Anyone know why Load.php is being updated?

Started by AD/vh, July 07, 2011, 03:25:15 PM

AD/vh

I've noticed something odd, and was wondering if anyone could clue me in as to the reason for it.

I've been messing around with SMF installs for some time now - nothing that's gone 'live' yet (ETA: 'live' on webserver but not publicized or made accessible to the public) - 1.x versions, 2.x RC and final, with varying mods on each install - and on each install, regardless of version used or mods installed and on entirely different databases and domains, I have noticed the following effect:

If I step away from working on a site and return to it for any length of time longer than a day or so, I see that the "last modified" time for Load.php on the webserver is FAR more recent than my last uploaded version.  When I diff the files, the CONTENT is the same... yet something's touched the Load.php on the server for some reason, and I can't figure out what or why.

As I've said, this is an effect I've noticed consistently across versions and mod installs, so I'm not going to enumerate each one (not sure I can).  I contacted my webhost (Bluehost) and the guy I spoke to isn't aware of anything on their end that would explain this, and I've tried to google the issue and not found anything helpful either.  To the best of my ability to determine, it is ONLY Load.php that's experiencing this effect, not any other files on any SMF or non-SMF site, and it has happened on EVERY install I've done recently.

Can anyone explain this, or give me pointers on how to figure out why it's happening and whether I should be concerned about it?

Thanks.

(ETA: to change subject to something hopefully more descriptive)


MrPhil

If someone was hacking your site, you'd think that more than Load.php would be touched. SMF in its normal operation wouldn't be editing or updating any files on a regular basis. Have you checked your cron jobs to see if something is running daily that might do this? How did you install SMF? If it's some third-party installer, could it be trying to do some kind of update/upgrade regularly?

AD/vh

SMF install I did myself (despite Bluehost having an option to do it - I'm geek enough to DIY) and my own cron jobs are all things like sql backups, nothing that touches the docroot. 

As for why a crack might want to touch Load.php and nothing else, well, it's pretty trivial to insert a fake admin user once you've got write access to Load.php, so there ya go.  :P

Thing is, I know that SMF and some mods "phone home" for news files or to make sure versions are up to date or to enforce copyright placement or whatnot, but I've never heard of anything that would do this...  If it's a known process and there's a good reason for it, fine; but if not, then something very odd is going on and I'm going to need to dig deeper.  I'd just rather not tear apart a kazillion lines of code if it's not warranted.  :)

Norv

I think it's normal behavior... SMF 2.0 uses md5(filemtime()) on Load.php for the cache keys, and may try to clear the cache by touching Load.php, thus changing its modified time.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

AD/vh

Just looked over the code you referenced, and didn't see where it would be touching Load.php... then again, I haven't yet had coffee and I may need new glasses, so.  ;)  But your explanation makes sense, and puts my mind at ease - that was driving me *nuts*.  I'd thought I'd noticed it on 1.x too, but I could easily have gotten confused about that part.  Thanks for letting me know!

Norv

You may want to take a look at clean_cache() in Subs.php. :)

MrPhil

Quote from: Norv on July 12, 2011, 05:34:21 AM
I think it's normal behavior... try to clear the cache by touching Load.php, thus changing its modified time.

That's incredibly stupid behavior. You never change files that normally shouldn't be changed. This is going to give all sorts of false alarms on code checking for hacks and unauthorized changes (or manual checks). The proper thing to do would be to have some sort of "throw-away" marker file just to touch the timestamp on, rather than doing this to a real production file.

Sir Osis of Liver


Does not happen on my 1.1.13 installs, only 2.0.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

AD/vh

Yeeeeeeah, I finally got the chance to look at the code in question, and maybe I'm being unnecessarily clueless here, but *why* are we not simply storing the timestamp value somewhere in the database, again?

ARIY

Whew! Another web site I run was recently hacked, so this gave me quite a scare.  Please consider changing this.

Kolya

I just ran into this and I want to echo what MrPhil said above (minus the aggressive tone).
Please consider changing this behaviour. It sends false alarms to forum owners who watch their files.

Illori

Does look like this has been changed in 2.1... it "touches" Settings.php or the cachedir index.php file.
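
The false alarms discussed in this thread come from watching modification times alone. As an added example (not part of the thread and not SMF code), this Python integrity check compares SHA-256 digests against a baseline and reports a touch-only change separately from a content change; the files it creates are constructed samples in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root to (sha256 hex digest, mtime in ns)."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            name = path.relative_to(root).as_posix()
            state[name] = (digest, path.stat().st_mtime_ns)
    return state


def compare(baseline, current):
    """Classify differences; 'touched' means new mtime, identical content."""
    report = {"added": [], "removed": [], "modified": [], "touched": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        elif baseline[name][0] != current[name][0]:
            report["modified"].append(name)
        elif baseline[name][1] != current[name][1]:
            report["touched"].append(name)
    return report


def demo():
    """Constructed tree: one file is only touched, the other is edited."""
    with tempfile.TemporaryDirectory() as root:
        load, subs = Path(root, "Load.php"), Path(root, "Subs.php")
        load.write_text("<?php // constructed sample\n")
        subs.write_text("<?php // constructed sample\n")
        baseline = snapshot(root)
        # Same effect as a cache clear that touches the file: new mtime only.
        old = load.stat()
        os.utime(load, ns=(old.st_atime_ns, old.st_mtime_ns + 5 * 10**9))
        # A real content change, which is what should raise the alarm.
        subs.write_text("<?php // constructed sample, edited\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server account cannot write, otherwise anyone who can edit the files can also rewrite the baseline.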