}
// Whitelist some absolute query strings (see below)
- $GLOBALS['whitelist'] = array(
+ $GLOBALS['ctracker_whitelist'] = array(
'cmd=new', // LinPHA
'cmd=edit', // LinPHA
'cmd=lostpw' // LinPHA
);
// Attacks we should detect and blok
- $GLOBALS['wormprotector'] = array(
+ $GLOBALS['ctracker_wormprotector'] = array(
'chr(', 'chr=', 'chr%20', '%20chr', 'wget%20', '%20wget', 'wget(',
'cmd=', '%20cmd', 'cmd%20', 'rush=', '%20rush', 'rush%20',
'union%20', '%20union', 'union(', 'union=', 'echr(', '%20echr', 'echr%20', 'echr=',
'select from', 'drop%20', '.system', 'getenv', 'http_', '_php', 'php_', 'phpinfo()', '\<?php', '?\>', 'sql=',
'div style=', 'overflow: auto', 'height: 1px', 'cc%20', 'admin_action=', 'path=', 'action=http',
'page=http', 'module=http', 'op=http', 'id=http', 'id%3Dhttp', 'action%3Dhttp', 'page%3Dhttp',
- 'module%3Dhttp', 'op%3Dhttp', 'starhack', '../../', 'directory=http', 'dir=http', 'busca', 'uol.com'
+ 'module%3Dhttp', 'op%3Dhttp', 'starhack', '../../', 'directory=http', 'dir=http', 'busca', 'uol.com',
+ '=http://', '=https://','=ftp://'
);
// Block these words found in POST requests
- $GLOBALS['post_blacklist'] = array(
+ $GLOBALS['ctracker_post_blacklist'] = array(
// These two lines are for detecting hidden link spam in wikis, forums, guestbooks, etc.
'div style=', 'overflow:auto', 'height:1px', 'width:1px', 'display:hidden',
'overflow: auto', 'height: 1px', 'display: hidden',
// Checks for worms
function isCrackerTrackerWormDetected () {
// Check against the whole list
- $GLOBALS['checkworm'] = str_replace($GLOBALS['wormprotector'], '*', $_SERVER['QUERY_STRING']);
+ $GLOBALS['ctracker_checkworm'] = str_replace($GLOBALS['ctracker_wormprotector'], '*', $_SERVER['QUERY_STRING']);
// If it differs to original and the *whole* request string is not in whitelist
// then blog the attempt
- return ($GLOBALS['checkworm'] != $_SERVER['QUERY_STRING'] && (!in_array($_SERVER['QUERY_STRING'], $GLOBALS['whitelist'])));
+ return ($GLOBALS['ctracker_checkworm'] != $_SERVER['QUERY_STRING'] && (!in_array($_SERVER['QUERY_STRING'], $GLOBALS['ctracker_whitelist'])));
}
// Checks POST data
function isCrackerTrackerPostAttackDetected () {
// Implode recursive the whole $_POST array
- $GLOBALS['post_track'] = implode_r('', $_POST);
+ $GLOBALS['ctracker_post_track'] = implode_r('', $_POST);
// Check for suspicious POST data
- $GLOBALS['check_post'] = str_replace($GLOBALS['post_blacklist'], '*', $GLOBALS['post_track']);
+ $GLOBALS['ctracker_check_post'] = str_replace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']);
// Is it detected?
- return ((isCrackerTrackerWormDetected()) || ($GLOBALS['check_post'] != $GLOBALS['post_track']));
+ return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_check_post'] != $GLOBALS['ctracker_post_track']));
}
// Prepares a mail and send it out
// Mail content
$mail = "Attack detected:
-----------------------------------------------------
-Remote-IP: ".$_SERVER['REMOTE_ADDR']."
-User-Agent: ".$_SERVER['HTTP_USER_AGENT']."
-Request-string: ".$_SERVER['QUERY_STRING']."
-Filtered string: ".$GLOBALS['checkworm']."
-Server: ".$_SERVER['SERVER_NAME']."
-Script: ".$_SERVER['SCRIPT_NAME']."
-Referrer: ".$_SERVER['HTTP_REFERRER']."
+Remote-IP : ".determineCrackerTrackerRealRemoteAddress()."
+User-Agent : ".$_SERVER['HTTP_USER_AGENT']."
+Request-string : ".$_SERVER['QUERY_STRING']."
+Filtered string : ".$GLOBALS['ctracker_checkworm']."
+Server : ".$_SERVER['SERVER_NAME']."
+Script : ".$_SERVER['SCRIPT_NAME']."
+Referrer : ".$_SERVER['HTTP_REFERRER']."
-----------------------------------------------------
";
function crackerTrackerSendMail ($mail) {
// Construct dummy array
$rowData = array(
- 'remote_addr' => $_SERVER['REMOTE_ADDR'],
- 'check_worm' => $GLOBALS['checkworm']
+ 'remote_addr' => determineCrackerTrackerRealRemoteAddress(),
+ 'check_worm' => $GLOBALS['ctracker_checkworm'],
+ 'server_name' => $_SERVER['SERVER_NAME']
);
// Only send email if not yet found
// All fine
return true;
- } else {
+ } elseif (isset($GLOBALS['ctracker_email'])) {
// Send it
- return mail(constant('__CTRACKER_EMAIL'), 'CTracker: Attack detected!', $mail, 'From: ctracker@mxchange.org');
+ return mail($GLOBALS['ctracker_email'], 'CTracker: Attack detected!', $mail, $GLOBALS['ctracker_header']);
+ } else {
+ // Send it the deprecated way with constant
+ return mail(constant('__CTRACKER_EMAIL'), 'CTracker: Attack detected!', $mail, $GLOBALS['ctracker_header']);
}
} // END - if
}
// Mail text
$mail = "POST-Attack detected:
-----------------------------------------------------
-Remote-IP: ".$_SERVER['REMOTE_ADDR']."
-User-Agent: ".$_SERVER['HTTP_USER_AGENT']."
-POST string: ".$GLOBALS['post_track']."
-Filtered worm string: ".$GLOBALS['checkworm']."
-Filtered POST string: ".$GLOBALS['check_post']."
-Server: ".$_SERVER['SERVER_NAME']."
-Script: ".$_SERVER['SCRIPT_NAME']."
+Remote-IP : ".determineCrackerTrackerRealRemoteAddress()."
+User-Agent : ".$_SERVER['HTTP_USER_AGENT']."
+Request-string : ".$_SERVER['QUERY_STRING']."
+Filtered string : ".$GLOBALS['ctracker_checkworm']."
+Server : ".$_SERVER['SERVER_NAME']."
+Script : ".$_SERVER['SCRIPT_NAME']."
+Referrer : ".$_SERVER['HTTP_REFERRER']."
+-----------------------------------------------------
+POST string : ".$GLOBALS['ctracker_post_track']."
+Filtered POST string : ".$GLOBALS['ctracker_check_post']."
-----------------------------------------------------
";
// Aquire database link
aquireCrackerTrackerDatabaseLink();
+ // By default no proxy is used
+ $proxyUsed = 'N';
+
+ // Did the attacker use a proxy?
+ if (isCrackerTrackerProxyUsed()) {
+ // Set it
+ $proxyUsed = 'Y';
+ } // END - if
// Prepare array for database insert
$rowData = array(
- 'remote_addr' => $_SERVER['REMOTE_ADDR'],
- 'user_agent' => $_SERVER['HTTP_USER_AGENT'],
- 'post_data' => $GLOBALS['post_track'],
- 'check_worm' => $GLOBALS['checkworm'],
- 'check_post' => $GLOBALS['check_post'],
- 'server_name' => $_SERVER['SERVER_NAME'],
- 'script_name' => $_SERVER['SCRIPT_NAME'],
- 'referer' => $_SERVER['HTTP_REFERER']
+ 'remote_addr' => determineCrackerTrackerRealRemoteAddress(),
+ 'user_agent' => $_SERVER['HTTP_USER_AGENT'],
+ 'get_data' => $_SERVER['QUERY_STRING'],
+ 'post_data' => $GLOBALS['ctracker_post_track'],
+ 'check_worm' => $GLOBALS['ctracker_checkworm'],
+ 'check_post' => $GLOBALS['ctracker_check_post'],
+ 'server_name' => $_SERVER['SERVER_NAME'],
+ 'script_name' => $_SERVER['SCRIPT_NAME'],
+ 'referer' => $_SERVER['HTTP_REFERER'],
+ 'proxy_used' => $proxyUsed
);
// Insert the array in database