Digi Posted July 14, 2006
This is a topic for feature expansions to the IPB Anti-Virus Check. Feel free to post your other suggestions here :)

My suggestion is that the anti-virus check has an option added to mark a file safe. For instance, we are running the ineo RC and the scan comes back saying that the language file for this component is possibly a virus file, though it has a low score of 4. I can just imagine what a pain it would be to look at this page once an admin has installed multitudes of modifications or components to their site.

The biggest downside to this would be that it would make it easy, for those that are able to infect a site, to mark themselves as "safe" by running a query into the "safe" table. I'm not quite sure of a good way to keep this from happening atm, but... my brain is a bit fried today :P Perhaps someone else can think of something.

Regards,
Digi
Brandon C Posted July 14, 2006
> This is a topic for feature expansions to the IPB Anti-Virus Check. Feel free to post your other suggestions here :) My suggestion is that the anti-virus check has an option added to mark a file safe. <snip>

+1 :)
Matt (Management) Posted July 14, 2006
I thought about this but decided against it because, as you say, if someone gets ACP access they can just add a list of "safe" files in your DB via the SQL toolbox and you'd never know about it.

Of course, you could say "IPB found 10 files marked as safe", but unless you can remember exactly how many safe files you should have it's pointless.
Rikki Posted July 14, 2006
I guess one way could be to store the list of 'safe' files locally in a cookie?
Luke Posted July 14, 2006
If it doesn't do this already, I would like to see it pull a list of "known files" from the IPS server rather than from a "known files" file. That way, if there are any more of these files, IPS can easily update the list of "known file names", a lot like how anti-viruses download definitions from their servers.

Also, the "safe files" thing doesn't have to be saved locally, but could rather be saved under your license. Be able to view the files in the client center under each license. And when you're using the tool under IPB, you have to type in your client user ID and password to update it. Without that, you can't do it.
Sinistra Sensei Posted July 14, 2006
The SQL toolbox only the root admin can use, or I thought only they could use it.
Digi Posted July 14, 2006
I don't ever expect this to happen in relation to this tool, but I really like the idea of having a server hosting the relationship of all files reported by users as good, bad, etc. That is kind of what MS did with Windows Defender and the "SpyNet community". It might also help IPS better rate some of the more common files in the installs of any IPS product (including rating those that are most commonly attacked in hacks higher with the scan), not to mention popular modifications that add new files and so on.

Second to that, I think that storing them in a cookie would be another great idea. However, the ACP doesn't even use cookies for anything in there at the moment, does it? What could the side-effects of this be?
bfarber Posted July 14, 2006
> SQL toolbox only the root admin can use or I thought could only use it.

If a hacker got your root admin account, or made themselves a root admin somehow, for example. ;)
n-k Posted July 19, 2006
How about checking the md5sums of all PHP files on the server against an external database? Right now, it looks like the virus scan will only find new files and will ignore files that have been modified.
Digi Posted July 19, 2006
That is a good idea of what could be done against the default IPB files (and other IPS product files). :)
bfarber Posted July 20, 2006
The thing is, the more things that need to check against something remote (presumably hosted on our servers), the more bandwidth and maintenance and problems can occur. :)

Not to say it's not possible or not something to consider, but what if our site is down, for example, or we move a file somewhere?
Dark Phantom Posted July 21, 2006
Why can't you just list the filenames that you mark as safe? I know, at least in my case, that I could remember any files I marked as safe and would notice something new. You could also add the date it was added to the list, which would allow you to see "recent" modifications to the list itself.

Of course the simple solution is don't get hacked, and the only way I believe that is possible is not to use modifications.
n-k Posted July 25, 2006
> The thing is, the more things that need to check against something remote (presumably hosted on our servers), the more bandwidth and maintenance and problems can occur. :) Not to say it's not possible or not something to consider - but what if our site is done, for example, or we move a file somewhere.

I have no idea how many active IPBs there are, but since most admins would only do this scan once every few weeks, I don't think the strain on your servers would be too big. After all, you could just put the data into a plain text file that is then downloaded and parsed by the software...

I don't really understand what you mean by "but what if our site is done, for example, or we move a file somewhere". If you want to use another server, couldn't you just make your server redirect old versions with a 301 and change the URL in the next version?

Something else about the virus check: in my opinion, the current integration into the ACP has one big problem. When a hacker finds a way to change files on the server, what is stopping him from changing the virus scanner itself?

I think it would be better to offer a stand-alone PHP file, separate from the IPB, that users can upload as needed. Maybe you could even include the md5 hashes in that file, so there wouldn't be any problems with using your servers.
Matt (Management) Posted July 25, 2006
> Why can't you just list the filename's that you mark as safe.

Because no filenames are safe. If we labelled all standard IPS files as safe, the hacker would just name the shell file "lang_blog.php" and you'd never know about it.

> How about checking the md5sums of all php files on the server against an external database?

That's a lot of overhead. We'd have to maintain a list of all files for all versions and all patches. Plus, a single edit will mark it as changed and it'd just be flagged as modified.

The more complicated you make this tool, the more angles the hacker has at disguising his shell scripts without your knowledge.

It takes maybe 2 minutes to scoot through the list to determine if anything looks out of place, and you can click each file to see what it loads.
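As an added example (not code from this thread, from IPS, or from IPB), here is the kind of stand-alone integrity check that n-k proposes and Matt objects to, written in Python so that it is run from a shell outside the web root rather than from inside the ACP, with the reference hashes pasted into the script itself. It hashes every .php file under an install and compares the result against a manifest, reporting new, modified and missing files separately, and it contrasts that with the filename-only allowlist Matt rejects: a shell dropped under a trusted name such as lang_blog.php passes the name check and is caught by the hash check. The sample tree, its file contents and the tampering are all constructed for the demo, and SHA-256 is used in place of the md5 the thread mentions.

```python
"""Added example: stand-alone file-integrity check for a PHP tree.

Run from a shell outside the web root, with the manifest pasted into the
script, so an attacker who can write web-served files cannot edit the
checker or its reference hashes. The sample tree and contents below are
constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def php_files(root):
    """Yield root-relative paths (forward slashes) of every .php file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/")


def build_manifest(root):
    """Map relative path -> hash for a known-good tree; paste the result into the checker."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in php_files(root)}


def scan_by_hash(root, manifest):
    """Compare the live tree with the manifest. The three cases are kept apart so that
    a legitimately edited core file shows up as 'modified', not as a new unknown file."""
    found = {rel: sha256_file(os.path.join(root, rel)) for rel in php_files(root)}
    return {
        "new": sorted(set(found) - set(manifest)),
        "modified": sorted(r for r in found if r in manifest and found[r] != manifest[r]),
        "missing": sorted(set(manifest) - set(found)),
    }


def scan_by_name(root, manifest):
    """The weak alternative from the thread: trust any file whose base name is known."""
    known_names = {os.path.basename(rel) for rel in manifest}
    return sorted(rel for rel in php_files(root) if os.path.basename(rel) not in known_names)


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(content)


def demo():
    """Build a constructed install, record its manifest, tamper with it, scan both ways."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php require 'init.php';\n")
        _write(root, "init.php", "<?php define('IPB_LOADED', 1);\n")
        _write(root, "sources/lang_blog.php", "<?php $lang = array('title' => 'Blog');\n")
        manifest = build_manifest(root)

        # Constructed tampering: a known file overwritten with a shell, a second shell
        # dropped under a trusted file name into a writable directory, and a file removed.
        _write(root, "sources/lang_blog.php", "<?php system($_GET['c']);\n")
        _write(root, "cache/lang_blog.php", "<?php eval(base64_decode($_POST['p']));\n")
        os.remove(os.path.join(root, "init.php"))

        return {
            "by_hash": scan_by_hash(root, manifest),
            "by_name": scan_by_name(root, manifest),
        }


if __name__ == "__main__":
    result = demo()
    for key, value in result["by_hash"].items():
        print(f"{key:9s}: {value}")
    print("flagged by name only:", result["by_name"])
```

Matt's maintenance objection still holds: a manifest has to exist for every release and patch level, so in practice an admin would generate it with build_manifest from a freshly downloaded package of the exact version they run and keep the checker and manifest somewhere the web server cannot write. His other objection is answered by the output shape rather than avoided: an admin's own edit is listed under "modified", where it can be recognised and ignored, instead of being silently trusted.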
Digi Posted July 25, 2006
I agree, Matt. However, a lot of users just do not know what is going on on their servers... if they can't even figure out chmod, what makes you think they will be able to understand the ratings of good and bad files?

I think this one got overlooked :P

> I don't ever expect this to happen in relation to this tool, but I really like the idea of having a server hosting the relationship of all files reported by users as good, bad, etc. That is kind of what MS did with windows defender and the "spynet community". It might also help IPS better rate some of the more common files to the installs of any ips product (including rating those that are most commonly attacked in hacks higher with the scan), not to mention popular modifications that add new files and so on. Second to that I think that storing them in a cookie would be another great idea. However, the ACP doesn't even use cookies for anything in there at the moment does it? What could the side-effects of this be?
Luke Posted July 27, 2006
You know... an attacker, if already changing files, could always modify the anti-virus tool to skip their script in the first place....
Digi Posted July 27, 2006
Actually, none of the core files were ever modified, as they aren't usually set to writeable except by user error. As such, the virus tool would be just as safe as index.php (which wasn't targeted by any of the latest attacks).
n-k Posted July 29, 2006
> Actually, none of the core fies were ever modified as they aren't usually set to writeable except by user error. As such, the virus tool would be just as safe as index.php (which wasn't targeted by any of the latest attacks).

Aren't there some files that have to be set to 777, though? Like the config file or the cache directory.
Digi Posted July 29, 2006
Yes, but this isn't what was being pointed out in the previous post. They were trying to say that the hacker would be able to change the file checker to ignore their files. Which, as it is set up, would not happen.
super.smash.brothers Posted August 1, 2006
For the filters, how about sorting the files based on the filters?

"Show All" will list the files alphabetically by folders, then files.
"Show score x or more" will list the files by score, ascending.
"Show files larger than 55k" will list the files by size, with the largest first.
"Show files modified in the last 30 days" will list the files with the most recently edited file first.
Dlf Posted August 1, 2006
What of the 30 days? You could also add another 'option' like 'modified in 30 days' where there is a score of x (or more | or less).
This topic is now archived and is closed to further replies.