Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#73 2011-03-28 00:03:51

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,515
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

maverick wrote:

All the preferences were gone.

Eek! I’ve had this before but I thought I’d squashed the bug that caused it. Maybe in multi-site installations it still manifests itself somehow. That’s not good. I’ll see if I can figure out why it might have cleared your settings.

where in the database does it save its preferences?

In the usual txp_prefs table. If you have smd_prefalizer installed, just search for any entries with smd_prog in them. If they’re not making it to your database then I need to find out why and fix it.

Last edited by Bloke (2011-03-28 00:04:13)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#74 2011-03-28 01:04:11

maverick
Member
From: Southeastern Michigan, USA
Registered: 2005-01-14
Posts: 975
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Bloke wrote:

maverick wrote:

All the preferences were gone.

Eek! I’ve had this before but I thought I’d squashed the bug that caused it. Maybe in multi-site installations it still manifests itself somehow. That’s not good. I’ll see if I can figure out why it might have cleared your settings.

where in the database does it save its preferences?

If you have smd_prefalizer installed, just search for any entries with smd_prog in them.

I do have smd_prefalizer installed. I used it to confirm what the preferences showed – no settings in the database (initially). After I saved the settings again they now show in prefalizer. Likewise when I check in phpadmin.

So somehow or why they cleared out.

Let me know if you need access.

Offline

#75 2012-01-26 01:38:50

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,515
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

New major release. v0.20 has the following features:

  • Major performance boost: internal functions have been optimized and tweaked to improve responsiveness and reduce the impact of file system checks, making the admin side snappier. Note to self: never underestimate how slow some of PHP’s functions are (*cough* strtr() I’m looking at you)
  • Added a separate XSS shield pref so you can benefit from SQL injection protection without compromising your user comments
  • Altered the callback signature. It is now event="smd_frognostics" to avoid clashes with the admin side when using dashboards
  • Password strength meter integrated with smd_user_manager
  • Added CSRF tokens (although they’re not used yet)
  • Fixed a few miscellaneous warnings / PHP notices
  • Fixed array_merge()-requires-array-argument snafu
  • Fixed rogue status message when viewing alarms panel

All in all, well worth the upgrade even if it’s just for the performance improvements. Please let me know if you spot anything squiffy or if it saves your bacon one day.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#76 2012-04-16 12:54:18

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,357
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Hi Stef,

Very nice indeed! I’m looking forward to having a good play around with this. I stumbled across it because I was looking for something that might alert me to some other suspicious activites – such as when the hosting company has been fiddling – e.g. if they’ve upgraded PHP or MySQL. Is this an option?

Also, I hit a permissions problem when attempting to save the list of files for monitoring. From the error_log:

fopen(..../smd_prognostics_checksums.txt) [<a href='function.fopen'>function.fopen</a>]: failed to open stream: Permission denied

Fixing the permissions is not a problem but should I have got an error message in Admin?

Cheers,

Adi

Offline

#77 2012-04-16 13:00:11

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,515
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

gomedia wrote:

if [the host] upgraded PHP or MySQL.

Hmmmm, not thought of that, but it’d be darn handy since it often breaks things. Let me see if I can find a way to do that somehow.

Fixing the permissions is not a problem but should I have got an error message in Admin?

Uhhh, probably not. Guess I need some more defensive checks in the code. Thanks for letting me know, I’ll put on my bug hunting trousers.

Last edited by Bloke (2012-04-16 13:00:42)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#78 2012-04-18 12:39:55

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,515
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

First pass beta 0.21 should at least keep quiet if the prognostics directory is unwritable. It’s supposed to guard against you being able to select an unsuitable location from the prefs, but I guess that bit’s not up to scratch either.

Still thinking about the PHP/MySQL versions as I’m wondering about a more generic case for testing versions of things other than just the host environment.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#79 2012-04-24 04:39:21

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,357
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Bloke wrote:

First pass beta 0.21 should at least keep quiet if the prognostics directory is unwritable.

That seems to be working – friendly error message on screen & no errors in log – thanks.

Offline

#80 2012-06-02 08:10:11

tye
Member
From: Pottsville, NSW
Registered: 2005-07-06
Posts: 858
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Hey Stef – how’s things?

I installed this on a site to check it out a while back and now I keep getting emails mentioning a “Possible SQL injection detected” which seem to be connected to zem_contact – Do I need to do anything about this or is it just informational?

Everything seems OK on the site and it just looks like people were trying to leave a spam’ment…. in my contact form :)

Offline

#81 2012-06-02 11:27:50

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,515
Website GitHub

Re: smd_prognostics: monitor your Txp installation for suspicious activity

tye wrote:

is it just informational?

Yep. Spam messages usually trip the filter (I’ve only had one false positive so far, which is shame, but acceptable). You can choose to use the info to tweak the settings so fewer messages get marked, or just turn that bit off.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#82 2012-06-04 23:02:53

tye
Member
From: Pottsville, NSW
Registered: 2005-07-06
Posts: 858
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Thanks Stef – I don’t mind the notifications, at least I know its working :)

Offline

#83 2017-10-02 11:52:55

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,256

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Since a little more than a week one of the sites I’m monitoring is exposed to more than 30 attacks1 (I didn’t keep all the mails). Can I do something to make these fools drop my URL from their cheat sheet?

I remember Ruud once published something to keep certain requests in an infinite loop, IIRC, but unfortunately I didn’t bookmark that, and my investigations were unsuccessful so far.

1 smd_prognostics_preamble_sql_inject [..] m=member&c=index&a=register&siteid=1


In bad weather I never leave home without wet_plugout, smd_where_used and adi_form_links

Offline

#84 2017-10-03 09:42:57

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: smd_prognostics: monitor your Txp installation for suspicious activity

@uli, doesn’t ring a bell. Btw 30 attacks = 30 requests? For one week it’s not that much. Just keep everything up to date and ignore the attempts.

Offline

Board footer

Powered by FluxBB