqli lfi 
Affected parameters: REQUEST.asc=eval%28base64_decode%28%5C%27ZXJyb3JfcmVwb3J0aW5nKDApO3NldF90aW1lX2xpbWl0KDApOw0KJH...etc etc (shortened for your viewing pleasure!)
Request URI: /index.php 
Origin: 92.48.117.50

But when I check the log, it's been recorded just as 127.0.0.1... if the email message sent to me can log the real IP address, can the script be modified to pick this up and write it to the log?


Just a couple of issues, but aside from that, this is great work and I'm very grateful!

[celextel]

Code Red, on 01 March 2011, 22:40, said:

First of all, thanks for this great contribution - it's scary to see the number of times a website is attacked per day!

It mostly seems to be working fine, just a couple of issues -

1. Please refer to page 9 of this thread. We have mentioned as follows:
Changing the code in banned.php

$ip_2ban_address = $_SERVER['REMOTE_ADDR'];

to

$ip_2ban_address = tep_get_ip_address();

would be a better option. Most of the IPs should get banned automatically. We should not have this problem.

2. We have not done any code changes to PHPIDS core module. Please make a request in regard to this in that forum.

Edited by celextel, 02 March 2011, 03:05.

[Code Red]

celextel, on 02 March 2011, 03:04, said:

Changing the code in banned.php

$ip_2ban_address = $_SERVER['REMOTE_ADDR'];

to

$ip_2ban_address = tep_get_ip_address();

would be a better option. Most of the IPs should get banned automatically. We should not have this problem.

Actually, it was the opposite which fixed it! The code was already using tep_get_ip_address, changing it to $_SERVER['REMOTE_ADDR'] did the trick - IPs are now automatically banned, thankyou!

[celextel]

Code Red, on 02 March 2011, 12:00, said:

Actually, it was the opposite which fixed it! The code was already using tep_get_ip_address, changing it to $_SERVER['REMOTE_ADDR'] did the trick - IPs are now automatically banned, thankyou!

You are correct. It should be:
change

$ip_2ban_address = tep_get_ip_address();

to

$ip_2ban_address = $_SERVER['REMOTE_ADDR'];

Edited by celextel, 03 March 2011, 04:06.

[altoid]

celextel, on 25 February 2011, 03:18, said:

It should show the test result even for 406. Please create a support request with your host in regard to this.

This is a follow up to the 406 issue. I contacted my host support and didn't get much resolved. They said:

Quote

Ok Steve, I did check with Tier 2, unfortunately, since this addon isn't our product, we can't be sure what is stopping this certain function from working. If you could check back with the developer and show him that phpinfo page I shared with you earlier, he might have a better idea for what on our server is preventing this certain aspect of the addon from working.

Celextel, I am content to let this go as is and not dwell on the issue anymore. If a 406 is thrown for such attempts, then the intruder can't even make to my site with such parameters in the url. I would say that's a positive thing in it's own right.

I thank you for the great support for this add on.

[altoid]

Just a note to anyone who may follow this forum.

Last night there was an attempt on my site involving base64 coding that PHPIDS flagged out.

Affected parameters: REQUEST.author_name=%5Bphp%5Deval%28base64_decode%28%
....and then the base64 string, not included here.....
Request URI: /links.php/contact.php

The impact score was 74

This was the first such attempt on this site that I am aware of, so I ran Site Monitor and WinGrep just to be sure. All is OK.

[celextel]

NEW!!

PHPIDS for osCommerce 1.7

for osCommerce Online Merchant v2.3.1

1. admin/phpids_report.php, admin/banned_ip.php and banned.php files modified [for osCommerce Online Merchant v2.3.1 only]. Do not update these 3 files if you are using osCommerce Online Merchant v2.2.

2. Added one more column to the PHPIDS table. Run the installer file to add this column.

3. PHPIDS 0.7 is ready.