PHPIDS Installation and Test Page

        Since my site is mostly a home-grown ghetto PHP CMS, I was interested in seeing what sort of attacks were being thrown against it. I found a project online called PHPIDS, and here are my notes on installing it, along with a list of recent attacks as reported by the IDS.

    1. First, download the PHPIDS from http://php-ids.org/downloads/ and extract it.

    2. I uploaded everything in the directory lib and below to my web folder.

    3. I'm a noob when it comes to MySQL, so I set up a new database in MySQL using the phpMyAdmin front end. The file lib\IDS\Log\Database.php describes how the DB has to be set up. What it amounted to for me was just creating the needed table with this SQL command:

CREATE TABLE IF NOT EXISTS `intrusions` (
    `id`      int(11) unsigned NOT NULL auto_increment,
    `name`    varchar(128)     NOT NULL,
    `value`   text             NOT NULL,
    `page`    varchar(255)     NOT NULL,
    `ip`      varchar(15)      NOT NULL,
    `impact`  int(11) unsigned NOT NULL,
    `origin`  varchar(15)      NOT NULL,
    `created` datetime         NOT NULL,
    PRIMARY KEY (`id`)
) ENGINE=MyISAM;


    4. By default, the Config.ini file is in \lib\IDS\Config. This is where you set your database name, password, email address, etc. Obviously you don't want to leave it somewhere folks can just download it; in my case I moved it one folder up from the web root, where the PHP install could still get to it (see the note about paths in the next section) but a web browser hopefully cannot. I also set mine to ignore some Google cookies by adding this to the Config.ini:

exceptions[] = __utmz
exceptions[] = __utmc
exceptions[] = COOKIE.__utmz
exceptions[] = COOKIE.__utmc
exceptions[] = REQUEST.__utmz
exceptions[] = REQUEST.__utmc


    5. I then created the following stub file (idsstub.php) to initiate the IDS:

<?php
// Set where the relative IDS directory is (IDS parent folder), no leading or trailing slashes. Change this PATH.
$IDSLoc = "lib";
set_include_path(
    get_include_path()
    . PATH_SEPARATOR
    . $IDSLoc . '/'
);
/*
if (!session_id()) {
    session_start();
}
*/
// Make sure the line below is set to the right path. Change this PATH.
require_once $IDSLoc . '/IDS/Init.php';
try {
    // The request data PHPIDS will inspect. Each key becomes the "origin" of a match.
    $request = array(
        'REQUEST' => $_REQUEST,
        'GET'     => $_GET,
        'POST'    => $_POST,
        'COOKIE'  => $_COOKIE,
        'SERVER'  => $_SERVER["HTTP_HOST"],
        // Uncomment the next line if you want to check the user agent, but you may get a lot of false positives
        //'USERAGENT' => $_SERVER["HTTP_USER_AGENT"],
        // Header key must not have a trailing space; guard against clients that send no Accept header
        'ACCEPT'  => isset($_SERVER["HTTP_ACCEPT"]) ? $_SERVER["HTTP_ACCEPT"] : ''
    );
    // By default, the config is in an insecure place where it can be downloaded, I moved it one directory up from my root web folder. Change this PATH.
    $init = IDS_Init::init('/home/.giga/irongeek/Config.ini');
    $init->config['General']['base_path']     = dirname(__FILE__) . '/' . $IDSLoc . '/IDS/';
    $init->config['General']['use_base_path'] = true;
    $init->config['Caching']['caching']       = 'none';
    $ids    = new IDS_Monitor($request, $init);
    $result = $ids->run();
    if (!$result->isEmpty()) {
        //echo $result
?>
<div style="position:fixed; right:180px; bottom:10px; overflow:visible;" id="clippy">
<table valign="top" width="130" height="309" border="0" background="http://www.irongeek.com/images/clippy.png" cellpadding="10">
<tr><td valign="top"><font size="1">
&nbsp;Hello, according to <a href="http://php-ids.org/">PHPIDS</a> it looks like you are trying to pwn my site.
Would you like
<a href="http://www.irongeek.com/i.php?page=videos/owasp-top-5-louisville">some help with that?</a>
</font></td></tr>
</table> </div>
<?php
        // Log the detection to a file, by email and into the MySQL table from step 3.
        require_once 'IDS/Log/File.php';
        require_once 'IDS/Log/Composite.php';
        $compositeLog = new IDS_Log_Composite();
        $compositeLog->addLogger(IDS_Log_File::getInstance($init));
        require_once 'IDS/Log/Email.php';
        require_once 'IDS/Log/Database.php';
        $compositeLog->addLogger(
            IDS_Log_Email::getInstance($init),
            IDS_Log_Database::getInstance($init)
        );
        $compositeLog->execute($result);
    } else {
        echo 'Alls good, in the hood.';
    }
} catch (Exception $e) {
    printf(
        'An error occurred: %s',
        $e->getMessage()
    );
}
?>


    Things you will want to note: there are several places where you will need to change a path so the stub knows where the files are; I've marked them in the code above with the comment "Change this PATH." Setting the right paths is the biggest pain, and sorry, but I can't help you with your personal install. Also, make sure you point the stub at wherever you put Config.ini. I've also changed some of the user-submitted data that the IDS checks: folks can potentially slip in attacks via the HTTP Accept or User-Agent header fields. I had to comment out my User-Agent check because it caused too many false positives. On mine, I set it to pop up an image like the following when folks try to attack my site:



It's fun to be a wiseass to attackers. All hail Clippy!!!

    6. On every page where I wanted to track attacks, I added the following line of PHP:

include ("idsstub.php");

In my case, I just put it in my footer.

    7. That's pretty much it. Check out my log below of the last 2000 detected attacks; mostly it's folks trying RFI (remote file includes):
<Had to take it down because of CPU load on my shared hosting provider>
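As an added example (not part of the original article, and not code from the PHPIDS project), here is a PHP script that reports on the `intrusions` table from step 3 with a handful of aggregate queries rather than listing every row, which is what makes a log like this cheap enough to serve from shared hosting. The DSN, username and password are placeholders; use the values from your own Config.ini. The impact threshold of 20 is an arbitrary starting point I chose for the example, not a PHPIDS default.

```php
<?php
// Added example, not part of the original article or of PHPIDS itself: a small
// report over the `intrusions` table created in step 3. The DSN and credentials
// are placeholders (assumptions); use the values from your own Config.ini.

$dsn  = 'mysql:host=localhost;dbname=phpids;charset=utf8';   // placeholder
$user = 'phpids_user';                                        // placeholder
$pass = 'CHANGE_ME';                                          // placeholder

$pdo = new PDO($dsn, $user, $pass, array(
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
));

// Look-back window in days: cast, bounded, and bound as an integer parameter,
// so request data is never concatenated into the SQL text.
$days = isset($_GET['days']) ? (int) $_GET['days'] : 7;
if ($days < 1 || $days > 365) {
    $days = 7;
}

/**
 * Run a prepared query that uses the :days placeholder and return all rows.
 */
function runReport(PDO $pdo, $sql, $days)
{
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':days', $days, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

/**
 * Print rows as an HTML table. Every cell goes through htmlspecialchars():
 * the `name` and `value` columns hold attacker-supplied input, so echoing
 * them raw would turn the attack log itself into a stored XSS sink.
 */
function printTable($title, array $rows)
{
    echo '<h3>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</h3>\n";
    if (!$rows) {
        echo "<p>no rows</p>\n";
        return;
    }
    echo "<table border=\"1\">\n<tr>";
    foreach (array_keys($rows[0]) as $col) {
        echo '<th>' . htmlspecialchars($col, ENT_QUOTES, 'UTF-8') . '</th>';
    }
    echo "</tr>\n";
    foreach ($rows as $row) {
        echo '<tr>';
        foreach ($row as $cell) {
            echo '<td>' . htmlspecialchars((string) $cell, ENT_QUOTES, 'UTF-8') . '</td>';
        }
        echo "</tr>\n";
    }
    echo "</table>\n";
}

// 1. Noisiest source addresses, with the highest impact PHPIDS scored for each.
printTable("Top source IPs, last $days days", runReport($pdo,
    'SELECT ip, COUNT(*) AS hits, MAX(impact) AS max_impact, MAX(created) AS last_seen
       FROM intrusions
      WHERE created >= NOW() - INTERVAL :days DAY
      GROUP BY ip
      ORDER BY hits DESC
      LIMIT 20', $days));

// 2. Which pages and which request parameters are being targeted, i.e. where to harden first.
printTable("Most targeted pages and parameters, last $days days", runReport($pdo,
    'SELECT page, name, COUNT(*) AS hits, ROUND(AVG(impact), 1) AS avg_impact
       FROM intrusions
      WHERE created >= NOW() - INTERVAL :days DAY
      GROUP BY page, name
      ORDER BY hits DESC
      LIMIT 20', $days));

// 3. The most recent high-impact events in full, for manual review. PHPIDS adds
//    up the impact of every filter that matched, so the threshold of 20 here is
//    just an arbitrary starting point to tune against your own traffic.
printTable("Recent events with impact >= 20, last $days days", runReport($pdo,
    'SELECT created, ip, page, name, value, impact, origin
       FROM intrusions
      WHERE created >= NOW() - INTERVAL :days DAY
        AND impact >= 20
      ORDER BY created DESC
      LIMIT 50', $days));
```

The table as created in step 3 only has its primary key, so on a busy site these GROUP BY queries scan every row; adding an index on `created` (and, if the IP report is the one you look at most, on `ip`) keeps the report cheap, which is the difference between a log you can leave up and one that has to come down because of CPU load. Keep the report page itself behind authentication: it is a list of every malicious payload ever sent to the site.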

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast