// Whitelist some absolute query strings (see below)
$GLOBALS['ctracker_whitelist'] = array(
- 'cmd=new', // LinPHA
- 'cmd=edit', // LinPHA
- 'cmd=lostpw', // LinPHA
- 'secure_session=1', // Mantis Bug Tracker
+ 'cmd=new', // LinPHA
+ 'cmd=edit', // LinPHA
+ 'cmd=lostpw', // LinPHA
);
// Attacks we should detect and block
'union(', 'union=',
// $GLOBAL/$_SERVER array elements
- 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION','CFG_ROOT',
+ 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION', 'CFG_ROOT',
'DOCUMENT_ROOT', '_SERVER',
// Sensitive files
// Other Linux/FreeBSD/??? programs (sometimes with space)
'traceroute ', 'ping ', 'bin/xterm', 'bin/./xterm', 'lsof ',
- 'telnet ', 'wget ', 'bin/id', 'uname\x20', 'uname ', 'killall',
- 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ',
+ 'telnet ', 'wget ', 'bin/perl', 'bin/id', 'uname\x20', 'uname ',
+ 'killall', 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ',
'rmdir ', 'mcd ', 'mrd ', 'rm ', ' mcd', ' mrd', ' rm',
'passwd ', ' passwd', 'mdir ', ' mdir', 'cp ', ' cp',
'esystem ', 'chr ', ' chr', 'wget ', ' wget', ' cmd',
);
// Init more elements
- $GLOBALS['ctracker_post_track'] = '';
- $GLOBALS['ctracker_checkworm'] = '';
- $GLOBALS['ctracker_check_post'] = '';
+ $GLOBALS['ctracker_post_track'] = '';
+ $GLOBALS['ctracker_checked_get'] = '';
+ $GLOBALS['ctracker_checked_post'] = '';
+ $GLOBALS['ctracker_checked_ua'] = '';
}
// Checks for worms
function isCrackerTrackerWormDetected () {
// Check against the whole list
- $GLOBALS['ctracker_checkworm'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString()));
+ $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString()));
+ $GLOBALS['ctracker_checked_ua'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerUserAgent()));
+
+ /*
+ * If it differs to original and the *whole* request string is not in
+ * whitelist then blog the attempt.
+ */
+ $isWorm = (
+ (
+ $GLOBALS['ctracker_checked_get'] != crackerTrackerQueryString() && (!in_array(crackerTrackerQueryString(), $GLOBALS['ctracker_whitelist']))
+ ) || (
+ $GLOBALS['ctracker_checked_ua'] != crackerTrackerUserAgent()
+ )
+ );
+ //* DEBUG-DIE: */ die('isWorm='.intval($isWorm).PHP_EOL.'get="'.$GLOBALS['ctracker_checked_get'].'"'.PHP_EOL.'"'.crackerTrackerQueryString().'"'.PHP_EOL.'ua="'.$GLOBALS['ctracker_checked_ua'].'"'.PHP_EOL.'"'.crackerTrackerUserAgent().'"'.PHP_EOL);
- // If it differs to original and the *whole* request string is not in whitelist
- // then blog the attempt
- return ($GLOBALS['ctracker_checkworm'] != crackerTrackerQueryString() && (!in_array(crackerTrackerQueryString(), $GLOBALS['ctracker_whitelist'])));
+ // Return it
+ return $isWorm;
}
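Review bot: The `//* DEBUG-DIE: */ die(...)` line left at the end of the new block echoes the raw query string and User-Agent back to the client unescaped, and one character flip (`//*` → `/*`) enables it; remove it before merging or route that output to the existing log/mail path instead. The comparison logic is also asymmetric: `urldecode()` is applied only to the filtered copy, so unless `crackerTrackerQueryString()` already returns a decoded value, a query string containing any `%xx` or `+` sequence differs from its filtered form even when no blacklist entry matched, while the blacklist itself is matched against the undecoded form — decode once up front, run `str_ireplace` on the decoded string, and compare both decoded values. Reusing `ctracker_get_blacklist` for the User-Agent is presumably intended but deserves a comment, since entries such as `cmd=` are query-shaped. The `!=` and `in_array` calls should be `!==` and `in_array(..., true)` to avoid loose string comparison.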
// Checks POST data
function isCrackerTrackerPostAttackDetected () {
// Implode recursive the whole $_POST array
- $GLOBALS['ctracker_post_track'] = urldecode(implode_r('', $_POST));
+ $GLOBALS['ctracker_post_track'] = urldecode(implode_r('&', $_POST));
// Check for suspicious POST data
- $GLOBALS['ctracker_check_post'] = str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']);
+ $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']));
// Is it detected?
- return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_check_post'] != $GLOBALS['ctracker_post_track']));
+ return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != $GLOBALS['ctracker_post_track']));
}
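Review bot: The new `$GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace(...))` decodes the filtered string one more time than `ctracker_post_track`, which it is then compared against, so any remaining `%xx` or `+` in the posted data makes the two sides differ and the request is flagged although nothing in the blacklist matched. Drop the outer decode so both sides are at the same level: `$GLOBALS['ctracker_checked_post'] = str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']);`. Note that `$_POST` is already decoded by PHP, so the `urldecode()` on the imploded data is itself an extra decode; if it is kept deliberately, a one-line comment stating why would help the next reader. The `!=` in the return should be `!==`.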
// Prepares a mail and send it out
Remote-IP : ' . determineCrackerTrackerRealRemoteAddress() . '
User-Agent : ' . crackerTrackerUserAgent() . '
Request-string : ' . crackerTrackerQueryString() . '
-Filtered string : ' . $GLOBALS['ctracker_checkworm'] . '
+Filtered string : ' . $GLOBALS['ctracker_checked_get'] . '
Server : ' . crackerTrackerServerName() . '
Script : ' . crackerTrackerScriptName() . '
Referrer : ' . crackerTrackerReferer() . '
$rowData = array(
'remote_addr' => determineCrackerTrackerRealRemoteAddress(),
'proxy_addr' => getenv('REMOTE_ADDR'),
- 'check_worm' => $GLOBALS['ctracker_checkworm'],
+ 'check_worm' => $GLOBALS['ctracker_checked_get'],
'server_name' => crackerTrackerServerName()
);
Remote-IP : '.determineCrackerTrackerRealRemoteAddress().'
User-Agent : '.crackerTrackerUserAgent().'
Request-string : '.crackerTrackerQueryString().'
-Filtered string : '.$GLOBALS['ctracker_checkworm'].'
+Filtered string : '.$GLOBALS['ctracker_checked_get'].'
Server : '.crackerTrackerServerName().'
Script : '.crackerTrackerScriptName().'
Referrer : '.crackerTrackerReferer().'
-----------------------------------------------------
POST string : '.$GLOBALS['ctracker_post_track'].'
-Filtered POST string : '.$GLOBALS['ctracker_check_post'].'
+Filtered POST string : '.$GLOBALS['ctracker_checked_post'].'
-----------------------------------------------------
';
'user_agent' => crackerTrackerUserAgent(),
'get_data' => crackerTrackerQueryString(),
'post_data' => $GLOBALS['ctracker_post_track'],
- 'check_worm' => $GLOBALS['ctracker_checkworm'],
- 'check_post' => $GLOBALS['ctracker_check_post'],
+ 'check_worm' => $GLOBALS['ctracker_checked_get'],
+ 'check_post' => $GLOBALS['ctracker_checked_post'],
'server_name' => crackerTrackerServerName(),
'script_name' => crackerTrackerScriptName(),
'referer' => crackerTrackerReferer(),
- 'request_method' => $_SERVER['REQUEST_METHOD'],
+ 'request_method' => crackerTrackerRequestMethod(),
'proxy_used' => $proxyUsed,
'first_attempt' => 'NOW()'
);