Jack_mcs

SiteMonitor


> That would indicate the directories can't be read since glob is not returning an array. I suppose there could be something on your server preventing glob from working correctly. You could add print_r($tmpArray); to see the output but since the code is checking for that already, I don't think it will show you anything. You could try changing the initial directory set here
>
> $aFiles = rglob(DIR_FS_CATALOG, '*');
>
> to some sub-directory that you can manipulate, like
>
> $aFiles = rglob('tmp', '*');
>
> If that works, then you could expand the initial path until it fails.

OK, we are making progress! I made a dumb mistake and had set the source starting directory to the wrong place right before this last change. I have it switched back to DIR_FS_CATALOG, and this is the response:

 

Checked 20 directories containing a total of 140 files. Skipped 0 files. 2 suspected hacked files found.

Hacked Files Found

hack.php

imagemagic.php

 

This is correct because the hack.php file is one that I seeded, and the other contains a base64 encoding line. BUT, when I seeded the hack file deeper into the directory structure, it isn't finding them. So it is scanning the main directory, but it's not scanning files as it traverses the directory structure.

 

This is the current state of my rglob() function:

 

function rglob($sDir, $sPattern, $nFlags = NULL) //recursive function to get array of all files and directories
{
  $aFiles = glob("$sDir/$sPattern", $nFlags); //get the initial directory

  $tmpArray = glob("$sDir/*", GLOB_ONLYDIR);

  if (is_array($tmpArray) && ! empty($tmpArray))
    foreach ($tmpArray as $sSubDir) //recursive call
    {
      $aSubFiles = rglob($sSubDir, $sPattern, $nFlags);

      array_merge($aFiles, (array)$aSubFiles);
    }

  return $aFiles;
}
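
The rglob() posted above discards the return value of array_merge(), so files found in subdirectories never reach the caller, which matches the symptom described. A corrected version follows as an added example (not part of the original post and not SiteMonitor's shipped code). It goes beyond the post by treating a false return from glob() as an empty list and by skipping symlinked or unreadable directories, which is an assumption about the wanted behaviour; the temporary test tree is constructed for the demo and needs a POSIX system for symlink().

```php
<?php
// Added example, not SiteMonitor's own code: a corrected rglob().
// Returns every path under $sDir matching $sPattern without following symlinks.
// $aSkipped (an addition, not in the posted function) collects skipped directories.
function rglob($sDir, $sPattern, $nFlags = 0, array &$aSkipped = [])
{
    $sDir = rtrim($sDir, '/');

    // glob() returns false on error, so normalise both results to arrays.
    $aFiles = glob("$sDir/$sPattern", $nFlags) ?: [];
    $aDirs  = glob("$sDir/*", GLOB_ONLYDIR) ?: [];

    foreach ($aDirs as $sSubDir) {
        // Record linked or unreadable directories and do not descend into them.
        if (is_link($sSubDir) || !is_readable($sSubDir)) {
            $aSkipped[] = $sSubDir;
            continue;
        }
        // array_merge() returns a new array; the result has to be assigned.
        $aFiles = array_merge($aFiles, rglob($sSubDir, $sPattern, $nFlags, $aSkipped));
    }
    return $aFiles;
}

// Constructed test tree: root/hack.php, root/a/b/hack.php, root/linked -> root/a
$sRoot = sys_get_temp_dir() . '/rglob_demo_' . getmypid();
mkdir("$sRoot/a/b", 0755, true);
file_put_contents("$sRoot/hack.php", '<?php // seeded');
file_put_contents("$sRoot/a/b/hack.php", '<?php // seeded deeper');
symlink("$sRoot/a", "$sRoot/linked");

$aSkipped = [];
$aFound = array_values(array_filter(rglob($sRoot, '*', 0, $aSkipped), 'is_file'));
print_r($aFound);   // both seeded files, including the one two levels down
print_r($aSkipped); // the symlinked directory

// Remove the constructed tree again.
unlink("$sRoot/linked");
unlink("$sRoot/hack.php");
unlink("$sRoot/a/b/hack.php");
rmdir("$sRoot/a/b");
rmdir("$sRoot/a");
rmdir($sRoot);
```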


> Hi again; I found this code to exclude a file, would this work on directories, as well? I have tried a couple variations with no luck. Here is the error I am getting for each directory that is linked:
>
> Warning: is_dir() [function.is-dir.html]: Stat failed for /home/XXXSSS/public_html/mannix (errno=13 - Permission denied) in /home/XXXSSS/public_html/admin/includes/functions/sitemonitor_functions.php on line 173
>
> Thanks again...

I'm sure there is a way around it but I don't know what it is without testing. Since it isn't anything to do with the contribution, it probably isn't something I will work on though.


> OK, we are making progress! I made a dumb mistake and had set the source starting directory to the wrong place right before this last change. I have it switched back to DIR_FS_CATALOG, and this is the response:
>
> Checked 20 directories containing a total of 140 files. Skipped 0 files. 2 suspected hacked files found.
>
> Hacked Files Found
>
> hack.php
>
> imagemagic.php
>
> This is correct because the hack.php file is one that I seeded, and the other contains a base64 encoding line. BUT, when I seeded the hack file deeper into the directory structure, it isn't finding them. So it is scanning the main directory, but it's not scanning files as it traverses the directory structure.

You may want to ask your host if they know if glob will work on your server. There are a few that it won't. In that case, the code would have to be replaced with the standard fopen type code.


> You may want to ask your host if they know if glob will work on your server. There are a few that it won't. In that case, the code would have to be replaced with the standard fopen type code.

Actually, I'm my own host, maybe not the most knowledgeable sysadmin, but I am using several other scripts that have the glob function and they seem to run fine for what the script is asking glob to do. I'll keep working on it.

 

This is a great script. And a valuable service.

 

I had been hacked a couple of times using the same exploit, and one of the things that they did to sift off more identity information was add a script to the index.php page that would automatically turn on the Date of Birth question in the database config, which none of my customers require, so I created a piece of code that would email the admin whenever the DOB function was turned on. This is an instant notification and we don't have to wait for the scanner schedule. If you think this might be helpful, I can send you the code. It's just a simple include and an extra file.

 

I have saved the other hacked files for reference, and I'll also see if I can identify any additional signatures that you can use in your hacked file detection setup.

 

What would be really nice would be to create a text file that can be updated with the code signatures that other people have found. This can be similar to the spiders.txt setup. When a new exploit is found, it can be added to the txt file and updated on the sites easily.
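
A sketch of the signature-file idea suggested above, as an added example (not part of the original post and not SiteMonitor's code). The signatures.txt name, its one-literal-per-line format with '#' comment lines, and the sample signatures and files are all constructed assumptions.

```php
<?php
// Added example: load literal signatures from a text file, then report which
// files contain them. File name and format are assumptions, not SiteMonitor's.
function load_signatures($sFile)
{
    $aLines = file($sFile, FILE_IGNORE_NEW_LINES) ?: [];
    $aSigs = [];
    foreach ($aLines as $sLine) {
        $sLine = trim($sLine);
        if ($sLine !== '' && $sLine[0] !== '#') { // skip blanks and comments
            $aSigs[] = $sLine;
        }
    }
    return $aSigs;
}

// Returns [path => [matched signatures]] for every file with at least one match.
function scan_files(array $aPaths, array $aSigs)
{
    $aHits = [];
    foreach ($aPaths as $sPath) {
        $sBody = @file_get_contents($sPath);
        if ($sBody === false) {
            continue; // unreadable: a full scanner would count this as skipped
        }
        foreach ($aSigs as $sSig) {
            // PHP function names are case-insensitive, so match that way too.
            if (stripos($sBody, $sSig) !== false) {
                $aHits[$sPath][] = $sSig;
            }
        }
    }
    return $aHits;
}

// Constructed sample data in a temporary directory.
$sDir = sys_get_temp_dir() . '/sig_demo_' . getmypid();
mkdir($sDir);
file_put_contents("$sDir/signatures.txt", "# constructed list\neval(base64_decode(\ngzinflate(\n");
file_put_contents("$sDir/clean.php", '<?php echo "hello";');
file_put_contents("$sDir/seeded.php", '<?php EVAL(base64_decode("CONSTRUCTED_PLACEHOLDER"));');

$aSigs = load_signatures("$sDir/signatures.txt");
$aHits = scan_files(["$sDir/clean.php", "$sDir/seeded.php"], $aSigs);
print_r($aHits); // only seeded.php, matched by "eval(base64_decode("

// Remove the constructed files again.
array_map('unlink', glob("$sDir/*"));
rmdir($sDir);
```

A literal match only marks a file for manual review, since legitimate files can contain the same calls. The signature list itself should sit where the web server user cannot rewrite it.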


Thank you for the suggestions. You can post the DOB code here if you like. I may add it to the next version but that could be months and others may want to try it in the meantime. Regarding the txt file, my intention was to add an option in admin to allow adding such text as well as being able to control what files should be excluded.


> I'm sure there is a way around it but I don't know what it is without testing. Since it isn't anything to do with the contribution, it probably isn't something I will work on though.

I am on the same server with different accounts. One account is fine, the Site Monitor works great, as well does the Hacker Code portion. However when I try the same thing in the other account which has all data directories linked. The osCommerce files are not linked and are what I want to monitor with this contribution like I do on the main account. I was hoping to do this with all of my stores. They all link back (just like public_html & www) to the main account files. In each instance the osCommerce files are unique & not linked.

 

My problem is on each of those linked directories I get the error codes as follows:

 

Warning: is_dir() [function.is-dir.html]: Stat failed for /home/cat/public_html/mannix (errno=13 - Permission denied) in /home/insp01/public_html/admin/includes/functions/sitemonitor_functions.php on line 173

 

Warning: is_dir() [function.is-dir.html]: Stat failed for /home/cat/public_html/mannix (errno=13 - Permission denied) in /home/insp01/public_html/admin/includes/functions/sitemonitor_functions.php on line 256

 

 

Warning: is_dir() [function.is-dir.html]: Stat failed for /home/cat/public_html/mannix (errno=13 - Permission denied) in /home/insp01/public_html/admin/includes/functions/sitemonitor_functions.php on line 173

 

And then it craps out. It does not seem to want to ignore the linked directories. Thanks


Tony Mazz


> I am on the same server with different accounts. One account is fine, the Site Monitor works great, as well does the Hacker Code portion. However when I try the same thing in the other account which has all data directories linked. The osCommerce files are not linked and are what I want to monitor with this contribution like I do on the main account. I was hoping to do this with all of my stores. They all link back (just like public_html & www) to the main account files. In each instance the osCommerce files are unique & not linked.
>
> My problem is on each of those linked directories I get the error codes as follows:
>
> Warning: is_dir() [function.is-dir.html]: Stat failed for /home/cat/public_html/mannix (errno=13 - Permission denied) in /home/insp01/public_html/admin/includes/functions/sitemonitor_functions.php on line 173
>
> Warning: is_dir() [function.is-dir.html]: Stat failed for /home/cat/public_html/mannix (errno=13 - Permission denied) in /home/insp01/public_html/admin/includes/functions/sitemonitor_functions.php on line 256
>
> Warning: is_dir() [function.is-dir.html]: Stat failed for /home/cat/public_html/mannix (errno=13 - Permission denied) in /home/insp01/public_html/admin/includes/functions/sitemonitor_functions.php on line 173
>
> And then it craps out. It does not seem to want to ignore the linked directories. Thanks

This could be an issue with open_basedir restrictions in apache. If your stores are in separate accounts, that might be the reason. Maybe it won't play nice with symbolic links?


Thank you for this module - SiteMonitor.

 

Please suggest on this warning message:

 

Checked 90 directories containing a total of 604 files. Skipped 686 files. 2 suspected hacked files found.

Hacked Files Found

admin/includes/classes/nusoap.php

includes/modules/payment/paypal_standard.php

 

 

Regarding found files:

paypal_standard.php is 42.72 kb date: 1/11/2008 ----> it has the same date as all other files in the folder

 

nusoap.php ---> I want to make sure, isn't a part of the original oscomm 2.2 rc2

 

Thank you!

Edited by oscommerce21


Jack, thanks a lot.

 

A little suggestion, if I may:

 

you can put a link to this forum in

 

SiteMonitor

Admin

Configure

 

dialog page, so people can find this forum and watch for updates, get help and help others. You can even use this very wording as a hyperlink

 

 

"SiteMonitor: watch for updates, get help and help others"

 

Thanks for your time and commitment.

Edited by oscommerce21


> Please suggest on this warning message:
>
> Checked 90 directories containing a total of 604 files. Skipped 686 files. 2 suspected hacked files found.

It means those files have code in them that hackers use. Such code can also be used legitimately so you have to check the files manually to be sure they are OK.


> Jack, thanks a lot.
>
> A little suggestion, if I may:
>
> you can put a link to this forum in

Thank you for the suggestion.


> If someone is able to hack into your site, they can alter your files to send them your customers' information. I've seen this happen several times, thus the genesis of this contribution. This contribution will create a record of your files so that they can be checked at a later date. If any files have been added or deleted, or the size, timestamp or permissions were changed, you are notified via email. The script can be run manually, but the best way is to set up a cron job so that the files are checked automatically.
>
> The contribution can be found here.
>
> Jack

Reference file creation failed.

 

 

Warning: opendir(/home/username/public_html) [function.opendir]: failed to open dir: No such file or directory in /home/free/public_html/admin/includes/functions/sitemonitor_functions.php on line 162

 

Warning: readdir(): supplied argument is not a valid Directory resource in /home/free/public_html/admin/includes/functions/sitemonitor_functions.php on line 164

Reference file creation failed.

 

Please help to understand what it means and what to do.

 

Thanks!


> It means those files have code in them that hackers use. Such code can also be used legitimately so you have to check the files manually to be sure they are OK.

 

Does it mean, admin/includes/classes/nusoap.php is a part of 2.2 rc2?

 

Did anyone see it before?


> Warning: opendir(/home/username/public_html) [function.opendir]: failed to open dir: No such file or directory in /home/free/public_html/admin/includes/functions/sitemonitor_functions.php on line 162

If your username is not actually username, then you will need to change that.


> Does it mean, admin/includes/classes/nusoap.php is a part of 2.2 rc2?
>
> Did anyone see it before?

It doesn't have anything to do with what version the shop is. SiteMonitor is just saying that file has code in it that is similar to what hackers use. I doubt that it has been hacked though. I think it is just the normal code for that file. The only way to be sure though is to compare it with a known good file, assuming you don't know what to look for in the file.


> Reference file creation failed.
>
> Warning: opendir(/home/username/public_html) [function.opendir]: failed to open dir: No such file or directory in /home/free/public_html/admin/includes/functions/sitemonitor_functions.php on line 162
>
> Warning: readdir(): supplied argument is not a valid Directory resource in /home/free/public_html/admin/includes/functions/sitemonitor_functions.php on line 164
>
> Reference file creation failed.
>
> Please help to understand what it means and what to do.
>
> Thanks!

I have a similar problem ... I installed version 1.9 today and the first time I tried to configure it, I got the following error page: "Forbidden You do not have permission to access this document."

 

Then after informing my webhost about this, they made a few changes with their firewall as they thought that may have been the problem.

 

So I tried it again and got the following error message "Cannot change the mode of file (/xxx/xxx/xxxxxx/MYSITEcom/xxxxxx/admin/sitemonitor_configure.php)"

 

Then we went through changing file permissions, etc. and deleted the .htaccess file from that directory but still got the same error message listed immediately above.

 

One thing I noticed when I loaded the thing for the first time, was that there was an automatically assigned user name and password in the configuration page and I also noticed a post earlier that indicated that these should be empty, but I think that was in reference to another problem, with the previous version.

 

Also, (I'm guessing this is because of the aforementioned error message), when I try to run the update in the admin page, I get the error message "file creation failed."

 

So can someone help me figure this out? Is it the user name and password automatically generated by the sitemonitor_configure_setup.php file, or could it be something else?

Edited by westindiestrader


As mentioned previously here and in the text on the page, you only need those settings if you are using the curl login option. Try clearing them and see what happens.


> As mentioned previously here and in the text on the page, you only need those settings if you are using the curl login option. Try clearing them and see what happens.

ok, only thing is I don't know what you mean by "curl login option" and how to turn it off or on

 

--edit--

 

I just tried clearing the user name and password and still got the same error message "Cannot change the mode of file (/var/www/vhosts/westindiestrader.com/httpdocs/admin/sitemonitor_configure.php)"

 

has anyone ever experienced this error message?

Edited by westindiestrader


> ok, only thing is I don't know what you mean by "curl login option" and how to turn it off or on
>
> --edit--
>
> I just tried clearing the user name and password and still got the same error message "Cannot change the mode of file (/var/www/vhosts/westindiestrader.com/httpdocs/admin/sitemonitor_configure.php)"
>
> has anyone ever experienced this error message?

You may have to give the file 777 permissions to start with.


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.


> That was done already and still got the same error message

OK, not sure if this will help. When I change the configure information, I have to have it in the configure file, delete the reference file and run the delete reference file in my admin. The permissions need to be set at 777 for many of the files due to ownership issues.



> OK, not sure if this will help. When I change the configure information, I have to have it in the configure file, delete the reference file and run the delete reference file in my admin. The permissions need to be set at 777 for many of the files due to ownership issues.

ok the only problem with that is there was no reference file with the installation and although I understand the contrib is supposed to automatically generate a reference file after deleting it, it fails to do that.


> ok the only problem with that is there was no reference file with the installation and although I understand the contrib is supposed to automatically generate a reference file after deleting it, it fails to do that.

Perhaps try uploading the sitemonitor_log.txt file.



Is there a thread that discusses how a site can get compromised? For starters, we're changing the passwords for cPanel, FTP, and Admin. Is it possible emails containing passwords can get intercepted? Should we communicate this information another way?
