ogwinilo Posted January 22, 2010

I have just installed Sitemonitor on a new osCommerce installation and Sitemonitor picks up the following files as possibly infected:

includes/classes/nusoap.php
includes/modules/payment/paypal_standard.php
mynewadmin/includes/classes/nusoap.php

I wonder if I can just do away with them, since it would be difficult to pick out exactly what the problem is. I know I can do away with PayPal Standard since I'll be using PayPal's Express Checkout. What I'm not sure about are the other two: what's their function in the greater scheme of things? What would be the implications if I were to delete them?

Felix
chadcloman Posted January 22, 2010

The algorithm that searches for potential hacks is very simple: it just looks for the following strings in your files:

error_reporting(0)
base64_decode
<iframe

While these are cause for suspicion, some files actually use them and cause false positives. So here is what I suggest:

1) Check the files you list above, to see if they're legitimate.
2) If so, modify this file: catalog/admin/includes/functions/sitemonitor_functions.php

OLD CODE:

$excludeFileArray = array();
$excludeFileArray[] = 'sitemonitor_functions.php';

NEW CODE:

$excludeFileArray = array();
$excludeFileArray[] = 'sitemonitor_functions.php';
$excludeFileArray[] = 'nusoap.php';
$excludeFileArray[] = 'paypal_standard.php';

Check out Chad's News.
ogwinilo (Author) Posted January 23, 2010

Thanks, truly appreciated, will do.

> The algorithm that searches for potential hacks is very simple: it just looks for the following strings in your files:
>
> error_reporting(0)
> base64_decode
> <iframe
>
> While these are cause for suspicion, some files actually use them and cause false positives. So here is what I suggest:
>
> 1) Check the files you list above, to see if they're legitimate.
> 2) If so, modify this file: catalog/admin/includes/functions/sitemonitor_functions.php
>
> OLD CODE:
>
> $excludeFileArray = array();
> $excludeFileArray[] = 'sitemonitor_functions.php';
>
> NEW CODE:
>
> $excludeFileArray = array();
> $excludeFileArray[] = 'sitemonitor_functions.php';
> $excludeFileArray[] = 'nusoap.php';
> $excludeFileArray[] = 'paypal_standard.php';
germ Posted January 23, 2010

> Thanks, truly appreciated, will do

The PayPal file has this legitimate code which would cause a "false positive":

// remove headers from the signature
$signed = file_get_contents(MODULE_PAYMENT_PAYPAL_STANDARD_EWP_WORKING_DIRECTORY . '/' . $random_string . 'signed.txt');
$signed = explode("\n\n", $signed);
$signed = base64_decode($signed[1]);

I don't have a copy of the nusoap file.

If I suggest you edit any file(s), make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
germ Posted January 23, 2010

Allowing a file solely by name is not reliable. For instance, includes/classes/nusoap.php is probably a legitimate file, whereas images/nusoap.php would most likely be a hack file. I don't know if Site Monitor allows at least part of the path in the exclusion. That's Jack's baby, not mine. If it doesn't, it's not reliable in that respect. It's a very old hack trick to put a file named something you'd expect to see, but place it in a folder where it doesn't belong.
chadcloman Posted January 23, 2010

> I don't know if Site Monitor allows at least part of the path in the exclusion. That's Jack's baby not mine.

The Site Monitor code uses the file's basename, so all files with that name (regardless of location) are excluded from the check.
germ Posted January 23, 2010

> The Site Monitor code uses the file's basename, so all files with that name (regardless of location) are excluded from the check.

Hence, it is not reliable in that aspect of the program.
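The two exclusion behaviours discussed above, as an added example that is not Site Monitor's code or any poster's code: a scan for the three strings chadcloman lists, run over a constructed set of files, first with the basename exclusion that the suggested $excludeFileArray edit gives, then with a path-aware exclusion that skips only the known-good files. The function names, the $excludeBasenames/$excludePaths parameters and the file contents are assumptions constructed for the demo; the real nusoap.php and paypal_standard.php are not reproduced.

```php
<?php
// Added example, not Site Monitor's code: a string scan like the one described
// in the thread, run with two exclusion policies. Function names, the exclusion
// parameters and the file contents below are assumptions constructed for the demo.

// The three markers the thread says Site Monitor looks for.
const SUSPECT_STRINGS = ['error_reporting(0)', 'base64_decode', '<iframe'];

/** Return the suspect markers present in $content (case-insensitive), empty if none. */
function suspectStringsIn(string $content): array
{
    $hits = [];
    foreach (SUSPECT_STRINGS as $needle) {
        if (stripos($content, $needle) !== false) {
            $hits[] = $needle;
        }
    }
    return $hits;
}

/**
 * Scan every .php file under $root and return [relative path => markers found].
 * $excludeBasenames behaves like $excludeFileArray: a file with that basename is
 * skipped wherever it lives. $excludePaths skips only the listed paths (relative
 * to $root), so a same-named file in another folder is still scanned.
 */
function scanForSuspectStrings(string $root, array $excludeBasenames = [], array $excludePaths = []): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        if (in_array($file->getBasename(), $excludeBasenames, true)
            || in_array($rel, $excludePaths, true)) {
            continue;
        }
        $hits = suspectStringsIn(file_get_contents($file->getPathname()));
        if ($hits !== []) {
            $findings[$rel] = $hits;
        }
    }
    ksort($findings);
    return $findings;
}

// Constructed fixture: two legitimate files that happen to contain a marker, and a
// planted file that reuses a familiar name in a folder where it does not belong.
$root = sys_get_temp_dir() . '/sm_demo_' . bin2hex(random_bytes(4));
$fixture = [
    'includes/classes/nusoap.php' =>
        "<?php\nclass nusoap_base {\n    function decode(\$s) { return base64_decode(\$s); } // legitimate\n}\n",
    'includes/modules/payment/paypal_standard.php' =>
        "<?php\n\$signed = base64_decode(\$signed[1]); // legitimate EWP signature handling\n",
    'images/nusoap.php' =>
        "<?php\nerror_reporting(0); // planted file, constructed for the demo\n\$payload = base64_decode('');\n",
];
foreach ($fixture as $rel => $content) {
    @mkdir(dirname("$root/$rel"), 0700, true);
    file_put_contents("$root/$rel", $content);
}

// Policy A: exclude by basename, as the suggested $excludeFileArray edit does.
$byName = scanForSuspectStrings($root, ['nusoap.php', 'paypal_standard.php']);
// Policy B: exclude only the known-good paths.
$byPath = scanForSuspectStrings($root, [], [
    'includes/classes/nusoap.php',
    'includes/modules/payment/paypal_standard.php',
]);
echo "Basename exclusion reported: ", json_encode($byName), "\n";
echo "Path exclusion reported:     ", json_encode($byPath), "\n";

// Remove the fixture.
$rm = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($rm as $p) {
    $p->isDir() ? rmdir($p->getPathname()) : unlink($p->getPathname());
}
rmdir($root);
```

Run it with the php command-line binary. Under policy A the planted images/nusoap.php is skipped along with the real library because they share a basename, so nothing is reported; under policy B only the two known-good paths are skipped and the planted file comes back with the markers it contains. The path-aware list costs one extra array, which is the change germ is asking whether Site Monitor supports.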
tigergirl Posted January 23, 2010

Don't know if I missed something, but if you exclude a file from the Site Monitor check and the file does get hacked, you wouldn't know about it via Site Monitor. Doesn't that kind of defeat the purpose of Site Monitor?

I'm feeling lucky today......maybe someone will answer my post!
I do try and answer a simple post when I can just to give something back.
------------------------------------------------
PM me? - I'm not for hire
germ Posted January 23, 2010

> Don't know if I missed something but if you exclude a file from the site monitor check, if the file does get hacked, you wouldn't know about it via sitemonitor. Doesn't that kind of defeat the purpose of site monitor?

I believe it works on several levels, such as file size, last mod, etc. If exclusion by name also excludes it from the other checks, then the purpose is defeated.
chadcloman Posted January 23, 2010

> Don't know if I missed something but if you exclude a file from the site monitor check, if the file does get hacked, you wouldn't know about it via sitemonitor. Doesn't that kind of defeat the purpose of site monitor?

This particular exclusion list is only for the "Check for Hacked Files" operation. The primary purpose of Site Monitor is to check for modified files, which is not affected by this exclusion list.
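The "modified files" level of checking that germ and chadcloman refer to, as an added example that is not Site Monitor's code: a baseline of size, mtime and SHA-256 per file is recorded once, and a later run is compared against it so that an edited, added or deleted file is reported regardless of its name or whether the string scan excludes it. The function names, the fixture files and the simulated changes are assumptions constructed for the demo.

```php
<?php
// Added example, not Site Monitor's code: a baseline-and-compare check for modified
// files, the other level of checking the thread contrasts with the string scan.
// Function names and the fixture files are assumptions constructed for the demo.

/** Record size, mtime and SHA-256 for every regular file under $root. */
function buildBaseline(string $root): array
{
    $baseline = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        $baseline[$rel] = [
            'size'   => $file->getSize(),
            'mtime'  => $file->getMTime(),
            'sha256' => hash_file('sha256', $file->getPathname()),
        ];
    }
    ksort($baseline);
    return $baseline;
}

/**
 * Compare a stored baseline with a fresh one. The content hash decides whether a
 * file is "modified"; size and mtime are recorded for the report but not trusted,
 * because touch() can reset mtime and padding can preserve size.
 */
function diffBaselines(array $old, array $new): array
{
    $report = ['added' => [], 'removed' => [], 'modified' => []];
    foreach ($new as $rel => $meta) {
        if (!isset($old[$rel])) {
            $report['added'][] = $rel;
        } elseif ($old[$rel]['sha256'] !== $meta['sha256']) {
            $report['modified'][] = $rel;
        }
    }
    foreach (array_keys($old) as $rel) {
        if (!isset($new[$rel])) {
            $report['removed'][] = $rel;
        }
    }
    return $report;
}

// Constructed fixture, with the baseline stored outside the monitored tree.
$root = sys_get_temp_dir() . '/sm_baseline_' . bin2hex(random_bytes(4));
$files = [
    'includes/classes/nusoap.php'  => "<?php\n// legitimate library, excluded by name from the string scan\n",
    'includes/application_top.php' => "<?php\n// bootstrap\n",
    'admin/old_backup.php'         => "<?php\n// to be removed\n",
];
foreach ($files as $rel => $content) {
    @mkdir(dirname("$root/$rel"), 0700, true);
    file_put_contents("$root/$rel", $content);
}
$baselineFile = "$root.baseline.json";
file_put_contents($baselineFile, json_encode(buildBaseline($root)));

// Simulate three changes between runs:
// 1) edit the file the string scan excludes, then reset its mtime so a
//    "last modified" check alone would not notice;
$target = "$root/includes/classes/nusoap.php";
$origMtime = filemtime($target);
file_put_contents($target, "// appended later\n", FILE_APPEND);
touch($target, $origMtime);
// 2) add a new file under a folder where the name does not belong;
@mkdir("$root/images", 0700, true);
file_put_contents("$root/images/nusoap.php", "<?php\n// planted, constructed for the demo\n");
// 3) delete a file.
unlink("$root/admin/old_backup.php");

$report = diffBaselines(
    json_decode(file_get_contents($baselineFile), true),
    buildBaseline($root)
);
echo json_encode($report, JSON_PRETTY_PRINT), "\n";

// Remove the fixture.
$rm = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($rm as $p) {
    $p->isDir() ? rmdir($p->getPathname()) : unlink($p->getPathname());
}
rmdir($root);
unlink($baselineFile);
```

The report lists includes/classes/nusoap.php as modified even though its mtime was put back, images/nusoap.php as added, and admin/old_backup.php as removed. Keeping the baseline outside the web root (or anywhere the web server cannot write) matters, since a baseline an intruder can rewrite proves nothing.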
tigergirl Posted January 23, 2010

> This particular exclusion list is only for the "Check for Hacked Files" operation. The primary purpose of Site Monitor is to check for modified files, which is not affected by this exclusion list.

I see, so yes, you'd still be aware of it through the other checks Site Monitor does. Thanks for explaining.
This topic is now archived and is closed to further replies.