smd_prognostics: monitor your Txp installation for suspicious activity

gomedia · 2012-04-16 12:54:18

Hi Stef,

Very nice indeed! I’m looking forward to having a good play around with this. I stumbled across it because I was looking for something that might alert me to some other suspicious activites – such as when the hosting company has been fiddling – e.g. if they’ve upgraded PHP or MySQL. Is this an option?

Also, I hit a permissions problem when attempting to save the list of files for monitoring. From the error_log:

fopen(..../smd_prognostics_checksums.txt) [<a href='function.fopen'>function.fopen</a>]: failed to open stream: Permission denied

Fixing the permissions is not a problem but should I have got an error message in Admin?

Cheers,

Adi

Bloke · 2012-04-16 13:00:11

gomedia wrote:

if [the host] upgraded PHP or MySQL.

Hmmmm, not thought of that, but it’d be darn handy since it often breaks things. Let me see if I can find a way to do that somehow.

Fixing the permissions is not a problem but should I have got an error message in Admin?

Uhhh, probably not. Guess I need some more defensive checks in the code. Thanks for letting me know, I’ll put on my bug hunting trousers.

Last edited by Bloke (2012-04-16 13:00:42)

Bloke · 2012-04-18 12:39:55

First pass beta 0.21 should at least keep quiet if the prognostics directory is unwritable. It’s supposed to guard against you being able to select an unsuitable location from the prefs, but I guess that bit’s not up to scratch either.

Still thinking about the PHP/MySQL versions as I’m wondering about a more generic case for testing versions of things other than just the host environment.

gomedia · 2012-04-24 04:39:21

Bloke wrote:

First pass beta 0.21 should at least keep quiet if the prognostics directory is unwritable.

That seems to be working – friendly error message on screen & no errors in log – thanks.

tye · 2012-06-02 08:10:11

Hey Stef – how’s things?

I installed this on a site to check it out a while back and now I keep getting emails mentioning a “Possible SQL injection detected” which seem to be connected to zem_contact – Do I need to do anything about this or is it just informational?

Everything seems OK on the site and it just looks like people were trying to leave a spam’ment…. in my contact form :)

Bloke · 2012-06-02 11:27:50

tye wrote:

is it just informational?

Yep. Spam messages usually trip the filter (I’ve only had one false positive so far, which is shame, but acceptable). You can choose to use the info to tweak the settings so fewer messages get marked, or just turn that bit off.

tye · 2012-06-04 23:02:53

Thanks Stef – I don’t mind the notifications, at least I know its working :)

uli · 2017-10-02 11:52:55

Since a little more than a week one of the sites I’m monitoring is exposed to more than 30 attacks¹ (I didn’t keep all the mails). Can I do something to make these fools drop my URL from their cheat sheet?

I remember Ruud once published something to keep certain requests in an infinite loop, IIRC, but unfortunately I didn’t bookmark that, and my investigations were unsuccessful so far.

¹ smd_prognostics_preamble_sql_inject [..] m=member&c=index&a=register&siteid=1

ruud · 2017-10-03 09:42:57

@uli, doesn’t ring a bell. Btw 30 attacks = 30 requests? For one week it’s not that much. Just keep everything up to date and ignore the attempts.

uli · 2017-10-04 22:27:56

OK then

ruud wrote #307275:

For one week it’s not that much. Just keep everything up to date and ignore the attempts.

Well, OK, I thought it’s much as I look(ed) at every report email, after having silence for ages and everywhere else.

miles · 2018-07-20 20:04:55

@bloke Is this plugin compatible with 4.7? I have installed it and made a few pref changes then I get blank screens on all the tabs, apart from the menu tabs at the top.

Desperate to use this plugin :)

gomedia · 2020-10-24 23:39:47

Hi Stef, not withstanding one rabbit-hole I’ve disappeared down today, here’s another strange one.

Recently I did some updates on the local version of my website and, in blissful ignorance, transferred everything to the live hosting thinking everything was fine. A while later I noticed a PHP parse error message on the live version.

After a bit of hacking around I discovered that if I disable smd_prognostics on the local site I see the PHP error message as well.

On both, the php.ini setting for display_errors is On. The local site’s production mode is Debugging, the live site is Live.

I know it’s not the hosting because when just using local site:

if smd_prognostics disabled, I see PHP errors
if smd_prognostics enabled, I only see PHP errors is Production Status is Live

I can see from the plugin code that smd_prognostics might be fiddling with the value of PHP’s display_errors, but can’t quite reconcile why or how it’s different when the Production Status changes.

Bloke · 2020-12-14 01:13:29

New version 0.5.0 released. This is for Txp 4.7.2 and higher, and is tested as far as 4.8.5 to date.

Main changes:

Use site URL correctly in language string notifications.
Fix max_input_vars being exceeded on Files save.
Fix the UI panels so they occupy the full width of the display.

Bloke · 2020-12-14 01:20:47

gomedia wrote #326550:

if I disable smd_prognostics on the local site I see the PHP error message as well.

Yeah, now this is where my lack of knowledge and copy-n-paste coding came into play. The class that does all the real-time protection / input validation / checking of dodgy SQL squeries / etc was lifted directly off an ancient Google Code repo, called PhProtector. That no longer exists and I’m not sure it’s even maintained anywhere else.

If you peruse its constructor you’ll see that if you pass false into it (as this plugin does) then it turns off error display, which will override everything. Since this happens whenever the plugin runs, both public and admin sides, it pretty much trolleys any error display.

I’m not sure why the original writer of the class did that. I just copied it, because it seemed like a good idea at the time. That may have been foolhardy. What we can do is test it by hacking out that check in the constructor so it just reads:

    public function __construct($show_errors)
    {
        ini_set('log_errors', "1"); //log_errors

        $this->do_xss = get_pref('smd_prognostics_xss', 0);
    }

If that works – and I expect it’ll be just fine – then I might as well just rip that out properly and remove the parameter too from the constructor and its call at the head of the plugin. I’m not even sure if we need to log_errors either. I guess that decision should be down to the system administrator rather than a plugin!

If you get a chance to try it, by all means do so. I’ll do some testing when I can too. Sorry for the hassle.

Last edited by Bloke (2020-12-14 01:21:48)

gomedia · 2020-12-15 22:56:49

Bloke wrote #327479:

New version 0.5.0 released.

I’m a bit confused! I already had a version 0.5.0 installed – from a few weeks back. Is this an old new or a new new?

Also, in the admin tab:

- the “Check files …” radio is blank (sorry can’t remember if this was the case before or not)
- some of the labels need a bit of air between them and their inputs
- can’t see “Fix the UI panels so they occupy the full width of the display”

Textpattern CMS

Textpattern CMS support forum

#76 2012-04-16 12:54:18

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#77 2012-04-16 13:00:11

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#78 2012-04-18 12:39:55

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#79 2012-04-24 04:39:21

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#80 2012-06-02 08:10:11

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#81 2012-06-02 11:27:50

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#82 2012-06-04 23:02:53

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#83 2017-10-02 11:52:55

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#84 2017-10-03 09:42:57

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#85 2017-10-04 22:27:56

Re: smd_prognostics: monitor your Txp installation for suspicious activity

ruud wrote #307275:

#86 2018-07-20 20:04:55

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#87 2020-10-24 23:39:47

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#88 2020-12-14 01:13:29

Re: smd_prognostics: monitor your Txp installation for suspicious activity

#89 2020-12-14 01:20:47

Re: smd_prognostics: monitor your Txp installation for suspicious activity

gomedia wrote #326550:

#90 2020-12-15 22:56:49

Re: smd_prognostics: monitor your Txp installation for suspicious activity

Bloke wrote #327479:

Board footer