X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=libs%2Flib_detector.php;h=1a932ba40a253422b1f4722204704cff098c57cd;hb=7136865ca398b41614a80d57ae397bc1fff63c10;hp=976ac546e72247538d66199cbd2904e613c34291;hpb=a44fb4bebb215b795183870b065b87a3788b7b16;p=ctracker.git diff --git a/libs/lib_detector.php b/libs/lib_detector.php index 976ac54..1a932ba 100644 --- a/libs/lib_detector.php +++ b/libs/lib_detector.php @@ -4,7 +4,7 @@ * * @author Roland Haeder * @version 3.0.0 - * @copyright Copyright (c) 2009 Cracker Tracker Team + * @copyright Copyright (c) 2009 - 2017 Cracker Tracker Team * @license GNU GPL 3.0 or any newer version * @link http://www.shipsimu.org * @@ -37,22 +37,24 @@ function initCrackerTrackerArrays () { $GLOBALS['ctracker_base_path'] = dirname(dirname(__FILE__)); // Whitelist some absolute query strings (see below) - $GLOBALS['ctracker_whitelist'] = array( - 'cmd=new', // LinPHA - 'cmd=edit', // LinPHA - 'cmd=lostpw', // LinPHA - 'secure_session=1', // Mantis Bug Tracker - ); + $GLOBALS['ctracker_whitelist'] = [ + 'cmd=new', // LinPHA + 'cmd=edit', // LinPHA + 'cmd=lostpw', // LinPHA + '/css/status_config.php', // MantisBT + '/css/common_config.php', // MantisBT + '/javascript_config.php', // MantisBT + ]; // Attacks we should detect and block - $GLOBALS['ctracker_get_blacklist'] = array( + $GLOBALS['ctracker_get_blacklist'] = [ // SQL injections 'union ', ' union', 'insert ', 'select ', ' like', 'like ', 'drop ', 'update ', 'union(', 'union=', // $GLOBAL/$_SERVER array elements - 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION','CFG_ROOT', + 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION', 'CFG_ROOT', 'DOCUMENT_ROOT', '_SERVER', // Sensitive files @@ -63,8 +65,8 @@ function initCrackerTrackerArrays () { // Other Linux/FreeBSD/??? programs (sometimes with space) 'traceroute ', 'ping ', 'bin/xterm', 'bin/./xterm', 'lsof ', - 'telnet ', 'wget ', 'bin/id', 'uname\x20', 'uname ', 'killall', - 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ', + 'telnet ', 'wget ', 'bin/perl', 'bin/id', 'uname\x20', 'uname ', + 'killall', 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ', 'rmdir ', 'mcd ', 'mrd ', 'rm ', ' mcd', ' mrd', ' rm', 'passwd ', ' passwd', 'mdir ', ' mdir', 'cp ', ' cp', 'esystem ', 'chr ', ' chr', 'wget ', ' wget', ' cmd', @@ -74,7 +76,7 @@ function initCrackerTrackerArrays () { // Other Linux programs (+ brace) 'locate(', 'grep(', 'kill(', 'mcd(', 'mrd(', 'rm(', 'mv(', 'rmdir(', 'chmod(', 'chmod(', 'chown(', 'chgrp(', 'passwd(', 'vi(', 'cp(', - 'mdir(', 'esystem(', 'chr(', 'wget(', 'rush(', 'echr(', + 'mdir(', 'system(', 'chr(', 'wget(', 'rush(', 'echr(', // Other Linux programs (+ equal) 'mcd=', 'mrd=', 'chmod=', 'chr=', 'rush=', 'echr=', @@ -88,26 +90,30 @@ function initCrackerTrackerArrays () { '/chgrp', '/chown', '/chmod', 'chown ', 'chmod ', 'chgrp ', // Compiler/interpreter - 'g++ ', 'c++ ', 'cc ', 'bin/./python', 'bin/python', 'bin/tclsh', - 'bin/./tclsh', 'bin/nasm', 'bin/./nasm', '/perl', 'perl ', 'cmd.exe', - 'nc.exe', 'ftp.exe', + 'bin/g++ ', 'bin/c++ ', 'cc ', 'bin/python', 'bin/python', 'bin/tclsh', + 'bin/tclsh', 'bin/nasm', '/perl', + + // Windows-related + 'cmd.exe', 'nc.exe', 'ftp.exe', 'powershell', 'system.net.webclient', // php.ini settings 'allow_url_fopen', 'allow_url_include', 'auto_prepend_file', 'disable_functions', 'safe_mode', + 'open_basedir', 'suhosin', 'cgi.force_redirect', 'cgi.redirect_status_env', // PHP commands/scripts 'fopen', 'fwrite', 'phpinfo()', '\', 'base64_decode', 'file_put_contents', 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + 'call_user_func', // Typical PHP script remote-inclusions and typical include file names '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', 'php_', 'class_', '_class.php', 'db_mysql.inc', // PHP arrays - '_PHPLIB', + '_phplib', '__callbackparam', // Generic remote inclusion - '=http://', '=https://', + '=http://', '=https://', '=php://', 'path=', 'sql=', '=%7BQUOT%7D', '=%5C', '=%22http','=%22ftp','=%22file','=%27http','=%27ftp', '=%27file', @@ -136,57 +142,156 @@ function initCrackerTrackerArrays () { // Attempts to insert links into a badly secured URL '%3E%3C', + // Request header being inserted + 'content-type', + // /proc/ and other forbidden paths 'proc/self/environ', // MySQL internal functions 'name_const', + // Server configuration (e.g. Apache) + 'application/x-httpd-php', 'addtype', 'server-info', 'server-status', + + // Annoying script name + 'vuln.php', + // @TODO Misc/unsorted 'cgi-', '.eml', '$_request', '$_get', '$request', '$get', '.system', '&aim', 'new_password', '&icq', '.conf', 'motd ', 'HTTP/1.', - 'window.open', 'img src', 'img src', '.jsp', 'servlet', - 'wwwacl', '.js', '.jsp', 'server-info', 'server-status', - 'secure_site, ok', 'chunked', 'org.apache', '/servlet/con', - '', 'base64_decode', 'file_put_contents', + 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + + // Typical PHP script remote-inclusions and typical include file names + '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', + 'php_', 'class_', '_class.php', 'db_mysql.inc', + + // PHP arrays + '_phplib', '__callbackparam', + + // Request header being inserted + 'content-type', + + // /proc/ and other forbidden paths + 'proc/self/environ', + ]; + + // BLock these words found in User-Agent + $GLOBALS['ctracker_ua_blacklist'] = array( + // Compiler/interpreter + 'bin/g++ ', 'bin/c++ ', 'cc ', 'bin/python', 'bin/python', 'bin/tclsh', + 'bin/tclsh', 'bin/nasm', '/perl', 'cmd.exe', + 'nc.exe', 'ftp.exe', 'wget ', 'system(', 'curl ', + + // php.ini settings + 'allow_url_fopen', 'allow_url_include', 'auto_prepend_file', 'disable_functions', 'safe_mode', + + // PHP commands/scripts + 'fopen', 'fwrite', 'phpinfo()', '\', 'base64_decode', 'file_put_contents', + 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + + // Server configuration (e.g. Apache) + 'application/x-httpd-php', + + // Typical PHP script remote-inclusions and typical include file names + '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', + 'php_', 'class_', '_class.php', 'db_mysql.inc', + + // PHP arrays + '_phplib', '__callbackparam', + + // Request header being inserted + 'content-type', + + // /proc/ and other forbidden paths + 'proc/self/environ', ); // Block these words found in POST requests - $GLOBALS['ctracker_post_blacklist'] = array( + $GLOBALS['ctracker_post_blacklist'] = [ // This line is for detecting hidden link spam in wikis, forums, guestbooks, etc. ' style=', 'overflow:auto', 'height:1px', 'width:1px', 'display:hidden', 'style.display', - // "Common" login names from VHCS exploiters ;-) + // Windows-related + 'cmd.exe', 'nc.exe', 'ftp.exe', 'powershell', 'system.net.webclient', + + // Server configuration (e.g. Apache) + 'application/x-httpd-php', + + // Annoying script name + 'vuln.php', + + // "Common" login names from VHCS exploiters 'starhack', 'DeLiMehmet', 'hisset', 'Hisset', 'delimert', 'MecTruy' - ); + ]; + + // Also block these requests (mostly you don't want CONNECT to some SMTP sites) + $GLOBALS['ctracker_blocked_methods'] = [ + 'CONNECT' => TRUE, + ]; // Init more elements - $GLOBALS['ctracker_post_track'] = ''; - $GLOBALS['ctracker_checkworm'] = ''; - $GLOBALS['ctracker_check_post'] = ''; + $GLOBALS['ctracker_post_track'] = ''; + $GLOBALS['ctracker_checked_get'] = ''; + $GLOBALS['ctracker_checked_post'] = ''; + $GLOBALS['ctracker_checked_ua'] = ''; } // Checks for worms function isCrackerTrackerWormDetected () { // Check against the whole list - $GLOBALS['ctracker_checkworm'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString())); + $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString(TRUE))); + $GLOBALS['ctracker_checked_ua'] = urldecode(str_ireplace($GLOBALS['ctracker_ua_blacklist'], '*', crackerTrackerUserAgent(TRUE))); + + /* + * If it differs to original and the *whole* request string is not in + * whitelist then blog the attempt. + */ + $isWorm = ( + ( + $GLOBALS['ctracker_checked_get'] != crackerTrackerQueryString(TRUE) && (!in_array(crackerTrackerQueryString(TRUE), $GLOBALS['ctracker_whitelist'])) + ) || ( + $GLOBALS['ctracker_checked_ua'] != crackerTrackerUserAgent(TRUE) + ) || ( + isset($GLOBALS['ctracker_blocked_methods'][crackerTrackerRequestMethod()]) + ) + ); + //* DEBUG-DIE: */ die('isWorm='.intval($isWorm).PHP_EOL.'get='.PHP_EOL.'"'.$GLOBALS['ctracker_checked_get'].'"'.PHP_EOL.'"'.crackerTrackerQueryString().'"'.PHP_EOL.'ua='.PHP_EOL.'"'.$GLOBALS['ctracker_checked_ua'].'"'.PHP_EOL.'"'.crackerTrackerUserAgent().'"'.PHP_EOL); - // If it differs to original and the *whole* request string is not in whitelist - // then blog the attempt - return ($GLOBALS['ctracker_checkworm'] != crackerTrackerQueryString() && (!in_array(crackerTrackerQueryString(), $GLOBALS['ctracker_whitelist']))); + // Return it + return $isWorm; } // Checks POST data function isCrackerTrackerPostAttackDetected () { // Implode recursive the whole $_POST array - $GLOBALS['ctracker_post_track'] = urldecode(implode_r('', $_POST)); + $GLOBALS['ctracker_post_track'] = urldecode(implode_r('&', $_POST)); // Check for suspicious POST data - $GLOBALS['ctracker_check_post'] = str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']); + $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', crackerTrackerSanitize($GLOBALS['ctracker_post_track']))); // Is it detected? - return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_check_post'] != $GLOBALS['ctracker_post_track'])); + return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != crackerTrackerSanitize($GLOBALS['ctracker_post_track']))); } // Prepares a mail and send it out @@ -200,9 +305,10 @@ function sendCrackerTrackerMail () { Remote-IP : ' . determineCrackerTrackerRealRemoteAddress() . ' User-Agent : ' . crackerTrackerUserAgent() . ' Request-string : ' . crackerTrackerQueryString() . ' -Filtered string : ' . $GLOBALS['ctracker_checkworm'] . ' +Filtered string : ' . $GLOBALS['ctracker_checked_get'] . ' Server : ' . crackerTrackerServerName() . ' Script : ' . crackerTrackerScriptName() . ' +Method : ' . crackerTrackerRequestMethod() . ' Referrer : ' . crackerTrackerReferer() . ' ----------------------------------------------------- '; @@ -232,12 +338,13 @@ function sendCrackerTrackerTicketMails () { // Sends a mail out function crackerTrackerSendMail ($mail, $recipient = NULL, $subject = NULL) { // Construct dummy array - $rowData = array( - 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), - 'proxy_addr' => getenv('REMOTE_ADDR'), - 'check_worm' => $GLOBALS['ctracker_checkworm'], - 'server_name' => crackerTrackerServerName() - ); + $rowData = [ + 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), + 'proxy_addr' => getenv('REMOTE_ADDR'), + 'check_get' => $GLOBALS['ctracker_checked_get'], + 'server_name' => crackerTrackerServerName(), + 'request_method' => crackerTrackerRequestMethod(), + ]; // Only send email if not yet found if (!isCrackerTrackerEntryFound($rowData)) { @@ -275,16 +382,17 @@ function sendCrackerTrackerPostMail () { // Mail text $mail = 'POST-Attack detected: ----------------------------------------------------- -Remote-IP : '.determineCrackerTrackerRealRemoteAddress().' -User-Agent : '.crackerTrackerUserAgent().' -Request-string : '.crackerTrackerQueryString().' -Filtered string : '.$GLOBALS['ctracker_checkworm'].' -Server : '.crackerTrackerServerName().' -Script : '.crackerTrackerScriptName().' -Referrer : '.crackerTrackerReferer().' +Remote-IP : ' . determineCrackerTrackerRealRemoteAddress() . ' +User-Agent : ' . crackerTrackerUserAgent() . ' +Request-string : ' . crackerTrackerQueryString() . ' +Filtered string : ' . $GLOBALS['ctracker_checked_get'] . ' +Server : ' . crackerTrackerServerName() . ' +Script : ' . crackerTrackerScriptName() . ' +Method : ' . crackerTrackerRequestMethod() . ' +Referrer : ' . crackerTrackerReferer() . ' ----------------------------------------------------- -POST string : '.$GLOBALS['ctracker_post_track'].' -Filtered POST string : '.$GLOBALS['ctracker_check_post'].' +POST string : ' . $GLOBALS['ctracker_post_track'] . ' +Filtered POST string : ' . $GLOBALS['ctracker_checked_post'] . ' ----------------------------------------------------- '; @@ -333,21 +441,22 @@ function crackerTrackerLogAttack () { } // END - if // Prepare array for database insert - $rowData = array( + $rowData = [ 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), 'proxy_addr' => getenv('REMOTE_ADDR'), 'user_agent' => crackerTrackerUserAgent(), 'get_data' => crackerTrackerQueryString(), 'post_data' => $GLOBALS['ctracker_post_track'], - 'check_worm' => $GLOBALS['ctracker_checkworm'], - 'check_post' => $GLOBALS['ctracker_check_post'], + 'check_ua' => $GLOBALS['ctracker_checked_ua'], + 'check_get' => $GLOBALS['ctracker_checked_get'], + 'check_post' => $GLOBALS['ctracker_checked_post'], 'server_name' => crackerTrackerServerName(), 'script_name' => crackerTrackerScriptName(), 'referer' => crackerTrackerReferer(), - 'request_method' => $_SERVER['REQUEST_METHOD'], + 'request_method' => crackerTrackerRequestMethod(), 'proxy_used' => $proxyUsed, 'first_attempt' => 'NOW()' - ); + ]; // Insert the array in database crackerTrackerInsertArray('ctracker_data', $rowData); @@ -376,6 +485,3 @@ function crackerTrackerAlertCurrentUser () { // And stop here die(); } - -// [EOF] -?>