
Open Source Excellence Security Suite User Manual 

OSE Security Suite


User Manual 

Version: 2.0 (Previous OSE PHP Anti-Hacker Standalone)

Released Date: 03-Dec-2009

Manual Date: 18-Dec-2009

Author: OSE Security Team. security@opensource-excellence.co.uk

Copyright: Reproduction and redistribution of the document is disallowed without the
consent of the author.

Notes:

The OSE Security software series is an Open Source software series developed by Open
Source Excellence Team.

Licence: GPL V2, you can install it into UNLIMITED websites FOREVER! No License
Restrictions! No more IONCUBE!

After you buy the software, you can use it FOREVER (INDEFINITELY)

You can download all upgrades within 1 year.

You can receive our support within 1 year.


Table of Contents
1 Introduction
  1.1 What’s It?
  1.2 Contents in the Package
  1.3 Software Download and Support
2 Installation
  2.1 Upgrade from a Previous Version
  2.2 Fresh Installation
3 Configuration
  3.1 Basic Parameters
  3.2 File and System Audit
4 Activation and Test
5 Whitelisting Strings and Form Fields
  5.1 How to Whitelist a Program?
  5.2 How to Whitelist a Form Field?
6 Scan Files with the Virus Scanner
  6.1 Basic Configuration
  6.2 Scanning Files
  6.3 After Cleaning
  6.4 File Restore
7 Frequently Asked Questions
  7.1 Anti-Hacker FAQs: Which way is better to activate the Anti-Hacker?
  7.2 Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker?
  7.3 Anti-Hacker FAQs: How to Whitelist a program?
  7.4 Anti-Hacker FAQs: How to Whitelist a form field?
  7.5 Anti-Hacker FAQs: How to customize the blocking message on the ban Page
  7.6 Anti-Hacker FAQs: How to Update the Signature?
  7.7 Anti-Hacker FAQs: What if my user account is blocked?
  7.8 Anti-Hacker FAQs: What if my IP is banned?
  7.9 Anti-Hacker FAQs: How to set a password to protect a folder with .htaccess?
  7.10 Anti-Hacker FAQs: How to disable insecure functions for PHP environment?
  7.11 Virus Scanner FAQs: What if the scanner reports a false positive?
  7.12 Virus Scanner FAQs: What if the website is injected with c99 shell codes?


1 Introduction

1.1 What’s It?

The Open Source Excellence Security Suite is server-based software which provides
all-in-one protection for websites: it secures your private data, protects your
system files from malicious code and hacking attacks, and cleans viruses and infected files. It
combines the functions of Open Source Excellence Anti-hacker and Open Source Excellence
Virus Scanner, and hence offers the maximal protection for the websites.

It’s suitable for all kinds of websites, including online stores, small businesses, personal
websites, public institutes, etc. It’s easy to use and has a very friendly interface that you can
customize to your own needs. The application is able to provide advanced
protection for ALL PHP systems (for instance Joomla, VirtueMart, Magento, Drupal and
WordPress, etc).

The major technical features include:

- Double Firewall system providing Three Layers of protection:

Layer 1: Signature-based Detection System - detecting most common hacking behaviours.

a) Surface Scanning: once hacking behaviour is found, the activity and corresponding IP will
be banned immediately.

Layer 2: Pattern-based Intrusion Detection System - blocking all inbound malicious codes
and hacking activities, including network-, application-, and operating system-level attacks.

b) Scans and monitors all URL, Form Field and Cookie values.

c) If hacking is found and the Risk Score exceeds the secure level, the IP will be banned
immediately.

d) If Suspicious Hacking behaviour is found in Form Fields or Cookies, the
hacking strings in the Form / Cookies value will be stripped and sanitized.

Layer 3: HTTP BlackList System - dynamically linking to an HTTP blacklist database and
blocking access based on network masks or IP addresses.

e) Scans users' IPs: once an IP address is found in the HTTP blacklist, the access will be
blocked immediately.


- Two Types of reactions:

a) Ban + Email Alert: If the hacking triggers Layer 1 protection or exceeds the Risk Score in
Layer 2 protection, the IP will be blocked, and the alert email will be sent to the administrator.

b) Log + Email Alert: If the Risk Score of the suspicious behaviour is lower than the global
setting, the IP will be blocked for monitoring purposes, and the alert email will be sent to the
administrator.

- Embedded OSE Virus Scanner application providing on-demand scanning of your source
  code for malicious code injections, cleaning of the malicious code from the infected
  files, and generating complete scanning reports.
- Form Field Filtering Enabled - allowing users to filter the content of the form fields in
  order to prevent XSS attacks.
- Whitelist Setting Enabled – Unlike other security software which only provides an IP
  whitelist function, OSE PHP Anti-Hacker also provides the whitelist function for your
  programs and form fields, so that it gives you the flexibility to use a wide range of
  software while maintaining a high level of protection.
- Support for Search Engine Optimized Websites – providing protection while
  maintaining your page ranking.
- Instant email alerts to administrators once suspicious hacking behavior is logged.
- The application is developed on an Open Source PHP basis using the Model-View-Controller
  architecture. Therefore its functions can be easily extended to all Open Source PHP
  systems.

1.2 Contents in the Package

The package contains files which can be installed as a website platform on the server. After
installation, the Open Source Excellence Security Suite platform includes the following components:

- Anti-Hacker component – managing blacklist and whitelist IPs, whitelist strings and form
  fields list.
- Virus Scanning Class Files – A folder containing class files for the application, allowing
  you to protect other websites on the same server. This means that with one installation,
  you can use it to protect all other PHP systems on the same server.
- Virus Scanner – A component scanning and cleaning the website files on the same server.


- System Guard – A set of tools to help you change your system setting. It also includes a
  file audit system to audit files in the system of the OSE Security Suite platform.
- Updater – An upgrade component which allows you to keep the database of the virus
  definitions updated conveniently.

1.3 Software Download and Support

Please find the OSE Security Suite on our OSE website:
http://www.opensource-excellence.co.uk/index.php?page=shop.product_details&flypage=flypage_new.tpl&product_id=2&category_id=6&option=com_virtuemart&Itemid=157.

After you purchase the product, you can check and download the latest upgrade on our
OSE website in your “Download Area” after login at:
http://www.opensource-excellence.co.uk/index.php?option=com_osemsc&view=member&Itemid=145.

If you have questions regarding installation, configuration, or usage, please go to our
ticket system to raise a question: http://www.opensource-excellence.co.uk/tickets.

2 Installation

If you have a previous version of the OSE Security Suite installed and you intend to
upgrade it to the latest version, please only read section 2.1 and then use the Security Suite as
before. If you are a new user and going to make a fresh installation, please read all the
contents from section 2.2.

2.1 Upgrade from a Previous Version

1. Uninstalling previous components and plug-ins from the backend

Login to your Security Suite Back-end, and uninstall the Anti-Hacker component, Virus
Scan component, the Updater component and the System Guard component if any.


2. Installing new components and plug-ins

Go to your Security Suite Back-end, and install the new version of the Anti-Hacker
component, Virus Scan component, and the System Guard component in the Upgrade Folder
of the zip pack.

3. Uploading new files

Upload all files in the folder "Core Scanning Class Files" to your Security Suite Root
folder.

4. Testing

After finishing all above, please test if the update is successful by entering the following
link: www.yoursite.com/index.php?%20union.

2.2 Fresh Installation

Before you install the OSE Security Suite, please make sure that:

1. You have backed up your current website, including all files and the database, just in case
any accidents happen!

2. You are using a database that is specific for the Security Suite and is different from the
database for your current website! This means that you have at least two databases, one is for
your website, while the other is for the OSE Security Suite!

3. You are installing the OSE Security Suite into a folder that is different from your existing
websites!

After you confirm the above three requirements, we can start now:

1. Under your www or public_html directory, create a folder called "osesecurity" (or any
other name you prefer);

2. Upload the OSESecuritySuite zip pack to the folder "osesecurity";

3. Extract (Unzip) the zip pack;

4. Delete the OSESecuritySuite zip file after the files are extracted;

5. We can now start installing the software by accessing www.yoursite.com/osesecurity
(please replace "yoursite.com" with your website address and replace "osesecurity" with the
folder name you specified);

6. Then follow the installation pages step by step. Please choose English for your language.

7. Click Next to go through Step 2 and Step 3.

8. Enter your database setting as shown below.

9. Ignore the FTP setting.

10. In the Final setting page, first of all, please click the Install Sample Data button, which
will import the pre-set security setting for System Guard (which helps you improve the
security of the file system for the Security Suite).


11. Then enter your contact email address, and password for the Security Suite backend.

12. Click Next to the Finish page.

13. Delete the Installation folder in the Security Suite folder when you finish setting this up.
The installation folder is under your osesecurity folder (or something you specified) which is
named as "installation".

14. Load the Back-end page and login using your admin information.

3 Configuration

After installation, you need to properly configure the OSE Security Suite before activating
it.

3.1 Basic Parameters

Go to the component and the plug-in manager to configure the Anti-Hacker function
before first use.

1. Configuring Security Level of the Anti-hacker.


The Anti-Hacker Component introduces a 3-Layer protection system and a risk score policy.

A. Layer 1 Protection

The Layer 1 protection is on by default and any activity violating the Layer 1 rules will
be 100% blocked.

B. Layer 2 Protection

Under the Layer 2 protection, all violations will be scored from 1 to 100 according to their
potential harm level, based on which the Anti-hacker decides whether to block them. A
violation with a higher risk score is more likely to be a real hacking attack, and one with a
very low risk score has a high possibility of being a FALSE POSITIVE.

The Anti-Hacker function sets layer 2 protection off by default and it allows you to
switch it on and configure the appropriate security level which is suitable to your websites by
doing the following:

Please access the "Dash Board" of Anti-Hacker component (by going to the Security
Suite Backend --> Components --> Anti-Hacker), open the Parameters on your top right
corner, adjust the Security Level.

The security level of Layer 2 protection can be set from Level 1 to Level 10. A higher
security level indicates a stricter protection level. For Level n, the software will block all
violations with risk scores above (100-10*n). For instance, if you set the security level to 8, it
will block violations with scores larger than 20, and those under 20 will be only logged and
alerted by emails, but won't be blocked. Your websites can get full protection by setting the
security level to Level 10, at which all suspicious activity is blocked.


We recommend setting the Layer 2 protection to Level 7, which can protect your
websites very well and at the same time reduces the possibility of FALSE POSITIVE to a
quite low level. However, you can set the security level to any value to match your needs.
You may inspect the alert list over a period and find out the optimal level for your websites.
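
One way to act on the advice to inspect the alert list, as an added example that is not OSE code: it applies the manual's rule (Level n blocks risk scores above 100-10*n) to alerts you have already reviewed and reports, for each level, what would have been banned. The alert records are constructed sample data, and the function names and the "verdict" field (your own judgement of each alert) are assumptions of this example.

```php
<?php
// Added example, not OSE code. Applies the manual's Layer 2 rule
// (Level n blocks risk scores above 100 - 10*n) to reviewed alert history.

function ose_block_threshold($level)
{
    if (!is_int($level) || $level < 1 || $level > 10) {
        throw new InvalidArgumentException('Security level must be an integer from 1 to 10');
    }
    return 100 - 10 * $level;
}

// 'ban' = Ban + Email Alert, 'log' = Log + Email Alert.
// A score exactly on the threshold is not blocked ("above" in the manual).
function ose_layer2_reaction($score, $level)
{
    return $score > ose_block_threshold($level) ? 'ban' : 'log';
}

// For every level, count what would have happened to each reviewed alert.
function ose_level_table(array $alerts)
{
    $table = array();
    for ($level = 1; $level <= 10; $level++) {
        $row = array(
            'threshold'           => ose_block_threshold($level),
            'attacks_banned'      => 0,
            'attacks_only_logged' => 0,
            'false_pos_banned'    => 0,
        );
        foreach ($alerts as $alert) {
            $banned = ose_layer2_reaction($alert['score'], $level) === 'ban';
            if ($alert['verdict'] === 'attack') {
                $row[$banned ? 'attacks_banned' : 'attacks_only_logged']++;
            } elseif ($banned) {
                $row['false_pos_banned']++;
            }
        }
        $table[$level] = $row;
    }
    return $table;
}

// Strictest level that would not have banned any alert reviewed as a false positive.
// Returns null when even Level 1 would have banned one.
function ose_strictest_clean_level(array $table)
{
    $best = null;
    foreach ($table as $level => $row) {
        if ($row['false_pos_banned'] === 0) {
            $best = $level; // levels run 1..10, so the last hit is the strictest
        }
    }
    return $best;
}

// Constructed sample: risk scores copied from alert emails, verdicts added by hand.
$alerts = array(
    array('score' => 95, 'verdict' => 'attack'),
    array('score' => 80, 'verdict' => 'attack'),
    array('score' => 45, 'verdict' => 'attack'),
    array('score' => 35, 'verdict' => 'attack'),
    array('score' => 25, 'verdict' => 'false_positive'),
    array('score' => 12, 'verdict' => 'false_positive'),
);

$table = ose_level_table($alerts);
foreach ($table as $level => $row) {
    printf(
        "Level %2d (block > %2d): %d attacks banned, %d attacks only logged, %d false positives banned\n",
        $level,
        $row['threshold'],
        $row['attacks_banned'],
        $row['attacks_only_logged'],
        $row['false_pos_banned']
    );
}

$choice = ose_strictest_clean_level($table);
echo $choice === null
    ? "Every level would have banned a reviewed false positive; whitelist those first.\n"
    : "Strictest level with no false positive banned: Level $choice\n";
```

Each false positive that keeps the usable level low is a candidate for the whitelist described in section 5 rather than a reason to lower the level for all traffic.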

C. Layer 3 Protection

As shown in the above picture, you can configure the Layer 3 (HTTP BL) protection via
the same "Parameter" button. You can opt to turn on the Layer 3 protection by ticking "Yes"
and going to http://www.projecthoneypot.org/create_account.php to apply for an HTTP blacklist
key.

2. Next, we need to know how to whitelist a program and whitelist a form field, and then
whitelist proper strings and form fields to make the Anti-Hacker compatible with your
websites. This is one important feature of our Anti-Hacker, which allows you to have the
flexibility to use the Anti-Hacker function on any PHP platform. Please read section 5
Whitelisting programs and form fields on the following topics:

a) How to Whitelist a Program?

b) How to Whitelist a Form Field?

3. Other Configurations.

A. Please double check that the Plug-in "Authentication - Open Source Excellence
Authentication" is enabled. You can find it at "top menu -> Extensions -> Plugin Manager".

B. Please click on the Plug-in "Authentication - Open Source Excellence Authentication" to
open the options for it, and adjust the maximum login attempts that you set for backend users
(default value is 3). Change the value "Integrate with Anti-Hacker" from No to Yes.


After configuring the Anti-Hacker function, you can go to the next step to make the
System Guard Component perform "File and system audit" for your website.

3.2 File and System Audit

This section introduces how to do the file and system audit using the System Guard of
Security Suite. This includes:

- File permissions audit;
- System Configuration audit:
  • Ensuring you are using a non-default administrator username,
  • Setting passwords to protect your administrator folder,
  • Ensuring the configuration.php file is not writable.

In order to achieve this, we borrow functions from a popular Joomla component, GuardXT
(this can be downloaded for free from: http://www.joomlaxt.com/).

Step 1. Audit your files permissions

The System Guard (a modified version of GuardXT) has been installed, and the files of
the OSE Security Suite have been audited by default. However, ALL of your other websites
if based on a Joomla system are RECOMMENDED to INSTALL this tool to audit your files
as well.

Step 2. System Configuration Audit

After completing the file permissions checks, now we need to do the following steps:

Step 2.1: Ensuring you are using a non-default administrator username


If the super administrator's username "admin" is still being used, change it by clicking
the Change Now link in the "Default admin user active" row in System Guard.

Step 2.2: Set a password to protect the administrator

You can follow the instructions in the FAQs to set up a password: Anti-Hacker FAQs: How
do I set a new password to protect a folder with .htaccess?

Or go to your WEB HOSTING account control panel, check with your web hosting
company to see how you can SET A PASSWORD TO PROTECT A DIRECTORY, then
set a password to protect the whole OSE Security Suite folder. For example, if your
Anti-Hacker is installed in the folder called "home/XXXX/htdocs/osesecurity", please set a
password to protect this folder.

Step 2.3: Change the permission of the configuration file

Simply click the "Change Now" in the "Joomla Server Configuration Check" Section in
System Guard, and it will help you to change the permission of the configuration.php to be
un-writable.

Please note: If you use the recommended php.ini in System Guard, you may not be able to
install further plug-ins if you enable the "open_basedir" in php.ini.
If you would like to install further plug-ins, please temporarily remove that line in the php.ini,
and once you finish installing new plug-ins, add that line back to the php.ini.

We also recommend you to disable insecure functions for PHP environment. Please view
how to do it in the FAQs: How to disable insecure functions for PHP environment?

4 Activation and Test

There are three methods to activate the Anti-Hacker function. Before you perform one of
the activation methods, please notice: replace "/absolute_path_to_antihacker/" with the
absolute path of the Security Suite in the following text. The path should be the admin folder
under the root folder of Security Suite folder where you install the Security Suite, e.g.
"/public_html/osesecurity/administrator/".

First, please go to Components --> System Guard --> Version Checks, it lists the lines
for you to add to activate the anti-hacker.


Please use one of the following methods. We suggest using php.ini or .htaccess to
activate the anti-hacker in order to have server-wide protection.

A. Via the php.ini file

Activate the Anti-Hacker through php.ini: you can add the following line to the php.ini
file, and copy the php.ini file to the folder or system that you would like to protect:

auto_prepend_file=/absolute_path_to_antihacker/administrator/scan.php

B. Via the .htaccess file

If you are using Apache 1 and you want to use .htaccess to run anti-hacker, you can add
the following line to the .htaccess file, and copy the .htaccess file to the folder or system that
you would like to protect:

php_value auto_prepend_file "/absolute_path_to_antihacker/administrator/scan.php"

If you could not activate it through the above methods (even after reading the FAQs,
Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker?), please consult
your hosting company with regard to how to enable the auto_prepend function to activate it
through .htaccess or php.ini, because this will maximize the protection on your websites.

While you are waiting for the hosting company to sort out the above problem, you can
use the following method to activate the anti hacker temporarily:

C. Via the index.php file

In the Root folder of the system that you would like to protect, open the index.php, enter the
following code in the first line:

<?php require_once("/absolute_path_to_antihacker/administrator/scan.php"); ?>

After doing one of these activations, we can go to test the Anti-Hacker function. You can
test it using the url:

www.yoursite.com/index.php?%20union

Then you will be blocked. The screenshot of what your clients will see is as below. You
can customize the blocking message by the "Custom BanPage" function of the Anti-Hacker.


However, when you successfully login to the backend, sometimes you will find that
there is no IP being locked! Why???

That is because our plug-in may change the IP status from "hacking IP" to "suspicious
IP" if you can successfully enter into the back end. Then when you successfully enter the
Administrator login information, your IP would be removed from the blacklist automatically.
Therefore, in that case, you cannot find any blacklist IPs in the backend.

If you would like to see how the IP status changes, you can log in to phpMyAdmin
and watch it change, including after you log in to the backend successfully.

If the Anti-Hacker doesn't return the expected result, meaning the activation was not
successful, please read the FAQs carefully: Anti-Hacker FAQs: What if having difficulties in
Activating Anti-Hacker?

5 Whitelisting Strings and Form Fields

Since the OSE Security Suite is a common security platform, it only has a basic list of
whitelist programs. You may need to define more to make it compatible with your specific
systems, websites, and programs. This section introduces how to add more allowed-to-access
strings and form fields.

5.1 How to Whitelist a Program?

Although we have a long list of blacklist strings in the signature data file, sometimes it
is possible for the anti-hacker to report false positives. So what shall we do? Here are
the instructions to help you add a program to the whitelist.

WHITELISTING Request Fields and Cookies


We bring in a stronger protection which blocks all Request values and cookies between
your browser and the Anti-Hacker.

Example 1

When you encounter false positives like the following:

REQUEST.RokMiniNews={\"0\":{\"active\":5,\"element\":\"section-5\"},\"1\"}

where the violation is

Rule:
[(?:([ws]+([ws]+)[ws]+))|(?:(?<!(?:mozilla/d.ds))([^)[]+[[^]]+][^)]*))|(?:[^s!][{([][^({[]+[{([][^}])]+[}])][
s+",d]*[}])])|(?:")?]W*[)|(?:=s*[^s:;]+s*[{([][^}])]+[}])];)] [Detects self-executing JavaScript functions].

If you believe this is a FALSE POSITIVE (false alarm), please add the following strings
in the Whitelist Strings ONE BY ONE (generally the string before the “=” mark):

REQUEST.RokMiniNews

GET.RokMiniNews

POST.RokMiniNews

COOKIE.RokMiniNews

This will help you whitelist this program, so that the Anti-Hacker scanner will ignore
these strings in the future.

Example 2

For example, if you use sermon manager software, you might receive the following
errors:

Query String: option=com_sermon&task=playaudiofile&file=http://s3.aaa.com/v_81_20090315%20-%20hp


co .mp3&sermonid=67

Violation: Injection - [file=]

Anti-Hacker reports that this IP tries to hack your site using the "file=" command.
However, you are sure that this is an error. Now you can add the following strings to the
Whitelist Strings in the Anti-Hacker by clicking the "New" button on the Anti-Hacker -> White
List String menu:

task=playaudiofile

playaudiofile


After this, the anti-hacker will recognize the string as a whitelist string and will not
report the error to you any longer.

Example 3

For Virtuemart users, this is the whitelist. Please enter each line into the White List String
ONE BY ONE. For example, you should create a new whitelist string, enter
"pshop_mode=admin" into the form and save. Then create a new whitelist string
"/themes/default" and save, then move to the next one. After you finish adding the following
whitelist strings, you should have 5 new whitelist strings in the White List String list.

pshop_mode=admin

/themes/default

filename=resized

wz_tooltip.js

product_attributes.js

5.2 How to Whitelist a Form Field?

In order to maximize the protection, the Anti-hacker of Security Suite will scan and filter
the content of all form fields for suspicious hacking behaviours. Therefore, if you would like
to NOT scan or filter some form fields, you need to add the corresponding name of the form
field in the White List Form Fields list.

You may simply need to add the name of the form field into the Whitelist Form Field
List in order to skip scanning the content of this form field. For example, if the text field
in the contact form is named "text", you could add "text" as one form field
as follows:

Then save the record. The anti-hacker will NOT filter the content of this form field for
suspicious hacking behaviour. Please note that when the scanner sometimes reports FALSE
POSITIVE alerts, this function gives you more flexibility in the Anti-hacker filter rules
to fit your system.

6 Scan Files with the Virus Scanner

6.1 Basic Configuration

1. Find the absolute path of your Security Suite website by doing the following:

Go to Security Suite backend --> Global Configuration --> System -> System Setting -->
Path to Log folder


You can get the absolute path of the log folder. Then by removing the part "/log", you
will get the absolute path of the Security Suite website

a) Assuming that the absolute path of your Security Suite website log folder is:

home/demo/public_html/osesecurity/log

b) Then the absolute path of your other websites is:

home/demo/public_html/your websites/

c) Then the absolute path of the root folder of your server will be:

home/demo/public_html/

2. Entering the absolute path of the folder you would like to scan in OSE Virus Scanner:

(a) Go to Security Suite Components --> Anti-Virus --> Click the Parameter button on
your top right corner.

(b) Enter the Absolute path of the folder that you would like to scan.
Let's say the root folder ("home/demo/public_html/") here.

(c) Change the file extensions that you would like the Virus Scanner to scan.

(d) Then Save the parameter settings.


6.2 Scanning Files

1. After you click the Scan button, the scanner will start scanning files inside the folder you
specified in the parameters. The status bar of your browser will become busy.

2. At this stage, please do not close your Browser or operate the Virus Scanner before the
final result displays.

3. Scanning Results

(a) After Scanning the Files, the Scanner will report what files are infected in a list,
which looks like the following.

(b) 99% of the time the scanner reports real infected files, but in some cases it will report
false positives, because some files may use iframe inside their code, which matches one of
the suspicious patterns the scanner is looking for. To deal with false positives, we need to
add the file path to the whitelist
section. Please tick the files you are going to whitelist and then whitelist them as shown
above. Alternatively, you can also add files to the whitelist by inputting the absolute path of
the file in the Whitelist tab as shown below.


(c) After Adding all false reported files, go back to the Virus Scan and click the Scan
button to re-scan your folders. Now, only infected files will be reported. Under the result
reporting page, tick all infected files and click the “Clean” button to start cleaning all infected
files.

(d) IF YOUR SERVER ALLOWS THE WRITE PERMISSION FOR THE
COMPONENT, your files can be cleaned immediately and a backup file will be created in
the quarantine folder of the Anti-Virus. You can view the processing report via the Report tab.
Please see this screenshot:

(e) Custom scan. You are allowed to scan some of the files and folders using the custom
scan function.


6.3 After Cleaning

1. Comparing the Backup Files with the Cleaned Files, you may find the malicious codes
inside the file.

2. If you look at the Cleaned version, the malicious codes were all removed.

3. If you find that the file was reported as false positives because the codes that have been
removed are not malicious codes, please use the "Restore" function to recover the original
files and add the file to the Whitelist for next scan.


6.4 File Restore

You can get the original files back at any time you want. Click the Restore button under
the Virus Scan page and you will view the list of all cleaned files.

7 Frequently Asked Questions

7.1 Anti-Hacker FAQs: Which way is better to activate the Anti-Hacker?

There are three ways that you can activate the Anti-Hacker: 1. index.php; 2. .htaccess;
and 3. php.ini. Which one is better?

We recommend php.ini and .htaccess, because this will protect all PHP programs on
your website. There are usually two modes for a server that runs PHP programs: a) fast-cgi
and b) as an Apache module.

For websites running PHP as the Apache module, you can use .htaccess to activate the
Anti-Hacker. However, sometimes your hosting company runs it in fast-cgi mode, and
then if you activate it via .htaccess, you will get a 500 Internal Server Error. In this case,
you have to use the php.ini to activate the anti-hacker.

One more situation is that your hosting company is running both php4 and php5 in
fast-cgi mode, and in this case, usually you will need to use php5.ini to activate the anti-hacker.

These are all related to how the hosting company setup their server and PHP programs,
and we try to provide both methods to all our clients in order to help you activate it. Read
more in Section 7.2 if you have trouble in activating the Anti-Hacker.
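
The choice described in this FAQ can be checked from inside the folder you want to protect. The script below is an added example, not part of the OSE package: it prints the Server API, the loaded php.ini and the effective auto_prepend_file value, and names the activation method this FAQ recommends for that mode. The file name (for instance oscheck.php) and the function names are assumptions of this example.

```php
<?php
// Added example, not OSE code. Upload into the folder you want to protect,
// open it once in a browser, then delete it again.

// Activation method recommended in this FAQ for a given Server API name.
function ose_recommended_method($sapi)
{
    if (strpos($sapi, 'apache') === 0) {
        // "apache", "apache2handler", "apache2filter": PHP runs as an Apache module
        return '.htaccess (php_value auto_prepend_file ...)';
    }
    if (strpos($sapi, 'cgi') !== false) {
        // "cgi", "cgi-fcgi", "fpm-fcgi": php_value in .htaccess causes a 500 error
        return 'php.ini, or php5.ini where the host runs php4 and php5 side by side';
    }
    return 'unrecognised Server API: ask the hosting company, use index.php meanwhile';
}

// Build the report from plain values so the logic can be read without a web server.
function ose_activation_report($sapi, $iniFile, $prepend)
{
    $lines = array(
        'Server API:             ' . $sapi,
        'Loaded php.ini:         ' . ($iniFile ? $iniFile : '(none)'),
        'Recommended activation: ' . ose_recommended_method($sapi),
    );

    if ($prepend === false || $prepend === '') {
        $lines[] = 'auto_prepend_file:      not set, so php.ini/.htaccess activation'
                 . ' is not in effect for this folder';
    } elseif (basename($prepend) !== 'scan.php') {
        $lines[] = 'auto_prepend_file:      ' . $prepend . ' (set, but not to scan.php)';
    } else {
        // PHP loads the prepend file like require: with a wrong path the request
        // fails before this script runs, so reaching this line means it was loaded.
        $lines[] = 'auto_prepend_file:      ' . $prepend . ' (loaded before this script)';
    }
    return $lines;
}

if (!headers_sent()) {
    header('Content-Type: text/plain');
}
echo implode("\n", ose_activation_report(
    php_sapi_name(),
    php_ini_loaded_file(),
    ini_get('auto_prepend_file')
)), "\n";
```

The script prints only these values, so it reveals little about the server while it exists.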


7.2 Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker?

If you have trouble activating the Anti-Hacker using all of these ways, please try the
following.

1. Check the PHP version of your hosting account. The Anti-Hacker is supported only on
PHP5, so please make sure your system is running PHP5.

2. Check whether the Anti-Hacker function is working by directly opening the URL
yourwebsite/administrator/scan.php?%20union (please change yourwebsite to the proper
installation path). If you get the blocking message, the installation is correct and
the program is running, and the problem is related only to activation.

3. The way the Anti-Hacker function can be activated depends on the mode in which the
server is running. You can find this in the PHP information of your system, which you
can check as follows:
Create a phpinfo.php file under the root of your website. Put the script <?php phpinfo(); ?> into
this phpinfo.php file. Type yourwebsite/phpinfo.php in the browser.

Then the PHP information will be shown like this:


4. If the Server API is in CGI mode, your website can only be activated via the php.ini file,
and if the Server API is under Apache Module, your website can only be activated
via .htaccess file.

5. In CGI mode, you also need to know the location of the loaded configuration file. If you
cannot access that location, please try creating the php.ini under your website root; the
location of the loaded configuration file may vary.

6. Sometimes your server may be in fast_CGI mode. In this case, you need to activate the
Anti-Hacker with a php5.ini file. Please create a php5.ini file under the root folder and
add the following code to it:
;;;;;;;;;;;;;;;;;;;;;;;
; PREPEND ANTI HACKER ;
;;;;;;;;;;;;;;;;;;;;;;;
register_globals = off
safe_mode = off
allow_url_fopen = off
display_errors = off;
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source;

;; The following needs to be changed according to the server setting;


open_basedir = yoursite/public_html:yoursite/public_html/tmp:yoursite/public_html/logs:/tmp
auto_prepend_file = yoursite/public_html/administrator/scan.php
;;;;;;;;;;;;;;;;;;;;;;;

7. Also copy a php5.ini file to the administrator folder, and change only the line
"auto_prepend_file=******/scan.php" to "auto_prepend_file=" (so that no file is
prepended to the PHP files in the administrator folder).

8. If none of the above works, please confirm with your hosting service that the
auto_prepend_file function is enabled.

9. Please contact us via our support desk if the problem persists after trying all of the above.
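
A narrower alternative to the phpinfo.php page in step 3, as an added example that is not part of the OSE package: it prints only the Server API, the loaded configuration file and the effective auto_prepend_file, open_basedir and disable_functions values, and maps the Server API to the activation file as steps 4 and 6 describe. The file name oscheck.php and the function names are hypothetical; the function list is the one recommended in this manual.

```php
<?php
// Added example (hypothetical oscheck.php): report only the settings steps 3-6 depend on.
// The function list is the one recommended in this manual.
$recommended = array('exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source');

// Map the Server API name to the activation file, following steps 4 and 6.
function activation_file($sapi)
{
    if (strpos($sapi, 'apache') === 0) {           // apache, apache2handler, apache2filter
        return '.htaccess';
    }
    if ($sapi === 'cgi' || $sapi === 'cgi-fcgi') { // CGI and FastCGI
        return 'php.ini (or php5.ini on hosts running php4 and php5 side by side)';
    }
    return 'not covered by the manual; ask the hosting company';
}

// Return the recommended functions that are NOT in the effective disable_functions value.
function still_enabled($recommended, $iniValue)
{
    $disabled = array_map('trim', explode(',', (string) $iniValue));
    return array_values(array_diff($recommended, $disabled));
}

$sapi    = php_sapi_name();
$prepend = (string) ini_get('auto_prepend_file');
$missing = still_enabled($recommended, ini_get('disable_functions'));

$report = array(
    'Server API'                => $sapi,
    'Activate Anti-Hacker via'  => activation_file($sapi),
    'Loaded configuration file' => php_ini_loaded_file() ? php_ini_loaded_file() : '(none)',
    'auto_prepend_file'         => $prepend !== '' ? $prepend : '(not set: scan.php is not prepended)',
    'open_basedir'              => ini_get('open_basedir') ? ini_get('open_basedir') : '(not set)',
    'Functions still enabled'   => $missing ? implode(',', $missing) : '(none)',
);

header('Content-Type: text/plain');
foreach ($report as $label => $value) {
    echo str_pad($label, 28) . $value . "\n";
}
```

Because the values come from ini_get(), the output shows whether the settings actually took effect for web requests, whichever file they were placed in. Delete the file from the website root once activation is confirmed.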

7.3 Anti-Hacker FAQs: How to Whitelist a program?

Please read Section 5.1.

7.4 Anti-Hacker FAQs: How to Whitelist a form field?

Please read Section 5.2.


7.5 Anti-Hacker FAQs: How to customize the blocking message on the ban Page

You can customize the blocking message on the Ban Page, which your clients
will see when they are suspected of suspicious activity. You can edit the message via
the "Custom BanPage" button in the main menu of Anti-Hacker.

7.6 Anti-Hacker FAQs: How to Update the Signature?

The signature can be updated via our UpdateMan component. Please go to our website
→ My Downloads menu to download the latest signature file.

First, install the UpdateMan component in the SignatureUpdate Package/Update
Manager package at Extensions → Install/Uninstall. Then go to the UpdateManager
component at Components/OSE UPMan. Upload the signature file in the package.

After this, the signature package will be listed at the bottom of the page.
Select it to install and follow the on-screen tips to finish the update.


Finally, you can go to System Guard to check the current Signature version of the system.

7.7 Anti-Hacker FAQs: What if my user account is blocked?

If you or someone else tries to log in with your admin account more times than the number
of attempts that you set in the Open Source Excellence Authentication plugin, your admin
account will be blocked. You will see the following screen after the first failed login
(assuming that you set the maximum attempts to 3):

When you have tried more than 3 times, your account will be blocked and you will see
the following:

If you would like to unlock your account, you need to use your database management
tool, for example phpMyAdmin, to unlock it. Go to the jos_users table and
change the value of "block" for that account FROM 1 TO 0, as presented in the following
screenshot:

7.8 Anti-Hacker FAQs: What if my IP is banned?

If you are an administrator of the website, but you are banned, what should you do?

1. Temporarily remove the following lines in the corresponding files depending on which
way you used to activate the Anti-Hacker function:

A) require_once ('/absolute_path_to_antihacker/scan.php'); from the index.php

B) auto_prepend_file=/absolute_path_to_antihacker/scan.php from php.ini

C) php_value auto_prepend_file "/absolute_path_to_antihacker/scan.php" from .htaccess

Then log in to the Security Suite back end to remove your IP from the Anti-Hacker
blacklist, or whitelist it.

OR

2. If you have phpMyAdmin or any other database management tool, you can find the table
"jos_anti_hacker_iptable" and remove your IP from the table. That will help you regain
access to the back end.

7.9 Anti-Hacker FAQs: How to set a password to protect a folder with .htaccess?

You could easily create it using the System guard of the OSE Security Suite.

Please go to System Guard (originally the GuardXT component), and click the Start
wizard in the Joomla Server Configuration Check Section:


In the wizard, please enter the username, password, and the path you would like to store
your .htpasswd file. For instance, you may set them as follows:

username: testinguser password: testinguser

path to store .htpasswd: /home/youraccount/.htpasswd/antihacker/


After you click the Create button, you will see the following page. Please note that after
you click the Create button, the password has already been created, so you don't need to
copy the code to the .htaccess and .htpasswd files (shown under "Your Password has been created").

The password will be created and you will be asked for the user name and password you
just set up.

7.10 Anti-Hacker FAQs: How to disable insecure functions for PHP environment?

In order to enhance the security of your website, we recommend that you disable
some insecure functions for the PHP environment.

Please disable these functions using either of the methods below by adding the following
code to the corresponding file.

In the .htaccess:
php_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"

Or in the php.ini:
disable_functions="exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"


7.11 Virus Scanner FAQs: What if the scanner reports a false positive?

You could restore the files which are falsely cleaned and you might choose to whitelist
them. Please read Section 6.2 – 6.4.

7.12 Virus Scanner FAQs: What if the website is injected with c99 shell codes?

If your website is infected by c99 shell code (root kit), the hacker may have obtained all
credentials of your website, so the only things you can do are as follows:

1. Backup all files after cleaning them using anti-virus software (or hire our service to do it
for you).

2. Check and backup the database.

2.a. You can check the schema information of your database to see if there are abnormal users.
However, if you completely reset your server using a new hosting account, all information
here will be emptied and rebuilt. The hacker account will be removed automatically.

2.b. Please check the user table of your website. For instance, if you use a Joomla system,
check in the table jos_users whether there are abnormal administrator accounts and, if so,
remove them.

2.c. Backup the whole database.

3. Backup all your emails if any.

4. Completely re-set your hosting account.

4.a. Request a deletion of your hosting account from your hosting company, then re-create a
new one.

Or 4.b. Move to other hosting accounts.

5. Build all things for your new hosting account and then recover your files back to the new
server.

6. Then you can recover the database.

Thank You!

Hope You Enjoy the Software.
