Plugin verify files - development
Since someone in the German forum asked to have some sort of automatic file integrity check, somehow necessary to have in case of compromised files panic, we discussed having at least some automatic list of all files outside of a Serendipity Release.
As I thought this might help some more people, I developed a plugin including the core's integrity check, which is done by the checksum file, and additionally a diff to the current installation files, showing missing core files and additional files versus the checksum file array. After plugin installation, you will find a new link in the admin sidebar to go for it.
If anybody has more ideas this would be a good point to discuss and develop the plugin here, before we put it up to CVS.
Last edited by Timbalu on Wed Nov 09, 2011 6:58 pm, edited 5 times in total.
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
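The check described in the first post (integrity against a checksum list, plus missing and additional files), as an added example that is not the plugin's code. The manifest layout (relative path => SHA-256) and all file names are assumptions, and the sample tree is constructed in a temporary directory.

```php
<?php
// Added example, not the plugin's code. Manifest layout (relative path => sha256)
// and all file names are assumptions; the sample tree is constructed.
function verifyInstallation(string $root, array $manifest): array
{
    $report = ['missing' => [], 'modified' => [], 'additional' => []];
    $seen = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Relative path with forward slashes, so keys match on any platform.
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        $seen[$rel] = true;
        $digest = (string) hash_file('sha256', $file->getPathname());
        if (!isset($manifest[$rel])) {
            $report['additional'][] = $rel;   // not part of the release
        } elseif (!hash_equals($manifest[$rel], $digest)) {
            $report['modified'][] = $rel;     // shipped file, content differs
        }
    }
    // Anything listed in the manifest but never seen on disk is missing.
    $report['missing'] = array_keys(array_diff_key($manifest, $seen));
    foreach ($report as &$list) {
        sort($list);
    }
    unset($list);
    return $report;
}

// Constructed sample tree standing in for an installation.
$root = rtrim(sys_get_temp_dir(), '/\\') . '/verify_demo_' . uniqid();
mkdir($root . '/include', 0700, true);
file_put_contents("$root/index.php", "<?php echo 'home';\n");
file_put_contents("$root/include/functions.inc.php", "<?php function f() {}\n");
file_put_contents("$root/rss.php", "<?php echo 'feed';\n");

// Manifest as it would be generated at release time.
$manifest = [];
foreach (['index.php', 'include/functions.inc.php', 'rss.php'] as $rel) {
    $manifest[$rel] = hash_file('sha256', "$root/$rel");
}

// Simulate drift: one file changed, one removed, one dropped in.
file_put_contents("$root/index.php", "<?php echo 'home'; // changed\n");
unlink("$root/rss.php");
file_put_contents("$root/include/extra.php", "<?php\n");

print_r(verifyInstallation($root, $manifest));
```

Directories that legitimately hold non-release files (compiled templates, uploads, installed plugins) all land in the additional list, so that list is something to review rather than an alarm in itself.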
Re: Plugin verify files - development
I just added a basic check for hacked php files using "eval(base64_decode", please test.
Are there any other strings we could check for?
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Re: Plugin verify files - development
Hi!
"fpassthru" could also be a good detector; generally "exec(" and "eval(" could be added, we would only need to exclude a few bundled PEAR libs from creating false errors?
Good idea!
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Re: Plugin verify files - development
hmmm, not really ... I found at least 22 clean files here, without knowing how many there are, if someone has some more plugins active...
Search "eval(" (19 hits in 13 php files) in /bundled-libs/ (11), /plugins/ (1), /tests/ (1) - takes also things like "serializeval("
Search "exec(" (12 hits in 8 php files) in /htmlarea/ (4), /include/ (1), /plugins/ (3)
Search "fpassthru" (1 hit in 1 php file) in / (1)
Downsizing, would be some ~17 files to exclude, leaving /htmlarea/ files to alert.
This might get complicated trying to fetch all these excludements. Any ideas?
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
Re: Plugin verify files - development
It wasn't too bad excluding a file array and including search needles to get this to work and I uploaded v. 1.02. I still need some testers, to give me more information about possible more files to exclude. Just run 'Verify additional files' to see some output, if any.
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
Re: Plugin verify files - development
Hi
Got this in my test installation:
Code:
Possible infected php files in Installation
filename: plugins/serendipity_event_spamblock_bayes/serendipity_event_spamblock_bayes.php :
filetype: file, was last modified: April 20 2011 19:32:23.
filename: plugins/serendipity_event_xmlrpc/PEAR/XML/RPC.php :
filetype: file, was last modified: February 24 2011 19:46:48.
filename: plugins/serendipity_event_autotitle/serendipity_event_autotitle.php :
filetype: file, was last modified: January 21 2011 12:45:02.
filename: templates_c/plus9^%%62^622^62255D3C%%entries.tpl.php :
filetype: file, was last modified: March 25 2011 15:27:39.
filename: templates_c/bulletproof^%%CD^CD5^CD50A5BF%%entries.tpl.php :
filetype: file, was last modified: January 21 2011 12:52:53.
filename: templates_c/serendipity-1.5.5/serendipity/include/functions_images.inc.php :
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/ImageManager/Classes/IM.php :
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/SpellChecker/aspell_setup.php :
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/SpellChecker/spell-check-logic.php :
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/SpellChecker/spell-check-savedicts.php :
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/Smarty.class.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/plugins/function.math.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/plugins/function.mailto.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/plugins/function.eval.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/internals/core.process_cached_inserts.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/internals/core.smarty_include_php.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/internals/core.run_insert_handler.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/PEAR.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/XML/RPC.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php :
filetype: file, was last modified: January 21 2011 12:52:40.
filename: templates_c/serendipity-1.5.5/serendipity/serendipity_admin_image_selector.php :
filetype: file, was last modified: January 21 2011 12:52:42.
Please check these files with an editor for strings like: "eval( or exec( or eval(base64_decode or fpassthru" and inform the 'Serendipty Forum' board!
Timbalu wrote:Search "eval(" (19 hits in 13 php files) in /bundled-libs/ (11), /plugins/ (1), /tests/ (1) - takes also things like "serializeval("
You could surely prevent serializeeval to be found when searching for " eval" or "\seval" or something like that.
Re: Plugin verify files - development
Hi!
Your test installation at least has a strangely stacked templates_c/serendipity-1.5.5/ which contains the original s9y release again? I believe that's a reason why you get so many hits...
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Re: Plugin verify files - development
Hi Malte
Thank you, 3 more plugin files to exclude.
Are you sure these 2 are based to the 1.5.5 template releases?
filename: templates_c/plus9^%%62^622^62255D3C%%entries.tpl.php :
filetype: file, was last modified: March 25 2011 15:27:39.
filename: templates_c/bulletproof^%%CD^CD5^CD50A5BF%%entries.tpl.php :
filetype: file, was last modified: January 21 2011 12:52:53.
If yes, we can't really filter them out the array of possible infected files, also all the autoupdater files in templates_c, without getting very complicated.
onli wrote:You could surely prevent serializeeval to be found when searching for " eval" or "\seval" or something like that.
No not really, apart from having some more *eval* names, since I am searching in a minimized file_get_contents() with strpos ... this only affects ~2 files by now
The excluded file array is now by 25, which, growing up, opens a hole to more intelligent hackers to compromise just one or two of these and get away with it.
We could chmod them automatically to read only, by using this plugin, but if this is a good way to go ... I don't know.
Edit:
Well, actually the current file array is by 25, since I have the new Smarty here, which isn't present in the checksum file - 10 files in it belong to the next Smarty, so future Verify Versions will have 10 files less, ergo 15 by now.
Before I update, I'd be pleased if some more could test it and report back!
Edit 2:
Sorry! I should have tested with a vanilla install...
If you haven't changed any core files, the array shrinks to a pleasant 6 files(*), all in /plugins/. That's something to live with.
Garvin, did some older or testing Serendipity Release ship with the /tests/ folder? I got one here and just realized 1.5.5 hasn't got it. If this is a remnant, could we erase it with the 1.6 release? (tests/coverage/phpunit_coverage.php)
*since this is including a diff to the checksum files
Last edited by Timbalu on Fri Jun 10, 2011 6:12 pm, edited 3 times in total.
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
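The two points raised in the posts above, the "serializeval(" false positive and the worry that a growing exclusion list gives a modified file somewhere to hide, shown together as an added example (not the plugin's code). It goes one step beyond the thread by tying each exception to a hash of the reviewed copy; that exception format, the paths and the file contents are assumptions and constructed samples.

```php
<?php
// Added example, not the plugin's code. Paths, file contents and the pinned-hash
// exception format are assumptions; all samples are constructed.

// A needle counts only when it starts a token, so "serializeval(" and
// "curl_exec(" are not reported as "eval(" / "exec(". Case-insensitive.
const NEEDLE_RE = '/(?<![A-Za-z0-9_])(eval|exec|fpassthru)\s*\(/i';

function scanSources(array $sources, array $pinned): array
{
    $findings = [];
    foreach ($sources as $path => $code) {
        if (isset($pinned[$path])) {
            if (hash_equals($pinned[$path], hash('sha256', $code))) {
                continue; // byte-identical to the copy that was reviewed
            }
            // An excepted path is not trusted once its content changes.
            $findings[$path][] = 'excepted file differs from pinned hash';
        }
        if (preg_match_all(NEEDLE_RE, $code, $m)) {
            foreach (array_unique(array_map('strtolower', $m[1])) as $needle) {
                $findings[$path][] = "contains $needle(";
            }
        }
    }
    return $findings;
}

// Reviewed copy of a file that legitimately shells out (constructed).
$reviewed = "<?php exec('aspell dump dicts', \$out);\n";
$pinned = ['plugins/example_spell/setup.php' => hash('sha256', $reviewed)];

$sources = [
    'plugins/example_spell/setup.php' => $reviewed,
    'plugins/example_feed/fetch.php' => "<?php \$v = serializeval(\$x); curl_exec(\$ch);\n",
    'templates_c/example.tpl.php' => "<?php EVAL (base64_decode('ZWNobyAxOw=='));\n",
];
print_r(scanSources($sources, $pinned));

// Same path, altered content: the exception no longer applies.
$sources['plugins/example_spell/setup.php'] = $reviewed . "fpassthru(\$fh);\n";
print_r(scanSources($sources, $pinned));
```

A string search of this kind still matches needles inside comments and string literals, so hits are candidates for manual review, as the plugin's own output message asks.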
Re: Plugin verify files - development
Timbalu wrote:Are you sure these 2 are based to the 1.5.5 template releases?
No, I'm not. I checked all the plugins and it is quite possible I added a newline or something.
Garvin, the stacked files are quite possibly the result of the autoupdater-plugin.
Re: Plugin verify files - development
onli wrote:
Timbalu wrote:Are you sure these 2 are based to the 1.5.5 template releases?
No, I'm not. I checked all the plugins and it is quite possible I added a newline or something.
No sorry, that's not what I meant, ..., 'plus9' won't be in a release and some compiled templates use eval like
Code:
<?php echo smarty_function_eval(array('var' => $this->_tpl_vars['footer_totalPages']-6,'assign' => 'paginationStartPage'), $this);?>
Code:
<?php $_template = new Smarty_Internal_Template('eval:'.$_smarty_tpl->getVariable('footer_totalPages')->value-6, $_smarty_tpl->smarty, $_smarty_tpl);$_smarty_tpl->assign("paginationStartPage",$_template->getRenderedTemplate()); ?>
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
Re: Plugin verify files - development
Timbalu wrote:Sorry! I should have tested with a vanilla install...
If you haven't changed any core files, the array shrinks to a pleasant 6 files(*), all in /plugins/. That's something to live with.
Garvin, did some older or testing Serendipity Release ship with the /tests/ folder? I got one here and just realized 1.5.5 hasn't got it. If this is a remnant, could we erase it with the 1.6 release? (tests/coverage/phpunit_coverage.php)
*since this is including a diff to the checksum files
I updated the zip, to confirm the new array. Please test and report.
Garvin, could you tell me something about /tests please.
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
Re: Plugin verify files - development
Yes, /tests dir comes with development versions and without a checksums file array.
So I moved some things around, decided to include the /tests file again and added another error message.
Please test v.1.04, to make this a widely and useful integrity helper plugin.
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
Re: Plugin verify files - development
I saw I forgot to drop 1.05 here in summer, therefore we jump to 1.06, as of the official release of S9y 1.6. If you upgrade, you may need to clean your templates_c or your browser's cache by F5 to get things up...
Changelog:
1.06:
-----
changed function verifyAllFiles() to match empty array returning as a string and added (array) to 2nd argument of array_merge()
added (string) to property since we use array_flip later, which needs values to be Integer or Strings
1.05:
-----
added 'use PHP 5.1 up error' if file search array is empty
added some more files to list of exceptions
changed strpos to stripos to search case insensitive
added inset bad words in search for .htm files too
added inset bad words 'iframe'
added de lang files
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
Re: Plugin verify files - development
I just released version 1.07, which has
Code:
added another file to exclude,
fixed the output of show_verified_files array function and
fixed the Directory Separator of excludement array.
Please download in updated first post.
If you have any interesting ideas for this plugin, just drop me a PM, please.
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian