Textpattern Support Forum

You know that horrible shivery feeling you get when someone’s been at your files? Wouldn’t it be nice to be informed that something dodgy was going on so you could get on top of it right away instead of only finding out when Google slapped a “This site may harm your computer” warning on your links?

In steps smd_prognostics: pro-active diagnostics for Textpattern. It requires TXP 4.4.1+ and PHP 5.

This beastie monitors your site’s files and sends out an alarm when things change. You can acknowledge the alarms and the plugin will then go about its business until the next time something changes. Of course, you can configure how frequently you’re nagged and whether you want to send off the forensic prognostics (a.k.a. frognostics) to yourself, or me to help improve the plugin.

I should warn you up-front that the type of stuff the frognostics sends may be quite sensitive (file paths and stuff) so if you don’t want me to see that sort of thing, don’t put my prognostics e-mail address in! You can always sanitize the data and send it by hand later if you prefer, or cut me out of the loop completely. The dedicated e-mail account I set up is only there so you can help me improve the plugin — and perhaps Txp — by sending intrusion detections for me to analyse.

The plugin also has a few real-time monitors that try to detect common attacks and block them. I would love to hear your reports on whether it works or it’s rubbish. There is also an advice page on how to harden your installation (more in later versions as I get my head round it), and even a simplistic but entertaining password strength monitor on the Admin->Users tab.

smd_prognostics is not the ultimate tool for peace of mind and you should never let your guard down. But it can be useful to help you recover quickly should the unthinkable happen as it allows you to very rapidly find the changes and fix them. Just ask kevinpotts who was my gracious test subject how useful it was when it detected a rather nasty variant of the c99shell backdoor on his server (probably let in by someone else on the same shared host).

Of course I couldn’t have done this alone. I am also indebted to Steve (net-carver) for his unending support, ideas and enthusiasm in helping me take this plugin far beyond the initial capabilities I sent to him in the alpha version. He’s a true hero.

With all that said, download, install, and read the help file to get the most out of the plugin; I’ve tried to keep things brief, honest! Above all, please leave feedback here so I can shape this thing in future versions. If anyone has any guidance on what the plugin can look for, any extra advice it can give (for example, Steve has plans for helping me check MySQL’s SHOW GRANTS capabilities in a meaningful way) or any other info on how to improve the plugin workflow then let me know.

It’s taken the best part of six weeks to hammer this into shape between my own testing and those of my willing beta testers; hope it’s useful :-)

Revision history
————————

All available versions and changes are listed here. Each entry indexes the relevant post(s) in the thread to learn about the features.

• 11 Nov 2010 | 0.10 | Initial release
• 11 Nov 2010 | 0.11 | Added Ignore button
• 12 Nov 2010 | 0.12 | Fixed white screen of death on Files Save (binary files are now left unprocessed) ; improved performance ; added file quantity check
• 15 Nov 2010 | 0.13 | Alarms panel now always displays all alerts and doesn’t interfere with file checking rotation ; fixed incorrect URL in acknowledge messages (thanks thebombsite) though multi-site installations may still be wrong ; removed dumb admin-side SQL injection, added Check files between and TXP version advice (all thanks ruud) ; tweaked injection detector ; refactored e-mail header code
• 16 Nov 2010 | 0.14 | Added forensic options for header spoofing/SQL injections ; can now throw HTTP response code or custom message/form instead of ‘nice try’ ; wildcard ability for ignored files ; added user check and TXP dir option (thanks maverick)
• 09 Dec 2010 | 0.15 | Improved warning display when saving preferences (thanks maniqui) ; skipped comment preview step for SQL injections ; fixed version number in frognostics ; fixed display error on Advice panel ; added sql_injection callback ; added rpc advice check
• 09 Dec 2010 | 0.16 | Never assume English button names (thanks roelof)
• 30 Dec 2010 | 0.17 | Added injection sensitivity to try and minimise false positives on sites that accept comments ; fixed loss of settings on switching prognostics subtab
• 26 Jan 2012 | 0.20 | Performance boost ; added separate XSS shield pref ; altered callback signature: event=“smd_frognostics” to avoid clashes with the admin side ; fixed a few warnings ; password strength meter integrated with smd_user_manager ; fixed array_merge()-requires-array-argument snafu ; added CSRF tokens ; fixed rogue status msg when viewing alarms panel

Last edited by Bloke (2012-01-26 01:42:38)