You know that horrible shivery feeling you get when someone’s been at your files? Wouldn’t it be nice to be informed that something dodgy was going on so you could get on top of it right away instead of only finding out when Google slapped a “This site may harm your computer” warning on your links?
In steps smd_prognostics: pro-active diagnostics for Textpattern. It requires TXP 4.4.1+ and PHP 5.
This beastie monitors your site’s files and sends out an alarm when things change. You can acknowledge the alarms and the plugin will then go about its business until the next time something changes. Of course, you can configure how frequently you’re nagged and whether you want to send off the forensic prognostics (a.k.a. frognostics) to yourself, or me to help improve the plugin.
I should warn you up-front that the type of stuff the frognostics sends may be quite sensitive (file paths and stuff) so if you don’t want me to see that sort of thing, don’t put my prognostics e-mail address in! You can always sanitize the data and send it by hand later if you prefer, or cut me out of the loop completely. The dedicated e-mail account I set up is only there so you can help me improve the plugin — and perhaps Txp — by sending intrusion detections for me to analyse.
The plugin also has a few real-time monitors that try to detect common attacks and block them. I would love to hear your reports on whether it works or it’s rubbish. There is also an advice page on how to harden your installation (more in later versions as I get my head round it), and even a simplistic but entertaining password strength monitor on the Admin->Users tab.
smd_prognostics is not the ultimate tool for peace of mind and you should never let your guard down. But it can be useful to help you recover quickly should the unthinkable happen, as it allows you to very rapidly find the changes and fix them. Just ask kevinpotts, who was my gracious test subject, how useful it was when it detected a rather nasty variant of the c99shell backdoor on his server (probably let in by someone else on the same shared host).
Of course I couldn’t have done this alone. I am also indebted to Steve (net-carver) for his unending support, ideas and enthusiasm in helping me take this plugin far beyond the initial capabilities I sent to him in the alpha version. He’s a true hero.
With all that said, download, install, and read the help file to get the most out of the plugin; I’ve tried to keep things brief, honest! Above all, please leave feedback here so I can shape this thing in future versions. If anyone has any guidance on what the plugin can look for, any extra advice it can give (for example, Steve has plans for helping me check MySQL’s SHOW GRANTS capabilities in a meaningful way) or any other info on how to improve the plugin workflow then let me know.
It’s taken the best part of six weeks to hammer this into shape between my own testing and those of my willing beta testers; hope it’s useful :-)
All available versions and changes are listed here. Each entry indexes the relevant post(s) in the thread to learn about the features.
Check files between and TXP version advice (all thanks ruud); tweaked injection detector; refactored e-mail header code
sql_injection callback; added rpc advice check
Last edited by Bloke (2012-01-26 01:42:38)
New version 0.11 adds the ability to Ignore files when acknowledging alarms. Thus the alarm will be acknowledged but will not automatically add the file(s) to the list of monitored files. Saves you having to acknowledge everything and then visit the Files list to unselect the ones you don’t want to monitor.
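The monitor/alarm/acknowledge cycle described in the opening post, plus the 0.11 "Ignore" option, as an added illustration that is not the plugin's own code: a baseline of file digests is built, the tree is re-checked against it, and acknowledging an alarm re-baselines the changed files while ignored paths are left unmonitored. The directory layout, file contents and function names are constructed for the example.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # digest of the whole file

def build_baseline(root):
    # relative path -> digest for every file under root (the checksum store)
    return {os.path.relpath(os.path.join(d, n), root): hash_file(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def check_files(root, baseline, ignored=frozenset()):
    # compare the tree with the baseline; ignored paths never raise an alarm
    current = build_baseline(root)
    return {
        "added": sorted(r for r in current if r not in baseline and r not in ignored),
        "modified": sorted(r for r in current if r in baseline
                           and baseline[r] != current[r] and r not in ignored),
        "removed": sorted(r for r in baseline if r not in current and r not in ignored),
    }

def acknowledge(root, baseline, alarms, ignore=()):
    # accept the alarms: re-hash added/modified files into the baseline, drop removed ones;
    # paths in `ignore` are acknowledged but left out of the monitored set (the 0.11 option)
    new = {r: h for r, h in baseline.items() if r not in alarms["removed"]}
    for rel in alarms["added"] + alarms["modified"]:
        if rel in ignore:
            new.pop(rel, None)
        else:
            new[rel] = hash_file(os.path.join(root, rel))
    return new, frozenset(ignore)

def demo():
    # constructed scenario: baseline a tiny site, tamper with it, check, acknowledge, re-check
    root = tempfile.mkdtemp()
    def write(rel, body, mode="wb"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), mode) as f:
            f.write(body)
    write("index.php", b"<?php // front\n")
    write(os.path.join("textpattern", "config.php"), b"<?php // cfg\n")
    baseline = build_baseline(root)
    write("index.php", b"// unexpected edit\n", "ab")        # a core file is edited
    dropped = os.path.join("textpattern", "tmp.php")
    write(dropped, b"<?php // dropped in\n")                  # a new file appears
    first = check_files(root, baseline)
    baseline, ignored = acknowledge(root, baseline, first, ignore={dropped})
    second = check_files(root, baseline, ignored)
    return first, second, sorted(baseline)
```

Running `demo()` reports the edited core file and the new file on the first check, and a clean second check once the edit is acknowledged and the new file ignored.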
Wow. Incredible work Stef! But that’s becoming par for the course…
I hate to be a prognosticator. But something is terribly wrong ;) I get a white screen at http://stefdawson.com
and BTW, zounds man!
@mrdale: freaky. I got it too in Firefox then I checked in Opera and it was fine, went back to Firefox and all was well. Think my hoster must be having problems but I’ll keep an eye on things, thanks for the report.
Last edited by Bloke (2010-11-11 19:24:48)
Seems my site’s been issuing more than its fair share of 500 Internal Server Errors since lunchtime. Hoster has no mention of it but there’s no common thread I can see in the log files. Different types of request from different hosts and referrers (and bots) hitting different pages all got about 90% 500s, and the odd 200 or 301/302 response in between. Then everything went ok for a spell and started going all 500y again about 3:30pm my time… until just now.
If it was prognostics and it was working properly you’d see a ‘Nice Try’ message for any dubious access attempts. If it’s prognostics and it’s bailing out for some reason then I’ll need to trace it through. If it’s something outside my control then either someone else on my shared server has problems, my host are keeping quiet, or I’ll need to dig further. Gonna keep an eye on the logs tonight and see if I can catch a whiff of anything going on. Apologies for the strange behaviour.
OK, further investigation reveals that for some reason the public-side click check in prognostics is doing something strange. I set the timeout to 60 seconds and public clicks on. I refreshed the page repeatedly and 60 seconds later I got a white screen of death. I continued to get this white screen until I hit the admin side (any tab except Plugins), thus the prognostics routine ran, did something that ‘unlocked’ itself and worked fine.
I can merrily click away on the admin side forever and a day without issue, but if I hit the site from the public side, the first time it triggers the prognostics routine: BAM it dies and locks any further requests until the admin side is visited. Well, any further requests from the same host as it seems that other things can sometimes get through.
Gotta be something odd with the callback (pretext) that’s killing things and the way it interacts with my site. But why it would lock everything out continuously until the admin side unlocks it is a mystery. Also a mystery is why it doesn’t exhibit this behaviour on my dev site, which is on the same server running the same versions of everything…
If anyone else experiences anything similar, please let me know as much detail as you can so I might be able to nail this. I apologise in advance if the plugin does break, but the temporary solution is to turn off the Public-side click checking.
I’ll put my code diving gear on and take the plunge later tonight.
Last edited by Bloke (2010-11-11 20:25:13)
I just installed it – everything seems to be working alright. (I’ve the public side clicks turned off)
Got my first message too – Prognostics Checksums.txt was missing – so I will assume it works.
I won’t send @Bloke any forensics data yet – I’d rather see them for myself before sending it to him.
Great work otherwise. I was hoping and expecting such a feature. Thank you!
Textpattern is now also available in Urdu for you.
I can tell you that I’ve had this installed on my main site for several weeks now, and it has already caught two very nasty changes to textpattern’s core PHP files that would have resulted in ungodly pharma spam. Invaluable. If your host’s security is suspect (wink wink Dreamhost), install this tool immediately.
I installed it at PHPXref.com. It’s just checking the Textpattern core files, not the cross references.
I have Check files on public side clicks: set to yes and things are working fine so far. This site gets a boat load of attacks, it should be fun to see what it detects. I have check files and alarms set to 3600 seconds for now, just to test. Notify me via email is set, I can add you on it, just let me know the address.
I’ve noticed on the Setup page that when I make a change and click save, it returns the screen with the old values; I change it again, click save a second time, and it saves the correct values.
I’m on DreamHost, let the games begin.