Sitemonitor Security contrib for osCmax 2.5

The testing and information here are based on the osCommerce Sitemonitor contrib v2.9 and svn osCmax 2.5beta as at 2011-03-11, with the knowledge that MS2 or RC2 is the core for osCmax v2.5.

Sitemonitor v2.9

(From the readme file with the osCommerce version)

SiteMonitor for osCommerce by Jack_mcs at oscommerce-solution.com

This contribution was developed for, and tested on, osCommerce MS2, RC2, 2.3, CRE and oscMax shops.

PURPOSE: If someone is able to hack into your site, they can alter your files, which can allow them to obtain your customers' information or other important information regarding your shop. I've seen this happen several times, thus the genesis of this contribution. This contribution will create a record of your files so that they can be checked at a later date. If any file has been added or deleted, or the size, timestamp or permissions changed, an email is sent to the shop owner listing those changes. The script can be run manually, but the best way to run it is to set up a cron job so that the files are checked automatically on a daily basis. It also has the option to check for known hacker-type code. Any files found with suspicious code in them will be displayed. It is up to you to determine if the files are listed because they have been hacked or not. This option just gives you a place to start looking. It is highly recommended that you get a complete backup of your shop on your computer. This makes finding and fixing problems much easier.


Before Installing

There are a couple of modifications required to v2.9 of Sitemonitor for compatibility with osCmax v2.5.

Layout issues and .css

In both sitemonitor_admin.php (line 213) and sitemonitor_configure_setup.php (line 352):

.css: check each file and replace the single-line .css reference with the osCmax .css settings.

<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
replace with

<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
<link rel="stylesheet" type="text/css" href="includes/javascript/jquery-ui-1.8.2.custom.css">
<script type="text/javascript" src="includes/general.js"></script>

Then in sitemonitor_configure_setup.php

The parameters for the function tep_draw_textarea_field have changed.

osC     function tep_draw_textarea_field($name, $wrap, $width, $height, $text = '', $parameters = '', $reinsert_value = true)
oscMax  function tep_draw_textarea_field($name, $width, $height, $text = '', $parameters = '', $reinsert_value = true)
The removal of the $wrap variable throws out the layout of the admin screen. Update all calls to tep_draw_textarea_field to remove the second 'wrap' value.

There are 3 entries in sitemonitor_configure_setup.php at lines 561, 570, 579

The change is just to remove the reference to 'soft' and the comma.

<td><?php echo tep_draw_textarea_field('exclude_list', 'soft', 60, 7, $switch['exclude_list'], 'class="smallText"', false); ?></td>

change by removing the space, the 'soft' and the comma after it

<td><?php echo tep_draw_textarea_field('exclude_list', 60, 7, $switch['exclude_list'], 'class="smallText"', false); ?></td>

Repeat for each of the lines in the same way.

Installation

The following steps are taken from the Sitemonitor v2.9 readme.txt file and edited for osCmax v2.5.

I left the Sitemonitor for osCommerce information intact so that the comparison can be made if required.


Step 1:

Copy all of the files included in the admin directory of this contribution to the admin directory of your shop. Only files intended for this contribution will be overwritten.

osCmax: the file /admin/includes/boxes/sitemonitor.php is changed to /admin/includes/boxes/security.php.

This provides a distinct Security menu option that can be used with other security-type contribs.


Step 2:

Add the following to admin/includes/languages/english.php anywhere before the last ?>

// sitemonitor text in includes/boxes/sitemonitor.php
define('BOX_HEADING_SITEMONITOR', 'SiteMonitor');
define('BOX_SITEMONITOR_ADMIN', 'Admin');
define('BOX_SITEMONITOR_CONFIG_SETUP', 'Configure');
define('IMAGE_EXCLUDE', 'Exclude');

osCmax 2.5: for the menu to be clear, change the text:

admin/includes/languages/english/core.php

// sitemonitor text in includes/boxes/sitemonitor.php
define('BOX_HEADING_SITEMONITOR', 'SiteMonitor'); //not used in osCmax 2.5
define('BOX_SITEMONITOR_ADMIN', 'Site Monitor Admin'); // used in the security menu
define('BOX_SITEMONITOR_CONFIG_SETUP', 'Site Monitor Configure');// used in the security menu
define('IMAGE_EXCLUDE', 'Exclude');

This can be anywhere in the file but must be before the last ?>


Step 3:

Add the following to admin/includes/filenames.php anywhere before the last ?>.

       
  define('FILENAME_SITEMONITOR_ADMIN', 'sitemonitor_admin.php');
  define('FILENAME_SITEMONITOR_CONFIG_SETUP', 'sitemonitor_configure_setup.php');
  define('FILENAME_SITEMONITOR_CONFIGURE', 'sitemonitor_configure.php');

osCmax added prior to last ?> as above.

// BOF: Site Monitor
  define('FILENAME_SITEMONITOR_ADMIN', 'sitemonitor_admin.php');
  define('FILENAME_SITEMONITOR_CONFIG_SETUP', 'sitemonitor_configure_setup.php');
  define('FILENAME_SITEMONITOR_CONFIGURE', 'sitemonitor_configure.php');
// EOF: Site Monitor


Step 4:

Add the following to admin/includes/column_left.php.

If your shop is BEFORE version 2.3, add this anywhere before the last ?>

  require(DIR_WS_BOXES . 'sitemonitor.php');

If your shop is AFTER version 2.3, add this before the first ?>

  include(DIR_WS_BOXES . 'sitemonitor.php');

For osCmax 2.5beta3 you need to make a change to \admin\includes\menu.php.

The very last section is filled out for a menu item called sitemonitor, which we want to change to reference security.php. There are two entries, shown here after the change:

<?php } ?>

<!-- SECURITY -->
<?php
  if (tep_admin_check_boxes('security.php') == true) { // was sitemonitor.php ?>
    <li>
      <a href="#">Security</a>
        <ul>
           <?php require(DIR_WS_BOXES . 'security.php'); // was sitemonitor.php ?>
        </ul>
    </li>
<?php } ?>

<!-- END OF MENU -->

Once this is done you need to set the file security.

admin page Administrator→File Access

Select the Security line which is automatically triggered from the file being found in the includes/boxes directory

Click the green light to enable it

Note: the Security menu item will appear at the right hand side now but will be empty until you 'store files'.

Select Store Files. From the drop-down list select only:

sitemonitor_admin.php
sitemonitor_configure_setup.php

The other files can be safely ignored as they do not get run by the admin console.

Note: check that the files that need to be written to have file permissions that allow the web application to write to them.

This will vary depending on your server config. This is where Check Permissions might come in handy ;-)


Step 5:

Go to admin→Sitemonitor→Configure, set up the various settings and click Update.

osCmax 2.5beta3

Go to admin→Security→Site Monitor Configure

Note that selecting Site Monitor Admin will look very similar to the Site Monitor Configure until you have saved the config for the first time, because Admin calls config if it's not set up.

Site Monitor Admin will display an error the first time you run it.

Something like this will appear at the top of the screen.

“Your username is invalid. Please change it and try again.: System → /home/your_site_directory/from_your_osCmax_config/ - SiteMonitor → /home/username/public_html”

The System directory will be the default path for your osCmax store.

The Site Monitor path defaults to /home/username/public_html, and the error message “Your username is invalid.” really means that the value of the path in the Site Monitor is incorrect. This is because it is not a valid path.

The message could read “please update the default path for your store in the Start Directory field”.

There are 3 values that you should set that are not set by default:

To: Email address that the SiteMonitor email will be sent to.
From: Email address that the SiteMonitor email is sent from (useful for multiple shops).
Start Directory: Usually the root of the shop. Using a different location may not result in the best results. (As above)

Once these fields are set, scroll to the bottom of the page and click Update.

This ends the osCmax-specific information; everything after this should be generic.


Step 6:

Go to admin→Sitemonitor→Admin and click the top button.

A message should be displayed saying that the file was run for the first time.

Then click on the second or third button to actually run a test.

A “No mismatches found” message should be displayed.

If not, something is wrong with the installation.

That's it. When the script is run again, either manually or via cron, any differences will be emailed to you.
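
The record-and-compare check that SiteMonitor performs, sketched as an added Python example (not SiteMonitor's code, which is PHP and is not shown on this page). It goes beyond the size, timestamp and permission attributes named above by also storing a SHA-256 hash, which catches a same-size edit whose timestamp has been put back; the function names and the constructed index.php sample are assumptions.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root, exclude=()):
    """Record size, mtime, permission bits and SHA-256 for each file under root."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directory names so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in exclude]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not hashed
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            records[os.path.relpath(path, root)] = {
                "size": st.st_size, "mtime": st.st_mtime_ns,
                "mode": stat.S_IMODE(st.st_mode), "sha256": digest}
    return records

def compare(baseline, current):
    """Return files added, deleted, and changed (with the fields that differ)."""
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        fields = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if fields:
            changed[rel] = fields
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)), "changed": changed}

def demo():
    """Constructed sample: edit a file in place, restore its timestamp, diff."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.php")
        with open(page, "wb") as fh:
            fh.write(b"<?php echo 1; ?>")
        baseline = snapshot(root)
        st = os.stat(page)
        with open(page, "wb") as fh:
            fh.write(b"<?php echo 9; ?>")  # same length as the original
        os.utime(page, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In the constructed sample only the hash field differs, so a comparison limited to size, timestamp and permissions would report no mismatch for that file.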


TO RUN AS A CRON JOB

This is optional but recommended so that you are automatically notified of activity on a regular basis.

If you don't want to have to run it each time to check for differences, you can set up a cron job to have the script run automatically. This is not required but is the preferred way. The following explains how to do this. Your host has to have this feature enabled.

To set up the cron jobs, add the following as the cron command to run the normal file check code:

 php /home/username/public_html/catalog/admin/sitemonitor.php?instance=X

where X = the number of the sitemonitor configure file to be used,

and create another cron job to run the hacker test code using this:

php /home/username/public_html/catalog/admin/sitemonitor_hacker_cron.php

Note that you need to change username to your username and the path to the sitemonitor.php file must be correct. Also, some hosts require a different syntax for the command. Ask your host if you run into problems.

There should also be settings for Minute, Hour, Day, Month and Weekday. If you place an asterisk (*) in these fields, then it means any time at all. If a number is placed in that field, it means just that one time. For example, if you place a 10 in the minute field and a * in all of the other fields, the job will be run every hour of every day at 10 past the hour. Now, if you replace * in the hour field with a 12, the script will be called every day at 12:10.

In my experience with hacker changes, they seem to prefer changing the files in the early morning hours (2 - 5 AM) so I suggest running the cron job around 5 or 6 AM. When they will make changes is, of course, unknown, but the closer you can get to it, the less time the changed files will be on the server. You can run more than one cron job to reduce that even further if you want. But that increases server load so you have to decide which is best in your situation.

If you have a large site, the script might time out before all of the files are checked. When, or even if, that timeout occurs will depend upon your server. If you find that the script is not completing, then you may need to exclude some directories. This can be done in the admin→Sitemonitor→Configure section.


OPTIONAL VERSION CHECKER

Install the Version Checker contribution. This is not required but will allow you to see at a glance if the version of Site Monitor is up-to-date. All that is needed to install Version Checker is to download the latest version from here:

http://addons.oscommerce.com/info/7148

extract the files and upload them to your server. There is an option in admin→Configuration→Version Checker to make version checking automatic, once that contribution is installed.


USAGE NOTES

- If the script times out when first run, it is probably due to a large number of files in your account and/or a server with a load timeout value set. To get around that, change the url to

http://YOUR_DOMAIN_NAME/YOUR_ADMIN/sitemonitor_configure_setup.php?override=1

and press enter. That will allow the configure section to load so that more files can be excluded.

- If SiteMonitor will only run if you exclude directories and you want to check all of them, use the “instance” option. Think of an instance as a separate job to run. In the Configure section you can setup any number of instances, each with its own set of rules. In the Admin section, you can select which instance to run (see above for setting up a cron job for different instances). Using this method of multiple instances, you will be able to monitor all of your files.

- The hacker test lists files that “may be” hacked files. The hackers use code that is legitimate in some oscommerce files so it is not possible to say for sure if the file found is infected or not from within the program. If you are in doubt, compare your file with a known good one.

- In general, a hacker will usually add their code at the very beginning (first or second line) or the very end (last line) of a file. That is because if they add it in the middle, they can't be sure it will work since the code they insert it into may be conditional code. This isn't a hard and fast rule but it is almost always the case, in my experience. So if you see a file in the hacker test list and the line number is greater than 2 and less than the total number of lines in the file (you would need to click on the file name to verify that), then the file is probably OK.

- Most hacking attempts seem to occur in the early morning hours (2 AM to 5 AM). This is not, in any way, a rule since hackers can attack at any time. But it seems to be the case the majority of the time. So I suggest setting up the cron job to run around 6 AM in the hopes of catching any changes closer to when they occur.

- If SiteMonitor won't work, it may be that you are getting some error that your host isn't reporting. To try and override that, find this line in admin/sitemonitor_admin.php

     $handleErrors = false;

and change it to

     $handleErrors = true;

- If a message is displayed that says your images directory is not protected, download the latest version of oscommerce and copy the .htaccess file in its image directory to your images directory to fix that.
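
One way to apply the line-position rule from the hacker-test notes above when deciding which listed files to compare first, as an added Python example that is not SiteMonitor's code. The patterns and the three sample files are constructed for illustration; this page does not list the patterns SiteMonitor actually uses.

```python
import re

# Assumed patterns for illustration; SiteMonitor's real list is not on this page.
SUSPICIOUS = re.compile(r"base64_decode\s*\(|gzinflate\s*\(|\beval\s*\(", re.IGNORECASE)

# Constructed samples ('Li4u' is base64 for "..."), not taken from a real shop.
PREPENDED = ("<?php eval(base64_decode('Li4u')); ?>\n<?php\n"
             "require('includes/application_top.php');\necho 'ok';\n?>\n")
LEGIT = ("<?php\nrequire('includes/application_top.php');\n"
         "$blob = base64_decode($row['data']);\necho strlen($blob);\n?>\n")
APPENDED = "<?php\necho 'ok';\n?>\n<?php eval(gzinflate(base64_decode('Li4u'))); ?>\n\n\n"

def triage(text):
    """Return (line_number, 'edge' or 'middle') for each line matching SUSPICIOUS.

    'edge' means line 1, line 2 or the last line, the positions the usage
    notes describe as the usual place for inserted code.
    """
    lines = text.splitlines()
    # Ignore trailing blank lines so code appended before them still counts as last.
    while lines and not lines[-1].strip():
        lines.pop()
    last = len(lines)
    hits = []
    for number, line in enumerate(lines, start=1):
        if SUSPICIOUS.search(line):
            where = "edge" if number <= 2 or number == last else "middle"
            hits.append((number, where))
    return hits

def review_first(files):
    """Names of files with at least one 'edge' hit: compare these with a backup first."""
    return sorted(name for name, text in files.items()
                  if any(where == "edge" for _, where in triage(text)))

if __name__ == "__main__":
    print(review_first({"a.php": PREPENDED, "b.php": LEGIT, "c.php": APPENDED}))
```

The position only orders the review; a file with a "middle" hit is still confirmed by comparing it with a known good copy.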


IMPORTANT NOTE

There is a place in the configure file to load the username and password of admin. This is needed in order to allow curl to be used. But if the configure page is filled in while on a non-secure page, it is possible for someone to obtain that login information. Using curl is not required unless your server won't allow fopen to be used. In that case, you should enable ssl for your admin so entering this information is safe. Otherwise, the curl options in the sitemonitor_configure.php file can be ignored (set to blank spaces).


For discussion of the osCommerce version and any generic queries.

If you have any problems or questions, please see the support thread at:

http://forums.oscommerce.com/topic/221438-sitemonitor/

v2.5/sitemonitor.txt · Last modified: 2016/07/10 22:59 by jrr