celextel

PHP Intrusion Detection System for osCommerce


Hi

I have just installed this Add-On.

 

In Admin I select Tools, Banned IP. Then this is written on top of the page:

Warning: session_save_path() [function.session-save-path]: open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/customers/mysite.com/mysite.com:/var/www/diagnostics:/usr/share/php) in /customers/mysite.com/mysite.com/httpd.www/admin/includes/functions/sessions.php on line 165

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /customers/mysite.com/mysite.com/httpd.www/admin/includes/functions/sessions.php:165) in /customers/mysite.com/mysite.com/httpd.www/admin/includes/functions/sessions.php on line 102

 

I am also not able to Insert (Ban) an IP (a lot of warnings appear)

 

The same warnings appear when I select the menu PHPIDS Log. This menu does work OK though.

Any ideas?


You need to verify as to whether you have done the following:

Step-B: Admin

5. Important: Before going to the next step, browse admin/phpids_installer.php file after admin log-in. This installer would create the tables for PHPIDS Log and Banned IP. It would also insert the PHPIDS main configuration to database automatically. Delete this file after installation.

 

Check whether the TABLE_PHPIDS and TABLE_BANNED_IP exist in your MySQL db.


1. I did run the admin/phpids_installer.php. That file also gave the same warnings, but it also gave me the success-messages that the tables were created.

2. I have just re-checked the following:

The Banned IP I tried to insert does get inserted (in spite of all the warnings). I just had to re-load the page to see the results!

It works OK. After all, it's just "warnings", the code seems to work as it should.

3. I will later check the 2 MySQL-tables, to see if they are not exactly created as the phpids_installer.php told them to be.

 

So now it's not so critical. It would be nice to see my admin running without warnings.


We have this in 5 of our Live Shops and we do not have this type of problem in any of them. Check whether the tables have been created correctly.

 

Hope you have PHP 5 in your server. This would not work in PHP 4.


The problem is solved

The Add-on includes 3 files (admin/banned_ip.php, admin/phpids_installer.php and admin/phpids_report.php)

All 3 files have some error-reporting turned on.

 

Take a look at this:

<?php
/*
$Id: phpids_installer.php
PHP Intrusion Detection System for osCommerce
PHPIDS for osCommerce 1.6
Date: June 13, 2010
Created by celextel - www.celextel.com
Module to include PHPIDS into osCommerce to log and prevent intrusions
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com
Copyright © 2010 osCommerce
Released under the GNU General Public License
*/
error_reporting(E_ALL);
ini_set('display_errors', '1');

require_once('includes/application_top.php');

// create phpids table if it does not exist
mysql_query("DESC ". TABLE_PHPIDS ."");
if (mysql_errno()) {
mysql_query("CREATE TABLE IF NOT EXISTS ". TABLE_PHPIDS ." (
.....

 

The first 2 commands are

error_reporting(E_ALL);

ini_set('display_errors', '1');

 

I removed those 2 commands from the 2 files in my admin/ and now there are no more warnings.

As you also can see, the following command mysql_query("DESC ". TABLE_PHPIDS .""); will generate an error (if the table is not present in the db) hence giving me error/warning messages when executing.

Are any of the 2 commands needed, or may I just delete them both?


As such error reporting codes are not required. But we have kept them to find out the errors while testing at our end. It would also help you to trace the errors. Hiding errors does not solve the actual problem.

 

You need to make sure that you have set the correct folder path at:

Configuration > Sessions > Session Directory

in Admin.

 

Full path of the cache or tmp directory should be given here.

 

Make sure that this cache or tmp directory is writable [777].

 

Keep the error reporting code and correct this error.


My Cache was turned off.

I created the tmp directory (named it tmp and set permissions to 777), wrote the full path, and turned cache ON.

Now I can see files begin to appear in my tmp-directory = It works.

But I still get the warnings !

The problem is this command: ini_set('display_errors', '1');

I have not found this command in any other PHP-files. Are you absolutely sure you have this in your "normal" installation. It looks very much like something for debugging.

Edited by VAZ2121


Yes, we have this for debugging. You could remove it.

cache is different.

 

You have to set the full path in:

Configuration > Sessions > Session Directory


OK, thanks, I will remove this line. (In your next upload to the "contributions", remove the line in the 3 files - so others don't get confused - like me :-)

 

I have set the full path! It works fine.

 

Everything works 100% now

 

Thank you very much for your help. It's a great add-on (during the 4 days I have tried it, I have already captured 2 intruders - and banned them).

Thanks (again), you are doing a great job with this add-on.


Hi... I will soon see if this goes in the correct space, but have been reading through quite a few of these posts to find things similar and dissimilar and copying and pasting code to see if it gets rid of the issue before me.

I followed the installation process, uploading, I would believe, to the correct locations. CHMOD'd that folder and txt file, and under Step B - Admin number 5 all of this worked a charm, i.e. I see everything in admin/configuration and admin/tools with tables created in IP ban and PHPIDS log.

Step C & D (incidentally run FWR Security Pro) so made sure that the code was correct in catalog/includes/application_top.php

It was with the testing that I came unstuck. I entered both of the variables for both TEST 1 & 2 and when I pushed enter nothing changed. I still viewed my normal default cart screen or variables of it.

In the process of following steps to make my cart safe I have in fact renamed my admin folder. I am assuming (for I am NEW to this all) that this contribution can/does work with a renamed admin file? OR do I revert to calling it admin, reinstall the contribution and start again?

My cart is 2.2 vRC2a running on PHP version 5.2.5

I am going through the process of securing my cart, having read in a previous post that having PHPIDS, Security Pro, Site Monitor and htaccess codes are a good start (not too sure of what the htaccess codes are but one thing at a time)

Any help or guidance/direction would be greatly appreciated

 

kiwidownunder


PHPIDS would work irrespective of the admin folder name as it does not access any of the files in admin.

 

1. Make sure you have done the following:

Step-E: Testing

Set the Show Intrusion Result value to true in the admin settings.

 

2. Make sure you do not have any XSS shield codes in htaccess file.

 

3. If you still do not see any result while doing the testing, you need to see in the admin whether any log entries are created for those test attacks.

 

4. Enable error reporting by adding the following codes to your index.php:

error_reporting(E_ALL);

ini_set('display_errors', '1');

at the top after

<?php

 

5. If you get the following error message:

Exception: PDOException: could not find driver

 

You need to request your hosting provider to add PDO driver.

 

You could give them the following info regarding this:

Info regarding PDO driver is at the following URL:

http://forum.php-ids.org/comments.php?DiscussionID=284

http://dev.mysql.com/tech-resources/articles/mysql-pdo.html

 

PDO requires the object-oriented capabilities of PHP 5, so PHP 5.0 or higher is a prerequisite. The PDO extension ships with binary versions of PHP 5.1 and 5.2 and is very simple to implement on most operating systems.

 

Compiling PHP from source is the one sure way to customize PHP to your exact specifications and ensure that you have not only PDO but also the drivers you need. However, the package managers of most current Linux distributions make it easy to add support—if it's not already there. Under openSuSE (10.2) for instance, the php5-pdo module provides support for PDO and the php5-mysql module provides the PDO driver for MySQL. If you are already using MySQL with PHP you already have the PDO driver. You only need check that you have the PDO module loaded.


Hello, today I checked my banned IP page and found this IP: 127.0.0.1. It was banned by my system on 2010-08-21 at about 0230 hours. However on the PHPIDS log there was nothing corresponding to this, nor did I get an email notice about any type of intrusion.

I googled 127.0.0.1 and see it is something known as a loopback address. From what I read, this is basically something not to get worked up over.

Some snippets of what I read are:

127.0.0.1 is a reserved IP address corresponding to the host computer. Known as the loopback address, 127.0.0.1 is used whenever a program needs to access a network service running on the same computer as itself.

Anyway, I was wondering what, if anything, to do with the IP now on my banned IP list.

Thanks


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


Banned IP module also functions as a stand-alone module. Perhaps it has banned you when you were trying to access one of its protected folders. This might also happen when you use SiteMonitor.

 

Just leave that IP in the db and make it allowed so that it would not ban you again.
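A guard that keeps loopback, private and allow-listed addresses off an automatic ban list, which is the situation behind the 127.0.0.1 entry discussed above. This is an added example, not code from the add-on or from any post; `is_bannable_ip()` and `$neverBan` are hypothetical names and the sample addresses are constructed.

```php
<?php
// Added example. is_bannable_ip() and $neverBan are hypothetical names,
// not functions or settings of the Banned IP module.

/**
 * Decide whether an address may be placed on an automatic ban list.
 * Returns false for anything that is not a routable client address.
 */
function is_bannable_ip($ip, array $neverBan = array())
{
    // Reject strings that are not valid IPv4/IPv6 addresses at all.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Explicit allow list: the shop owner's address, a monitoring host, ...
    if (in_array($ip, $neverBan, true)) {
        return false;
    }
    // Loopback is how the server sees requests it makes to itself
    // (cron jobs, local monitoring scripts, a proxy on the same host).
    if (strpos($ip, '127.') === 0 || $ip === '::1') {
        return false;
    }
    // Private and reserved ranges are not Internet clients; a ban on one
    // usually hits the shop's own network or proxy.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Constructed sample addresses, not taken from any log in this thread.
$samples  = array('127.0.0.1', '::1', '192.168.1.20', '203.0.113.7', 'not-an-ip');
$neverBan = array('203.0.113.99'); // hypothetical allow list
foreach ($samples as $ip) {
    $verdict = is_bannable_ip($ip, $neverBan) ? 'may be banned' : 'never auto-ban';
    echo str_pad($ip, 16) . $verdict . PHP_EOL;
}
```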


I will do that. Thanks for the assistance.



Great add-on!! Quick question... when a customer checks out, their IP address is being reported as an intrusion. Is this normal?


Since I installed this add-on, the only time a customer checkout was flagged as an intrusion was when the customer added text to the checkout with the size he wanted, I think it was XXS (for extra extra small), plus a number and name to go on the product. I took it that the unusual combination of letters and numbers, all legitimate though, was read as a potential intrusion and that's why it was flagged. I chose to ignore that flag.



Yes, some comment strings were reported as intrusions. We need to ignore them. You could also include those variables under exclusions.

Edited by celextel


I'm having trouble with this

 

4. Upload this "phpids" directory to the osCommerce catalog/includes/ directory. If you upload this to some other directory, you need to change oscBasePath to this path in the includes/modules/osc_phpids.php file.

 

I found the oscBasePath in that file, but I'm not sure what I change it to. This is what it is before the change. do I change phpids/lib to something? I do not have a catalog folder. My main directory is in the public_html/dir folder...so, do I put it in that folder? It looked like most people don't put it there. So, where would I put it? Thanks!

 

$oscBasePath = DIR_WS_INCLUDES;
$basePath = $oscBasePath . 'phpids/lib/';

$mail_from_name = STORE_NAME;
$mail_from_email = STORE_OWNER_EMAIL_ADDRESS;
$mail_from = 'From: ' . $mail_from_name .'<' . $mail_from_email . '>';
$mail_recipient = array(STORE_OWNER_EMAIL_ADDRESS, SEND_EXTRA_ORDER_EMAILS_TO);
$mail_subject = 'PHPIDS detects an intrusion attempt at ' . $_SERVER['HTTP_HOST'];


You need not change anything here if you upload "phpids" to the includes directory. includes directory could be either under the catalog folder or directly under the website root.

 

If you upload this to some other directory, you need to change the $oscBasePath value to the new path.

 

Example:

$oscBasePath = '/public_html/';

 

Do not make any other changes.

Edited by celextel


Question on alerts, I had two alerts yesterday as follows:

 

REQUEST.BCSI-ACP

COOKIE.BCSI-ACP

 

Both for the same URL

 

I googled this and went to a post at the PHPIDS site, but the discussion was too technical for me to understand exactly what PHPIDS was flagging out. One poster said to another that that type of alert could be ignored.

 

Can you tell me why those actions were being flagged out by PHPIDS? The impact level was 7.

 

Thanks



You could ignore this as the impact score is not on the higher side. Some of the intrusion alerts by PHPIDS may not be actual intrusions. PHPIDS has got its own parameter for flagging certain requests as intrusions. We need to verify each of them.


Thanks for the follow up and I will ignore that alert. This was a new type of alert for me, so I was not sure. Thank you.



First of all thanks for a great contribution.

 

Installed the contribution ok and ran the installer script.

 

I have an issue when testing. I have performed test one ok without issue. The test has completed and my ip logged.

I cannot perform test 2. When I put the code into the main catalogue url I get the following error.

 

Internet Explorer cannot read this webpage format

 

a 406 page error is generated.

 

I have checked the code in case I have misplaced anything but it all seems ok.

 

Any help would be much appreciated

 

Regards Andy


Enable error reporting in your index file and see as to what error message you are getting.

 

If you get the following error message:

Exception: PDOException: could not find driver

 

Then PDO driver file is missing in the configuration. You have to request the web hosting provider to enable this.

 

Info regarding this is at the following URLs:

http://forum.php-ids.org/comments.php?DiscussionID=284

http://dev.mysql.com/tech-resources/articles/mysql-pdo.html
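The environment problems raised in this thread (PHP 5, the PDO MySQL driver, a Session Directory outside open_basedir, display_errors forced on in the three admin files, the installer left in place) collected into one read-only check. This is an added example, not part of the add-on or of any post; the function names and the sample session and admin paths are assumptions.

```php
<?php
// Added example: read-only preflight. Function names, the sample session
// directory and the admin path are assumptions, not part of the add-on.

/** True when $path lies inside an open_basedir entry (string check only, symlinks are not resolved). */
function path_allowed_by_open_basedir($path, $openBasedir)
{
    if ((string) $openBasedir === '') {
        return true; // no restriction configured
    }
    $path = rtrim($path, '/') . '/';
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        if ($entry !== '' && strpos($path, rtrim($entry, '/') . '/') === 0) {
            return true;
        }
    }
    return false;
}

function phpids_preflight($sessionDir, $adminDir)
{
    $findings = array();

    // The thread states the add-on needs PHP 5 and does not work on PHP 4.
    if (version_compare(PHP_VERSION, '5.0.0', '<')) {
        $findings[] = 'PHP ' . PHP_VERSION . ' is older than PHP 5';
    }

    // "PDOException: could not find driver" means this driver is missing.
    if (!extension_loaded('pdo') || !in_array('mysql', PDO::getAvailableDrivers(), true)) {
        $findings[] = 'PDO MySQL driver is not loaded';
    }

    // session_save_path() warns when the directory is outside open_basedir.
    if (!path_allowed_by_open_basedir($sessionDir, ini_get('open_basedir'))) {
        $findings[] = "Session directory $sessionDir is outside open_basedir";
    } elseif (!is_dir($sessionDir) || !is_writable($sessionDir)) {
        $findings[] = "Session directory $sessionDir is missing or not writable by PHP";
    } elseif ((fileperms($sessionDir) & 0002) !== 0) {
        $findings[] = "Session directory $sessionDir is world-writable; "
                    . 'other local users can create or delete files there';
    }

    // The three admin files named in the thread.
    $files = array('banned_ip.php', 'phpids_installer.php', 'phpids_report.php');
    $forced = '/ini_set\(\s*[\'"]display_errors[\'"]\s*,\s*[\'"]?(1|on)/i';
    foreach ($files as $file) {
        $full = rtrim($adminDir, '/') . '/' . $file;
        if (!is_file($full)) {
            continue;
        }
        if ($file === 'phpids_installer.php') {
            $findings[] = "$file is still present; the install steps say to delete it";
        }
        // display_errors prints warnings, including full server paths, into the page.
        if (preg_match($forced, (string) file_get_contents($full))) {
            $findings[] = "$file forces display_errors on";
        }
    }
    return $findings;
}

// Constructed paths: use your own Session Directory and admin folder.
$findings = phpids_preflight('/customers/mysite.com/mysite.com/httpd.www/tmp', __DIR__ . '/admin');
echo ($findings ? implode(PHP_EOL, $findings) : 'No findings') . PHP_EOL;
```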


Hi,

 

I have installed PHPIDS version 1.6. When I finished the installation I could not enter my website.

It displays the following message:

"

This page is not redirecting properly

Firefox has detected that the server is redirecting the request to this address in a way that will never end.

This problem is sometimes caused by disabling or refusing the receipt of cookies.

"

When I set the option 'PHPIDS Module' to False, it works fine.

That is, I can then go to my website.

Why?

 

Thanks!!

 

Rafa Alepuz
