X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=libs%2Flib_detector.php;h=1a932ba40a253422b1f4722204704cff098c57cd;hb=7136865ca398b41614a80d57ae397bc1fff63c10;hp=90459c9f184bda2a2a29fedfb91fb78d916ff19e;hpb=0e9fa4215b3b4ae98fa4c1ebe923c0c556a57624;p=ctracker.git
diff --git a/libs/lib_detector.php b/libs/lib_detector.php
index 90459c9..1a932ba 100644
--- a/libs/lib_detector.php
+++ b/libs/lib_detector.php
@@ -4,7 +4,7 @@
  *
  * @author Roland Haeder
  * @version 3.0.0
- * @copyright Copyright (c) 2009 Cracker Tracker Team
+ * @copyright Copyright (c) 2009 - 2017 Cracker Tracker Team
  * @license GNU GPL 3.0 or any newer version
  * @link http://www.shipsimu.org
  *
@@ -37,14 +37,17 @@ function initCrackerTrackerArrays () {
 $GLOBALS['ctracker_base_path'] = dirname(dirname(__FILE__));
 // Whitelist some absolute query strings (see below)
- $GLOBALS['ctracker_whitelist'] = array(
+ $GLOBALS['ctracker_whitelist'] = [
 'cmd=new', // LinPHA
 'cmd=edit', // LinPHA
 'cmd=lostpw', // LinPHA
- );
+ '/css/status_config.php', // MantisBT
+ '/css/common_config.php', // MantisBT
+ '/javascript_config.php', // MantisBT
+ ];
 // Attacks we should detect and block
- $GLOBALS['ctracker_get_blacklist'] = array(
+ $GLOBALS['ctracker_get_blacklist'] = [
 // SQL injections
 'union ', ' union', 'insert ', 'select ', ' like', 'like ', 'drop ', 'update ',
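Review bot: The three MantisBT entries added to `ctracker_whitelist` are script paths, while the comment kept above the array still describes its contents as "absolute query strings", so a reader cannot tell what these entries are compared against; something like `// Whitelist: query strings (and, for MantisBT, script paths) that are never treated as an attack` would say what the list now holds. If the whitelist is consulted as a substring test before the blacklists (the matching code is outside this hunk), every added entry exempts any request that merely contains it, so an exact comparison against the script path would keep the exemption as narrow as the entry suggests. initCrackerTrackerArrays continues outside the hunk.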
@@ -88,15 +91,19 @@ function initCrackerTrackerArrays () { // Compiler/interpreter 'bin/g++ ', 'bin/c++ ', 'cc ', 'bin/python', 'bin/python', 'bin/tclsh', - 'bin/tclsh', 'bin/nasm', '/perl', 'cmd.exe', - 'nc.exe', 'ftp.exe', + 'bin/tclsh', 'bin/nasm', '/perl', + + // Windows-related + 'cmd.exe', 'nc.exe', 'ftp.exe', 'powershell', 'system.net.webclient', // php.ini settings 'allow_url_fopen', 'allow_url_include', 'auto_prepend_file', 'disable_functions', 'safe_mode', + 'open_basedir', 'suhosin', 'cgi.force_redirect', 'cgi.redirect_status_env', // PHP commands/scripts 'fopen', 'fwrite', 'phpinfo()', '\', 'base64_decode', 'file_put_contents', 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + 'call_user_func', // Typical PHP script remote-inclusions and typical include file names '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', @@ -106,7 +113,7 @@ function initCrackerTrackerArrays () { '_phplib', '__callbackparam', // Generic remote inclusion - '=http://', '=https://', + '=http://', '=https://', '=php://', 'path=', 'sql=', '=%7BQUOT%7D', '=%5C', '=%22http','=%22ftp','=%22file','=%27http','=%27ftp', '=%27file', 
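Review bot: The rewritten line `'bin/tclsh', 'bin/nasm', '/perl',` keeps `'bin/tclsh'` even though the unchanged line directly above already ends with `'bin/tclsh'`, and the same array carries `'bin/python', 'bin/python'` and `'set_magic_quotes_runtime', 'set_magic_quotes_runtime'` twice in its context lines; the hunk at @@ -144 then appends a second copy of the whole `set_magic_quotes_runtime`, `.inc.php` and `_phplib` groups that this hunk shows as context in the same `ctracker_get_blacklist` array. Each duplicate is presumably one more pattern test per request with no additional detection (the matching loop is outside the hunk), so I would drop the repeats here and in @@ -144 rather than add to them, e.g. `'bin/nasm', '/perl',` for the changed line. initCrackerTrackerArrays continues outside the hunk.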
@@ -144,14 +151,50 @@ function initCrackerTrackerArrays () { // MySQL internal functions 'name_const', + // Server configuration (e.g. Apache) + 'application/x-httpd-php', 'addtype', 'server-info', 'server-status', + + // Annoying script name + 'vuln.php', + // @TODO Misc/unsorted 'cgi-', '.eml', '$_request', '$_get', '$request', '$get', '.system', '&aim', 'new_password', '&icq', '.conf', 'motd ', 'HTTP/1.', 'window.open', 'img src', 'img src', '.jsp', 'servlet', 'org.apache', - 'wwwacl', 'server-info', 'server-status', '/servlet/con', 'http_', - 'secure_site, ok', 'chunked''', 'base64_decode', 'file_put_contents', + 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + + // Typical PHP script remote-inclusions and typical include file names + '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', + 'php_', 'class_', '_class.php', 'db_mysql.inc', + + // PHP arrays + '_phplib', '__callbackparam', + + // Request header being inserted + 'content-type', + + // /proc/ and other forbidden paths + 'proc/self/environ', + ]; // BLock these words found in User-Agent $GLOBALS['ctracker_ua_blacklist'] = array( @@ -167,6 +210,9 @@ function initCrackerTrackerArrays () { 'fopen', 'fwrite', 'phpinfo()', '\', 'base64_decode', 'file_put_contents', 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + // Server configuration (e.g. Apache) + 'application/x-httpd-php', + // Typical PHP script remote-inclusions and typical include file names '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', 'php_', 'class_', '_class.php', 'db_mysql.inc', 
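Review bot: The two removed lines take `'wwwacl'`, `'/servlet/con'`, `'http_'`, `'secure_site, ok'` and `'chunked'` out of `ctracker_get_blacklist`, while only `'server-info'` and `'server-status'` reappear under the new "Server configuration" heading; as rendered here it is not clear whether the rest were meant to go (the `'chunked'''` fragment looks like extraction damage around the `'\'` entry), so the commit message should state whether those patterns were retired deliberately. The new `// Request header being inserted` and `// /proc/ and other forbidden paths` groups would also benefit from a why-comment naming the kind of request they are meant to catch, since `'content-type'` on its own reads like a header name rather than a query-string pattern. The closing `];` is the array's last line; initCrackerTrackerArrays continues outside the hunk.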
@@ -182,16 +228,27 @@ function initCrackerTrackerArrays () { ); // Block these words found in POST requests - $GLOBALS['ctracker_post_blacklist'] = array( + $GLOBALS['ctracker_post_blacklist'] = [ // This line is for detecting hidden link spam in wikis, forums, guestbooks, etc. ' style=', 'overflow:auto', 'height:1px', 'width:1px', 'display:hidden', 'style.display', - // "Common" login names from VHCS exploiters ;-) + // Windows-related + 'cmd.exe', 'nc.exe', 'ftp.exe', 'powershell', 'system.net.webclient', + + // Server configuration (e.g. Apache) + 'application/x-httpd-php', + + // Annoying script name + 'vuln.php', + + // "Common" login names from VHCS exploiters 'starhack', 'DeLiMehmet', 'hisset', 'Hisset', 'delimert', 'MecTruy' - ); + ]; // Also block these requests (mostly you don't want CONNECT to some SMTP sites) - $GLOBALS['ctracker_blocked_requests'] = array('CONNECT' => TRUE); + $GLOBALS['ctracker_blocked_methods'] = [ + 'CONNECT' => TRUE, + ]; // Init more elements $GLOBALS['ctracker_post_track'] = ''; @@ -216,7 +273,7 @@ function isCrackerTrackerWormDetected () { ) || ( $GLOBALS['ctracker_checked_ua'] != crackerTrackerUserAgent(TRUE) ) || ( - isset($GLOBALS['ctracker_blocked_requests'][crackerTrackerRequestMethod()]) + isset($GLOBALS['ctracker_blocked_methods'][crackerTrackerRequestMethod()]) ) ); //* DEBUG-DIE: */ die('isWorm='.intval($isWorm).PHP_EOL.'get='.PHP_EOL.'"'.$GLOBALS['ctracker_checked_get'].'"'.PHP_EOL.'"'.crackerTrackerQueryString().'"'.PHP_EOL.'ua='.PHP_EOL.'"'.$GLOBALS['ctracker_checked_ua'].'"'.PHP_EOL.'"'.crackerTrackerUserAgent().'"'.PHP_EOL); @@ -251,6 +308,7 @@ Request-string : ' . crackerTrackerQueryString() . ' Filtered string : ' . $GLOBALS['ctracker_checked_get'] . ' Server : ' . crackerTrackerServerName() . ' Script : ' . crackerTrackerScriptName() . ' +Method : ' . crackerTrackerRequestMethod() . ' Referrer : ' . crackerTrackerReferer() . ' ----------------------------------------------------- '; 
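Review bot: Adding `'powershell'`, `'cmd.exe'`, `'ftp.exe'`, `'application/x-httpd-php'` and `'vuln.php'` to `ctracker_post_blacklist` turns ordinary words into block triggers for the very forum, wiki and guestbook submissions the array's own comment says it inspects; a post that merely mentions PowerShell or a Windows batch file would be logged as an attack, so these tokens fit the GET and User-Agent lists (where this commit already adds most of them) better than the POST list, unless the POST check has a narrower rule than substring matching, which is outside the hunk. Separately, renaming `ctracker_blocked_requests` to `ctracker_blocked_methods` is mirrored in isCrackerTrackerWormDetected, but any other reader or deployment override that still uses the old key would now silently block nothing; if such callers may exist, keep the old name as an alias, `$GLOBALS['ctracker_blocked_requests'] = &$GLOBALS['ctracker_blocked_methods'];`. initCrackerTrackerArrays continues outside the hunk.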
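Review bot: The updated check `isset($GLOBALS['ctracker_blocked_methods'][crackerTrackerRequestMethod()])` is an exact, case-sensitive key lookup against `'CONNECT'`; if crackerTrackerRequestMethod() (defined outside this hunk) returns the method as the server reported it, normalising first, `isset($GLOBALS['ctracker_blocked_methods'][strtoupper(crackerTrackerRequestMethod())])`, makes the block depend only on the method itself rather than on its spelling. isCrackerTrackerWormDetected starts before the hunk.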
@@ -280,12 +338,13 @@ function sendCrackerTrackerTicketMails () { // Sends a mail out function crackerTrackerSendMail ($mail, $recipient = NULL, $subject = NULL) { // Construct dummy array - $rowData = array( - 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), - 'proxy_addr' => getenv('REMOTE_ADDR'), - 'check_get' => $GLOBALS['ctracker_checked_get'], - 'server_name' => crackerTrackerServerName() - ); + $rowData = [ + 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), + 'proxy_addr' => getenv('REMOTE_ADDR'), + 'check_get' => $GLOBALS['ctracker_checked_get'], + 'server_name' => crackerTrackerServerName(), + 'request_method' => crackerTrackerRequestMethod(), + ]; // Only send email if not yet found if (!isCrackerTrackerEntryFound($rowData)) { @@ -329,6 +388,7 @@ Request-string : ' . crackerTrackerQueryString() . ' Filtered string : ' . $GLOBALS['ctracker_checked_get'] . ' Server : ' . crackerTrackerServerName() . ' Script : ' . crackerTrackerScriptName() . ' +Method : ' . crackerTrackerRequestMethod() . ' Referrer : ' . crackerTrackerReferer() . ' ----------------------------------------------------- POST string : ' . $GLOBALS['ctracker_post_track'] . ' @@ -381,7 +441,7 @@ function crackerTrackerLogAttack () { } // END - if // Prepare array for database insert - $rowData = array( + $rowData = [ 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), 'proxy_addr' => getenv('REMOTE_ADDR'), 'user_agent' => crackerTrackerUserAgent(), @@ -396,7 +456,7 @@ function crackerTrackerLogAttack () { 'request_method' => crackerTrackerRequestMethod(), 'proxy_used' => $proxyUsed, 'first_attempt' => 'NOW()' - ); + ]; // Insert the array in database crackerTrackerInsertArray('ctracker_data', $rowData);
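Review bot: `request_method` is now part of the `$rowData` that `isCrackerTrackerEntryFound()` receives, and if that lookup (outside this hunk) treats every key as a match condition, the same remote address and filtered query string will be reported once per HTTP method instead of once, so the dedup-before-mail behaviour changes silently; either document that this is intended or keep the lookup array to the previous four keys and add the method only to the mail body. The comment `// Construct dummy array` also undersells what the array is for; `// Key fields used to check whether this attack was already recorded before mailing` says what the next line relies on. crackerTrackerSendMail continues outside the hunk.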