Textpattern Forum


#31 2010-11-14 21:48:20

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 4,492

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Not sure I follow. An admin-side “attack” is one that begins http://site.com/textpattern/some_file?attack=content. […] if $txp_user is set during an “attack” (primarily a save operation) don’t run the prognostics check.

But if you base that decision on whether $txp_user is set, then the assumption is that any potential damage happens after the authentication. In that case you can simply ignore all admin-side attacks, because if $txp_user is not set, the attack will simply result in a login form being returned to ‘evil person’. And if the authentication part of the code is vulnerable, you’d be too late if you base your decision on $txp_user being set or not.


#32 2010-11-15 09:01:47

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,808

Re: smd_prognostics: monitor your Txp installation for suspicious activity

ruud wrote:

the assumption is that any potential damage happens after the authentication.

D’oh, of course you’re right. Told you I wasn’t following. Right, admin-side injection will be gone in the next version. Thank you for putting me straight.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern.

Txp Builders – finely-crafted code, design and Txp


#33 2010-11-15 15:00:11

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,808

Re: smd_prognostics: monitor your Txp installation for suspicious activity

smd_prognostics v0.13 is released. In this version:

  • Fixed Alarms panel so it now always displays all alerts and doesn’t interfere with the file checking rotation
  • Fixed incorrect URL in acknowledge messages (thanks thebombsite) though multi-site installations may still be wrong
  • Removed dumb admin-side SQL injection (thanks ruud)
  • Added Check files between (thanks ruud)
  • Added TXP version advice (thanks ruud)
  • Tweaked injection detector for performance reasons
  • Refactored e-mail header code to save repetition



#34 2010-11-16 00:02:54

thebombsite
Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Well, I see the Txp version advice is working, Stef. I now get the message:

A new version of Textpattern is available: 4.3.0

which is fine, but I assume it shouldn’t appear if you are already using 4.3.0 so I presume I am seeing it because I am on SVN?


Stuart – The BombsiteProText ThemesTextgarden

In a Time of Universal Deceit
Telling the Truth is Revolutionary.


#35 2010-11-16 00:54:16

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,808

Re: smd_prognostics: monitor your Txp installation for suspicious activity

thebombsite wrote:

I presume I am seeing it because I am on SVN?

I guess so. Odd because the ‘version’ entry in txp_prefs should still be 4.3.0 even if running SVN. What’s your version string set to? And what version does it report at the bottom of the admin side in Classic? If either is 4.2.0 then that explains the message, but doesn’t explain how you could be running 4.3.0 unless the upgrade to the final 4.3.0 didn’t quite set everything it should.

Of course there’s also the possibility that my code is broken but I stole most of it directly from txplib_update.php so I thought it’d be robust enough. I’ll give this some testing tomorrow before I release the next version (sorry for the flurry of updates) which has another couple of useful options in it.

Last edited by Bloke (2010-11-16 00:54:48)




#36 2010-11-16 01:00:46

maverick
Member
From: Southeastern Michigan, USA
Registered: 2005-01-14
Posts: 746

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Like Stuart, I’m on svn. And am also getting the message about a newer version.

Diagnostics shows: Textpattern version: 4.3.0 (r3458). Also showing 4.3.0 at the bottom on the admin side in classic.

Last edited by maverick (2010-11-16 01:01:36)


#37 2010-11-16 01:51:24

maverick
Member
From: Southeastern Michigan, USA
Registered: 2005-01-14
Posts: 746

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Bloke – a clarification — smd_prognostics is installed on both domains of the multi-site install.

domain 1 is showing x files being monitored of x number of total files. domain 2 is showing x files being monitored (same number as in domain 1) of 0 files being monitored.

There are no files being shown, i.e. literally the select box of files is not showing.

update1: I hit save anyway on domain 2. Now it reads that I’m monitoring 0 of 0 files.

update2: Now domain 1 has 0 files being monitored.

Apparently hitting save on one domain changes the other domain.

fwiw

Last edited by maverick (2010-11-16 01:55:28)


#38 2010-11-16 15:11:12

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,808

Re: smd_prognostics: monitor your Txp installation for suspicious activity

To continue the flurry of releases, v0.14 is out. Changelog:

  • Can now throw HTTP response code or a custom message / TXP form instead of ‘nice try’
  • Added independent forensic options for header spoofing/SQL injections
  • Wildcard ability for ignored files — so you can now monitor directories such as tmp for additions and perhaps specify *.tmp in the Ignore files box if you don’t want to be alerted about such files. The usual * and ? wildcards are supported
  • Added user check so you can now restrict the plugin to certain logins (thanks maverick)
  • Added TXP dir option which helps multi-site installations (thanks maverick)

Couldn’t find out why the ‘New version’ advice check is firing for Stuart and Mike. No matter what I do with my SVN installation — upgrade it, muck about with settings, whatever — I can’t make that piece of advice fire. When I get a chance later I’ll log into Mike’s server and see if I can figure out how things are different to my server and that should lead me to the solution.

In the meantime I thought I’d rush this one out so Bert has the option to pare back or customise the volume of forensics data from the (many) attacks he gets on PHPXref :-)

Last edited by Bloke (2010-11-16 15:13:27)



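The wildcard "Ignore files" option and the monitoring of directories such as tmp for additions, as an added example that is not smd_prognostics' own code: a minimal file-integrity check that snapshots a tree, skips anything matching shell-style `*`/`?` patterns, and reports added, changed and removed files. Function names (`is_ignored`, `snapshot`, `compare_snapshots`), the sha256 choice and the throwaway demo directory are all assumptions made for this illustration; the plugin's real storage and rotation logic are not shown here.

```php
<?php
// Added example, not the plugin's code. Names and layout are invented for illustration.

/**
 * True if $relPath matches any ignore pattern. Patterns use * and ? wildcards,
 * matched against the path relative to the monitored root and against the bare
 * filename, so both "tmp/*.tmp" and "*.tmp" behave as an admin would expect.
 */
function is_ignored(string $relPath, array $ignorePatterns): bool
{
    foreach ($ignorePatterns as $pattern) {
        // FNM_PATHNAME is deliberately not set, so "*.tmp" also matches in subdirectories.
        if (fnmatch($pattern, $relPath) || fnmatch($pattern, basename($relPath))) {
            return true;
        }
    }
    return false;
}

/** Snapshot a tree: relative path => sha256 of contents, honouring the ignore list. */
function snapshot(string $root, array $ignorePatterns): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = ltrim(substr($file->getPathname(), strlen($root)), '/\\');
        if (is_ignored($rel, $ignorePatterns)) {
            continue;
        }
        $out[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($out);
    return $out;
}

/** Diff a baseline against a fresh snapshot into added / changed / removed lists. */
function compare_snapshots(array $baseline, array $current): array
{
    $added   = array_keys(array_diff_key($current, $baseline));
    $removed = array_keys(array_diff_key($baseline, $current));
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $changed[] = $path;
        }
    }
    return ['added' => $added, 'changed' => $changed, 'removed' => $removed];
}

// --- Constructed demo: a throwaway directory standing in for a Txp install ---
$root = sys_get_temp_dir() . '/txp_demo_' . bin2hex(random_bytes(4));
mkdir("$root/tmp", 0700, true);
mkdir("$root/textpattern", 0700, true);
file_put_contents("$root/textpattern/index.php", "<?php // original\n");
file_put_contents("$root/tmp/session.tmp", "scratch");

$ignore   = ['*.tmp', '.htaccess'];          // what an admin might type in "Ignore files"
$baseline = snapshot($root, $ignore);

// Simulate what an intruder leaves behind: a dropped script in tmp/ and a
// modified core file. The changing .tmp file must NOT raise an alert.
file_put_contents("$root/tmp/dropped.php", "<?php /* shell */\n");
file_put_contents("$root/textpattern/index.php", "<?php // tampered\n");
file_put_contents("$root/tmp/session.tmp", "different scratch");

print_r(compare_snapshots($baseline, snapshot($root, $ignore)));

// Tidy up the demo tree (children first, then the root).
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

Run with `php monitor_demo.php`. The report lists tmp/dropped.php as added and textpattern/index.php as changed, while tmp/session.tmp never appears because it matches `*.tmp`. Note the trade-off the changelog entry implies: every ignore pattern is a blind spot, so keep the list to genuinely volatile files and never ignore `*.php` inside a writable directory.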

#39 2010-11-16 15:42:29

hcgtv
Member
From: Charlotte, NC
Registered: 2005-11-29
Posts: 2,154

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Bloke wrote:

In the meantime I thought I’d rush this one out so Bert has the option to pare back or customise the volume of forensics data from the (many) attacks he gets on PHPXref :-)

Upgraded to Textpattern 4.3.0 and version 0.14 of the plugin. I kept the same parameters in place for now, I’m liking frognostics and all the info it sends me on the attacks. I did get Alarms for all the files that changed and were added, I just acknowledged them.


txp:tag – Textpattern Tags ~ TxPlanet – Textpattern Planet


#40 2010-11-16 16:05:16

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 5,808

Re: smd_prognostics: monitor your Txp installation for suspicious activity

hcgtv wrote:

I kept the same parameters in place for now

Oki doke. As long as you checked all the settings were still the same on the screen and Saved them after upgrade, everything will continue to work. Some of the names of things have changed internally so some of your options may have flicked on or off during the upgrade.

I’m liking frognostics and all the info it sends me on the attacks

Me too. Had a really juicy one earlier with someone trying to install a c99shell-type script from your contact form.

But the plugin can trip out on legit content too — Mike tried to send me an e-mail last night and the plugin threw its toys out of the pram. Luckily I had forensics switched on so it sent me the message anyway along with all the other server info for me to analyse so I can try to reduce the false-negative rate. With the new HTTP response code headers in play and the forensics switched on I can now deliver a nicer message saying that the request has been quarantined but I still received it.

Alternatively for the ultimate low-radar approach I could set it to trigger a 200 (OK) request and defer processing to a TXP form. In that form I could analyse the content and server information further there to decide if the attack really was an attack or not, taking action accordingly. For example I could forward the request on to its intended destination and return a success message, or grind to a halt, select some pertinent data and stuff it aside for later analysis. Sky’s the limit here so the fact the plugin triggers an SQL injection warning need not be the end of the road.



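Two points in this thread fit one worked example: ruud's argument in #31 that an injection check gated on `$txp_user` runs too late (an unauthenticated request never gets past the login form, and a flaw in the login code itself is missed), and the v0.14 options discussed in #38 and #40 for answering a flagged request with an HTTP status, a custom message, or a quiet 200 that quarantines the request for later analysis. The code below is an added example, not smd_prognostics' code: the regexes, the function names (`inspect_request`, `respond_to_attack`) and the policy array shape are all assumptions made here.

```php
<?php
// Added example, not the plugin's code. Patterns and names are invented for illustration.

/** Crude indicators of SQL injection and header spoofing in request values (hypothetical list). */
const SUSPICIOUS_PATTERNS = [
    '/\bunion\b[\s\/\*]+\bselect\b/i',
    '/\binformation_schema\b/i',
    '/\bsleep\s*\(\s*\d+\s*\)/i',
    '/(?:\'|")\s*(?:or|and)\s+[\'"]?\w+[\'"]?\s*=\s*[\'"]?\w+/i',
    '/\bload_file\s*\(|\binto\s+(?:out|dump)file\b/i',
    '/[\r\n]/',   // CR/LF inside a header-bound value: header injection / spoofing
];

/**
 * Inspect every GET/POST value and caller-supplied header. Returns a list of
 * [source, name, pattern] hits; an empty array means nothing matched.
 * Deliberately absent from the signature: the current user. Whether a request
 * carries an attack has nothing to do with whether $txp_user is set, which is
 * ruud's point in #31.
 */
function inspect_request(array $get, array $post, array $headers): array
{
    $hits = [];
    foreach (['GET' => $get, 'POST' => $post, 'HEADER' => $headers] as $source => $values) {
        foreach ($values as $name => $value) {
            if (!is_string($value)) {
                continue;               // nested arrays / uploads would need recursion
            }
            $decoded = rawurldecode($value);   // catch %27 and friends
            foreach (SUSPICIOUS_PATTERNS as $pattern) {
                if (preg_match($pattern, $decoded)) {
                    $hits[] = [$source, $name, $pattern];
                }
            }
        }
    }
    return $hits;
}

/**
 * Choose the response for a flagged request, mirroring the options discussed:
 * a bare HTTP status, a custom message, or a "quarantine" that returns 200 and
 * hands the evidence to a callable (standing in for a TXP form) for analysis.
 * Returns [status, body] so it can be exercised without emitting headers.
 */
function respond_to_attack(array $hits, array $policy, ?callable $quarantine = null): array
{
    switch ($policy['mode'] ?? 'status') {
        case 'message':
            return [200, $policy['message'] ?? 'nice try'];
        case 'quarantine':
            // Low-radar: look like success to the sender, keep the evidence for later.
            return [200, $quarantine ? $quarantine($hits) : ''];
        case 'status':
        default:
            return [$policy['code'] ?? 403, ''];
    }
}

// --- Constructed sample requests ---
$txp_user = null;   // unauthenticated: exactly the case a $txp_user gate would skip

$attack = inspect_request(
    ['id' => "1' UNION SELECT user,pass FROM txp_users--"],
    [],
    ['X-Forwarded-For' => "1.2.3.4\r\nX-Injected: yes"]
);

// The contact-form problem from #40: ordinary prose that happens to contain
// "union select" trips the same regex. Forensics make that survivable, because
// the quarantine handler keeps the whole request for a human to judge.
$falsePositive = inspect_request([], ['body' => "The union select committee meets at 3"], []);

$quarantine = static function (array $hits): string {
    error_log('quarantined request: ' . json_encode($hits));
    return 'Your message has been received and is being reviewed.';
};

var_dump(count($attack) > 0, count($falsePositive) > 0, $txp_user === null);
print_r(respond_to_attack($attack, ['mode' => 'status', 'code' => 403]));
print_r(respond_to_attack($falsePositive, ['mode' => 'quarantine'], $quarantine));
```

Run with `php inspect_demo.php`. Both constructed requests are flagged: the first on the UNION SELECT and on the CRLF in the forwarded-for header, the second only on the innocent "union select" phrase. The quarantine path answers the second one with a 200 and a polite message while logging the hits, which is the behaviour Bloke describes wanting for Mike's e-mail; a blunt 403 would have lost that message.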
