celextel

PHP Intrusion Detection System for osCommerce


Looks like the add-on is reporting an attack that has been thwarted.

 

You could ban the IP address using your htaccess file; pop this in Google:

 

Block a specific IP address from accessing your website

 

HTH

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

@geoffreywalton

 

Hi Geoffrey,

 

Thank you very much for your reply. For the whole past week I can say something has been going on on my website, but I have no idea how to check what they have done.

 

Several things I found very strange include:

 

1. When I added new add-ons (I tested on three others as well), the one where I got the PHP Intrusion warning had been changed back, while the other three test ones, with no attack, remained the same.

I deleted that complete catalog and reinstalled a backup one.

 

2. I had set it up secured by htpasswd, but it kept saying that I had a wrong login attempt, and after 2 tries I was blocked and had to wait another 5 minutes. I am pretty sure I had input the password correctly, but it just kept telling me wrong password and blocking me....

 

3. After I set up a new admin with a new password, I made sure I logged off, deleted the internet cookies and refreshed; it showed that I had logged off completely.

 

After a few hours or the next day, when I refresh the computer again, it just automatically logs me in; I don't even need to type in the user name and password.

 

I have a rental and a sales catalog under my domain, and both have the same problem as mentioned in 2 and 3.

 

4. Because of the strange things happening and the PHP warning every day, I installed the Supertracker and Who's Online enhancement.

I couldn't make Who's Online show any information, but with Supertracker's last ten visitors I can see I have a few visitors I never expected, such as from China, Africa and Turkey.... From Google and also your reply in the other thread, I know that the China one is definitely a bad one (PHP Intrusion warning as well...)

 

What should I do now?

How can I check which files may have been modified?

 

Many thanks in advance.

 

Lyn


Geoffrey,

 

You mentioned that "You could ban the ip address using you htaccess file, pop this in google",

 

can you please tell me how I can ban the IP using the htaccess?

I have the add-on "Secure your site with an IP Trap"; it allows me to ban the IP from admin, but I found that when I insert a new IP it doesn't update catalog/banned/IP_Trapped; I have to manually type it into IP_Trapped.txt every time.

 

How can I pop it in Google?

 

What material or other websites are there where I can learn more about security (osCommerce security)?

 

Many thanks in advance.

 

Lyn

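The htaccess ban suggested above and the complaint that the IP Trap add-on's banned file has to be retyped by hand point at the same chore: keeping a deny list in a file in sync with a list kept somewhere else. The following is an added example, not code from the PHPIDS or IP Trap add-ons; it generates the Apache 2.2 "Deny from" block from rows shaped like the banned_ip table that is posted later in this thread (ip_address, ip_status, reason), validates each address before writing it, and replaces a previously generated block between markers so the rest of the .htaccess file is left alone. The function names and the sample rows are this example's own.

```php
<?php
// Added example, not code from the PHPIDS or IP Trap add-ons: builds the
// "Deny from" block for .htaccess out of banned_ip rows, so the ban list is
// regenerated from the database instead of being retyped by hand.
// Assumes the banned_ip columns shown later in this thread (ip_address,
// ip_status, reason); the function names are this example's own.

// Constructed sample rows, shaped like the result of
// SELECT ip_address, ip_status, reason FROM banned_ip
$bannedRows = [
    ['ip_address' => '180.76.6.29',      'ip_status' => 0, 'reason' => null],
    ['ip_address' => '180.76.6.37',      'ip_status' => 0, 'reason' => 'PHPIDS impact >= 70'],
    ['ip_address' => '180.76.6.37',      'ip_status' => 0, 'reason' => 'duplicate row'],
    ['ip_address' => 'not an ip',        'ip_status' => 0, 'reason' => 'bad data'],
    ['ip_address' => ' 198.51.100.23 ',  'ip_status' => 0, 'reason' => 'stray whitespace'],
];

// Reduce the rows to a sorted list of unique, syntactically valid addresses.
// A malformed entry is skipped rather than written out, because one bad
// directive makes Apache answer 500 for every visitor of the directory.
function validBannedIps(array $rows): array
{
    $seen = [];
    foreach ($rows as $row) {
        $ip = trim((string) $row['ip_address']);
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            continue;
        }
        $seen[$ip] = true;
    }
    $ips = array_keys($seen);
    sort($ips, SORT_STRING);
    return $ips;
}

// Render the generated block between markers so it can be replaced later.
function buildDenyBlock(array $ips): string
{
    $lines = ['# BEGIN banned_ip (generated)'];
    foreach ($ips as $ip) {
        $lines[] = 'Deny from ' . $ip;
    }
    $lines[] = '# END banned_ip';
    return implode("\n", $lines) . "\n";
}

// Replace a previous generated block, or append one, leaving every other
// rule in the file untouched. A callback is used so that nothing in the
// block is interpreted as a replacement reference.
function mergeIntoHtaccess(string $existing, string $block): string
{
    $pattern = '/# BEGIN banned_ip \(generated\)\n.*?# END banned_ip\n?/s';
    if (preg_match($pattern, $existing) === 1) {
        return preg_replace_callback($pattern, function () use ($block) {
            return $block;
        }, $existing);
    }
    return rtrim($existing, "\n") . "\n" . $block;
}

// Constructed starting .htaccess (Apache 2.2 access-control syntax) that
// already carries an older generated block.
$existingHtaccess = "Options -Indexes\nOrder Allow,Deny\nAllow from all\n"
    . "# BEGIN banned_ip (generated)\nDeny from 192.0.2.1\n# END banned_ip\n";

$updated = mergeIntoHtaccess($existingHtaccess, buildDenyBlock(validBannedIps($bannedRows)));
echo $updated;
// To apply: file_put_contents('/path/to/catalog/.htaccess', $updated);
```

Under Order Allow,Deny with Allow from all, any matching Deny from line wins, so the three valid addresses are blocked and the old 192.0.2.1 entry disappears because the block is regenerated from the database each time. The Deny from syntax is Apache 2.2; on Apache 2.4 it only works with mod_access_compat loaded, and the equivalent is Require all granted plus Require not ip for each address.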

Hi, I've checked the IP; in my case there are a lot of log entries showing that it is "COOKIE._pk_ref_12_45c0" or "REQUEST._pk_ref_12_45c0" (the numbers in bold change). The IP seems to be an IP of a hosting service, or the others are from my country, so probably it's generated by visitors. So could it be some problem with a PHP update or some cookie issue?

 

Best regards.

@ce7

 

Go to Google and search for

 

Block a specific IP address from accessing your website

 

There is some info and links on securing your web site in my profile.

 

HTH

 

G


Hi Geoffrey,

 

Thank you very much for your reply. I will have a look at your profile information now.

PS. The Supertracker add-on on the sales site, like on the rental site before, has disappeared again. I have to delete it and recover a backup one!

 

And do you have any suggestion about why I cannot log off completely?

Every time I make sure I log off and even delete the cookies, but after a couple of hours or the next day, I type in the admin login and it just automatically logs in without asking me for a user name and password!!!

 

This is the Supertracker result I get for today:

Customer IP Address/Country: 180.76.6.37 (China) - 180.76.6.37
Region: Beijing
City: Beijing
Customer Browser: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
Customer Name: Guest
Referred By: Direct Access / Bookmark
Landing Page: /rental/rental.php?cPath=79&page=1&sort=2a
Last Page Viewed: /rental/rental.php
Time Arrived: 01/08/2013 01:46:26
Last Click: 01/08/2013 01:46:26
Time on Site: 0hrs 0mins 0 seconds
Number of Clicks: 1
Added to Cart: false
Completed Purchase: false

Customer IP Address/Country: 199.21.99.94 (United States) - spider-199-21-99-94.yandex.com
Region: California
City: Palo Alto
Customer Browser: Mozilla/5.0 (compatible; YandexBot/3.0; http://yandex.com/bots)
Customer Name: Guest
Referred By: Direct Access / Bookmark
Landing Page: /rental/product_info.php?products_id=260
Last Page Viewed: /rental/product_info.php
Time Arrived: 01/07/2013 18:28:11
Last Click: 01/07/2013 18:28:11
Time on Site: 0hrs 0mins 0 seconds
Number of Clicks: 1
Added to Cart: false
Completed Purchase: false

@ce7

 

I suspect you clicked on "remember my password" at some stage.

 

Baidu is a Chinese spider so if you do not sell to the Chinese you can block them.

 

Cheers

 

G


Hi Geoffrey,

 

Thanks for the reply.

 

About the password thing, it really bothers me. Every time I log off, I double-check by going to IE/Tools/Options and deleting the browsing history; I delete everything, including passwords (and I did not ask the browser to remember the password). It all shows me that I have logged off completely.

 

However, after a couple of hours or the next day, when I touch the computer again and just type in the admin login.php, it doesn't ask me to type a user name or password; I am automatically logged in to the admin backend....

 

I had installed Site Monitor, but honestly I don't really know how it works. I have PHP Intrusion and IP Trap installed; I will try to install the Virus Threat Scanner next.

 

Lyn


VT will not stop the auto login.

 

If you use FF, try this link:

 

http://kb.iu.edu/data/atdd.html

 

Otherwise try something like this in Google:

 

IE remember password disable

 

HTH

 

G


Hi

 

My customer has got this add-on installed, but she says she is getting loads of emails every day; she said in the space of 3 hours she has had 20 emails from this add-on.

 

Is there a way to stop the emails being sent, or slow them down, or send them to a txt file instead?

 

Kind regards

 

Ian

@ianhaney

 

Yes, if you read the first post in this thread, the action taken on detecting a threat is configurable.

 

HTH

 

G


Hi,

 

I know it is stupid, but I cannot install the DB; I cannot run phpids_installer.php.

When I run it directly I get errors like:

Warning: mysql_query(): Access denied for user 'UNKNOWN_USER'@'localhost' (using password: NO) in /var/www/vhost/medinetclinic.es/home/html/tienda/admin_de_la_tienda/phpids_installer.php on line 20
Warning: mysql_query(): A link to the server could not be established in /var/www/vhost/medinetclinic.es/home/html/tienda/admin_de_la_tienda/phpids_installer.php on line 20
Warning: mysql_query(): Access denied for user 'UNKNOWN_USER'@'localhost' (using password: NO) in /var/www/vhost/medinetclinic.es/home/html/tienda/admin_de_la_tienda/phpids_installer.php on line 33
Warning: mysql_query(): A link to the server could not be established in /var/www/vhost/medinetclinic.es/home/html/tienda/admin_de_la_tienda/phpids_installer.php on line 33
New Table for PHPIDS Log Report Created!

 

What I do is:

In my Internet Explorer, I run ....http://tienda.medinetclinic.es/admin_de_la_tienda/phpids_installer.php

 

What am I doing wrong?

 

Regards


Because I had the same problem as "elsantu", I am writing up my solution. I manually inserted the SQL entries, looking at the older osc 2.2 installation, and I got the phpids folder from the older version (v0.6.4) of PHPIDS, because phpids.org is no longer available.

 

banned_ip:

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

CREATE TABLE IF NOT EXISTS `banned_ip` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `ip_address` varchar(15) NOT NULL,
  `ip_status` int(1) NOT NULL DEFAULT '0',
  `reason` tinytext,
  `created` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 COMMENT='Banned IP addresses that are not allowed to access website' AUTO_INCREMENT=378 ;

INSERT INTO `banned_ip` (`id`, `ip_address`, `ip_status`, `reason`, `created`) VALUES
(65, '180.76.6.29', 0, NULL, '2011-11-11 04:19:43');

phpids_intrusions:

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

CREATE TABLE IF NOT EXISTS `phpids_intrusions` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(128) NOT NULL,
  `value` text NOT NULL,
  `page` varchar(255) NOT NULL,
  `tags` varchar(128) NOT NULL,
  `ip` varchar(15) NOT NULL,
  `impact` int(11) NOT NULL,
  `origin` varchar(15) NOT NULL,
  `created` datetime NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 COMMENT='PHPIDS Log' AUTO_INCREMENT=24937 ;

configuration:

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

CREATE TABLE IF NOT EXISTS `configuration` (
  `configuration_id` int(11) NOT NULL AUTO_INCREMENT,
  `configuration_title` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  `configuration_key` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  `configuration_value` text COLLATE utf8_unicode_ci NOT NULL,
  `configuration_description` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  `configuration_group_id` int(11) NOT NULL,
  `sort_order` int(5) DEFAULT NULL,
  `last_modified` datetime DEFAULT NULL,
  `date_added` datetime NOT NULL,
  `use_function` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  `set_function` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  PRIMARY KEY (`configuration_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=501 ;

INSERT INTO `configuration` (`configuration_id`, `configuration_title`, `configuration_key`, `configuration_value`, `configuration_description`, `configuration_group_id`, `sort_order`, `last_modified`, `date_added`, `use_function`, `set_function`) VALUES
(491, 'Security Check Extended Last Run', 'MODULE_SECURITY_CHECK_EXTENDED_LAST_RUN_DATETIME', '1461007874', 'The date and time the last extended security check was performed.', 6, NULL, NULL, '2016-04-18 21:28:04', NULL, NULL),
(492, 'Sort Order', 'MODULE_BOXES_CATEGORIES_SUPERFISH_SORT_ORDER', '1002', 'Sort order of display. Lowest is displayed first.', 6, 0, NULL, '2016-04-22 13:50:45', NULL, NULL),
(493, 'English Title', 'MODULE_BOXES_CATEGORIES_SUPERFISH_FRONT_TITLE_ENGLISH', '', 'Enter the title that you want in the header in english. Leave this blank for no header or title.', 6, 10, NULL, '2016-04-22 13:50:45', NULL, NULL),
(494, 'PHPIDS Module', 'PHPIDS_MODULE', 'true', 'Enable PHPIDS', 888002, 1, NULL, '2016-05-04 22:08:05', NULL, 'tep_cfg_select_option(array(''true'', ''false''), '),
(495, 'IP Ban Module', 'PHPIDS_IP_BAN_MODULE', 'true', 'Enable IP Ban', 888002, 2, NULL, '2016-05-04 22:08:05', NULL, 'tep_cfg_select_option(array(''true'', ''false''), '),
(496, 'Show Intrusion Result', 'PHPIDS_SHOW_RESULT', 'false', 'Show Intrusion Results on Screen - Enable only during Testing.', 888002, 4, NULL, '2016-05-04 22:08:05', NULL, 'tep_cfg_select_option(array(''true'', ''false''), '),
(497, 'E-mail Log Impact Score', 'PHPIDS_MAIL_LOG_IMPACT', '8', 'Default is 8. Intrusion E-mails are sent when the Impact Score is greater or equal to this set value. You could change this to a lesser or higher value as per your requirement.', 888002, 6, NULL, '2016-05-04 22:08:05', NULL, NULL),
(498, 'DB Log Impact Score', 'PHPIDS_DB_LOG_IMPACT', '4', 'Default is 4. Intrusion logs are created in the database when the Impact Score is greater or equal to this set value. You could change this to a lesser or higher value as per your requirement.', 888002, 7, NULL, '2016-05-04 22:08:05', NULL, NULL),
(499, 'IP Ban Impact Score', 'PHPIDS_IP_BAN_IMPACT', '70', 'Default is 70. IP gets banned automatically when the Impact Score is greater or equal to this set value. You could change this to a lesser or higher value as per your requirement.', 888002, 8, NULL, '2016-05-04 22:08:05', NULL, NULL),
(500, 'Variable Exclusions', 'PHPIDS_EXCLUSIONS', 'REQUEST.__utmz, COOKIE.__utmz, REQUEST.custom, POST.custom, REQUEST.osCsid, COOKIE.osCsid, REQUEST.verify_sign, POST.verify_sign, REQUEST.s_pers, COOKIE.s_pers, REQUEST.enquiry, POST.enquiry', 'List of safe Variables to exclude from intrusion report. Separated by comma and space. Example: REQUEST.__utmz, COOKIE.__utmz<br>', 888002, 12, NULL, '2016-05-04 22:08:05', NULL, 'tep_cfg_textarea(');

and configuration_group:

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

CREATE TABLE IF NOT EXISTS `configuration_group` (
  `configuration_group_id` int(11) NOT NULL AUTO_INCREMENT,
  `configuration_group_title` varchar(64) COLLATE utf8_unicode_ci NOT NULL,
  `configuration_group_description` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  `sort_order` int(5) DEFAULT NULL,
  `visible` int(1) DEFAULT '1',
  PRIMARY KEY (`configuration_group_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=888003 ;

INSERT INTO `configuration_group` (`configuration_group_id`, `configuration_group_title`, `configuration_group_description`, `sort_order`, `visible`) VALUES
(888002, 'PHPIDS', 'PHPIDS for osCommerce', 30, 1);

You should check that the configuration_group_id value in the SQL structure of configuration_group is unique. The value 8888002 in my case shouldn't already be set in the configuration_group_id field; if it is in your case, you must change it, and the "auto_increment" value of the create table instruction line too. I hope I have explained it well. Please remember to delete phpids_installer.php as mentioned in the read_me file of the PHPIDS add-on.

Ciao!

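The configuration rows above define the whole behaviour of the add-on after a detection: a database log entry at PHPIDS_DB_LOG_IMPACT (default 4), an e-mail at PHPIDS_MAIL_LOG_IMPACT (default 8), an automatic ban at PHPIDS_IP_BAN_IMPACT (default 70), and a comma-separated PHPIDS_EXCLUSIONS list of variable names that are never reported. The following is an added example, not the add-on's own code, that works through those rules for a handful of detections; it also answers the earlier question about too many e-mails (the mail threshold is the knob to raise) and the report of `_pk_ref_12_45c0` cookie names that change per visitor. Only the PHPIDS_* keys and their defaults come from the thread; the function names, the constructed detections and the trailing-"*" wildcard are this example's own.

```php
<?php
// Added example, not the add-on's own code: works through how the impact
// thresholds and the exclusion list stored in the configuration table above
// turn one PHPIDS detection into actions. Only the PHPIDS_* keys and their
// defaults come from the thread; function names, the sample detections and
// the trailing-"*" wildcard are this example's own.

// Constructed configuration, mirroring the rows inserted above.
$config = [
    'PHPIDS_DB_LOG_IMPACT'   => '4',
    'PHPIDS_MAIL_LOG_IMPACT' => '8',
    'PHPIDS_IP_BAN_IMPACT'   => '70',
    'PHPIDS_EXCLUSIONS'      => 'REQUEST.__utmz, COOKIE.__utmz, REQUEST.osCsid, COOKIE.osCsid',
];

// The description says the list is "separated by comma and space"; splitting
// on the comma and trimming also tolerates a missing space.
function parseExclusions(string $csv): array
{
    $names = array_map('trim', explode(',', $csv));
    return array_values(array_filter($names, 'strlen'));
}

// Exact match against the list. A trailing "*" (this example's extension,
// not an add-on feature) matches any suffix, for names that change per
// visitor such as the Piwik _pk_ref_... cookies mentioned earlier.
function isExcluded(string $name, array $exclusions): bool
{
    foreach ($exclusions as $pattern) {
        if (substr($pattern, -1) === '*') {
            if (strncmp($name, $pattern, strlen($pattern) - 1) === 0) {
                return true;
            }
        } elseif ($name === $pattern) {
            return true;
        }
    }
    return false;
}

// Decide what happens for one detection: every threshold is "greater or
// equal", exactly as the configuration descriptions state.
function decideActions(array $config, string $name, int $impact): array
{
    if (isExcluded($name, parseExclusions($config['PHPIDS_EXCLUSIONS']))) {
        return ['excluded' => true, 'db_log' => false, 'mail' => false, 'ban' => false];
    }
    return [
        'excluded' => false,
        'db_log'   => $impact >= (int) $config['PHPIDS_DB_LOG_IMPACT'],
        'mail'     => $impact >= (int) $config['PHPIDS_MAIL_LOG_IMPACT'],
        'ban'      => $impact >= (int) $config['PHPIDS_IP_BAN_IMPACT'],
    ];
}

// Constructed detections: variable name and the impact score PHPIDS gave it.
$detections = [
    ['GET.cPath', 3],
    ['GET.products_id', 12],
    ['COOKIE.osCsid', 9],
    ['COOKIE._pk_ref_12_45c0', 5],
    ['POST.comments', 74],
];

foreach ($detections as [$name, $impact]) {
    $a = decideActions($config, $name, $impact);
    printf("%-24s impact %2d  excluded=%d db_log=%d mail=%d ban=%d\n",
        $name, $impact, $a['excluded'], $a['db_log'], $a['mail'], $a['ban']);
}

// Same rules with the wildcard added and the mail threshold raised, which is
// the adjustment to make when the add-on sends too many e-mails: the
// detections are still logged to the database, just not mailed.
$quieter = $config;
$quieter['PHPIDS_MAIL_LOG_IMPACT'] = '20';
$quieter['PHPIDS_EXCLUSIONS'] .= ', COOKIE._pk_ref_*, REQUEST._pk_ref_*';
$a = decideActions($quieter, 'COOKIE._pk_ref_12_45c0', 5);
$b = decideActions($quieter, 'GET.products_id', 12);
printf("\nwith wildcard and mail threshold 20: _pk_ref excluded=%d; impact 12 mail=%d db_log=%d\n",
    $a['excluded'], $b['mail'], $b['db_log']);
```

With the defaults, impact 3 produces nothing, 12 is logged and mailed, 9 on COOKIE.osCsid is dropped by the exclusion list, the `_pk_ref_12_45c0` cookie is logged because an exact-name list cannot match a suffix that changes on every visit, and 74 triggers all three actions. The second run shows the two adjustments a site owner can make from the admin configuration without touching code: a higher mail threshold keeps the database log intact while cutting the e-mail volume, and the wildcard (in this example only; the add-on's own list is exact names, so each real name would have to be listed) silences a family of harmless cookie names.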