Jack_mcs

SiteMonitor


 

I had to chmod 777 the superior directory so the sitemonitor_reference_0.txt can be written. Is that a good idea?

777 is never a good idea but some hosts are set up to use it and be secure. Most, I think, though are not so you may want to check with them to be sure.


Hello. I've got v3.0 of the Site Monitor software installed on my 2.2 site and had no particular problems doing so up to step 5. However when I try to run the configuration utility for the first time and update the settings in step 5, I get a 406 error which produces the following error messages in IE and Firefox...

 

IE

 

Internet Explorer cannot read this webpage format

HTTP 406

What you can try:

Go back to the previous page.

More information

 

FireFox:

 

Not Acceptable

An appropriate representation of the requested resource /carthome/admin/sitemonitor_configure_setup.php could not be found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

Other relevant info:

Permissions on sitemonitor_configure_setup.php: 644
Permissions on sitemonitor_configure_0.txt: 755
Permissions on /carthome/admin/: 755

 

I've double-checked everything several times. From what I can tell, I've done nothing wrong. Yet the site monitor setup utility fails every time in both browsers. Can anyone tell me what I have overlooked?

 

Thanks.

Edited by websissy


Hmm, I've never seen a 406 error, even outside of this contribution. I don't see how the code from it can cause that but I suppose it is possible, maybe due to the php version. But my guess is it is a server issue more than a coding one. But if it is the code, I've no way to duplicate it so I can't even begin to test it, which means I don't have any way to help with it.


Jack, if this is helpful at all, this site is running OSC v2.2 RC2a. It's also using a non-standard (locally assigned) name for the admin directory.

Here's what the sitemonitor_configure_0.txt looks like as I uploaded it. The name of the admin directory and the shoproot directory have been changed in this code to mask our real filenames and locations:

 

<?php
/************** THE OPTIONS AND SETTINGS ****************/
$always_email = 1; //set to 1 to always email the results
$verbose = 1; //set to 1 to see the results displayed on the page (for when running manually)
$logfile = 1; //set to 1 to track results in a log file
$logfile_size = 100000; //set the maximum size of the logfile
$logfile_location = 'sitemonitor_logs'; //enter the name of the directory to store the log files. The directory is required to be in the admin directory
$logfile_delete = 30; //number of days to wait before a previous log file is deleted - leave blank to never delete
$reference_reset = 3; //delete the reference file this many days apart
$quarantine = 0; //set to 1 to move new files found to the quarantine directory
$to = 'sheila@ourdomainname.com'; //where email is sent to
$from = 'From: webmaster@ourdomainname.com'; //where email is sent from
$start_dir = '/home/ourdomaindir/public_html/shoproot/'; //your shops root
$admin_dir = 'http://ourdomainname.com/shoproot/manage/'; //your shops admin
$admin_username = 'LeadAdmin'; //your admin username
$admin_password = 'adminpassword'; //your admin password
$excludeList = array('cgi-bin'); //don't check these directories - change to your liking - must be set prior to first run
$hackIgnoreList = array('jpg', 'jpeg','gif','png','txt','zip'); //don't check these types of files - change to your liking
$hackCodeSegments = array('error_reporting(0)', 'base64_decode','<iframe','gzdecode','eval','ob_start("security_update")', 'Goog1e_analist_up', 'eval(gzinflate(base64_decode', 'Web Shell', '@eval', ' header;', 'shell_exec', 'system','SetCookie','Meher Assel', 'nt02', '<script src','r57shell','createCSS','auto_append_file'); //enter any hacker code that you would like to check for
?>

 

I'm running PHP v5.2.17.

 

There's nothing especially unique about our site's permissions. In fact to eliminate that possibility while trying to figure out the cause of this problem, I ran check permissions and allowed it to update all permissions to the defaults it recommends.

 

Can you at least tell me the name and intended directory location of the file the sitemonitor_configure_setup.php utility is trying to create? It seems to fail as soon as I click the update button in sitemonitor -> configure

 

Finally, if I pay you to install this addon will you devote the effort to figure out what is wrong and how to fix it?

 

P.S. it may be helpful to know we have several security-related addons installed on the site (over a dozen) yet, this is the ONLY one I've had this sort of trouble with...

 

Thanks!

 

Best,

websissy


The code writes the configure file to the admin directory. The configure file is named sitemonitor_configure_x.txt, where x is the instance number. When someone pays me to install something, I guarantee it is installed correctly and will spend some time trying to find the reason if it fails. But I, no one, can spend unlimited time on troubleshooting a problem for the cost of an installation so I couldn't say for sure that would fix the problem, especially since this contribution requires a server setup with certain settings and I wouldn't have access to those.


I have a hunch I know what's going on here. After experiencing a series of hacker attacks and server invasions involving OSC sites they hosted, our webhost finally got to the point a few months ago where they restricted certain things some php programs try to do and blocked PHP's ability to do them. For instance, they now deny ANY use of the exec command by PHP apps to avoid having a program that's running at an owner-privileged level from executing certain system commands. Another thing they may also do is to block the ability of programs to create completely new files out in the server's directory space where none existed before (e.g. in your case, creating what amounts to a brand new sitemonitor_configure.php file (okay, granted it's named sitemonitor_configure_1.txt; but the behavior is still the same) where none existed before. Even you have to admit that's a fairly unusual behavior.

 

They've done this in part by restricting access to certain php and shell functions. I suspect that's the underlying cause of this 406 error problem. As soon as the SiteMonitor programs try to create a completely new file in this manner, permission is being denied and the result is this 406 error we're seeing. Since these are deliberate server-security measures designed to block certain questionable behaviors, I suspect I'm not going to be very successful in convincing them to be more permissive in this case.

 

In short, I suspect the way you're handling the sitemonitor_configure.php file may be being treated as an invader/hacker-type behavior.

 

Question, beyond the site_monitor_configure_#.txt (which apparently gets created in shoproot/ADMINDIR/includes and the reference file (which gets created precisely WHERE, please? And can you show me what a new empty reference file looks like?) does the SiteMonitor software engage in creating files out in the server's file space like this in ANY other places? Or if I were to provide those (correctly configured) files manually is it possible the software will go along and be happy and not engage in any more 'naughty' behavior of the same type? The bottom line is if SiteMonitor makes a practice/habit of creating files out in the server-controlled directories, then if my hunch is right, it's never going to work on my server. But if it's only these two files that it creates in this way, then I've at least got a shot at making it work correctly except during the configuration and setup process.

 

You know the software. Is this something SiteMonitor does a lot throughout its code? If that's the case I might as well give up and abandon my efforts to install your addon right now. If it's not, then I may be able to work around it and still get the benefit from your code.

 

I eagerly await your reply.

 

Thanks.

Edited by websissy


Question, beyond the site_monitor_configure_#.txt (which apparently gets created in shoproot/admin/includes and the reference file (which gets created WHERE, please?) does the SiteMonitor software engage in creating files out in the server's file space like this in other places? Or if I were to create those (correctly configured) files manually is it possible that the software will go along fine and not engage in any other 'naughty' behavior of the same type? The bottom line is if SiteMonitor makes a practice of creating files out in the server-controlled directories, then if my hunch is right, it's never going to work on my server. But if it's only the two files that it creates in this way, then I've at least got a shot at making it work correctly except during the configuration and setup process.

You know the software. Is this something SiteMonitor does a lot throughout its code? If that's the case I might as well give up and abandon my efforts to install your addon right now. If it's not, then I might be able to work around it and still get the benefit from your code.

All of the files that get created are placed in the admin directory, with the possible exception of the logs if you set the location option elsewhere. The configure file doesn't get changed once it is set up, which you can do manually, unless you make some change, of course. The reference file has to be created by the program. If you never have any changes detected, then you can use the original reference file but it is unlikely that would happen. Be sure to disable the automatic reference update option if you don't want that to happen. The log files get created quite often, in most cases, and the names are based on the date so you can't pre-create them. You can turn off the log option though to get around that but you would lose the log option, of course.

The decision is yours, of course, but, personally, I wouldn't host somewhere where I had to make concessions, especially with regards to security, based on how my host has the server set up.

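The two checks discussed in the posts above, comparing the file tree against a reference file and scanning for the configured code segments, sketched as an added example; this is not SiteMonitor's code or its author's. The option names are borrowed from the posted configuration, while the function names, the SHA-256 baseline and the temp-directory sample tree are assumptions made for illustration (requires PHP 5.4 or later).

```php
<?php
// Added illustration, not SiteMonitor's code. Option names mirror the posted configuration.
$excludeList      = array('cgi-bin');
$hackIgnoreList   = array('jpg', 'jpeg', 'gif', 'png', 'txt', 'zip');
$hackCodeSegments = array('base64_decode', 'eval(gzinflate(base64_decode', 'shell_exec', '<iframe');

// Walk $root and return "relative path => sha256", never descending into excluded directories.
function snapshot($root, $excludeList) {
    $root  = rtrim($root, '/');
    $files = array();
    $dirIt = new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS);
    $filter = new RecursiveCallbackFilterIterator($dirIt, function ($cur) use ($excludeList) {
        return !($cur->isDir() && in_array($cur->getFilename(), $excludeList, true));
    });
    foreach (new RecursiveIteratorIterator($filter) as $f) {
        if ($f->isFile()) {
            $files[substr($f->getPathname(), strlen($root) + 1)] = hash_file('sha256', $f->getPathname());
        }
    }
    ksort($files);
    return $files;
}

// Compare the current tree with the stored reference: new, deleted and modified files.
function compare_to_reference($reference, $current) {
    $changed = array();
    foreach (array_intersect_key($current, $reference) as $path => $hash) {
        if ($reference[$path] !== $hash) { $changed[] = $path; }
    }
    return array(
        'new'     => array_keys(array_diff_key($current, $reference)),
        'deleted' => array_keys(array_diff_key($reference, $current)),
        'changed' => $changed,
    );
}

// Case-insensitive substring scan for the configured segments.
// Files whose extension is on the ignore list are skipped entirely.
function scan_for_segments($root, $paths, $hackIgnoreList, $hackCodeSegments) {
    $hits = array();
    foreach ($paths as $rel) {
        $ext = strtolower(pathinfo($rel, PATHINFO_EXTENSION));
        if (in_array($ext, $hackIgnoreList, true)) { continue; }
        $body = file_get_contents(rtrim($root, '/') . '/' . $rel);
        foreach ($hackCodeSegments as $seg) {
            if (stripos($body, $seg) !== false) { $hits[$rel][] = $seg; }
        }
    }
    return $hits;
}

// Constructed sample tree in a temp directory so the example runs offline.
$root = sys_get_temp_dir() . '/sm_demo_' . uniqid();
mkdir($root . '/includes', 0755, true);
mkdir($root . '/cgi-bin', 0755, true);
file_put_contents($root . '/index.php', "<?php echo 'shop';\n");
file_put_contents($root . '/includes/header.php', "<?php // header\n");
file_put_contents($root . '/cgi-bin/ignored.php', "<?php // excluded directory\n");

$reference = snapshot($root, $excludeList); // what a reference file would hold

// Constructed changes after the baseline: a new file, an edit, a removal, a new .txt file.
file_put_contents($root . '/includes/cache.php', "<?php \$x = base64_decode('aGVsbG8=');\n");
file_put_contents($root . '/index.php', "<?php echo 'shop v2';\n");
unlink($root . '/includes/header.php');
file_put_contents($root . '/notes.txt', "shell_exec appears here, but txt is on the ignore list\n");

$current = snapshot($root, $excludeList);
$diff    = compare_to_reference($reference, $current);
$hits    = scan_for_segments($root, array_keys($current), $hackIgnoreList, $hackCodeSegments);
print_r($diff);
print_r($hits);
```

The constructed notes.txt is never opened by the segment scan because its extension is on the ignore list, yet it still appears as a new file in the reference comparison, which is why the two checks are run together.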

Thanks for the candid reply, Jack.

 

After pondering this situation carefully, I decided to remove SiteMonitor and rely on the web host's built-in security protections plus all the other security addons I've installed on this site to protect us as well. I began by building my own list of potential security addons. Then I carefully read spooks white-paper on how to secure an OSC site: http://forums.oscomm...howtopic=313323. Then I studied the white-paper on "How to protect an OSC site using .htaccess" by Fimble: http://addons.oscommerce.com/info/6066 And then I went back through my own list and adjusted it based on what these "recognized experts" had to say. Your patches were on my original list and survived that 'cuts' process too.

 

As it is, the list of security features I've installed includes 14 distinct security addons varying from fairly simple to very sophisticated. That's not to say we're invulnerable to attack. NO site is! But we're as hardened as I could make the site using my 43 years in IT plus the wisdom and insights of some very smart OSC gurus to guide me. So, even without SiteMonitor's protections, we're not exactly running naked in the woods here. Frankly if I was an attacker and encountered all the security barriers we've raised to protect this site, I'd give up and go elsewhere looking for an easier site to crack.

 

That's what I'm hoping anyway. We'll see.

 

Frankly, I'd love to be able to install and run SiteMonitor too, Jack. However, I'm unwilling to begin jumping through burning hoops backwards while blindfolded in order to get there.

 

Thanks VERY much for your help!

Edited by websissy


Hi Jack - great contribution works great for my OS2.2. Thank you! i am having issues with my 2.3 as follows: (i have read almost all the posts and went through the suggestions of switching the paths, changing admin folder permission to 777 etc but still no go; not sure what is wrong):

 

Your username is invalid. Please change it and try again.: System -> /home3/USERNAME/public_html/SUBDOMAIN/ - SiteMonitor -> /home3/USERNAME/public_html/SUBDOMAIN/

 

If you look at the path... both are correct... this is exactly what is showing up on my cpanel->filemanager. the admin username password that sitemonitor is pulling is my DB username and password; i have changed it to admin username/passwd and still no go...

 

Please note that the SUBDOMAIN is a freshly installed OS2.3 with no modules installed. this is the first module that i wanted to install before anything.

your input in this would save me lots of hours...

 

look forward to your response. regards!


You need to upgrade to the latest version. See the several recent posts on this.


 

Let me rephrase... my one subdomain works great using the newest sitemonitor.

 

I am having issues with my newly installed subdomain with the newest sitemonitor version 3.0. this new subdomain is OS2.3 and i use sitemonitor 3.0 for OS2.3 as well...


If you would read the previous posts as suggested, you will see where I stated that the error you are having is not possible since that code is no longer used.


 

 

when sitemonitor is unzipped following folder shows up:

oscommerce_2.3

oscommerce_MS2_or_RC2

UpdateDocs

 

i installed the files from oscommerce_2.3 (twice to confirm); please advise if this is incorrect.

 

for my other website; running OS2.2 i used oscommerce MS2_or_RC2; running fine.

 

thanks,


I've no way to know if it is correct since it depends upon which oscommerce version you are using but I think it is fairly easy to interpret.


qahsan786,

Please read post 1870 and 1877 - 1880 on this thread. The problem with the invalid username message on OSC2.3 is because the latest code is not in the download on addons.oscommerce.com. The fixed code that you need is in post 1870. This has caused some confusion for myself and others.


Or just download the latest version.


Sorry Jack, you lost me with that comment. Where should we download the latest version from? On addons.oscommerce.com the latest version is 3.0 dated 5th Sept 2011. That version does not contain the updated code you posted to this forum thread on 8th Sept. Can you see why we are confused?


 

osc_david... thanks so much for your input on this. i will work on it in a little bit and let you know. Also, thanks for bringing that up in regards to the latest download version is missing something that is posted on post1870, 1877-1880. i am sure it has fixed your issue and will fix mine as well. thanks again.


 

@osc_david: your pointer to look at post1870/1877-1880 solved the issue of invalid username on OS2.3.1 & Sitemonitor ver3.0

Please note that sitemonitor version 3.0 is missing the updated file sitemonitor_admin.php; post 1877 has the updated file, please copy paste and everything will work as it should.

 

@jack_mcs: please note that your full package for sitemonitor3.0 is missing the updated file of sitemonitor_admin.php

 

thanks so much! peace~


No, I'm the one to apologize. I compared the code posted here with my version for 3.0 and it is close to identical. But when I download the zip file and compare to those files, that one file is incorrect. So, somehow, all of the files were updated, except for that one. I've no idea how that could have happened but it obviously did and I do apologize for any confusion and aggravation this mistake caused anyone.

 

To be clear, David's post regarding the previously posted code is correct.


 

Jack_mcs... no need to apologize... your contribution in the OSCommerce is an award winning... + on the top your dedication towards the post and answering people's issues/questions is even more than anything. i am sure, like me, we love your contribution and can't thank enough. I am sure people won't be posting any future issues related to invalid username anymore as it is already resolved. Thanks again for all your help. peace~


Looking for security before I go live with this site and wonder if the odd file issue above has been added ie the full package or should I download the version 3 and go over the fixes... Many thanks to all you clever clever coders... I am new and ever so grateful...


No, a correct version has not been uploaded yet.


Hi Jack, hope you're well

 

I have just tried to run sitemonitor on my site which I have not done for quite a while, shame on me...

 

Anyway it is now not working as it should. I have installed some contributions over a period of time and I am not sure if this has affected sitemonitor.

 

Firstly how can I find out which version of sitemonitor I installed as I no longer have the files used and secondly how can I upgrade to the latest version?

 

If I know which version I used I can manually check for any code mismatches and then I would like to upgrade to the latest version as I have that installed on another site and it does give you more information.

 

For reference what is happening is when I run "Manually Execute Sitemonitor" and click update it is not finding any new files or deleted files. I have just installed a contribution and expected it to show these files which it did not.

When I run "Manually Check for Hacked Files" this is running as expected and did show the new files

When I run "Delete Reference File" the site returns to a blank white screen and I have to click the back button to get back to my site

When I run "Execute Sitemonitor" this also returns to a blank empty screen and I again have to click the back button to get back to my site.

 

I do not know how long ago it was that the contribution worked properly, sorry.

 

Michael
