Can I modify the "Crypt salt special code"?

I don't like the current Crypt salt special code, so I want to modify it. Should I log in directly to the database to modify it? How should the new Crypt salt special code be generated?
 
If you modify the salt, all the old content URLs will stop working. The salt controls how the public ids are encoded; it is just the token used so that different installs don't have the same encoded ids.

The salt is not intended to be customizable.
 
Is there a way to reinstall chevereto without losing the website data to modify the Crypt salt special code?
 
I don't understand why you have the urge to change this value. I will just describe how it works and I hope that it helps you to achieve what you are trying to do.

The crypt salt is designed to convert int values like 12345 into KfN or LmnI, or K4w, hfN4df, etc. It is used internally to encode/decode the public ID values by providing a random+unique factor. The salt is designed to provide unique public ids for your installation, which makes it significantly harder to attempt cheap attacks on content enumeration.

For the system itself, a change in the salt won't break anything. This is because the salt applies globally, the system is not affected by its change. However, any external link on public IDs (images/<id>, album/<id>) will stop working, because these links are reflecting IDs generated with another salt.

If you don't care about the external links then go ahead and change it. Assuming your DB table prefix is "chv_", the value to change in your database is at chv_settings.crypt_salt
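The effect described in the post above, as an added example that is not part of the original post and is not Chevereto's own code: a salt-keyed alphabet turns integer IDs into short public IDs, and a link made under one salt no longer decodes to the same ID under another. The scheme (HMAC-sorted base-62 alphabet), the function names and the salt values are assumptions made for illustration.

```python
import hashlib
import hmac

BASE_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def salted_alphabet(salt):
    """Permute the alphabet by sorting its characters on HMAC-SHA256(salt, char)."""
    key = salt.encode()
    return "".join(sorted(
        BASE_ALPHABET,
        key=lambda c: hmac.new(key, c.encode(), hashlib.sha256).digest()))

def encode_id(number, salt):
    """Write a non-negative integer in base 62 using the salted alphabet."""
    if number < 0:
        raise ValueError("IDs are non-negative")
    alphabet = salted_alphabet(salt)
    digits = []
    while True:
        number, rem = divmod(number, len(alphabet))
        digits.append(alphabet[rem])
        if number == 0:
            break
    return "".join(reversed(digits))

def decode_id(public_id, salt):
    """Inverse of encode_id; rejects characters outside the alphabet."""
    alphabet = salted_alphabet(salt)
    number = 0
    for ch in public_id:
        pos = alphabet.find(ch)
        if pos < 0:
            raise ValueError("character not in alphabet: %r" % ch)
        number = number * len(alphabet) + pos
    return number

def link_survives_salt_change(number, old_salt, new_salt):
    """True if a public ID issued under old_salt still resolves under new_salt."""
    old_link = encode_id(number, old_salt)
    return decode_id(old_link, new_salt) == number

if __name__ == "__main__":
    # Constructed salts; a real install keeps its own value in chv_settings.crypt_salt.
    for salt in ("install-A", "install-B"):
        print(salt, encode_id(12345, salt))
    print("old link valid after change:",
          link_survives_salt_change(12345, "install-A", "install-B"))
```

The salt only selects the ID mapping, so knowing or changing it has no bearing on passwords or sessions.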
 
Because the virtual host directory where I stored the Chevereto program may be implanted with backdoor code, etc., I am afraid, so I want to modify the features of the currently installed Chevereto program, such as the Crypt salt, and download and install the Chevereto program again. I think I'm particularly scared. Can you give me some suggestions? Also I don't want to clean and remove the backdoor code without losing the current data.
 
I'm afraid that altering the crypt_salt won't make your installation safer. This is because the crypt_salt is used only for ids, everything else uses time based ciphers so passwords can't be cracked by knowing the crypt_salt.

If you are concerned about the system integrity, I suggest you do a code compare of the entire folder. Simply compare yours with the stock installation using software like Beyond Compare (there are many more).

As for the DB, check that there aren't unwanted admin users in the chv_users table. You should also remove all cookie logins at chv_logins.

There are a dozen more measures that you can take, but at this time I recommend that you analyze your website backup locally and proceed from there.
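The folder comparison suggested in the post above, as an added example that is not part of the original post: hash every file in the live install and in a freshly unpacked stock release of the same version, then list files that are unknown, modified or missing. The function names, the sample file names and the skipped `images` upload folder are assumptions; the demo trees are constructed.

```python
import hashlib
import os
import tempfile

def hash_tree(root, skip=()):
    """Map each relative path under root to a SHA-256 digest (symlinks to their target)."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel == s or rel.startswith(s + "/") for s in skip):
                continue
            if os.path.islink(full):
                digests[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                with open(full, "rb") as fh:
                    digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_install(live_root, stock_root, skip=()):
    """Report paths that are unknown, modified or missing relative to the stock tree."""
    live, stock = hash_tree(live_root, skip), hash_tree(stock_root, skip)
    return {
        "unknown": sorted(live.keys() - stock.keys()),
        "modified": sorted(p for p in live.keys() & stock.keys() if live[p] != stock[p]),
        "missing": sorted(stock.keys() - live.keys()),
    }

def demo():
    """Build two small constructed trees and compare them."""
    stock_files = {"index.php": "<?php // stock", "app/loader.php": "<?php // loader",
                   "lib/util.php": "<?php // util"}
    live_files = {
        "index.php": "<?php // stock",
        "app/loader.php": "<?php // loader /* altered */",  # changed core file
        "app/cache_x.php": "<?php // not in the release",   # unknown file
        "images/2020/photo.jpg": "uploaded content",        # skipped: user uploads
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in (("stock", stock_files), ("live", live_files)):
            for rel, body in files.items():
                path = os.path.join(tmp, tree, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(body)
        return compare_install(os.path.join(tmp, "live"), os.path.join(tmp, "stock"),
                               skip=("images",))

if __name__ == "__main__":
    print(demo())
```

Run it against a local copy of the backup rather than the live host, and review every "unknown" and "modified" entry by hand, since configuration files created at install time will also show up there.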
 
OK, I will do it.

There were many unknown files in the directory where Chevereto was stored, and they were in key directories, such as /app. I use the Plesk web hosting management panel. It keeps reminding me that installing Chevereto's website is risky. I worry about important data files being hacked.
 
I don't think you need to worry about the Chevereto software.
Plesk itself does not tell them about the possible security risk, rather it will be an extension of Plesk, something like Watchdog or something similar.
The programs are also written by only one person and cannot possibly take all eventualities into consideration.
I myself have 2 Plesk servers and none of them give me any message about Chevereto.

So relax a little and keep calm ;)
 
Can you elaborate on that? Is Plesk telling you that the system is insecure?
No, Chevereto is safe.

I may have leaked my server password before. Later, the Plesk panel prompts that there is server malware under the website where the Chevereto program is installed. It marks these files indicating malware as SRV. "SRV — Server malware is usually the backdoor of a hacker or the backdoor of a website. Tools, malicious injection in files, spammers, portals, and hacking tools. It is usually located in a file written in php, pl, or python."

After that, I cleared these files marked as SRV by the Plesk security program. After that, I scanned and installed the website of Chevereto again to prompt security. The name of the security program of Plesk was "ImunifyAV", a kind of intelligent anti-virus and security monitoring tool for websites, with one-click automatic malware cleanup, domain reputation monitoring, and blacklist status checking.

But after this I still feel insecure, I just want to modify the Chevereto characteristic Crypt salt, etc., and reinstall to achieve security.

Until you tell me to check the database for unnecessary users and clear the records in the table chv_logins. I followed this operation, and now I also changed the server database and other passwords. But I still have a lot of fear, and I'm afraid of bad people invading.
 