The e-commerce.

Looks like the add-on is reporting an attack that has been thwarted.


You could ban the IP address using your htaccess file; pop this in Google:


Block a specific IP address from accessing your website





@ geoffreywalton


Hi Geoffrey,


Thank you very much for your reply. For the whole past week I can tell something has been going on with my website, but I have no idea how to check what they have done.


Several things I found very strange include:


1. When I add new addons, I tested in three others as well; the one where I got the PHP Intrusion warning had been changed back, while the other three test ones, which had no attack, remained the same.

   I deleted that complete catalog and reinstalled a backup one.

2. I had set up security by htpasswd, but it keeps saying that I had a wrong login attempt, and after 2 tries I was blocked and needed to wait another 5 minutes. I am pretty sure I had input the password correctly but it just kept telling me wrong password and blocking....

3. After I set up a new admin with a new password, I made sure I logged off, deleted the internet cookies, and refreshed; it showed that I had logged off completely.

   After a few hours or the next day, when I refresh the computer again, it just automatically logs me in and I don't even need to type in user and password.

4. I have a rental and a sale catalog under my domain, and both have the same problem as mentioned in 2 and 3.

5. Because strange things happened and there are PHP warnings every day, I installed the supertracker and who's online enhancement.

   I couldn't make who's online show any information, but with supertracker's last ten visitors, I can see I have a few visitors I never expected, such as from China, Africa, and Turkey.... From Google and also your reply in the other thread, I know that the China one is definitely the bad one (PHP intrusion warning as well...)


What should I do now?

How can I check what files have possibly been modified?


Many thanks in advance.













You mentioned that "You could ban the ip address using your htaccess file, pop this in google".


Can you please tell me how I can ban the IP using htaccess?

I have the addon "Secure your site with an IP Trap"; it allows me to ban an IP from admin, but I found that when I insert a new IP, it doesn't update the catelog/banned/IP_Trapped, and I have to manually type it into IP_Trapped.txt every time.


How can I pop it in Google?


What material or other websites are there where I can learn more about security (oscommerce security)?


Many thanks in advance.




Hi, I've checked the IP; in my case there are a lot of log entries showing that it is "COOKIE._pk_ref_12_45c0" or "REQUEST._pk_ref_12_45c0" - bolded numbers are changing. The IP seems to be an IP of a hosting service, or others are from my country, so probably it's generated by visitors. So could it be some problem with a PHP update or some cookie issue?


Best regards.




Go to Google and search for


Block a specific IP address from accessing your website


There is some info and links on securing your web site in my profile.












Hi Geoffrey,


Thank you very much for your reply. I will have a look at your profile information now.

PS. The supertracker addon on the sales site, like on the rental site before, has disappeared again. I have to delete it and recover a backup one!


And do you have any suggestions about why I cannot log off completely?

Every time I make sure I log off and even delete the cookies, but after a couple of hours or the next day, when I type in the admin login, it just automatically logs in without asking me for user name and password!!!


This is the supertracker result I get for today:

Customer IP Address/Country: (China) - Region: Beijing City: Beijing
Customer Browser: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
Customer Name: Guest
Referred By: Direct Access / Bookmark
Landing Page: /rental/rental.php?cPath=79&page=1&sort=2a
Last Page Viewed: /rental/rental.php
Time Arrived: 01/08/2013 01:46:26
Last Click: 01/08/2013 01:46:26
Time on Site: 0hrs 0mins 0 seconds
Number of Clicks: 1
Added to Cart: false
Completed Purchase: false

Customer IP Address/Country: (United States) - spider-199-21-99-94.yandex.com Region: California City: Palo Alto
Customer Browser: Mozilla/5.0 (compatible; YandexBot/3.0; http://yandex.com/bots)
Customer Name: Guest
Referred By: Direct Access / Bookmark
Landing Page: /rental/product_info.php?products_id=260
Last Page Viewed: /rental/product_info.php
Time Arrived: 01/07/2013 18:28:11
Last Click: 01/07/2013 18:28:11
Time on Site: 0hrs 0mins 0 seconds
Number of Clicks: 1
Added to Cart: false
Completed Purchase: false

I suspect you clicked on remember my password at some stage.


Baidu is a Chinese spider so if you do not sell to the Chinese you can block them.












Hi Geoffrey,


Thanks for the reply.


About the password thing, it really bothers me. Every time I log off, I double check: I go to IE/Tools/Options and delete the browsing history, I delete everything including passwords (and I did not ask the browser to remember the password), and it all shows me that I have logged off completely.


However, after a couple of hours or the next day when I touch the computer again and just type in the admin login.php, it doesn't ask me to type user name or password; I am automatically logged in to the admin backend....


I have installed site monitor, but honestly I don't really know how it works. I have PHP Intrusion and IP trap installed; I will try to install the virus threat scanner next.




VT will not stop the auto log in


If you use FF try this link




otherwise try something like this in Google


IE remember password disable





My customer has got this add-on installed but she says she is getting loads of emails every day; she said in the space of 3 hours she has had 20 emails from this add-on.


Is there a way to stop the emails being sent, or slow them down, or send them to a txt file instead?


Kind regards






Yes, if you read the first post in this thread, the action taken on detecting a threat is configurable.





Because I had the same problem as "elsantu", I am writing up my solution. I manually inserted the SQL entries, looking at the older osc 2.2 installation, and I got the phpids folder from the older version (v.0.6.4) of phpids because phpids.org is no longer available.




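CREATE TABLE IF NOT EXISTS `banned_ip` (
  `id` int(11) NOT NULL AUTO_INCREMENT, -- missing from the post; name taken from the INSERT below, type assumed
  `ip_address` varchar(15) NOT NULL,
  `ip_status` int(1) NOT NULL DEFAULT '0',
  `reason` tinytext,
  `created` datetime NOT NULL, -- missing from the post; name taken from the INSERT below, type assumed
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 COMMENT='Banned IP addresses that are not allowed to access website' AUTO_INCREMENT=378 ;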

INSERT INTO `banned_ip` (`id`, `ip_address`, `ip_status`, `reason`, `created`) VALUES
(65, '', 0, NULL, '2011-11-11 04:19:43');



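CREATE TABLE IF NOT EXISTS `phpids_intrusions` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT, -- missing from the post; required by the PRIMARY KEY, type assumed
  `name` varchar(128) NOT NULL,
  `value` text NOT NULL,
  `page` varchar(255) NOT NULL,
  `tags` varchar(128) NOT NULL,
  `ip` varchar(15) NOT NULL,
  `impact` int(11) NOT NULL,
  `origin` varchar(15) NOT NULL,
  `created` datetime NOT NULL,
  PRIMARY KEY (`id`)
); -- closing parenthesis was missing; table options are not shown in the post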



CREATE TABLE IF NOT EXISTS `configuration` (
  `configuration_id` int(11) NOT NULL AUTO_INCREMENT,
  `configuration_title` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  `configuration_key` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  `configuration_value` text COLLATE utf8_unicode_ci NOT NULL,
  `configuration_description` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  `configuration_group_id` int(11) NOT NULL,
  `sort_order` int(5) DEFAULT NULL,
  `last_modified` datetime DEFAULT NULL,
  `date_added` datetime NOT NULL,
  `use_function` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  `set_function` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
  PRIMARY KEY (`configuration_id`)
); -- closing parenthesis was missing; table options are not shown in the post

INSERT INTO `configuration` (`configuration_id`, `configuration_title`, `configuration_key`, `configuration_value`, `configuration_description`, `configuration_group_id`, `sort_order`, `last_modified`, `date_added`, `use_function`, `set_function`) VALUES
(491, 'Security Check Extended Last Run', 'MODULE_SECURITY_CHECK_EXTENDED_LAST_RUN_DATETIME', '1461007874', 'The date and time the last extended security check was performed.', 6, NULL, NULL, '2016-04-18 21:28:04', NULL, NULL),
(492, 'Sort Order', 'MODULE_BOXES_CATEGORIES_SUPERFISH_SORT_ORDER', '1002', 'Sort order of display. Lowest is displayed first.', 6, 0, NULL, '2016-04-22 13:50:45', NULL, NULL),
(493, 'English Title', 'MODULE_BOXES_CATEGORIES_SUPERFISH_FRONT_TITLE_ENGLISH', '', 'Enter the title that you want in the header in english. Leave this blank for no header or title.', 6, 10, NULL, '2016-04-22 13:50:45', NULL, NULL),
(494, 'PHPIDS Module', 'PHPIDS_MODULE', 'true', 'Enable PHPIDS', 888002, 1, NULL, '2016-05-04 22:08:05', NULL, 'tep_cfg_select_option(array(''true'', ''false''), '),
(495, 'IP Ban Module', 'PHPIDS_IP_BAN_MODULE', 'true', 'Enable IP Ban', 888002, 2, NULL, '2016-05-04 22:08:05', NULL, 'tep_cfg_select_option(array(''true'', ''false''), '),
(496, 'Show Intrusion Result', 'PHPIDS_SHOW_RESULT', 'false', 'Show Intrusion Results on Screen - Enable only during Testing.', 888002, 4, NULL, '2016-05-04 22:08:05', NULL, 'tep_cfg_select_option(array(''true'', ''false''), '),
(497, 'E-mail Log Impact Score', 'PHPIDS_MAIL_LOG_IMPACT', '8', 'Default is 8. Intrusion E-mails are sent when the Impact Score is greater or equal to this set value. You could change this to a lesser or higher value as per your requirement.', 888002, 6, NULL, '2016-05-04 22:08:05', NULL, NULL),
(498, 'DB Log Impact Score', 'PHPIDS_DB_LOG_IMPACT', '4', 'Default is 4. Intrusion logs are created in the database when the Impact Score is greater or equal to this set value. You could change this to a lesser or higher value as per your requirement.', 888002, 7, NULL, '2016-05-04 22:08:05', NULL, NULL),
(499, 'IP Ban Impact Score', 'PHPIDS_IP_BAN_IMPACT', '70', 'Default is 70. IP gets banned automatically when the Impact Score is greater or equal to this set value. You could change this to a lesser or higher value as per your requirement.', 888002, 8, NULL, '2016-05-04 22:08:05', NULL, NULL),
(500, 'Variable Exclusions', 'PHPIDS_EXCLUSIONS', 'REQUEST.__utmz, COOKIE.__utmz, REQUEST.custom, POST.custom, REQUEST.osCsid, COOKIE.osCsid, REQUEST.verify_sign, POST.verify_sign, REQUEST.s_pers, COOKIE.s_pers, REQUEST.enquiry, POST.enquiry', 'List of safe Variables to exclude from intrusion report. Separated by comma and space. Example: REQUEST.__utmz, COOKIE.__utmz<br>', 888002, 12, NULL, '2016-05-04 22:08:05', NULL, 'tep_cfg_textarea(');

and configuration_group


CREATE TABLE IF NOT EXISTS `configuration_group` (
  `configuration_group_id` int(11) NOT NULL AUTO_INCREMENT,
  `configuration_group_title` varchar(64) COLLATE utf8_unicode_ci NOT NULL,
  `configuration_group_description` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  `sort_order` int(5) DEFAULT NULL,
  `visible` int(1) DEFAULT '1',
  PRIMARY KEY (`configuration_group_id`)
); -- closing parenthesis was missing; table options are not shown in the post

INSERT INTO `configuration_group` (`configuration_group_id`, `configuration_group_title`, `configuration_group_description`, `sort_order`, `visible`) VALUES
(888002, 'PHPIDS', 'PHPIDS for osCommerce', 30, 1);

You should check the configuration_group_id value in the SQL structure of configuration_group, which must be unique. The value 8888002, in my case, shouldn't already be set in the configuration_group_id field; if this is your case, you must change it and the "auto_increment" value in the create table instruction line too. I hope I have explained it well. Please remember to delete phpids_installer.php as mentioned in the read_me file of the phpids addon.
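
An added example (not from any poster in this thread and not the add-on's own code) of triaging phpids_intrusions rows against the PHPIDS_EXCLUSIONS, PHPIDS_MAIL_LOG_IMPACT and PHPIDS_IP_BAN_IMPACT settings shown above, to see how many e-mails a threshold produces and which variables look like false positives, such as the changing _pk_ref_ cookies reported earlier. The rows are constructed, only three of the table's columns are used, and it assumes exclusions match variable names exactly and that thresholds are compared against each row's impact.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed sample rows: (name, ip, impact). IPs are documentation addresses.
SAMPLE = [
    ("COOKIE._pk_ref_12_45c0", "192.0.2.10", 9),
    ("REQUEST._pk_ref_12_45c0", "192.0.2.10", 9),
    ("COOKIE._pk_ref_7_9f1e", "192.0.2.23", 8),
    ("COOKIE._pk_ref_3_0ab2", "198.51.100.4", 9),
    ("GET.cPath", "203.0.113.77", 34),
    ("GET.cPath", "203.0.113.77", 72),
    ("POST.enquiry", "198.51.100.9", 12),
]

def load(rows):
    """In-memory table holding the phpids_intrusions columns used here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phpids_intrusions (id INTEGER PRIMARY KEY,"
               " name TEXT, ip TEXT, impact INTEGER)")
    db.executemany("INSERT INTO phpids_intrusions (name, ip, impact)"
                   " VALUES (?, ?, ?)", rows)
    return db

def parse_exclusions(setting):
    """PHPIDS_EXCLUSIONS is described as 'separated by comma and space'."""
    return {v.strip() for v in setting.split(",") if v.strip()}

def normalise(name):
    """Collapse the changing suffix of _pk_ref_ cookies (assumed pattern)."""
    return re.sub(r"(_pk_ref)_\w+$", r"\1_*", name)

def triage(db, excluded, mail_at=8, ban_at=70, min_ips=3):
    """Return (mail count, IPs reaching ban score, widely seen variables)."""
    seen, mails, bans = defaultdict(set), 0, set()
    for name, ip, impact in db.execute(
            "SELECT name, ip, impact FROM phpids_intrusions"):
        if name in excluded:          # assumption: exclusions match exactly
            continue
        seen[normalise(name)].add(ip)
        mails += int(impact >= mail_at)
        if impact >= ban_at:
            bans.add(ip)
    # A variable flagged from many unrelated IPs is more likely a tracking
    # cookie than an attack, so it is a candidate for review and exclusion.
    noisy = sorted(n for n, ips in seen.items() if len(ips) >= min_ips)
    return mails, sorted(bans), noisy
```

Running triage with the default thresholds and again with a higher mail_at shows how much of the e-mail volume comes from low-impact cookie hits before any setting is changed in the shop.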


