scan integrity of files/db

[spacecabbie]

Greetings, couple of quick questions:

what directory's if any are static and should not change (to do a reference scan on with original install files) Is there a way to scan and check the DB on foreign entry's/injections ?

[ywarnier]

Hi @spacecabbie It's easier to list the directories that can change (in 1.11.x):

• app/cache
• app/courses
• app/home
• app/logs
• app/upload
• main/default_course_document/images (when generating thumbnails for icons there)
• main/lang (if you leave the permissions in order to let users create sub-languages)
• web/assets (if regenerating assets / JS dependencies libraries - not common)
• web/build (used when using a language for the first time, or after a "cache clean-up")
• web/css (used after a cache clean-up or after uploading a new stylesheet)
• some plugins might require you to enable writing in one of its folder

There is no simple way to scan a database for foreign entries/injections.

[ywarnier]

If you fear injections through the recent RCE issue, remember that under recent Ubuntu systems, PHP going through Apache (libapache2-mod-php) cannot execute scripts. It would have to upload a PHP script and execute it. If so, you will first find traces of accesses to additional_webservices.php in your Apache access_logs.

Then you can probably use the "find" command to find files no older than a certain number of days (-cdate is an option to find files with a specific creation date) (unless these were deleted afterwards by another command). This should give you a first idea of whether scripts were uploaded, by which IP (if you track that) and then enable you to find more actions of that IP address in the logs.

[spacecabbie]

Ok thanks, Regarding files that can change thanks for that list I will tightener folder rights. This list will help.

They got in via a other site hosted on the same file system this has been cleaned i feared the DB might be affected as well. What you said here puts my mind at ease.

I still fear my DB is still corrupt/inconsistent but this is more a ongoing issue, this is a good as time as any to try and tackle them couple of questions if i may:

1. Is it possible to see orphan entry's that do no belong to any course anymore ?
2. One issue is Administrator account is affected (manually edited sometime ago) I I delete all User tables and import those from a fresh installed DB will this delete all users and reset the main admin account ?
3. Another way to go is export via the site options reset DB and import ?
4. Any other tips/suggestions
5. Are there any commercial company's that can do it for us (BeezNest?)

Please feel free to close the ticket after your reply.

[ywarnier]

1. There are many "items" that belong to courses, so it's a bit difficult to answer all cases at once (Chamilo 1.11 doesn't really have a centralized management for all items). You could start by looking into c_item_property for the c_id field where the c_id references a course that does not exist anymore: SELECT * FROM c_item_property WHERE c_id NOT IN (SELECT id FROM course).
2. I'm not sure I understand your question but you could understand the password mechanism and reset the admin account's password by looking into https://github.com/chamilo/chamilo-lms/wiki/Password-Management. The issue with importing "all user tables" is you might loose users that are linked to resources, and the database management system might reject your attempts saying that you are loosing binding keys...
3. exporting courses only exports authoring parts of courses (not user interactions), so again, not entirely sure this is a good idea, but it depends on your context
4. compare with backups... it also depends on the context, but comparing DB dumps might be humanly possible if your site is not very active
5. BeezNest can probably help out, but it would be necessary to first figure out what you want to do exactly, and it might take a very long time to do (again, depending on the contect)