PHP Intrusion Detection System for osCommerce
#241
Posted 17 March 2012 - 09:14 PM
#242
Posted 18 April 2012 - 01:20 PM
I'm having this contribution installed, and I'm also using the contribution customer Must Accept Terms and Conditions (MATC) http://addons.oscommerce.com/info/5750
But now I have lots of entries in the table PHPIDS Log related to REQUEST.conditions and POST.conditions in the create_account.php file and with all the conditions written.
Is there a way to fix this?
#243
Posted 28 April 2012 - 07:41 PM
modem2.0, on 18 April 2012 - 01:20 PM, said:
I'm having this contribution installed, and I'm also using the contribution customer Must Accept Terms and Conditions (MATC) http://addons.oscommerce.com/info/5750
But now I have lots of entries in the table PHPIDS Log related to REQUEST.conditions and POST.conditions in the create_account.php file and with all the conditions written.
Is there a way to fix this?
#244
Posted 23 May 2012 - 03:45 PM
I have just discovered that my installation of phpids was causing a problem with my PayPal IPN notifications. Sometimes they were getting sent, sometimes not, and checking the error logs on the server for PayPal's IPN notification URL (173.0.81.1) I found
[Wed May 23 06:18:54 2012] [error] [client 173.0.81.1] PHP Fatal error: Class 'PDO' not found in /home/****/public_html/includes/phpids/lib/IDS/Log/Database.php on line 172
I have disabled phpids for a while and ipn notifications are now ok. I use paypal standard module for payments.
I see there is an option in admin phpids for variable exclusions, and I am thinking that maybe there is something I can enter there that might stop phpids blocking PayPal IPNs. The IPN notification script in my osCommerce is at /ext/modules/payment/paypal/standard_ipn.php
I could post that page if someone may be able to tell me whether there is a variable there I could exclude. What do you think?
#247
Posted 11 September 2012 - 08:20 AM
I had installed this addon up to step E Test; at TEST-1 I got the warning below:
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /includes/modules/osc_phpids.php:199) in /includes/functions/sessions.php on line 102
And at TEST-2 I did not see any test result; the page just showed HTTP 406 Not Acceptable.
Is it normal, or what did I do wrong?
Many thanks in advance.
Lyn
#248
Posted 13 September 2012 - 09:39 PM
#249
Posted 08 November 2012 - 02:35 AM
IP: 184.82.78.125
Date: 2012-11-08T10:12:16+11:00
Impact: 14
Affected tags: xss csrf id rfe lfi
Affected parameters: REQUEST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6, POST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6,
Request URI: /mg/product_info.php?products_id=212/trackback
Does anyone know what I should do, and whether my website has been affected? If so, what further steps should I take? Many thanks in advance.
Lyn
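Added example, not part of any post in this thread: a Python sketch for reading alerts laid out like the one quoted above. It URL-decodes the affected parameters and groups alerts by decoded payload, so identical submissions arriving from different IPs show up as one group. The sample alerts are constructed (documentation IPs, shortened text), and the code assumes parameters are separated by ", " as in the quoted report.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed alerts in the quoted layout (documentation IPs, shortened text).
SAMPLE_ALERTS = """\
IP: 203.0.113.7
Date: 2012-11-08T10:12:16+11:00
Impact: 14
Affected tags: xss csrf id rfe lfi
Affected parameters: REQUEST.excerpt=%5B...%5D+end+of+this+article%2C+click+the+links+over%5B...%5D, POST.excerpt=%5B...%5D+end+of+this+article%2C+click+the+links+over%5B...%5D,
Request URI: /mg/product_info.php?products_id=212/trackback

IP: 198.51.100.23
Date: 2012-11-08T11:40:02+11:00
Impact: 14
Affected tags: xss csrf id rfe lfi
Affected parameters: REQUEST.excerpt=%5B...%5D+end+of+this+article%2C+click+the+links+over%5B...%5D, POST.excerpt=%5B...%5D+end+of+this+article%2C+click+the+links+over%5B...%5D,
Request URI: /mg/product_info.php?products_id=87/trackback
"""

def parse_alert(block):
    """Turn one 'Label: value' alert into a dict with decoded parameters."""
    fields = {}
    for line in block.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip().lower()] = value.strip()
    params = {}
    for item in fields.get("affected parameters", "").split(", "):
        name, sep, raw = item.rstrip(",").partition("=")
        if sep:
            params[name.strip()] = unquote_plus(raw)  # '+' -> space, %XX as UTF-8
    return {"ip": fields.get("ip"), "impact": int(fields.get("impact", "0")),
            "uri": fields.get("request uri", ""), "params": params}

def triage(report):
    """Group alerts by decoded payload so repeats from many IPs stand out."""
    alerts = [parse_alert(b) for b in re.split(r"\n\s*\n", report.strip())]
    counts, ips = Counter(), {}
    for a in alerts:
        for payload in set(a["params"].values()):  # REQUEST/POST copies collapse
            counts[payload] += 1
            ips.setdefault(payload, set()).add(a["ip"])
    return [{"payload": p, "alerts": n, "ips": sorted(ips[p])}
            for p, n in counts.most_common()]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```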
#250
Posted 30 December 2012 - 11:38 AM
ce7, on 08 November 2012 - 02:35 AM, said:
IP: 184.82.78.125
Date: 2012-11-08T10:12:16+11:00
Impact: 14
Affected tags: xss csrf id rfe lfi
Affected parameters: REQUEST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6, POST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6,
Request URI: /mg/product_info.php?products_id=212/trackback
Does anyone know what I should do, and whether my website has been affected? If so, what further steps should I take? Many thanks in advance.
Lyn
I've got it too. For different IPs it started to send notifications somewhere about 21 December, almost 100 per day. What to do now? Is it a hack attack on the shop?
Entering the PHPIDS plugin in the Admin Panel gives a popup with "9537246810"...
Edited by LeanderPL, 30 December 2012 - 11:46 AM.
#251
Posted 30 December 2012 - 11:20 PM
You could ban the IP address using your htaccess file, pop this in Google
Block a specific IP address from accessing your website
HTH
G
Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.
For links mentioned in old answers that are no longer here follow this link Useful Threads.
If this post was useful, click the Like This button over there ======>>>>>.
#252
Posted 06 January 2013 - 09:58 PM
Hi Geoffrey,
Thank you very much for the reply. For the whole past week I can tell something has been going on with my website, but I have no idea how to check what they have done.
Several things I found very strange include:
1. When I added new addons, I tested in three others as well; the one where I got the PHP Intrusion warning had been changed back, while the other three test ones with no attack remained the same.
I deleted that complete catalog and reinstalled a backup one.
2. I had set up security with htpasswd, but it keeps saying that I had a wrong login attempt, and after 2 tries I was blocked and needed to wait another 5 minutes. I am pretty sure I had input the password correctly but it just kept telling me wrong password and blocking....
3. After I set up a new admin with a new password, I made sure I logged off, deleted the internet cookies, and refreshed; it showed that I had logged off completely.
After a few hours or the next day, when I refresh the computer again, it just automatically logs me in and I don't even need to type in user and password.
I have a rental and a sale catalog under my domain, and both have the same problems as mentioned in 2 and 3.
4. Because of the strange things that happened and the PHP warning every day, I installed the supertracker and who's online enhancement.
I couldn't make who's online show any information, but with supertracker's last ten visitors I can see I have a few visitors I never expected, such as from China, Africa, and Turkey.... I googled, and also from your reply in the other thread, I know that the China one is definitely the bad one (PHP intrusion warning as well...)
What should I do now?
How can I check what files may have been modified?
Many thanks in advance.
Lyn
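Added example, not part of the original post: one way to find which files were changed is to hash every file in a known-good backup and in the live catalog and compare the two sets. The demo tree and the file `images/extra.php` are constructed for illustration; `compare_trees` takes any two directories.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare_trees(backup_root, live_root):
    """Report files that differ between a known-good backup and the live site."""
    good, live = hash_tree(backup_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in good.keys() & live.keys() if good[p] != live[p]),
        "added": sorted(live.keys() - good.keys()),
        "removed": sorted(good.keys() - live.keys()),
    }

def build_demo(base):
    """Create a constructed backup/live pair of trees under base for the demo."""
    backup = {"create_account.php": "<?php // account",
              "includes/functions/sessions.php": "<?php // sessions",
              "includes/modules/osc_phpids.php": "<?php // ids"}
    live = dict(backup)
    live["includes/functions/sessions.php"] = "<?php // sessions (changed)"
    live["images/extra.php"] = "<?php // file that is not in the backup"
    del live["includes/modules/osc_phpids.php"]
    for tree, files in (("backup", backup), ("live", live)):
        for rel, body in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "backup"), os.path.join(base, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_trees(*build_demo(tmp)))
```

The comparison is only as trustworthy as the backup: it has to predate the suspected changes and be stored somewhere the web server cannot write to.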
#253
Posted 06 January 2013 - 10:08 PM
geoffreywalton, on 30 December 2012 - 11:20 PM, said:
You could ban the IP address using your htaccess file, pop this in Google
Block a specific IP address from accessing your website
HTH
G
Geoffrey,
You mentioned that "You could ban the IP address using your htaccess file, pop this in Google".
Can you please tell me how I can ban the IP using the htaccess?
I have the addon "Secure your site with an IP Trap"; it allows me to ban the IP from admin, but I found that when I insert a new IP, it doesn't update the catelog/banned/IP_Trapped, and I have to manually type it into IP_Trapped.txt every time.
How can I pop it in Google?
What material or other websites can I use to learn more about security (osCommerce security)?
Many thanks in advance.
Lyn
#254
Posted 07 January 2013 - 11:25 AM
Best regards.
#255
Posted 07 January 2013 - 12:26 PM
Go to Google and search for
Block a specific IP address from accessing your website
There is some info and links on securing your web site in my profile
HTH
G
#256
Posted 08 January 2013 - 12:24 AM
geoffreywalton, on 07 January 2013 - 12:26 PM, said:
Go to Google and search for
Block a specific IP address from accessing your website
There is some info and links on securing your web site in my profile
HTH
G
Hi Geoffrey,
Thank you very much for your reply. I will have a look at your profile information now.
PS. The supertracker addon on the sales site, like on the rental site before, has disappeared again. I have to delete and recover a backup one!
And do you have any suggestion about the fact that I cannot log off completely?
Every time I make sure I log off and even delete the cookies, but after a couple of hours or the next day, I type in the admin login, and it just automatically logs in without asking me for user name and password!!!
this is the supertracker result I get for today:
Customer IP Address/Country: 180.76.6.37 (China)[img]http://www.mickgrip.com.au/rental/a1sec/images/geo_flags/flags/cn.gif[/img] - 180.76.6.37 Region: Beijing City: Beijing Customer Browser: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html) Customer Name: Guest Referred By: Direct Access / Bookmark Landing Page: /rental/rental.php?cPath=79&page=1&sort=2a Last Page Viewed: /rental/rental.php Time Arrived: 01/08/2013 01:46:26 Last Click: 01/08/2013 01:46:26 Time on Site: 0hrs 0mins 0 seconds Number of Clicks: 1 Added to Cart: false Completed Purchase: false
Customer IP Address/Country: 199.21.99.94 (United States)[img]http://www.mickgrip.com.au/rental/a1sec/images/geo_flags/flags/us.gif[/img] - spider-199-21-99-94.yandex.com Region: California City: Palo Alto Customer Browser: Mozilla/5.0 (compatible; YandexBot/3.0; http://yandex.com/bots) Customer Name: Guest Referred By: Direct Access / Bookmark Landing Page: /rental/product_info.php?products_id=260 Last Page Viewed: /rental/product_info.php Time Arrived: 01/07/2013 18:28:11 Last Click: 01/07/2013 18:28:11 Time on Site: 0hrs 0mins 0 seconds Number of Clicks: 1 Added to Cart: false Completed Purchase: false
Edited by ce7, 08 January 2013 - 12:27 AM.
#257
Posted 08 January 2013 - 08:21 AM
I suspect you clicked on remember my password at some stage.
Baidu is a Chinese spider so if you do not sell to the Chinese you can block them.
Cheers
G
#258
Posted 08 January 2013 - 12:24 PM
geoffreywalton, on 08 January 2013 - 08:21 AM, said:
I suspect you clicked on remember my password at some stage.
Baidu is a Chinese spider so if you do not sell to the Chinese you can block them.
Cheers
G
Hi Geoffrey,
Thanks for the reply.
About the password thing, it really bothers me. Every time I log off, and double check after I go to IE/Tools/Option and delete the browsing history, I delete everything including passwords (I did not ask the browser to remember the password), it all shows me that I had logged off completely.
However, after a couple of hours or the next day when I touch the computer again and just type in the admin login.php, it doesn't ask me to type user name or password, and I am automatically logged in to the admin backend....
I had installed site monitor, but honestly I don't really know how it works. I have PHP Intrusion and IP trap installed, and I will try to install the virus threat scanner next.
Lyn
#259
Posted 08 January 2013 - 01:13 PM
If you use FF try this link
http://kb.iu.edu/data/atdd.html
otherwise try something like this in Google
IE remember password disable
HTH
G