Status
Not open for further replies.

Mick

Customer
Loving the new updated version, thank you very much for all your hard work!

However the stats that you enable for admin to see at the bottom of the page need more information in my opinion.

I used to have this modification (see php below) installed, I added the start to it so it would only work for admin.

But this version below had SERVER stats too. See the code block below; this is what it looks like.

Code:
Page Time: 0.86991 seconds      Memory: 39,507 KB      Queries: 31      Templates: 53
Server Uptime: 32 days 2 hours 28 mins      Server Load: 0.39 : 0.44 : 0.67


MicroStats
PHP:
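// Only build the debug footer for administrators (usergroup 6).
if ($vbulletin->userinfo['usergroupid'] == 6)
{
$microdebug = ''; // initialise before appending with .=
$totaltime = microtime(true) - TIMESTART;
$templatecache = vB_Template::$template_usage;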

$microdebug .= '<div class="footer_morecopyright" style="margin-top: 0px">'; 
$microdebug .= 'Page Time: <b>' . vb_number_format($totaltime, 5) . '</b> seconds      '; 
$microdebug .= function_exists('memory_get_usage') ? 'Memory: <b>' . number_format(memory_get_usage() / 1024) . '</b> KB      ' : ''; 
$microdebug .= 'Queries: <b>' . $vbulletin->db->querycount . '</b>      '; 
$microdebug .= 'Templates: <b>' . sizeof($templatecache) . '</b>'; 

if ($vbulletin->userinfo['usergroupid'] == 6) 
{ 
    $templatequeries = vB_Template::$template_queries; 
    $microdebug .= $templatequeries ? ' (<b>' . sizeof($templatequeries) . '</b> uncached)' : ''; 

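    // Quote the command name: a bare uptime is an undefined constant (an Error in PHP 8).
    if ($uptime = @exec('uptime'))
    {
        $microdebug .= '<br />';
        // Collect every number in the uptime output; how many there are depends on how long the server has been up.
        preg_match_all('/([\d\.]+)/',$uptime,$srv);
        $srv = $srv[1];

        if (!empty($srv[10]))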
        { 
            $microdebug .= 'Server Uptime: <b>' . $srv[3] . ' months ' . $srv[4] . ' days ' . $srv[5] . ' hours ' . $srv[6] . ' mins</b>      '; 
            $microdebug .= 'Server Load: <b>' . $srv[8] . '</b> : ' . $srv[9] . ' : ' . $srv[10]; 
        } 
        else if (!empty($srv[9]))
        { 
            $microdebug .= 'Server Uptime: <b>' . $srv[3] . ' days ' . $srv[4] . ' hours ' . $srv[5] . ' mins</b>      '; 
            $microdebug .= 'Server Load: <b>' . $srv[7] . '</b> : ' . $srv[8] . ' : ' . $srv[9]; 
        } 
        else if (!empty($srv[8]))
        { 
            $microdebug .= 'Server Uptime: <b>' . $srv[3] . ' hours ' . $srv[4] . ' mins</b>      '; 
            $microdebug .= 'Server Load: <b>' . $srv[6] . '</b> : ' . $srv[7] . ' : ' . $srv[8]; 
        } 
    } 

    if ($templatequeries) 
    { 
        ksort($templatecache); 
        $microdebug .= '<br /><table cellspacing="0" cellpadding="0" border="0" style="margin-left: auto; margin-right: auto;">'; 

        foreach ($templatecache AS $templatename => $times) 
        { 
            if (!empty($templatequeries[$templatename]))
            { 
                $microdebug .= '<tr><td style="color: red; text-align: left;"><b>' . $templatename . '</b></td><td style="padding-left: 10px;">(' . $times . ')</td></tr>'; 
            } 
        } 

        $microdebug .= '</table>'; 
    } 
} 

$microdebug .= "</div>"; 
$output = str_replace('</body>',$microdebug.'</body>', $output); 
}

Thank you very much for your time as always

Regards
Mick
 
This suggestion has been closed. Votes are no longer accepted.
Having exec (and similar functions) is extremely bad for security - it means that if for whatever reason a malicious individual gains access to your Plugins & Products page, they will essentially be able to control large portions of your server via "php shell" scripts.

Think about it, you're giving someone permission to run any system command they desire via your PHP files.

I cannot recommend strongly enough that you disable the following functions via the disable_functions php.ini directive:
Code:
show_source,system,shell_exec,passthru,exec,popen,proc_open,symlink

Doing so will vastly improve the security of your server, as it will drastically reduce the usefulness of some "php shell" scripts. You will of course lose some benefits like the ability to display server load in the AdminCP, but I feel this is an acceptable trade-off for the security benefits.


This is not applicable to shared servers, as they do not have access to this directive.
 
Wow you learn something new every day, thank you for that!

I have put those in my php.ini like this:

disable_functions = show_source,system,shell_exec,passthru,exec,popen,proc_open,symlink

Is that correct? I can still see the load in my admincp, and I have restarted php-fpm.

Again thank you very much!

Mick
 
I don't know if it matters, but the php.ini generated by WHM (which has an interface for this) produces
Code:
disable_functions = "show_source,system,shell_exec,passthru,exec,popen,proc_open,symlink"
so maybe the quotes matter.

You should also be sure you're editing the correct php.ini file, which you can find in your "View PHP Info" page under Maintenance. You can check disable_functions there too to check the values once you've restarted Apache / php-fpm.
 
Hi Fillip H.,

Strange as I can see it in my admincp when I look at the php info?

I have the right file too...
 

Attachments

  • php-ini.png (29.9 KB)
That is strange indeed... What about the plugin you posted, does that also show server load?

Maybe php-fpm has some other way of retrieving load that doesn't use any of the blocked functions - we ran it for a time but it caused quite a few problems for us so we had to undo it unfortunately :(
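
Added example, not part of the thread and not vBulletin or DragonByte code: a small PHP check for the `disable_functions` list recommended above, reporting which php.ini the running SAPI loaded and whether each listed function is still callable. It also shows that PHP's built-in `sys_getloadavg()` returns the load average without any of the blocked functions; whether the AdminCP uses it is not stated in the thread. It assumes the file is served temporarily through the same php-fpm pool as the forum and deleted afterwards.

```php
<?php
// Added example: verify disable_functions in the SAPI that serves the forum.
// Request it through the web server (php-fpm), not the CLI, because the two
// can load different php.ini files.

// The list recommended in the thread.
$wanted = ['show_source', 'system', 'shell_exec', 'passthru',
           'exec', 'popen', 'proc_open', 'symlink'];

function effective_disabled(): array
{
    // ini_get() returns the value the running process actually uses,
    // including overrides from the php-fpm pool configuration.
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
}

function audit(array $wanted): array
{
    $disabled = effective_disabled();
    $report = [];
    foreach ($wanted as $fn) {
        // Depending on the PHP version, a disabled function may still pass
        // function_exists(), so the ini list is checked as well.
        $report[$fn] = function_exists($fn) && !in_array($fn, $disabled, true);
    }
    return $report; // function name => still callable?
}

header('Content-Type: text/plain');
echo 'SAPI:             ', PHP_SAPI, "\n";
echo 'Loaded php.ini:   ', php_ini_loaded_file() ?: '(none)', "\n";
echo 'Extra .ini files: ', php_ini_scanned_files() ?: '(none)', "\n\n";

foreach (audit($wanted) as $fn => $callable) {
    printf("%-12s %s\n", $fn, $callable ? 'STILL CALLABLE' : 'blocked');
}

// Load average read without exec(), system() or any other blocked function.
if (function_exists('sys_getloadavg') && ($load = sys_getloadavg()) !== false) {
    printf("\nsys_getloadavg(): %.2f : %.2f : %.2f\n", ...$load);
}
```

If every function shows as blocked while a load figure is still printed, the directive is in effect and the load value is coming from a source the list does not cover.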
 