message: [INTERFACE]: PHP IDS Alert.Total impact: 18
Affected tags: xss, csrf, id, rfe, lfi

Variable: POST.ssl_key | Value: -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
Impact: 5 | Tags: xss, csrf
Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25

Variable: POST.ssl_request | Value: -----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----
Impact: 3 | Tags: xss, csrf, id
Description: Detects common comment types | Tags: xss, csrf, id | ID 35

Variable: POST.ssl_cert | Value: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Impact: 10 | Tags: xss, csrf, id, rfe, lfi
Description: Detects common comment types | Tags: xss, csrf, id | ID 35
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID 67
Sorry to dig up an old thread, but I get similar messages which I assume are also just for information, but the problem is my sys_log table is getting huge with these and the logs are not being cleared or rotated. The sys_log table on the db is over 1GB now, so I assume this should not be the norm. I think there's a cron job that's supposed to rotate or clear these? It must not be working correctly; what should I be looking for to fix this? Thanks. The messages I get are:

[INTERFACE]: PHP IDS Alert.Total impact: 7
Affected tags: xss, csrf, id, rfe, lfi

Variable: COOKIE.example_1 | Value: example_value
Impact: 7 | Tags: xss, csrf, id, rfe, lfi
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID 67
Ok, so after some looking into the cron jobs, I found this code which is supposed to clear the sys_log after 7 days AND if the "server_id" is not "0". However, when I look into my logs on the db, all the ones remaining have a "server_id" of 0. So I guess that's why it's not deleting the log entries. So why is my server_id=0? Do I have a misconfiguration somewhere? What should my server_id be, if it's only a single server setup? And where do I change it? Thanks. Below is the code I found in the cron file:

$sql = "DELETE FROM sys_log WHERE tstamp < ? AND server_id != 0";
$app->dbmaster->query($sql, $tstamp);
So, more looking into the ispconfig db tables: it looks like my server_id should be "1", which is correct for the other tables on the db. However, I'm not sure why the entries added into sys_log are getting a server_id of "0". Anyone know why that would be? How to fix this? Thanks
Please make a report in the ispconfig bug tracker, I see no reason why records in sys_log with ID 0 should be kept (unlike records in sys_datalog), so I guess there is an issue in the cleanup code.
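To make the retention problem from the two posts above concrete, here is an added example (not ISPConfig's own code, and not the fix from the bug tracker): it loads a few constructed sys_log rows into an in-memory SQLite table with a simplified, assumed schema, runs the cron's original DELETE from the earlier post, and compares it with an assumed corrected statement that drops the server_id condition. The rows with server_id=0 survive the original cleanup no matter how old they are, which is exactly why the table keeps growing.

```python
import sqlite3
import time

DAY = 86400

# Constructed sample rows: (server_id, age offset in seconds, message).
# A single-server install should log server_id=1, but the thread shows
# IDS alert rows arriving with server_id=0.
SAMPLE_ROWS = [
    (1, -10 * DAY, "[INTERFACE]: PHP IDS Alert.Total impact: 7"),
    (0, -10 * DAY, "[INTERFACE]: PHP IDS Alert.Total impact: 18"),
    (0, -1 * DAY, "[INTERFACE]: PHP IDS Alert.Total impact: 7"),
    (1, -1 * DAY, "recent entry"),
]

# The DELETE quoted from the cron file in the thread.
ORIGINAL_CLEANUP = "DELETE FROM sys_log WHERE tstamp < ? AND server_id != 0"
# Assumed corrected statement for this example: age alone decides, since the
# thread argues that sys_log rows with server_id=0 need not be retained.
ASSUMED_FIXED_CLEANUP = "DELETE FROM sys_log WHERE tstamp < ?"


def build_db(now):
    """Create an in-memory sys_log table (simplified schema, assumed) and fill it."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sys_log (syslog_id INTEGER PRIMARY KEY, "
                "server_id INTEGER, tstamp INTEGER, message TEXT)")
    con.executemany("INSERT INTO sys_log (server_id, tstamp, message) VALUES (?, ?, ?)",
                    [(sid, now + offset, msg) for sid, offset, msg in SAMPLE_ROWS])
    con.commit()
    return con


def run_cleanup(sql, now, retention_days=7):
    """Apply one cleanup statement and return the surviving (server_id, tstamp) rows."""
    con = build_db(now)
    con.execute(sql, (now - retention_days * DAY,))
    con.commit()
    rows = con.execute("SELECT server_id, tstamp FROM sys_log ORDER BY syslog_id").fetchall()
    con.close()
    return rows


def stale_rows_left(sql, now, retention_days=7):
    """Rows older than the retention window that the cleanup failed to remove."""
    cutoff = now - retention_days * DAY
    return [r for r in run_cleanup(sql, now, retention_days) if r[1] < cutoff]


if __name__ == "__main__":
    now = int(time.time())
    print("stale rows after original cleanup:", stale_rows_left(ORIGINAL_CLEANUP, now))
    print("stale rows after assumed fix:", stale_rows_left(ASSUMED_FIXED_CLEANUP, now))
```

On a real install the equivalent check is simply counting rows in sys_log older than seven days grouped by server_id; a non-zero count for server_id=0 reproduces what the thread describes.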
Short update: here is the report, and also the fix that @Croydon just implemented: https://git.ispconfig.org/ispconfig/ispconfig3/issues/5450
Sure, no problem Till. I'll report it in the bug tracker, but what exactly is the error I should report? Is it that the server_id should be showing 1 instead of 0 on the entries, since my server_id should clearly be listed as 1? Or that the cleanup process is not deleting entries with server_id = 0 and it should be? Because I think if we fix the first issue, where the entries are correct and show server_id=1, then that resolves the second issue, as the entries will be deleted by the current cleanup process. Or are both issues that need to be reported? Thanks
Please see my update post; the report has been added and the issue is fixed already, so there is no need for you to add it.