X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=libs%2Flib_detector.php;h=21a15d8e5e54d808a7a15bf744ba403da5120e49;hb=5ba4cfd551ee9582b1d64605d92e3e4ee7b9de3b;hp=6f120498192756b8d581e4cc24eefca454558322;hpb=046f186e27ca52e2c31e7077527754453bbc70c5;p=ctracker.git diff --git a/libs/lib_detector.php b/libs/lib_detector.php index 6f12049..21a15d8 100644 --- a/libs/lib_detector.php +++ b/libs/lib_detector.php @@ -2,11 +2,11 @@ /** * Detector library * - * @author Roland Haeder + * @author Roland Haeder * @version 3.0.0 * @copyright Copyright (c) 2009 Cracker Tracker Team * @license GNU GPL 3.0 or any newer version - * @link http://www.ship-simu.org + * @link http://www.shipsimu.org * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -33,23 +33,28 @@ function initCrackerTrackerArrays () { @error_reporting(0); } + // Base path + $GLOBALS['ctracker_base_path'] = dirname(dirname(__FILE__)); + // Whitelist some absolute query strings (see below) - $GLOBALS['ctracker_whitelist'] = array( - 'cmd=new', // LinPHA - 'cmd=edit', // LinPHA - 'cmd=lostpw', // LinPHA - 'secure_session=1', // Mantis Bug Tracker - ); + $GLOBALS['ctracker_whitelist'] = [ + 'cmd=new', // LinPHA + 'cmd=edit', // LinPHA + 'cmd=lostpw', // LinPHA + '/css/status_config.php', // MantisBT + '/css/common_config.php', // MantisBT + '/javascript_config.php', // MantisBT + ]; // Attacks we should detect and block - $GLOBALS['ctracker_get_blacklist'] = array( + $GLOBALS['ctracker_get_blacklist'] = [ // SQL injections 'union ', ' union', 'insert ', 'select ', ' like', 'like ', 'drop ', 'update ', 'union(', 'union=', // $GLOBAL/$_SERVER array elements - 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION','CFG_ROOT', + 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION', 'CFG_ROOT', 'DOCUMENT_ROOT', '_SERVER', // Sensitive files @@ -60,8 +65,8 @@ function initCrackerTrackerArrays () { // Other Linux/FreeBSD/??? programs (sometimes with space) 'traceroute ', 'ping ', 'bin/xterm', 'bin/./xterm', 'lsof ', - 'telnet ', 'wget ', 'bin/id', 'uname\x20', 'uname ', 'killall', - 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ', + 'telnet ', 'wget ', 'bin/perl', 'bin/id', 'uname\x20', 'uname ', + 'killall', 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ', 'rmdir ', 'mcd ', 'mrd ', 'rm ', ' mcd', ' mrd', ' rm', 'passwd ', ' passwd', 'mdir ', ' mdir', 'cp ', ' cp', 'esystem ', 'chr ', ' chr', 'wget ', ' wget', ' cmd', @@ -71,7 +76,7 @@ function initCrackerTrackerArrays () { // Other Linux programs (+ brace) 'locate(', 'grep(', 'kill(', 'mcd(', 'mrd(', 'rm(', 'mv(', 'rmdir(', 'chmod(', 'chmod(', 'chown(', 'chgrp(', 'passwd(', 'vi(', 'cp(', - 'mdir(', 'esystem(', 'chr(', 'wget(', 'rush(', 'echr(', + 'mdir(', 'system(', 'chr(', 'wget(', 'rush(', 'echr(', // Other Linux programs (+ equal) 'mcd=', 'mrd=', 'chmod=', 'chr=', 'rush=', 'echr=', @@ -85,19 +90,27 @@ function initCrackerTrackerArrays () { '/chgrp', '/chown', '/chmod', 'chown ', 'chmod ', 'chgrp ', // Compiler/interpreter - 'g++ ', 'c++ ', 'cc ', 'bin/./python', 'bin/python', 'bin/tclsh', - 'bin/./tclsh', 'bin/nasm', 'bin/./nasm', '/perl', 'perl ', 'cmd.exe', + 'bin/g++ ', 'bin/c++ ', 'cc ', 'bin/python', 'bin/python', 'bin/tclsh', + 'bin/tclsh', 'bin/nasm', '/perl', 'cmd.exe', 'nc.exe', 'ftp.exe', + // php.ini settings + 'allow_url_fopen', 'allow_url_include', 'auto_prepend_file', 'disable_functions', 'safe_mode', + 'open_basedir', + // PHP commands/scripts - 'fopen', 'fwrite', 'phpinfo()', '\', + 'fopen', 'fwrite', 'phpinfo()', '\', 'base64_decode', 'file_put_contents', + 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', // Typical PHP script remote-inclusions and typical include file names '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', 'php_', 'class_', '_class.php', 'db_mysql.inc', + // PHP arrays + '_phplib', '__callbackparam', + // Generic remote inclusion - '=http://', '=https://', + '=http://', '=https://', '=php://', 'path=', 'sql=', '=%7BQUOT%7D', '=%5C', '=%22http','=%22ftp','=%22file','=%27http','=%27ftp', '=%27file', @@ -126,54 +139,108 @@ function initCrackerTrackerArrays () { // Attempts to insert links into a badly secured URL '%3E%3C', + // Request header being inserted + 'content-type', + + // /proc/ and other forbidden paths + 'proc/self/environ', + + // MySQL internal functions + 'name_const', + // @TODO Misc/unsorted 'cgi-', '.eml', '$_request', '$_get', '$request', '$get', '.system', '&aim', 'new_password', '&icq', '.conf', 'motd ', 'HTTP/1.', - 'window.open', 'img src', 'img src', '.jsp', 'servlet', - 'wwwacl', '.js', '.jsp', 'server-info', 'server-status', - 'secure_site, ok', 'chunked', 'org.apache', '/servlet/con', - '', 'base64_decode', 'file_put_contents', + 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + + // Typical PHP script remote-inclusions and typical include file names + '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', + 'php_', 'class_', '_class.php', 'db_mysql.inc', + + // PHP arrays + '_phplib', '__callbackparam', + + // Request header being inserted + 'content-type', + + // /proc/ and other forbidden paths + 'proc/self/environ', + ]; // Block these words found in POST requests - $GLOBALS['ctracker_post_blacklist'] = array( + $GLOBALS['ctracker_post_blacklist'] = [ // This line is for detecting hidden link spam in wikis, forums, guestbooks, etc. ' style=', 'overflow:auto', 'height:1px', 'width:1px', 'display:hidden', 'style.display', // "Common" login names from VHCS exploiters ;-) 'starhack', 'DeLiMehmet', 'hisset', 'Hisset', 'delimert', 'MecTruy' - ); + ]; - // Load email header - $GLOBALS['ctracker_header'] = crackerTrackerLoadEmailTemplate('header'); + // Also block these requests (mostly you don't want CONNECT to some SMTP sites) + $GLOBALS['ctracker_blocked_methods'] = [ + 'CONNECT' => TRUE, + ]; // Init more elements - $GLOBALS['ctracker_post_track'] = ''; - $GLOBALS['ctracker_checkworm'] = ''; - $GLOBALS['ctracker_check_post'] = ''; + $GLOBALS['ctracker_post_track'] = ''; + $GLOBALS['ctracker_checked_get'] = ''; + $GLOBALS['ctracker_checked_post'] = ''; + $GLOBALS['ctracker_checked_ua'] = ''; } // Checks for worms function isCrackerTrackerWormDetected () { // Check against the whole list - $GLOBALS['ctracker_checkworm'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString())); + $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString(TRUE))); + $GLOBALS['ctracker_checked_ua'] = urldecode(str_ireplace($GLOBALS['ctracker_ua_blacklist'], '*', crackerTrackerUserAgent(TRUE))); + + /* + * If it differs to original and the *whole* request string is not in + * whitelist then blog the attempt. + */ + $isWorm = ( + ( + $GLOBALS['ctracker_checked_get'] != crackerTrackerQueryString(TRUE) && (!in_array(crackerTrackerQueryString(TRUE), $GLOBALS['ctracker_whitelist'])) + ) || ( + $GLOBALS['ctracker_checked_ua'] != crackerTrackerUserAgent(TRUE) + ) || ( + isset($GLOBALS['ctracker_blocked_methods'][crackerTrackerRequestMethod()]) + ) + ); + //* DEBUG-DIE: */ die('isWorm='.intval($isWorm).PHP_EOL.'get='.PHP_EOL.'"'.$GLOBALS['ctracker_checked_get'].'"'.PHP_EOL.'"'.crackerTrackerQueryString().'"'.PHP_EOL.'ua='.PHP_EOL.'"'.$GLOBALS['ctracker_checked_ua'].'"'.PHP_EOL.'"'.crackerTrackerUserAgent().'"'.PHP_EOL); - // If it differs to original and the *whole* request string is not in whitelist - // then blog the attempt - return ($GLOBALS['ctracker_checkworm'] != crackerTrackerQueryString() && (!in_array(crackerTrackerQueryString(), $GLOBALS['ctracker_whitelist']))); + // Return it + return $isWorm; } // Checks POST data function isCrackerTrackerPostAttackDetected () { // Implode recursive the whole $_POST array - $GLOBALS['ctracker_post_track'] = urldecode(implode_r('', $_POST)); + $GLOBALS['ctracker_post_track'] = urldecode(implode_r('&', $_POST)); // Check for suspicious POST data - $GLOBALS['ctracker_check_post'] = str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']); + $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', crackerTrackerSanitize($GLOBALS['ctracker_post_track']))); // Is it detected? - return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_check_post'] != $GLOBALS['ctracker_post_track'])); + return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != crackerTrackerSanitize($GLOBALS['ctracker_post_track']))); } // Prepares a mail and send it out @@ -187,7 +254,7 @@ function sendCrackerTrackerMail () { Remote-IP : ' . determineCrackerTrackerRealRemoteAddress() . ' User-Agent : ' . crackerTrackerUserAgent() . ' Request-string : ' . crackerTrackerQueryString() . ' -Filtered string : ' . $GLOBALS['ctracker_checkworm'] . ' +Filtered string : ' . $GLOBALS['ctracker_checked_get'] . ' Server : ' . crackerTrackerServerName() . ' Script : ' . crackerTrackerScriptName() . ' Referrer : ' . crackerTrackerReferer() . ' @@ -219,12 +286,12 @@ function sendCrackerTrackerTicketMails () { // Sends a mail out function crackerTrackerSendMail ($mail, $recipient = NULL, $subject = NULL) { // Construct dummy array - $rowData = array( + $rowData = [ 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), 'proxy_addr' => getenv('REMOTE_ADDR'), - 'check_worm' => $GLOBALS['ctracker_checkworm'], + 'check_get' => $GLOBALS['ctracker_checked_get'], 'server_name' => crackerTrackerServerName() - ); + ]; // Only send email if not yet found if (!isCrackerTrackerEntryFound($rowData)) { @@ -262,16 +329,16 @@ function sendCrackerTrackerPostMail () { // Mail text $mail = 'POST-Attack detected: ----------------------------------------------------- -Remote-IP : '.determineCrackerTrackerRealRemoteAddress().' -User-Agent : '.crackerTrackerUserAgent().' -Request-string : '.crackerTrackerQueryString().' -Filtered string : '.$GLOBALS['ctracker_checkworm'].' -Server : '.crackerTrackerServerName().' -Script : '.crackerTrackerScriptName().' -Referrer : '.crackerTrackerReferer().' +Remote-IP : ' . determineCrackerTrackerRealRemoteAddress() . ' +User-Agent : ' . crackerTrackerUserAgent() . ' +Request-string : ' . crackerTrackerQueryString() . ' +Filtered string : ' . $GLOBALS['ctracker_checked_get'] . ' +Server : ' . crackerTrackerServerName() . ' +Script : ' . crackerTrackerScriptName() . ' +Referrer : ' . crackerTrackerReferer() . ' ----------------------------------------------------- -POST string : '.$GLOBALS['ctracker_post_track'].' -Filtered POST string : '.$GLOBALS['ctracker_check_post'].' +POST string : ' . $GLOBALS['ctracker_post_track'] . ' +Filtered POST string : ' . $GLOBALS['ctracker_checked_post'] . ' ----------------------------------------------------- '; @@ -320,20 +387,22 @@ function crackerTrackerLogAttack () { } // END - if // Prepare array for database insert - $rowData = array( - 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), - 'proxy_addr' => getenv('REMOTE_ADDR'), - 'user_agent' => crackerTrackerUserAgent(), - 'get_data' => crackerTrackerQueryString(), - 'post_data' => $GLOBALS['ctracker_post_track'], - 'check_worm' => $GLOBALS['ctracker_checkworm'], - 'check_post' => $GLOBALS['ctracker_check_post'], - 'server_name' => crackerTrackerServerName(), - 'script_name' => crackerTrackerScriptName(), - 'referer' => crackerTrackerReferer(), - 'proxy_used' => $proxyUsed, - 'first_attempt' => 'NOW()' - ); + $rowData = [ + 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), + 'proxy_addr' => getenv('REMOTE_ADDR'), + 'user_agent' => crackerTrackerUserAgent(), + 'get_data' => crackerTrackerQueryString(), + 'post_data' => $GLOBALS['ctracker_post_track'], + 'check_ua' => $GLOBALS['ctracker_checked_ua'], + 'check_get' => $GLOBALS['ctracker_checked_get'], + 'check_post' => $GLOBALS['ctracker_checked_post'], + 'server_name' => crackerTrackerServerName(), + 'script_name' => crackerTrackerScriptName(), + 'referer' => crackerTrackerReferer(), + 'request_method' => crackerTrackerRequestMethod(), + 'proxy_used' => $proxyUsed, + 'first_attempt' => 'NOW()' + ]; // Insert the array in database crackerTrackerInsertArray('ctracker_data', $rowData); @@ -345,20 +414,8 @@ function crackerTrackerAlertCurrentUser () { if (isset($GLOBALS['ctracker_last_suspicious_entry'])) { // Does the user have a ticket? if (ifCrackerTrackerIpHasTicket()) { - // Should we continue? - if (isset($_POST['ctracker_continue'])) { - // Set cookie - sendCrackerTrackerCookie(); - - // And redirect to same URL - crackerTrackerRedirectSameUrl(); - } elseif (ifCrackerTrackerCookieIsSet()) { - // Return here to normal program - return; - } else { - // Load "Thank you" template - crackerTrackerLoadTemplate('add_ticket_thanks'); - } + // Load "Thank you" template + crackerTrackerLoadTemplate('add_ticket_thanks'); } elseif ((isset($_POST['ctracker_add_ticket'])) && (!empty($_POST['name'])) && (!empty($_POST['email']))) { // Add the ticket addCrackerTrackerTicket($_POST); @@ -374,6 +431,3 @@ function crackerTrackerAlertCurrentUser () { // And stop here die(); } - -// [EOF] -?>