celextel

PHP Intrusion Detection System for osCommerce


Celextel,

 

Yes, I'm still getting the error, which is

Fatal error: Class 'PDO' not found in /home/ior49618/public_html/catalog/includes/phpids/lib/IDS/Log/Database.php on line 170

 

The osc_phpids.php - yes I made the changes laid out in your documentation as well as setting line 75 to $show_result = 'true'; for the test.

 

My ISP is running PHP 5.2.5 on this host.

 

My application_top.php was as you've shown except that the

// include PHPIDS Module

include(DIR_WS_MODULES . 'osc_phpids.php');

was before the gzip compression section (because I don't have FWR Security Pro).

I moved it to follow the gzip bit, but the result is still the same.

 

Regards, Mark

 

1. We were getting an error when we put our code before the gzip compression code. Please put this after it.

 

2. Please upload the original osc_phpids.php without any modification and do the testing. As such we have not suggested any changes to osc_phpids.php. It is pre-configured and would pick up your configuration settings in the osCommerce automatically.


If you have an earlier version of PHP (5.0.x) will this contribution still work? What features would not be available?

 

This should also work in the earlier versions of PHP. We have not tested it in the earlier version. Please test and let us know.


Hi Celextel,

 

I uploaded the original osc_phpids.php file and still get the same result.

 

What I haven't mentioned which may be relevant is that I am running OSC under Joomla. The OSC part of the directory structure is www.iorarua.com/catalog/... which is where I've installed all the PHPIDS code. So, for instance, we have www.iorarua.com/catalog/includes/modules/osc_phpids.php.

 

Now, after the above test, before reverting to the original application_top.php so we can still use the site, I went to www.iorarua.com and got these errors at the top of the page.

 

Warning: include(/home/ior49618/public_html/plugins/system/oscommerce/modules/osc_phpids.php) [function.include]: failed to open stream: No such file or directory in /home/ior49618/public_html/catalog/includes/application_top.php on line 95

Warning: include() [function.include]: Failed opening '/home/ior49618/public_html/plugins/system/oscommerce/modules/osc_phpids.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/ior49618/public_html/catalog/includes/application_top.php on line 95

Warning: include(/home/ior49618/public_html/plugins/system/oscommerce/modules/banned_ip.php) [function.include]: failed to open stream: No such file or directory in /home/ior49618/public_html/catalog/includes/application_top.php on line 125

Warning: include() [function.include]: Failed opening '/home/ior49618/public_html/plugins/system/oscommerce/modules/banned_ip.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/ior49618/public_html/catalog/includes/application_top.php on line 125

 

If I then go to www.iorarua.com/catalog I get this:

 

1146 - Table 'ior49618_jo151.TABLE_BANNED_IP' doesn't exist

select ip_address from TABLE_BANNED_IP where ip_status='0'

[TEP STOP]

 

I checked my database and there is in fact a table "banned_ip" (as well as "phpids_intrusions")

 

Does any of this help?


Hi Celextel,

 

I uploaded the original osc_phpids.php file and still get the same result.

 

Warning: include(/home/.../plugins/system/oscommerce/modules/osc_phpids.php) [function.include]: failed to open stream: No such file or directory in /home/.../catalog/includes/application_top.php on line 95

Warning: include(/home/.../plugins/system/oscommerce/modules/banned_ip.php) [function.include]: failed to open stream: No such file or directory in /home/.../catalog/includes/application_top.php on line 125

 

Does any of this help?

 

The first error code shows that you do not have our 2 module files in the following paths:

/home/.../plugins/system/oscommerce/modules/osc_phpids.php
/home/.../plugins/system/oscommerce/modules/banned_ip.php

[Avoid giving the full paths in the forums.]

 

Make these module files available in these paths and the problem may be sorted out.

 

If not, you have to figure it out yourself as it is not difficult.

 

It would be difficult for us to guide you as to how to configure our module in the osc under Joomla as we are not using Joomla.

 

Alternatively, you could integrate PHPIDS directly with Joomla. Please go through following URL in regard to this:

http://www.h-online.com/security/features/Serendipity-Joomla-Drupal-746342.html


Hi Celextel,

 

I made those modules available in the indicated directory and got even more path-related errors.

 

Rather than go chasing my tail modifying paths, I think it would be prudent to take your second suggestion to back out and install PHPIDS under Joomla as this is my main front-end.

 

I'll let you know how I go with that.

 

Thank you for all your help ... much appreciated.

 

Regards, Mark


Hi Celextel,

 

Thank you for a great contribution.

 

I have a small issue that may be host related, not PHPIDS, but I'm not sure.

 

I get this error when running tests

 

500 Error - Internal Server Error
This error was caused due to an unexpected difficulty in fulfilling the user request. The most likely cause of this error is a crashed or error'd CGI script or program. Please verify that the program is properly compiled and/or operational and carry out any necessary debugging.
If you are not responsible for this resource, please send a bug-report to the address listed below describing your problem. Please include in the report the date, time, your e-mail address, the website on which this error occured and what you were attempting to do when this error occured. Your compliance is appreciated.

 

I get the e-mails - PHPIDS detects an intrusion attempt at ics-supply.com just fine

 

The PHPIDS Log Report is working listing all tests

 

The tmp directory and .txt file has 777 permission

 

On the second test the impact score is 36

 

I set the

$ip_ban_impact = 20;

to test but am not getting an automatic ban.

 

Running php 5.2.12

 

Thanks again for the contribution!


**UPDATE**

 

On test 2 I got banned after 4 tries.

 

The message

"If you feel you have reached this page in error, please Contact Us and provide your IP Address."

 

Directs you to the Contact Us page which I am now banned from :)


Hi,

 

I am thinking of installing this, but first need a little more info:

 

1) should I first remove the original IP Trap contribution?

2) Is this compatible with the Anti Hacker Account Mods Contribution by Spooks?

 

Thanks


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


>> 500 Error - Internal Server Error

This is not related to PHPIDS. You could create a support request with the web host to do the needful in regard to this [error handling].

 

>> On test 2 I got banned after 4 tries.

This should have happened at the first instance itself.

Perhaps this problem would get solved if the error handling is configured by the server admin properly.


1. Yes, IP Trap contribution is not needed and you could remove it before installing PHPIDS.

 

2. You could have PHPIDS along with Anti Hacker Account Mods Contribution by Spooks. There should not be any compatibility issues.


Thanks for the reply celextel.

 

I figured it was the host. This is my test account and the tech support should be called "your fault". I'll try with the host of my live shop.

 

Thanks again for the great contribution and for providing support!


Hello and thanks for your contribution; I have installed and testing and it is working great, THANKS!

 

I have just 1 small question.

I believe you said that your add on doesn't work with Anti-XSS but I'm reading your "read me" html

 

-Finally the ANTI Cross Site Scripting Attacks from Pixclinic on June 2008 is an easy to implement addon that will help your shop by adding a short and simple set of rules into the .htaccess file.

ANTI Cross Site Scripting attacks

http://addons.oscommerce.com/info/6044

 

should I install it? I mean should I add these lines to the .htaccess?


>> Anti XSS [XSS Shield]

PHPIDS would not work fully if you use this as some of the query strings get sanitized.

You do not require this if you use Security Pro as both of them have almost same functions.

 

That Read Me file quoted by us [in our Read Me HTML file] is of IP Containment and Management System.


Oh ok, thanks for your answer.


Hi again,

 

Install was a breeze - thanks for a great mod.

 

2 questions please.

 

1) when I get myself banned, the emails go to all email addresses on my site - where do I look at the email function?

 

2) when banned initially I get the correct Banned page, but then if I try to move around the site I get the following

Not Found

 

The requested URL /FILENAME_BANNED was not found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

Thanks



question 2)

tool/banned ip/ remove (your banned IP)


Hi,

 

Sorry I didn't explain well..

 

What I meant was that I was getting the error message rather than a page telling me I was banned, I know how to remove the ban.

 

Thanks



ok, sorry for that.


OK, I think I found an error.

 

In includes/modules/banned_ip.php

 

Change (at line 18) :

 

tep_redirect(tep_href_link(FILENAME_BANNED));

 

to:

 

 tep_redirect(tep_href_link('banned.php'));

 

It seems to work fine for me now.

 

Thanks

 

(Still have the duplicate email issue though)



Thanks for bringing this to our notice.

 

We have to add the following code at the end of includes/filenames.php, just before ?>

define('FILENAME_BANNED', 'banned.php');

 

Alternatively you could also correct the FILENAME_BANNED to 'banned.php' as you have done.

 

IP Containment and Management System does not generate any emails.

 

PHPIDS only generates emails during each intrusion.

 

Emails are sent to Store Owner "E-Mail Address" and also to the email id which you have set for "Send Extra Order Emails To". If you do want PHPIDS emails to the second one, change the following setting in includes/modules/osc_phpids.php

$mail_recipient = array(STORE_OWNER_EMAIL_ADDRESS, SEND_EXTRA_ORDER_EMAILS_TO);

 

to

$mail_recipient = array(STORE_OWNER_EMAIL_ADDRESS);


Thanks for the fast reply.

 

The contribution works so well, and the install was straightforward.

 

One small change I have made is that I have taken the HTML element of the "Blocked.php" file from the IP trap contribution and included it in the banned.php file, so now rather than a "plain" banned page people who get banned will get the banned page with "Stop" image and black and red text etc.

 

If anyone is interested I will post the code for the new banned.php here

 

Thanks



Hi Again,

 

The system is working great and has alerted me to a couple of intrusions?

 

However looking at these I think they may be something to do with Paypal?

 

the names are REQUEST.s_pers and COOKIE.s_pers and the values are a long string of numbers with s_favsn_paypalglobal_1= in the code.

 

They give me an impact score of 16

 

Is this something I need to worry about? Reading about this as best I can, is it something to do with a mozilla bug?

 

Thanks



Please find more info regarding this in the PHPIDS Forum at:

http://forum.php-ids.org/comments.php?DiscussionID=239

 

You need not worry about this. It seems to be a mozilla bug related to PayPal UK website.

 

If you get this frequently, you could add these as exception variables in the includes/modules/osc_phpids.php.

 

The updated code should be as follows:

$useExeptions = isset($useExeptions) ? explode('|', $useExeptions) : array('REQUEST.__utmz', 'COOKIE.__utmz', 'REQUEST.custom', 'POST.custom', 'REQUEST.comments', 'POST.comments', 'REQUEST.osCsid', 'COOKIE.osCsid', 'REQUEST.verify_sign', 'POST.verify_sign', 'REQUEST.s_pers', 'COOKIE.s_pers');


Thanks for That Celextel,

 

I have had this logged about 15 times today - so I have made the code changes you suggested.

 

Is there a quick way to clear the log?

 

Thanks



Hi,

 

Just installed on my second web-site and now I am getting the following error when trying to carry out the first test:

 

Fatal error: Class 'PDO' not found in /home/Username/public_html/includes/phpids/lib/IDS/Log/Database.php on line 170

 

Line 170 is

$this->handle = new PDO(

 

I have checked the installation several times and can't see where the error may be, so I have had to revert my application_top.php back to the pre-mod condition.

 

Thanks


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
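
Added example (not part of any post above and not the contribution's own code): the "Class 'PDO' not found" fatal error and the literal TABLE_BANNED_IP / FILENAME_BANNED values reported in this thread can both be caught by a preflight check run before osc_phpids.php is included. The function name phpids_preflight, the report strings and the 'mysql' driver default are assumptions; the constant names are the ones quoted in the thread.

```php
<?php
// Added example: preflight for the PHPIDS osCommerce module.
// phpids_preflight() and its messages are hypothetical, not contribution code.

/**
 * Return a list of problems that would break the module at runtime.
 * $requiredConstants: constant names the install is expected to have defined.
 * $dbDriver: PDO driver the database logger needs (assumed 'mysql' here).
 */
function phpids_preflight(array $requiredConstants, $dbDriver = 'mysql')
{
    $problems = array();

    // IDS/Log/Database.php instantiates PDO. If the extension is not compiled
    // in or not enabled, PHP stops with "Class 'PDO' not found".
    if (!extension_loaded('pdo') || !class_exists('PDO', false)) {
        $problems[] = 'PDO extension is not loaded';
    } elseif (!in_array($dbDriver, PDO::getAvailableDrivers(), true)) {
        $problems[] = "PDO is loaded but the '$dbDriver' driver is missing";
    }

    // On the PHP 5 hosts in the thread, an undefined constant evaluates to a
    // string of its own name. That is how "TABLE_BANNED_IP" ended up in the
    // SQL statement and "/FILENAME_BANNED" in the redirect URL.
    foreach ($requiredConstants as $name) {
        if (!defined($name)) {
            $problems[] = "constant $name is not defined";
        } elseif (constant($name) === $name) {
            $problems[] = "constant $name is defined as its own name";
        }
    }

    return $problems;
}

// Constructed demo: an install where only one of the two define() calls exists.
if (!defined('FILENAME_BANNED')) {
    define('FILENAME_BANNED', 'banned.php');
}
$problems = phpids_preflight(array('FILENAME_BANNED', 'TABLE_BANNED_IP'));

if ($problems) {
    // Log why the IDS was skipped instead of taking the storefront down
    // with a fatal error; an unprotected shop should be visible in the log.
    foreach ($problems as $problem) {
        error_log('PHPIDS preflight: ' . $problem);
    }
} else {
    // Safe to load the module, e.g.:
    // include(DIR_WS_MODULES . 'osc_phpids.php');
    error_log('PHPIDS preflight: all checks passed');
}
```

If the first check fails, the fix is on the hosting side (enabling the PDO extension and its MySQL driver), not in application_top.php.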
