
How to disable ioncube24?

Looke1929



Joined: 10 May 2015
Posts: 1

Posted: Sun May 10, 2015 9:48 pm    Post subject: How to disable ioncube24?

Hello,

I have spotted that installing ioncube loader now forces ioncube24 protection.
I'd love to have protection but I don't like that phoning-home feature, as I don't want your servers to know which scripts I run and I don't want your servers to steal my proprietary code.
How do I disallow ioncube24 calling home? Will simply blocking outgoing connections to ioncube24.com in the firewall work?

Thanks in advance
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2756

Posted: Tue May 12, 2015 9:05 pm

"I'd love to have protection"

And you can, and without any of the concerns that you worry about. I'll explain more about how it works.

First of all though, you are not "forced" to enable ionCube24. It's part of the Loader because that's where the magic happens, but it's entirely optional and does nothing if you don't enable it. To activate you would simply register at ioncube24.com and then add the few ini entries that specify your private key, exclusion key and so on. Remove those, or just set ic24.enable = 0 for now, and once the web server has cycled it'll be disabled. If you never set up an account and configure it, then it's entirely benign.

"I don't like that phoning-home feature, as I don't want your servers to know which scripts I run"

The security part of ionCube 24 is about detecting when malware is about to be executed, blocking it from execution (that's the most important bit and something that vulnerability scanners cannot do for you), and letting you know when this has happened. When an alert has happened a notification is sent via an encrypted SSL connection to our servers, and then based on the alert settings you've chosen, you are notified. This is via email, but we have a prototype Android app running too that interacts with the system, and other options will be available down the line. The ionCube24 front end also has a real time connection to our back end servers, and if you were logged in at the time, you might see an alert via the interface in less than a second of an issue on your server. No contents of files are sent to our servers. You can choose to have no notifications, and you'll still get the benefit of unexpected code being blocked before it can execute and do any harm, but being notified is recommended because you might inadvertently have a good file blocked and you'd want to know about that.

When you perform operations via your ionCube 24 account, requests are made to the control script on your server that you installed. Aside from having a random name, there are checks to ensure that this can only be accessed by our servers. The control script performs operations such as setting the Trustpoint, blocking and unblocking files etc.

A polling mechanism may be added for retrieving notifications periodically rather than having them pushed for sites where outgoing connections are not possible, but ionCube 24 is designed to be highly real time; it's protecting your server from unexpected code no matter how it got there, and making sure you know about it PDQ. Contrast that with a vulnerability scanner that checks your site once a day, will only find vulnerabilities that it knows about, will take files from your server to do this, does nothing to stop the vulnerability being exploited, and cannot tell you if it already has been.

Checking then is performed locally by the Loader in real time. It keeps track of files that it knows about so that it can tell if they have been modified. Based on configuration it knows whether to block or permit new files that it finds, and has optional blocking of uploaded files that trumps any settings that would otherwise allow those files.

So to sum up. If enabled it gives the benefit of blocking any unexpected code. Important notifications are pushed at the end of a request from your server to your ionCube 24 account, and requests are made to your server to interact as necessary. If you choose not to have intrusion protection, that's fine, you can just disable it or never set it up in the first place.

Last, there's more coming for ionCube 24 that might have you begging us on all fours to give it to you now if we told you about it, but the first component is the intrusion protection. Take a look at h-zone.org sometime and you'll see the type of defacements that happen to sites on a continual basis, and what you'll find there is a tiny fraction of what is going on 24/7, much of which is from unrestricted file upload attacks that ionCube 24 deals with. Our mission with the first features of ionCube 24 is to empower users, even those on a basic shared server where they cannot run a standalone agent, with a simple to use but powerful and effective weapon against the types of vulnerabilities in WordPress plugins and countless other code bases that leave users such as yourself open to the mindless attacks that cause upset, distress and havoc to your world.
_________________
Community Admin
hfwui



Joined: 02 May 2010
Posts: 2

Posted: Sun May 17, 2015 8:57 pm    Post subject: and it's gone...

The ic24-random.php file is plaintext and it contains the exclusion_key.

If the website is compromised, malware can read this value and add it to all its own malicious files, making them "Trusted"? No alerts will be seen?
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2756

Posted: Mon May 18, 2015 6:29 pm

If the malware is PHP, ionCube 24 would block the malware that was attempting to read the exclusion key before it could :)

We have been discussing alternatives to the exclusion key for the control script though, as having as few attack vectors as possible is the aim. Encoding the file is of course also a possibility, but we chose to intentionally provide this as non-encoded so that people can scrutinise it if they wish.
_________________
Community Admin
hfwui



Joined: 02 May 2010
Posts: 2

Posted: Mon May 18, 2015 7:13 pm

True. If the attack vector is a NEW PHP script, we are secured.

Not if a vulnerable script allows you to read the contents of other files.

Also, on my server I see most attacks originate from FTP password leaks from clients: files are modified on the desktop side by malware and uploaded via FTP.

It's a matter of time before (if ic24 becomes more popular) malware will check for the ic24-.php file and acquire the Exclusion Key.
Then new uploads will be immune to protection.

An encoded (optional) ic24.php will prevent such sophisticated malware actions.

For now it's not a problem, but in the future it can be.
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2756

Posted: Mon May 18, 2015 8:24 pm

Great points.

hfwui wrote:
True. If the attack vector is a NEW PHP script, we are secured.


Right, and also if a file is modified. Uploaded files that are made permanent by calling move_uploaded_file(), which is the official PHP way for handling uploads, are also blocked by default regardless of other settings unless that feature is disabled.

hfwui wrote:
Not if a vulnerable script allows you to read the contents of other files.


assuming that the attacker can also discover what the random file name is.

hfwui wrote:
Also, on my server I see most attacks originate from FTP password leaks from clients: files are modified on the desktop side by malware and uploaded via FTP.


Interesting. The main issue that the security part of ionCube 24 addresses right now is remote file upload vulnerabilities in web applications themselves, which is a huge issue for websites of all sizes and not something addressed by other solutions. The problem of users leaving the door open by wittingly or otherwise giving out their credentials to others is certainly something that can potentially be addressed though.

hfwui wrote:
It's a matter of time before (if ic24 becomes more popular) malware will check for the ic24-.php file and acquire the Exclusion Key.


Quite right. Removing the exclusion key has been in our Mantis tracker system for a little while already, and either that or a variation to achieve the same ends will happen as part of its evolution. ionCube 24 is also conceived as more than just the malware protection, and other features are on their way that we hope will be useful for a wide spectrum of users.

hfwui wrote:
An encoded (optional) ic24.php will prevent such sophisticated malware actions.


Yes, although the script really needs to be functional without the Loader so that users can be taken through the tutorial process. We could easily provide a specially encoded replacement to drop into place afterwards, but we're all agreed that the best plan is not to use the same exclusion mechanism as may be optionally used for other files.

hfwui wrote:
For now it's not a problem, but in the future it can be.


Right. The system works great already hence making it available now, but we're really keen to have feedback such as yours (with maybe some goodies for early adopters down the line) before ramping up awareness.

Thanks for the comments!
_________________
Community Admin
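
A minimal Python model of the local checks described in this thread (a recorded baseline of known files, a block-or-permit policy for new files, and upload blocking that overrides that policy), added here as an illustration; it is not ionCube's code and not part of any post. The function names, the SHA-256 baseline and the sample files are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def snapshot(root):
    """Baseline of trusted PHP files: relative path -> SHA-256 (assumed scheme)."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256(p) for p in root.rglob("*.php")}

def decide(root, baseline, rel, uploaded=(), allow_new=False, block_uploads=True):
    """Verdict for one file that is about to be executed."""
    if block_uploads and rel in uploaded:
        return ("block", "uploaded")   # overrides a permissive new-file policy
    known = baseline.get(rel)
    if known is None:
        return ("permit", "new") if allow_new else ("block", "new")
    if known != sha256(Path(root) / rel):
        return ("block", "modified")
    return ("permit", "known")

def demo():
    """Constructed docroot: one untouched, one modified, one new, one uploaded file."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "index.php").write_text("<?php echo 'home';")
        (site / "lib.php").write_text("<?php function f() {}")
        baseline = snapshot(site)                  # trusted state recorded here
        (site / "lib.php").write_text("<?php function f() {} /* edited */")
        (site / "new.php").write_text("<?php echo 'new';")
        (site / "avatar.php").write_text("<?php echo 'upload';")
        uploaded = {"avatar.php"}                  # paths that arrived as uploads
        return {
            "index.php": decide(site, baseline, "index.php", uploaded),
            "lib.php": decide(site, baseline, "lib.php", uploaded),
            "new.php (strict)": decide(site, baseline, "new.php", uploaded),
            "new.php (lenient)": decide(site, baseline, "new.php", uploaded, allow_new=True),
            "avatar.php (lenient)": decide(site, baseline, "avatar.php", uploaded, allow_new=True),
        }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The lenient rows show the override: a policy that permits new files still blocks the uploaded one.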
All times are GMT + 1 Hour