celextel

PHP Intrusion Detection System for osCommerce


Module to include PHPIDS into osCommerce to Log and Prevent Intrusions

http://addons.oscommerce.com/info/7368

 

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.


Additional Note:

 

This module [front end] automatically creates the database during its first call.

 

Access the website pages and do the testing as mentioned by us, after installing the catalog portion, before going to the admin for accessing the log report.


This module [front end] automatically creates the database during its first intrusion [test] call.


Is it really only for osC 2.1? That's quite ancient. Can you describe a bit more of what it does -- does it only look at user form input with attempts at injecting PHP or MySQL code, or does it detect unauthorized changes to files coming from other sources (such as a compromised password or server)? Does it detect attempts to run arbitrary PHP scripts from the browser? Does it detect injection attacks via URL Query Strings? What are its selling points compared to other security measures already available for osC (in other words, why should I use yours instead of theirs)? Does it work in conjunction with other security measures (filling a gap in security), or does it replace others?



1. This works well in osC v2.2. We have tested this only on osC v2.2.

v2.1 was selected by mistake while doing the contribution upload. We are unable to change it now. We could do another upload under v2.2 if required.

 

2. Please visit the following websites to know more about its functioning:

http://php-ids.org/downloads/

http://www.h-online.com/security/features/Getting-started-with-the-PHPIDS-intrusion-detection-system-746233.html

 

3. Yes, it does the following:

[i] Detects form input with attempts at injecting PHP or MySQL code

[ii] Detects attempts to run arbitrary PHP scripts from the browser

[iii] Detects injection attacks via URL Query Strings

 

4. PHPIDS is a unique Intrusion Detection System which is already popular. We have not seen this type of software elsewhere. We also do not have this type of software in the existing osCommerce contributions.

 

5. Yes, this works in conjunction with other security measures. This might not replace any other contribution.

 

PHPIDS enables you to see who’s attacking your site and how and all without the tedious trawling of log files or searching hacker forums for your domain.

 

Web applications are regularly threatened by attacks that try to exploit programming weaknesses. The PHP-based, open source PHPIDS solution detects attempted intrusions and raises the alarm when a threat is identified.

 

PHPIDS helps protect PHP-based applications from Cross-Site-Scripting, SQL-Injection and other attacks. The simplest scenario involves logging attacks to establish whether a site is being targeted and requires further protective measures. Installing PHPIDS is usually only a matter of a few simple steps.

Edited by celextel


FAQ:

 

What kinds of attacks are detected by the PHPIDS?

 

Currently the PHPIDS detects all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks. Through special conversion algorithms the PHPIDS is even able to detect heavily obfuscated attacks – this covers several charsets like UTF-7, entities of all forms – such as JavaScript Unicode, decimal- and hex-entities as well as comment obfuscation, obfuscation through concatenation, shell code and many other variants.

 

Furthermore the PHPIDS is able to detect yet unknown attack patterns with the PHPIDS Centrifuge component. This component does in depth string analysis and measurement and detects about 85% to 90% of all tested vectors given a minimum length of 25 characters.

 

What’s required to run the PHPIDS?

You need at least PHP 5.1.6 to use all features of the PHPIDS. Depending on which kind of logging and caching you choose you might need a database that is able to work together with PDO. SimpleXML is required if you wish to use the XML based filter rules – if your system doesn’t provide SimpleXML you can use the fallback JSON based rules. A nice to have for the generic attack detection is Unicode support for the PCRE engine. The PHP packages shipped with current distributions should fulfill all requirements out-of-the-box.

 

How to work with the impact?

The impact indicates the severity of the attack. The PHPIDS brings around 50 filter rules to detect attacks and each one of them has an impact – the more rules match on the incoming data, the more likely it’s an attack and the higher ranks the resulting impact.

 

The impact can be received by using the $result->getImpact() on the result object.

 

You can store the impact as a session value if you want to track an attacker’s activity for some time and wish to react later – when the session impact has risen to 50 or 100. A usual very first attack impact is around 5 – 10 – sometimes 15 – 20. A typical XSS probing monitored by session based impact usually results in an impact of 50 – 150. So it’s pretty easy to separate the false alerts from the real attacks using session based impact.

 

What can be done in case the impact is very high?

There are several ways to react to a high (around 15) or very high (around 25-50) impact – the first and easiest would be a hard redirect – the suspicious user could be redirected to a warning page which tells him that the application considered his input malicious and asks him to stop. Meanwhile all important parameters of the user can be logged and used for forensics. Another effective way would be to destroy the user’s session.

 

What about performance issues?

The PHPIDS is being developed under constant profiling with xdebug and performance measurements to make sure that your application will not become noticeably slower. Only request parameters are checked whose values contain characters other than a-Z, 0-9, @ and _.

 

Furthermore modules like the HTML parser are only included and used in case there is input coming in with a key matching the ones given in the Config.ini / via $monitor->setHtml() for content with HTML allowed. So the performance hungry components normally won’t be loaded during about 95% of all requests.

Edited by celextel

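The FAQ above describes the impact score, the session-based accumulation and the tiered reactions (log, redirect, destroy session) in prose. The following is an added example of that flow against the PHPIDS 0.6.x API as documented in the PHPIDS distribution; it is not code from this module and not part of any post in this thread. It assumes PHPIDS is unpacked as "phpids/" next to the file, that the session is already started (osCommerce starts its own), and the thresholds, the "/ids_warning.php" page, the "__utmz"/"__utmc" exceptions and the "comments" HTML field are illustrative choices, not values taken from the module.

```php
<?php
// Added example (not the osCommerce module's code and not PHPIDS's own):
// runs PHPIDS 0.6.x over the request, accumulates the impact in the session
// and reacts by tier as the FAQ describes.
// Assumed: PHPIDS is unpacked as 'phpids/' beside this file, the session has
// already been started (osCommerce starts its own), and the thresholds,
// warning page and parameter names below are illustrative choices.

$phpidsLib = dirname(__FILE__) . '/phpids/lib';      // assumed install path
set_include_path(get_include_path() . PATH_SEPARATOR . $phpidsLib);

require_once 'IDS/Init.php';
require_once 'IDS/Monitor.php';
require_once 'IDS/Log/File.php';
require_once 'IDS/Log/Composite.php';

define('IDS_IMPACT_WARN',   15);   // "high": send the user to a warning page
define('IDS_IMPACT_KILL',   25);   // "very high": end the session
define('IDS_SESSION_LIMIT', 50);   // cumulative impact that marks a slow prober

function osc_phpids_check(array $request, $phpidsLib)
{
    $init = IDS_Init::init($phpidsLib . '/IDS/Config/Config.ini');
    $init->config['General']['base_path']     = $phpidsLib . '/IDS/';
    $init->config['General']['use_base_path'] = true;

    $monitor = new IDS_Monitor($request, $init);
    // Parameters that legitimately carry odd characters (gateway callbacks,
    // analytics cookies) are excluded by name, as the module does for its
    // PayPal variables. These two names are assumed, not the module's list.
    $monitor->setExceptions(array('__utmz', '__utmc'));
    // Fields allowed to contain HTML go through the HTML parser instead of
    // raising on every tag; 'comments' is an assumed field name.
    $monitor->setHtml(array('comments'));

    return array($monitor->run(), $init);
}

function osc_phpids_react(IDS_Report $result, IDS_Init $init)
{
    if ($result->isEmpty()) {
        return 'clean';
    }

    // Log every event of this request: per-parameter impact, value and tags
    // are what you want later for forensics.
    $log = new IDS_Log_Composite();
    $log->addLogger(IDS_Log_File::getInstance($init));
    $log->execute($result);

    $impact = $result->getImpact();
    // Session accumulation: one probe scores roughly 5-20, a sustained XSS
    // probing run climbs past 50, which is what separates noise from attack.
    $total = isset($_SESSION['ids_impact']) ? $_SESSION['ids_impact'] : 0;
    $_SESSION['ids_impact'] = $total + $impact;

    if ($impact >= IDS_IMPACT_KILL || $_SESSION['ids_impact'] >= IDS_SESSION_LIMIT) {
        session_destroy();
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    if ($impact >= IDS_IMPACT_WARN) {
        header('Location: /ids_warning.php');   // assumed warning page
        exit;
    }
    return 'logged';                            // low impact: log and carry on
}

$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE,
);
list($result, $init) = osc_phpids_check($request, $phpidsLib);
osc_phpids_react($result, $init);
```

Include the file before the shop emits any output, because both reactions send headers. Appending the test vector used in this thread (?id=1&test=">XXX) to a shop URL should produce one event for the "test" parameter in the log with its impact; the impact of a single such probe is the low single-request figure quoted in the FAQ, so it is the session total, not one hit, that pushes a repeat prober over IDS_SESSION_LIMIT.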


Please find this contribution at the following URL:

http://addons.oscommerce.com/info/7374

All future versions would be posted only on this page.

 

We have to move this under osCommerce Online Merchant v2.2 as we have tested this only under v2.2.

 

NEW!!

 

PHPIDS for osCommerce 1.1

Just added two more exception variables which PayPal is using during the payment process. We had to include the first two exception variables as PHPIDS was creating hundreds of IDS log file entries even though those requests made by osCommerce were not intrusions.

 

You could ban an IP with high Impact score automatically.


NEW!!

 

PHPIDS for osCommerce 1.2

 

Setting to show result [for testing purposes] and to set value for IP ban have been added to the main configuration.

 

This module would ban an IP automatically if

(i) banned file exists in the modules directory,

(ii) impact score is more than the set value for ip ban and

(iii) set value for show result is false.

 

Added contribution link to the PHPIDS Log Report file in the admin.

 

Read Me HTML file updated.

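The post above lists the three conditions under which the module bans an IP: a banned file exists in the modules directory, the impact exceeds the configured value, and show-result mode is off. What follows is an added illustration of that rule together with the lookup that enforces it on later requests; it is not the module's osc_phpids.php and not part of any post here. The ban file format (one address per line), the variable names, the threshold of 25, and the path outside the web root are assumptions. The example uses filter_var(), which needs PHP 5.2 or later.

```php
<?php
// Added example of the three-condition auto-ban rule and of the check that
// enforces it. Illustrative code, not the module's own osc_phpids.php; the
// file format, variable names and paths below are assumptions.

$show_result   = 'false';                 // module-style string setting
$ip_ban_impact = 25;                      // assumed threshold
// Kept outside the web root so the list is neither served nor reachable
// through a web request.
$banned_file   = '/home/example/phpids_banned.txt';   // assumed path

function osc_phpids_should_ban($impact, $ipBanImpact, $showResult, $bannedFile)
{
    return file_exists($bannedFile)       // (i)   ban list is in place
        && $impact > $ipBanImpact         // (ii)  impact above the set value
        && $showResult === 'false';       // (iii) not in show-result test mode
}

function osc_phpids_is_banned($ip, $bannedFile)
{
    if (!is_readable($bannedFile)) {
        return false;
    }
    $list = file($bannedFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return in_array($ip, $list, true);
}

function osc_phpids_add_ban($ip, $bannedFile)
{
    // Only a syntactically valid address is written, so nothing an attacker
    // controls can put arbitrary text into the list.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    if (osc_phpids_is_banned($ip, $bannedFile)) {
        return true;                      // already listed, nothing to do
    }
    return file_put_contents($bannedFile, $ip . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Use the socket peer address, not a client-supplied header such as
// X-Forwarded-For, which a prober can set to anything.
$clientIp = $_SERVER['REMOTE_ADDR'];

// On every request, before the shop does any work:
if (osc_phpids_is_banned($clientIp, $banned_file)) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// After PHPIDS has run: $result is the IDS_Report returned by
// IDS_Monitor::run(), whose getImpact() is the value discussed in the FAQ.
$impact = isset($result) ? $result->getImpact() : 0;
if (osc_phpids_should_ban($impact, $ip_ban_impact, $show_result, $banned_file)) {
    osc_phpids_add_ban($clientIp, $banned_file);
}
```

The ban check runs before the IDS itself so a listed address costs no rule evaluation. Reading the whole file on each request is fine for a short list; a store that accumulates thousands of entries would move the list into the database table the module already creates.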

This sounds like a great addition to security, however I'd suggest seeing if it can be set up so that the log file it writes to is outside the public_html, for added security.


I've also found that Test #2 will return a 404 error if you're running Mod Security, suPHP and Suhosin on the server:

 

Not Acceptable

 

An appropriate representation of the requested resource /index.html could not be found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Edited by alba


Just to clarify, no, that's not a 404 you're getting. It's a 406. The 404 comes from not having your own error document (e.g., /406.shtml) for error 406. It's stupid to configure Apache that way (report a 404 when it can't find your error handler), but that's how most servers have it. Read http://www.catskilltech.com/freeSW/SMF/faqs/index.html#errorpages



You could keep the PHPIDS directory itself outside the public_html. This is possible. You need to just change the $oscBasePath value to the new path [example '/home/'] in our module.



Thanks for the clarification.


So I installed it, but when I go to do the test I get:

 

PDOException: could not find driver

 

Any ideas?

Edited by pmfjoe



Perhaps you have missed something in the installation process. Please go through each of the steps carefully once again.

 

Did you Grant write access [chmod 777] to the "tmp" folder [phpids/lib/IDS/tmp] and also to phpids_log.txt log file which is inside the "tmp" folder?


Hi All.

I get this after installing:

Parse error: syntax error, unexpected '{' in /a/path/to/shop/here/includes/modules/osc_phpids.php on line 80

Any idea whats wrong?

//Micke



Did you make any change to osc_phpids.php? If so, please download this contribution once again and copy this file to your server without making any modification to this file.

 

If you still get the same error, then please go through each of the steps carefully once again. As such there should not be any problem if you have uploaded the PHPIDS directory correctly apart from the files in this contribution.



I changed PHP version to PHP 5.2.6 and now the page loads.

Must have done something wrong though - I have set:

$show_result = 'true';

but no message is showing when I add to the url:

?id=1&test=">XXX
and when I look at the admin log report it says:
1146 - Table 'databasename_2.phpids_intrusions' doesn't exist

 

select id, ip, name, impact, value, page, created from phpids_intrusions order by id

 

[TEP STOP]

I'll go through the steps all over again.



Please check without doing any modifications to our file. DB table gets created automatically during the first test call if all the files are in place.



I have done the installation procedure from the beginning - not changing any files.

The database is not created and I can not see any messages after setting:

$show_result = 'true';

and "attacking" with the URL parameters in the installation instructions.

Would it do any good to create the database table manually in phpMyAdmin?



Perhaps PHPIDS directory is not in the right place.

 

You should rename "phpids-0.6.3.1" directory as "phpids" [not Caps]. [You should do simple zipping and not to a folder.]

 

Make sure that this renamed directory has the following directories directly in it:

docs

lib

nbproject

tests

 

Keep

$show_result = 'false';

and do the test-1 and test-2.

 

Go to the MySQL DB and see whether the new table has been created. No need to create it manually.

 

If still this does not work, you should add the following code to the index file at the top

error_reporting(E_ALL);
ini_set('display_errors', '1');

after

<?php

and see as to what is wrong.

 

Avoid doing this [error_reporting] in a Live Shop.

Edited by celextel


Got it working! :)

The problem was I had another contribution installed called FWR Security Pro. I disabled it and the installation worked like a charm!

I have turned FWR Security Pro on again and now I'll see what happens. I hope these two contributions can interact in a good way.

If you think I'm wrong - please tell me.



Glad to know about this. Perhaps you could use only one of these. We do not have any problem with our module as we do not have FWR Security Pro in our websites. We have to see whether these two could exist together.


NEW!!

 

PHPIDS for osCommerce 1.3

 

1. Version Checker and IP look up link added to admin PHPIDS Log Report file.

2. File Log has been disabled by default now. It is not required as DB Log is enabled.

3. Added a few more exception variables which osCommerce is using during the checkout and other processes.

4. Some functions [tep] have been modified.

5. Added more explanatory notes to the module file.

6. You could use this now with Security Pro of FWR with a small modification.


Hi celextel, I really appreciate your contributions, thank you very much.

 

I've been trying to install this addon to my live webstore. http://www.harcomas I'm using osCommerce 2.2.

When I log in to my admin page I get an error:

1146 - Table 'xxxxx_xxx.phpids_intrusions' doesn't exist

select id, ip, name, impact, value, page, created from phpids_intrusions order by id 

 

what should i do?

 

I felt I was running according to the instructions but I got an error, should I restart my brain??

 

I need your advice celextel.. thanks

