X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=libs%2Flib_detector.php;h=f7bde09388f6218d30a4bd5b502ceb2b4ea35678;hb=92211399b80ffeec8cf30e1510d78d7afab06ad8;hp=8c1e22d5f3b91b1e3c071e2ec2ab3e631e7db4fc;hpb=9fb3426e26f9ae0e0ff620a66a9d75fca543a302;p=ctracker.git diff --git a/libs/lib_detector.php b/libs/lib_detector.php index 8c1e22d..f7bde09 100644 --- a/libs/lib_detector.php +++ b/libs/lib_detector.php @@ -2,11 +2,11 @@ /** * Detector library * - * @author Roland Haeder + * @author Roland Haeder * @version 3.0.0 - * @copyright Copyright (c) 2009 Cracker Tracker Team + * @copyright Copyright (c) 2009 - 2017 Cracker Tracker Team * @license GNU GPL 3.0 or any newer version - * @link http://www.ship-simu.org + * @link http://www.shipsimu.org * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -33,82 +33,242 @@ function initCrackerTrackerArrays () { @error_reporting(0); } + // Base path + $GLOBALS['ctracker_base_path'] = dirname(dirname(__FILE__)); + // Whitelist some absolute query strings (see below) - $GLOBALS['ctracker_whitelist'] = array( - 'cmd=new', // LinPHA - 'cmd=edit', // LinPHA - 'cmd=lostpw', // LinPHA - 'secure_session=1', // Mantis Bug Tracker - ); + $GLOBALS['ctracker_whitelist'] = [ + 'cmd=new', // LinPHA + 'cmd=edit', // LinPHA + 'cmd=lostpw', // LinPHA + '/css/status_config.php', // MantisBT + '/css/common_config.php', // MantisBT + '/javascript_config.php', // MantisBT + ]; // Attacks we should detect and block - $GLOBALS['ctracker_get_blacklist'] = array( - 'chr(', 'chr=', 'chr%20', '%20chr', 'wget%20', '%20wget', 'wget(', - 'cmd.exe', '%20cmd', 'cmd%20', 'rush=', '%20rush', 'rush%20', - 'union%20', '%20union', 'union(', 'union=', 'echr(', '%20echr', 'echr%20', 'echr=', - 'esystem(', 'esystem%20', 'cp%20', '%20cp', 'cp(', 'mdir%20', '%20mdir', 'mdir(', - 'mcd%20', 'mrd%20', 'rm%20', '%20mcd', '%20mrd', '%20rm', - 'mcd(', 'mrd(', 'rm(', 'mcd=', 'mrd=', 'mv%20', 'rmdir%20', 'mv(', 'rmdir(', - 'chmod(', 'chmod%20', '%20chmod', 'chmod(', 'chmod=', 'chown%20', 'chgrp%20', 'chown(', 'chgrp(', - 'locate%20', 'grep%20', 'locate(', 'grep(', 'diff%20', 'kill%20', 'kill(', 'killall', - 'passwd%20', '%20passwd', 'passwd(', 'telnet%20', 'vi(', 'vi%20', 'cgi-', '.eml', - 'insert%20into', 'select%20', 'nigga(', '%20nigga', 'nigga%20', 'fopen', 'fwrite', '%20like', 'like%20', - '$_request', '$_get', '$request', '$get', '.system', 'HTTP_PHP', '&aim', '%20getenv', 'getenv%20', - 'new_password', '&icq', '/self/', '/environ', '/shadow', '/gshadow', '/etc/', '/passwd', - 'HTTP_USER_AGENT', 'HTTP_HOST', 'wget%20', 'uname\x20-', 'uname%20-', 'bin/id', '/bin/', '/chgrp', - '/chown', '/chmod', 'chown%20', 'chmod%20', 'chgrp%20', '/usr/bin', 'g++', 'c++', 'bin/python', - 'bin/tclsh', 'bin/nasm', 'perl%20', 'traceroute%20', 'ping%20', 'bin/xterm', 'lsof%20', '.conf', - 'motd%20', 'HTTP/1.', '.inc.php', '.lib.php', '.class.php', 'config.php', 'file\://', 'file://', - 'window.open', 'javascript\://', 'img src', 'img%20src', '.jsp', 'ftp.exe', 'xp_enumdsn', - 'xp_availablemedia', 'xp_filelist', 'xp_cmdshell', 'nc.exe', '.htpasswd', 'servlet', - '/etc/passwd', 'wwwacl', '~root', '~ftp', '.js', '.jsp', '.history', 'bash_history', - '.bash_history', '~nobody', 'server-info', 'server-status', 'reboot%20', 'halt%20', - 'powerdown%20', '/home/ftp', '/home/www', 'secure_site, ok', 'chunked', 'org.apache', '/servlet/con', - '', 'sql=', - 'div style=', 'overflow: auto', 'height: 1px', 'cc%20', 'path=', 'starhack', 'busca', - 'uol.com', '=http://', '=https://','=ftp://','=file://','_SESSION','CFG_ROOT','/proc/', ',0x', '(0x', - '=%7BQUOT%7D', '=%5C', 'DOCUMENT_ROOT', '_SERVER','=%22http','=%22ftp','=%22file','=%27http','=%27ftp', - '../../','..//', '=%27file', 'data://', 'tcp://', 'udp://', 'raw://' + $GLOBALS['ctracker_get_blacklist'] = [ + // SQL injections + 'union ', ' union', 'insert ', + 'select ', ' like', 'like ', 'drop ', 'update ', + 'union(', 'union=', + + // $GLOBAL/$_SERVER array elements + 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION', 'CFG_ROOT', + 'DOCUMENT_ROOT', '_SERVER', + + // Sensitive files + '/environ', 'etc/shadow', 'etc/gshadow', 'etc/passwd', 'etc/group', + 'etc/./shadow', 'etc/./gshadow', 'etc/./passwd', 'etc/./group', + '.htaccess', '.htpasswd', '.htgroup', '.history', 'bash_history', + 'bashrc', + + // Other Linux/FreeBSD/??? programs (sometimes with space) + 'traceroute ', 'ping ', 'bin/xterm', 'bin/./xterm', 'lsof ', + 'telnet ', 'wget ', 'bin/perl', 'bin/id', 'uname\x20', 'uname ', + 'killall', 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ', + 'rmdir ', 'mcd ', 'mrd ', 'rm ', ' mcd', ' mrd', ' rm', + 'passwd ', ' passwd', 'mdir ', ' mdir', 'cp ', ' cp', + 'esystem ', 'chr ', ' chr', 'wget ', ' wget', ' cmd', + 'cmd ', ' rush', 'rush ', ' echr', 'echr ', ' getenv', + 'getenv', 'reboot ', 'halt ', 'powerdown ', + + // Other Linux programs (+ brace) + 'locate(', 'grep(', 'kill(', 'mcd(', 'mrd(', 'rm(', 'mv(', 'rmdir(', + 'chmod(', 'chmod(', 'chown(', 'chgrp(', 'passwd(', 'vi(', 'cp(', + 'mdir(', 'system(', 'chr(', 'wget(', 'rush(', 'echr(', + + // Other Linux programs (+ equal) + 'mcd=', 'mrd=', 'chmod=', 'chr=', 'rush=', 'echr=', + + // Paths + '/etc/', '/bin/', '/sbin/', '/self/', '/proc/', '../../','..//', '././', + '/home/ftp', '/home/./ftp', '/home/./www', '/home/www', '/www/virtual/', + '/www/./virtual/', + + // Uni* commands: + '/chgrp', '/chown', '/chmod', 'chown ', 'chmod ', 'chgrp ', + + // Compiler/interpreter + 'bin/g++ ', 'bin/c++ ', 'cc ', 'bin/python', 'bin/python', 'bin/tclsh', + 'bin/tclsh', 'bin/nasm', '/perl', 'cmd.exe', + 'nc.exe', 'ftp.exe', + + // php.ini settings + 'allow_url_fopen', 'allow_url_include', 'auto_prepend_file', 'disable_functions', 'safe_mode', + 'open_basedir', 'suhosin', 'cgi.force_redirect', 'cgi.redirect_status_env', + + // PHP commands/scripts + 'fopen', 'fwrite', 'phpinfo()', '\', 'base64_decode', 'file_put_contents', + 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + + // Typical PHP script remote-inclusions and typical include file names + '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', + 'php_', 'class_', '_class.php', 'db_mysql.inc', + + // PHP arrays + '_phplib', '__callbackparam', + + // Generic remote inclusion + '=http://', '=https://', '=php://', + 'path=', 'sql=', + '=%7BQUOT%7D', '=%5C', '=%22http','=%22ftp','=%22file','=%27http','=%27ftp', + '=%27file', + + // Wrappers + 'data://', 'tcp://', 'udp://', 'raw://', 'javascript://', 'file://', 'ftp://', + + // Blocked "users" + 'nigga(', ' nigga', 'nigga ', 'starhack', 'busca', + + // Hidden HTML stuff + ' style=', 'style =', + 'overflow:auto', 'overflow: auto', + 'overflow :auto', 'overflow : auto', + 'display:hidden', 'display: hidden', + 'display :hidden', 'display : hidden', + 'height:0px', 'height: 0px','height:1px', 'height: 1px', + 'width:0px', 'width: 0px','width:1px', 'width: 1px', + + // Uncommon user websites + '~root', '~ftp', '~nobody', + + // Windows XP (?) hacks + 'xp_enumdsn', 'xp_availablemedia', 'xp_filelist', 'xp_cmdshell', + + // Attempts to insert links into a badly secured URL + '%3E%3C', + + // Request header being inserted + 'content-type', + + // /proc/ and other forbidden paths + 'proc/self/environ', + + // MySQL internal functions + 'name_const', + + // @TODO Misc/unsorted + 'cgi-', '.eml', '$_request', '$_get', '$request', '$get', '.system', + '&aim', 'new_password', '&icq', '.conf', 'motd ', 'HTTP/1.', + 'window.open', 'img src', 'img src', '.jsp', 'servlet', 'org.apache', + 'wwwacl', 'server-info', 'server-status', '/servlet/con', 'http_', + 'secure_site, ok', 'chunked', '', 'base64_decode', 'file_put_contents', + 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + + // Typical PHP script remote-inclusions and typical include file names + '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', + 'php_', 'class_', '_class.php', 'db_mysql.inc', + + // PHP arrays + '_phplib', '__callbackparam', + + // Request header being inserted + 'content-type', + + // /proc/ and other forbidden paths + 'proc/self/environ', + ]; + + // BLock these words found in User-Agent + $GLOBALS['ctracker_ua_blacklist'] = array( + // Compiler/interpreter + 'bin/g++ ', 'bin/c++ ', 'cc ', 'bin/python', 'bin/python', 'bin/tclsh', + 'bin/tclsh', 'bin/nasm', '/perl', 'cmd.exe', + 'nc.exe', 'ftp.exe', 'wget ', 'system(', 'curl ', + + // php.ini settings + 'allow_url_fopen', 'allow_url_include', 'auto_prepend_file', 'disable_functions', 'safe_mode', + + // PHP commands/scripts + 'fopen', 'fwrite', 'phpinfo()', '\', 'base64_decode', 'file_put_contents', + 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + + // Typical PHP script remote-inclusions and typical include file names + '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', + 'php_', 'class_', '_class.php', 'db_mysql.inc', + + // PHP arrays + '_phplib', '__callbackparam', + + // Request header being inserted + 'content-type', + + // /proc/ and other forbidden paths + 'proc/self/environ', ); // Block these words found in POST requests - $GLOBALS['ctracker_post_blacklist'] = array( + $GLOBALS['ctracker_post_blacklist'] = [ // This line is for detecting hidden link spam in wikis, forums, guestbooks, etc. - 'div style=', 'overflow:auto', 'height:1px', 'width:1px', 'display:hidden', 'style.display', + ' style=', 'overflow:auto', 'height:1px', 'width:1px', 'display:hidden', 'style.display', + // "Common" login names from VHCS exploiters ;-) 'starhack', 'DeLiMehmet', 'hisset', 'Hisset', 'delimert', 'MecTruy' - ); + ]; - // Load email header - $GLOBALS['ctracker_header'] = crackerTrackerLoadEmailTemplate('header'); + // Also block these requests (mostly you don't want CONNECT to some SMTP sites) + $GLOBALS['ctracker_blocked_methods'] = [ + 'CONNECT' => TRUE, + ]; // Init more elements - $GLOBALS['ctracker_post_track'] = ''; - $GLOBALS['ctracker_checkworm'] = ''; - $GLOBALS['ctracker_check_post'] = ''; + $GLOBALS['ctracker_post_track'] = ''; + $GLOBALS['ctracker_checked_get'] = ''; + $GLOBALS['ctracker_checked_post'] = ''; + $GLOBALS['ctracker_checked_ua'] = ''; } // Checks for worms function isCrackerTrackerWormDetected () { // Check against the whole list - $GLOBALS['ctracker_checkworm'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString())); + $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString(TRUE))); + $GLOBALS['ctracker_checked_ua'] = urldecode(str_ireplace($GLOBALS['ctracker_ua_blacklist'], '*', crackerTrackerUserAgent(TRUE))); + + /* + * If it differs to original and the *whole* request string is not in + * whitelist then blog the attempt. + */ + $isWorm = ( + ( + $GLOBALS['ctracker_checked_get'] != crackerTrackerQueryString(TRUE) && (!in_array(crackerTrackerQueryString(TRUE), $GLOBALS['ctracker_whitelist'])) + ) || ( + $GLOBALS['ctracker_checked_ua'] != crackerTrackerUserAgent(TRUE) + ) || ( + isset($GLOBALS['ctracker_blocked_methods'][crackerTrackerRequestMethod()]) + ) + ); + //* DEBUG-DIE: */ die('isWorm='.intval($isWorm).PHP_EOL.'get='.PHP_EOL.'"'.$GLOBALS['ctracker_checked_get'].'"'.PHP_EOL.'"'.crackerTrackerQueryString().'"'.PHP_EOL.'ua='.PHP_EOL.'"'.$GLOBALS['ctracker_checked_ua'].'"'.PHP_EOL.'"'.crackerTrackerUserAgent().'"'.PHP_EOL); - // If it differs to original and the *whole* request string is not in whitelist - // then blog the attempt - return ($GLOBALS['ctracker_checkworm'] != crackerTrackerQueryString() && (!in_array(crackerTrackerQueryString(), $GLOBALS['ctracker_whitelist']))); + // Return it + return $isWorm; } // Checks POST data function isCrackerTrackerPostAttackDetected () { // Implode recursive the whole $_POST array - $GLOBALS['ctracker_post_track'] = urldecode(implode_r('', $_POST)); + $GLOBALS['ctracker_post_track'] = urldecode(implode_r('&', $_POST)); // Check for suspicious POST data - $GLOBALS['ctracker_check_post'] = str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']); + $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', crackerTrackerSanitize($GLOBALS['ctracker_post_track']))); // Is it detected? - return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_check_post'] != $GLOBALS['ctracker_post_track'])); + return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != crackerTrackerSanitize($GLOBALS['ctracker_post_track']))); } // Prepares a mail and send it out @@ -117,17 +277,18 @@ function sendCrackerTrackerMail () { crackerTrackerLogAttack(); // Mail content - $mail = "Attack detected: + $mail = 'Attack detected: ----------------------------------------------------- -Remote-IP : " . determineCrackerTrackerRealRemoteAddress() . " -User-Agent : " . crackerTrackerUserAgent() . " -Request-string : " . crackerTrackerQueryString() . " -Filtered string : " . $GLOBALS['ctracker_checkworm'] . " -Server : " . crackerTrackerServerName() . " -Script : " . crackerTrackerScriptName() . " -Referrer : " . crackerTrackerReferer() . " +Remote-IP : ' . determineCrackerTrackerRealRemoteAddress() . ' +User-Agent : ' . crackerTrackerUserAgent() . ' +Request-string : ' . crackerTrackerQueryString() . ' +Filtered string : ' . $GLOBALS['ctracker_checked_get'] . ' +Server : ' . crackerTrackerServerName() . ' +Script : ' . crackerTrackerScriptName() . ' +Method : ' . crackerTrackerRequestMethod() . ' +Referrer : ' . crackerTrackerReferer() . ' ----------------------------------------------------- -"; +'; // Send it out crackerTrackerSendMail($mail); @@ -154,11 +315,13 @@ function sendCrackerTrackerTicketMails () { // Sends a mail out function crackerTrackerSendMail ($mail, $recipient = NULL, $subject = NULL) { // Construct dummy array - $rowData = array( - 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), - 'check_worm' => $GLOBALS['ctracker_checkworm'], - 'server_name' => crackerTrackerServerName() - ); + $rowData = [ + 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), + 'proxy_addr' => getenv('REMOTE_ADDR'), + 'check_get' => $GLOBALS['ctracker_checked_get'], + 'server_name' => crackerTrackerServerName(), + 'request_method' => crackerTrackerRequestMethod(), + ]; // Only send email if not yet found if (!isCrackerTrackerEntryFound($rowData)) { @@ -194,20 +357,21 @@ function sendCrackerTrackerPostMail () { crackerTrackerLogAttack(); // Mail text - $mail = "POST-Attack detected: + $mail = 'POST-Attack detected: ----------------------------------------------------- -Remote-IP : ".determineCrackerTrackerRealRemoteAddress()." -User-Agent : ".crackerTrackerUserAgent()." -Request-string : ".crackerTrackerQueryString()." -Filtered string : ".$GLOBALS['ctracker_checkworm']." -Server : ".crackerTrackerServerName()." -Script : ".crackerTrackerScriptName()." -Referrer : ".crackerTrackerReferer()." +Remote-IP : ' . determineCrackerTrackerRealRemoteAddress() . ' +User-Agent : ' . crackerTrackerUserAgent() . ' +Request-string : ' . crackerTrackerQueryString() . ' +Filtered string : ' . $GLOBALS['ctracker_checked_get'] . ' +Server : ' . crackerTrackerServerName() . ' +Script : ' . crackerTrackerScriptName() . ' +Method : ' . crackerTrackerRequestMethod() . ' +Referrer : ' . crackerTrackerReferer() . ' ----------------------------------------------------- -POST string : ".$GLOBALS['ctracker_post_track']." -Filtered POST string : ".$GLOBALS['ctracker_check_post']." +POST string : ' . $GLOBALS['ctracker_post_track'] . ' +Filtered POST string : ' . $GLOBALS['ctracker_checked_post'] . ' ----------------------------------------------------- -"; +'; // Send it out crackerTrackerSendMail($mail); @@ -254,19 +418,22 @@ function crackerTrackerLogAttack () { } // END - if // Prepare array for database insert - $rowData = array( - 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), - 'user_agent' => crackerTrackerUserAgent(), - 'get_data' => crackerTrackerQueryString(), - 'post_data' => $GLOBALS['ctracker_post_track'], - 'check_worm' => $GLOBALS['ctracker_checkworm'], - 'check_post' => $GLOBALS['ctracker_check_post'], - 'server_name' => crackerTrackerServerName(), - 'script_name' => crackerTrackerScriptName(), - 'referer' => crackerTrackerReferer(), - 'proxy_used' => $proxyUsed, - 'first_attempt' => 'NOW()' - ); + $rowData = [ + 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), + 'proxy_addr' => getenv('REMOTE_ADDR'), + 'user_agent' => crackerTrackerUserAgent(), + 'get_data' => crackerTrackerQueryString(), + 'post_data' => $GLOBALS['ctracker_post_track'], + 'check_ua' => $GLOBALS['ctracker_checked_ua'], + 'check_get' => $GLOBALS['ctracker_checked_get'], + 'check_post' => $GLOBALS['ctracker_checked_post'], + 'server_name' => crackerTrackerServerName(), + 'script_name' => crackerTrackerScriptName(), + 'referer' => crackerTrackerReferer(), + 'request_method' => crackerTrackerRequestMethod(), + 'proxy_used' => $proxyUsed, + 'first_attempt' => 'NOW()' + ]; // Insert the array in database crackerTrackerInsertArray('ctracker_data', $rowData); @@ -278,20 +445,8 @@ function crackerTrackerAlertCurrentUser () { if (isset($GLOBALS['ctracker_last_suspicious_entry'])) { // Does the user have a ticket? if (ifCrackerTrackerIpHasTicket()) { - // Should we continue? - if (isset($_POST['ctracker_continue'])) { - // Set cookie - sendCrackerTrackerCookie(); - - // And redirect to same URL - crackerTrackerRedirectSameUrl(); - } elseif (ifCrackerTrackerCookieIsSet()) { - // Return here to normal program - return; - } else { - // Load "Thank you" template - crackerTrackerLoadTemplate('add_ticket_thanks'); - } + // Load "Thank you" template + crackerTrackerLoadTemplate('add_ticket_thanks'); } elseif ((isset($_POST['ctracker_add_ticket'])) && (!empty($_POST['name'])) && (!empty($_POST['email']))) { // Add the ticket addCrackerTrackerTicket($_POST); @@ -307,6 +462,3 @@ function crackerTrackerAlertCurrentUser () { // And stop here die(); } - -// [EOF] -?>