celextel

PHP Intrusion Detection System for osCommerce


Hi again,

 

RE: Grant write access [chmod 777] to the "tmp" folder [phpids/lib/IDS/tmp] and also to phpids_log.txt log file which is inside the "tmp" folder.

 

My hosting has the "tmp" folder set to 755 and the phpids_log.txt log file set to 644.

It seems to be working fine with these settings. (writes to log file)

 

1. Should they be changed to 777?

 

Also regarding exclusions:

REQUEST.__utmz, COOKIE.__utmz

 

2. What are these for?

 

Thanks,

jk


You could leave the chmod setting as mentioned by you if PHPIDS is working fine.

 

PHPIDS was reporting these values [REQUEST.__utmz, COOKIE.__utmz] as intrusions when we first tested in our osCommerce based website by creating hundreds of log entries. These values may either be of basic osCommerce or of one of the contributions which we have installed.


We have not done much modification to banned.php as that contribution is of someone else. Your following suggestion seems to be a better option:

$ip_2ban_address = $_SERVER['REMOTE_ADDR'];

in lieu of

$ip_2ban_address = tep_get_ip_address();

We would also use this modified code in our websites. Hope this solves that issue. Thanks for your suggestion.

 

Based on what I read here, I have modified my banned.php file accordingly because the code change above is apparently a better way. I hope I correctly understood the concept.

I tested in my shop after modification and the banned.php activates when appropriate.

Thanks


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.
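Why keying the ban on `$_SERVER['REMOTE_ADDR']` matters, as an added example that is not part of the posts above or of the contribution's code. `header_trusting_ip()` is a hypothetical stand-in for any helper that prefers client-supplied forwarding headers (the thread does not show the body of `tep_get_ip_address()`), and the request arrays are constructed sample data.

```php
<?php
// Added example: a ban list should key on the TCP peer address.
// header_trusting_ip() is a hypothetical helper, assumed to resemble lookups
// that prefer proxy headers; it is not code from the contribution.

/** Returns the first value found in client-controlled headers, else the peer. */
function header_trusting_ip(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $key) {
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/** Returns the socket peer address, validated as an IP literal. */
function peer_ip(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '';
}

/** Ban check against an in-memory list (stands in for the banned-IP table). */
function is_banned(string $ip, array $banned): bool
{
    return $ip !== '' && in_array($ip, $banned, true);
}

// Constructed sample data: 203.0.113.7 (documentation range) is already banned.
$banned = ['203.0.113.7'];

$requests = [
    'plain request from banned peer' => ['REMOTE_ADDR' => '203.0.113.7'],
    'same peer, different forwarding header' => [
        'REMOTE_ADDR' => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.20',
    ],
    'same peer, header is not an IP at all' => [
        'REMOTE_ADDR' => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => 'www.example.test',
    ],
];

foreach ($requests as $label => $server) {
    // The header-based lookup changes with the request; the peer address does not.
    printf(
        "%-40s header-based: %-18s banned=%-3s | peer-based: %-12s banned=%s\n",
        $label,
        header_trusting_ip($server),
        is_banned(header_trusting_ip($server), $banned) ? 'yes' : 'no',
        peer_ip($server),
        is_banned(peer_ip($server), $banned) ? 'yes' : 'no'
    );
}
```

Behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address; in that deployment, read the forwarded header only when the peer is one of your own proxies.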


I had some activity in my shop last evening that has PHP IDS installed. If you could help me understand the results I'd appreciate that.

 

Apparently the url that caused PHPIDS was /account_history_info.php?order_id=496

Two actions occurred there: REQUEST.alpha and COOKIE.alpha

 

The "impact" scored 37.

 

Based on what occurred then, the visitor was taken to /banned.php

 

What caused that to happen involves a lot of text, I am not sure what is appropriate to put here though.

 

It starts with:

 

2648453f7149000089e4f34c29c9050065560000, RANDOM_ID=1f29b62ae4d14ab48b19062cba0bafa5, SiteDisplayed=&languageDisplayed=,

 

in the middle is:

 

LANCOMEAUTH=D5145B2191FB89DC157786991E8D2AC7EDB670CA5BB67F39E61410624922A5296624DE4EB756DF14DBD5598D570820A2AF5EA61225A055934ED2DC508120B9D5F8A8E4459F5C1FDDDEAD9D372460122DC08E796835DFE92355DEEEC19FEA9BD71F6A81575477F8C35E0BF9B461B0BF163AE85B07C229322A453479BE64D59443F7DAAEED57CCC74B97541E4EA79A25085A8A246A82CE61DB1C3E6D6279404BC0, UDMID=841451712, NETMIND_PERMSID=1539218442-1291756643

 

I have not seen anything like this before so on the side of caution I put the IP on the banned list.

 

The visitor came back a couple hours later and tried to access "/" with the same input and was taken to banned.php again.

 

I ran Site Monitor after I noticed this activity and no files in the shop were reported as modified in any way.

 

Can you help me understand what the visitor's intention was?

 

Thanks



Based on what I read here, I have modified my banned.php file accordingly because the code change above is apparently a better way. I hope I correctly understood the concept.

I tested in my shop after modification and the banned.php activates when appropriate.

Thanks

Yes, this code seems to be a better option.


This may be of a spider [may be a rogue spider]. Please check the IP for its country and its owner. You could also check the IP's credibility in Project Honey Pot.

 

We use KISS FileSafe at the following URL for monitoring the website files through a cron job:

http://addons.oscommerce.com/info/7546

 

KISS FileSafe seems to be better than Site Monitor.


Thanks for responding, Honey Pot states the IP is from the USA and there is no associated bad behavior from this IP. Perhaps the PHPIDs alert was for a benign reason after all. It is curious that the action that started this was from an account history inquiry on the site. That only should happen when a customer inquires of his/her own purchasing history.

Thanks again and I will look into KISS FileSafe.



Dear Forum, Just recuperating and getting my store back on line after a hack.

I have installed PHPIDS on osCommerce 2.2rc2a with everything testing out OK in admin.

When I get to test 1 the following appears.

Can you help with eliminating the error code at the bottom?

Cache on.

The 2 directories' permissions set to 777

SQL database sees and is reading the incursions.

Occurrences appear in admin phpids log.

Email works.

Except for the error everything appears to be working.

____________

 

Total impact: 8

Affected tags: xss, csrf

 

Variable: REQUEST.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/venetian/public_html/includes/modules/osc_phpids.php:199) in /home/venetian/public_html/includes/functions/sessions.php on line 102

__________________

 

When I try test 2 I get the following.

_____________

Forbidden

 

You don't have permission to access /admin/banned_ip.php on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

_____________

 

This is probably something to do with an add on I have added and not removed properly in the past but do not know where to look.

I have mainly been using .htaccess for this.

I deleted everything out of this file and still have the same results.

I added what I believe is the error reporting code to /index.php

 

error_reporting(E_ALL);

ini_set('display_errors', '1');

 

at the start prior to the above results but they do not show up on screen.

 

Your help would be appreciated if you have the time to assist.

 

Auzy Jack


1. Remove error reporting and set the Show Intrusion Result value to false and do the first test. If you are not getting any error message and if the log entries are getting created about the intrusion in db, then it is okay.

 

2. We are not trying to access /admin/banned_ip.php in Test-2. It should access banned_ip.php only. You need to make sure that you have gone through all the steps mentioned in the Read_Me.htm carefully.

 

Apart from this, you could also install KISS FileSafe at the following URL for monitoring the website files through a cron job:

http://addons.oscommerce.com/info/7546

__________________

celextel thank you for answering my post,

 

Your suggestion 1. worked no problem with test 1 threat registering in admin phpids log and emailing me the IP incursion.

As to part 2 I posted the wrong error message (sorry). The message I sent you was from when I tried to add an IP in admin tools banned IP.

 

Running test 2 I get the following error on screen.

 

Not Acceptable

 

An appropriate representation of the requested resource / could not be found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

_____________

 

I checked the read me text section again and believe that the files and folders are installed correctly.

(not the first time I have made a mistake though)

Previously I used cpanel to add an extra password to my /admin directory but that has been removed for over 24 hours and does not seem to have been the problem.

Reasenatanly added SecurityPro_1_0_2, IP Trap update, IP_C_M_S_1, htaccess Protection Scripts_as well as blacklist 2010 to htaccess prior to installing phpids as suggested in other forums in the past but only securityPro, part of the htaccess Protection Scripts_as well as part of the blacklist 2010 to htaccess remain installed.

As previously mentioned all entries other than the original .htaccess were temporarily removed entirely for phpids testing.

 

Does the error message above from test 2 suggest where I could head next?

Admin IP ban module set to false at present.

 

Kindest regards

Auzy Jack


You need to create a support request with your web hosting provider for doing the needful in regard to error handling.

 

We are quoting earlier replies regarding this issue in this thread itself:

--------------------------------------------------------------------------------

Page: 1

Posted 03 May 2010 - 08:07 AM

Just to clarify, no, that's not a 404 you're getting. It's a 406. The 404 comes from not having your own error document (e.g., /406.shtml) for error 406. It's stupid to configure Apache that way (report a 404 when it can't find your error handler), but that's how most servers have it. Read http://www.catskilltech.com/freeSW/SMF/faqs/index.html#errorpages

--------------------------------------------------------------------------------

Page: 8

Posted 29 October 2010 - 09:53 PM

After they do the needful in regard to the error handling, if you get the following error message:

Exception: PDOException: could not find driver

 

Then PDO driver file is missing in the configuration. You have to request the web hosting provider to enable this.

 

Info regarding this is at the following URLs:

http://forum.php-ids.org/comments.php?DiscussionID=284

http://dev.mysql.com/tech-resources/articles/mysql-pdo.html

--------------------------------------------------------------------------------


Hi Celextel,

 

During testing, had 2 "situations"

 

1. Trying to Insert a new IP (in admin/PHPIDS) and getting this:

Notice: Undefined variable: ipInfo in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 153

Notice: Trying to get property of non-object in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 153

 

The code referenced was:

$contents[] = array('text' => '<br />' . TABLE_HEADING_REASON . '<br />' . tep_draw_textarea_field('reason', 'soft', '40', '6', $ipInfo->reason));

 

CHANGED TO: (replaced $ipInfo->reason with ''

because there IS no reason yet - it's a new insert)

$contents[] = array('text' => '<br />' . TABLE_HEADING_REASON . '<br />' . tep_draw_textarea_field('reason', 'soft', '40', '6', ''));

 

Result: No more error/Notice for Insert new IP

 

 

2. Trying to Edit/Update existing IP (in admin/PHPIDS) and getting this:

 

Notice: Undefined variable: ip_status in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 53

 

The code referenced was:

if (tep_not_null($ip_status)) {

 

CHANGED: commented out

/* if (tep_not_null($ip_status)) {

tep_db_query("update " . TABLE_BANNED_IP . " set ip_status = '0' where id = '" . (int)$_GET['ipID'] . "'");

}

*/

 

Reasoning for commenting out:

The IP status can be toggled (not really part of the Update process in the right side box)

 

Result: No more error/Notice for Update IP

 

Having learned the hard way not to ASSume

Is there a reason for NOT changing the code that I'm unaware of?

jk


Please test without making any changes to the code.

 

Make sure you have gone through each of the steps mentioned under "Step-B: Admin" of our Read_Me File. You might have missed something.

 

Make sure your 'banned_ip' db table has the fields 'reason' and 'ip_status'. You need to verify and update the table or remove that table and do the re-installation.


celextel,

I have sent a ticket to my server regarding error handling, no response to date.

My server already has PDO and what appears to be the driver version.

Extracted from admin, tools, server info.

 

_______________________________________

PDO

PDO support enabled

PDO drivers sqlite, sqlite2, mysql

 

 

pdo_mysql

PDO Driver for MySQL, client library version 5.0.91

______________________________________

 

 

I'm still unable to input an IP in admin, tools, banned IP.

Waiting on server to get back.

 

Regards Auzy Jack


Hi,

 

Thanks for your rapid response.

 

Have rechecked Step B. All is in accordance with instructions.

 

Make sure your 'banned_ip' db table has the fields 'reason' and 'ip_status'.

Affirmative

and is being written to with your original code,

as well as, my slightly altered version.

 

I then put your original banned_ip.php back in admin

Tried to insert new IP

 

Result: (same as before)

 

Notice: Undefined variable: ipInfo in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 153

Notice: Trying to get property of non-object in public_html\RENAMED ADMIN FOLDER\banned_ip.php on line 153

 

IP Address Date & Time Reason

555.555.555.555 2010-12-16 07:15:36 testing insert

 

Next tried to Update IP

Result: same as before - white page (not finishing the page refresh)

Notice: Undefined variable: ip_status in public_html/RENAMED ADMIN FOLDER/banned_ip.php on line 51

 

Warning: Cannot modify header information - headers already sent by (output started at public_html/RENAMED ADMIN FOLDER/banned_ip.php:51) in public_html/RENAMED ADMIN FOLDER/includes/functions/general.php on line 265

 

I had to hit browser Back arrow to get back to admin page (banned_ip.php?ipID=12&action=edit)

Result: update was saved but generated error caused the above Notice & Warning on white page

 

IP Address Date & Time Reason

555.555.555.555 2010-12-16 07:15:36 testing update

 

Conclusion:

With

error_reporting(E_ALL);

ini_set('display_errors', '1');

 

Insert and Edit/Update DO WORK (save info) but

cause Error Notices:

Undefined variable: ipInfo ($ipInfo->reason) [for Insert]

Undefined variable: ip_status [for Update]

 

Please forgive me for being so obtuse, but

Are you saying when PHPIDS_for_osCommerce_1_6 is correctly installed/configured:

a. These error/notices should not be invoked

With

error_reporting(E_ALL);

ini_set('display_errors', '1');

 

b. It's ok to ignore Error/Notice because the data is being saved,

turn off error reporting, ini_set('display_errors', '0')

 

c. These variables are supposed to be initialized,

my copy of banned_ip.php (original download of PHPIDS_for_osCommerce_1_6) may be defective

 

d. None of the above

 

Thank you for helping me understand,

jk


celextel,

I received a response on my ticket with the service provider who sent a 406.shtml file for inclusion in my site.

On performing test no. 2. I receive the following message (Please note I have replaced my IP number with xxx).

 

(none)xxx.xxx.xxx.xxx/?test=%22%3E%3Cscript%3Eeval(window.name)%3C/script%3Ewww.venetianglass.com.auMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729)406

 

All it appears to tell me now is that I sent test and what is running on my browser.

 

Any Ideas?

 

I had another attack this morning from the Ukraine (second visit this week. Inserted his web address as his IP and get through a deny access 91.211.*.* in .htaccess)

impact 124.

Your phpids is definitely working with the new incursion logged and entered in the banned IP file.

 

Your time is appreciated.


You need to inform the hosting provider to configure the server correctly.


Yes, when PHPIDS_for_osCommerce_1_6 is correctly installed/configured, you would not get any errors.

 

We have this [original download of PHPIDS_for_osCommerce_1_6] in 5 of our Live websites working fine without any problem. We have kept the error reporting to identify the problems. You could turn that off, if you are unable to identify the problem and if the log entries are taking place.


Hi!

 

I've just installed the latest version (after removing the old one according to instructions) and I'm not sure it's working.

 

All installed and code checked to see if I'd done it correctly the first time, and on to the testing stage.

 

When I add "?id=1&test=">XXX" to the main index url, it simply takes me to a "page not found". Is this because either PHPIDS or FWR Security PRO (also latest update) is stripping out the "bad" code, or have I installed it incorrectly?

 

This is my main index page:

 

http://www.ariadnetheweaver.org/index.php

 

and what I was clicking on (after changing "Show Intrusion Result" to "true"

 

http://www.ariadnetheweaver.org/index.php?id=1&test=">XXX

 

simply gets me "the page cannot be found" generic error page.

 

I'm hoping this is good news.. but want to make sure I've not done something wrong (I've followed the instructions very carefully!)


If PHPIDS module file is not called before the module file of Security PRO (latest update), PHPIDS would not work as the query strings get sanitized. Both can co-exist if you move new Security Pro code just after the PHPIDS code in the application_top.php file.

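The ordering point made in the reply above, as an added example that is not part of the original thread and is not PHPIDS or Security Pro code. `toy_ids_detect()` and `toy_sanitize()` are hypothetical stand-ins for the two modules, and the request array is constructed from the test URL quoted in the thread.

```php
<?php
// Hypothetical stand-in for the detection module: reports which request
// keys carry characters typical of markup or SQL injection probes.
function toy_ids_detect(array $request): array
{
    $hits = [];
    foreach ($request as $key => $value) {
        if (preg_match('/[<>"\'`;]/', (string) $value)) {
            $hits[] = $key;
        }
    }
    return $hits;
}

// Hypothetical stand-in for the sanitizing module: drops every character
// outside a small allow-list, the way a query-string cleaner would.
function toy_sanitize(array $request): array
{
    $clean = [];
    foreach ($request as $key => $value) {
        $clean[$key] = preg_replace('/[^\w .:\/-]/', '', (string) $value);
    }
    return $clean;
}

// Constructed input: index.php?id=1&test=">XXX
$request = ['id' => '1', 'test' => '">XXX'];

// Order A: detection sees the raw request, sanitizing happens afterwards.
$hitsDetectFirst = toy_ids_detect($request);
$cleanA = toy_sanitize($request);

// Order B: sanitizing runs first, so detection only sees cleaned values.
$cleanB = toy_sanitize($request);
$hitsSanitizeFirst = toy_ids_detect($cleanB);

printf("detect then sanitize: flagged [%s], value passed on: %s\n",
    implode(', ', $hitsDetectFirst), $cleanA['test']);
printf("sanitize then detect: flagged [%s], value passed on: %s\n",
    implode(', ', $hitsSanitizeFirst), $cleanB['test']);
```

In both orders the application receives the same cleaned value; only the first order leaves a detection record that can be logged or used for banning.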

Hi

 

yes, I made sure that Security PRO is called after PHPIDS (I did say I read the instructions very carefully, and that's in there). Haven't changed that. I don't think that can be the problem. When I input ANY string of letters after the URL for testing, it just takes me to a page that says "that page doesn't exist", which I guess is good - I've checked that adding stuff to basket, using the search facility etc does still work.


If everything is okay, you would not get "that page doesn't exist". Please go through other posts in this thread. You need to inform the hosting provider to configure the server correctly for error handling.


Hi,

 

First I would like to thank everyone who contributed to this great contribution.

 

I'm trying to install this contribution, but at step B-5, after browsing to "admin/phpids_installer.php", I get the following error message.

 

Warning: Cannot modify header information - headers already sent by (output started at

"path to this folder and file" admin/phpids_installer.php:33)

in "path to this folder and file" admin/phpids_installer.php on line 133

 

And also in my admin panel there is no more functionality available, only menu items, nothing selectable.

 

I followed the instructions carefully, I'm working on a purchased template 2.2 Rc1 PHP 5.2.1.4

 

When replacing the modified file admin/include/boxes/tools.php with the original one I could get back my access to all the admin functionality.

 

When doing the tests, everything was working fine and was reported as expected.

 

But when I click on Banned IP in the control panel I get a 404 error and it's looking for FILENAME_BANNED_IP, same thing for the PHPIDS logs but this time it's looking for FILENAME_PHPIDS.

 

My question is can it be fixed from there or do I have to reinstall everything?

 

I think it was due to my admin/include/boxes/tools.php which I had to correct for the PHPIDS logs and Banned IP menu items to appear.

 

Help would be greatly appreciated.

 

Thanks.

 

Season's greetings.

 

Marc


Hi,

 

After restoring my site to the state it was before the first installation of PHPIDS, I have redone the installation with my corrected tools.php file.

 

But during install I got the same error message.

 

Warning: Cannot modify header information - headers already sent by (output started at

"path to this folder and file" admin/phpids_installer.php:33)

in "path to this folder and file" admin/phpids_installer.php on line 133

 

And this time the PHPIDS logs and Banned IP menu was complete and functional, all tests seem to be good.

 

But whenever I enable the PHPIDS module, I can't connect to my site from any IP address (it eventually fails because of too many redirections), my IP address is not in the Banned IP list.

 

Any help, would be appreciated.

 

Thanks.

 

Marc
