From 378878d64bce3f2bf0c32a7b47d5a6406d46b81a Mon Sep 17 00:00:00 2001
From: Roland Haeder
Date: Thu, 31 Dec 2009 02:36:49 +0000
Subject: [PATCH] First implemenation

---
 .gitattributes | 8 ++
 .gitignore | 1 +
 config/.htaccess | 1 +
 config/db_config.php.dist | 41 ++++++++
 ctracker.php | 57 ++++++++++
 libs/.htaccess | 1 +
 libs/lib_ | 26 +++++
 libs/lib_connect.php | 155 +++++++++++++++++++++++++++
 libs/lib_detector.php | 214 ++++++++++++++++++++++++++++++++++++++
 libs/lib_general.php | 82 +++++++++++++++
 10 files changed, 586 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 config/.htaccess
 create mode 100644 config/db_config.php.dist
 create mode 100644 ctracker.php
 create mode 100644 libs/.htaccess
 create mode 100644 libs/lib_
 create mode 100644 libs/lib_connect.php
 create mode 100644 libs/lib_detector.php
 create mode 100644 libs/lib_general.php

diff --git a/.gitattributes b/.gitattributes
index 41cadca..cf92e91 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,8 +1,16 @@
 * text=auto !eol
+config/.htaccess -text
+config/db_config.php.dist -text
+/ctracker.php -text
 docs/COPYING -text
 docs/NEWS -text
 docs/README -text
 docs/THANKS -text
 docs/TODO -text
 docs/TODOs.txt -text
+libs/.htaccess -text
+libs/lib_ -text
+libs/lib_connect.php -text
+libs/lib_detector.php -text
+libs/lib_general.php -text
 /todo-builder.sh -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bc2af6d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+config/db_config.php
diff --git a/config/.htaccess b/config/.htaccess
new file mode 100644
index 0000000..3a42882
--- /dev/null
+++ b/config/.htaccess
@@ -0,0 +1 @@
+Deny from all
diff --git a/config/db_config.php.dist b/config/db_config.php.dist
new file mode 100644
index 0000000..4a4c683
--- /dev/null
+++ b/config/db_config.php.dist
@@ -0,0 +1,41 @@
+
+ * @version 3.0.0
+ * @copyright Copyright (c) 2009 Cracker Tracker Team
+ * @license GNU GPL 3.0 or any newer version
+ * @link http://www.ship-simu.org
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+// Host name
+$GLOBALS['ctracker_host'] = 'localhost';
+
+// Database name
+$GLOBALS['ctracker_dbname'] = 'ctracker';
+
+// User
+$GLOBALS['ctracker_user'] = 'ctracker';
+
+// Password
+$GLOBALS['ctracker_password'] = '';
+
+// Debugging should be disabled by default
+// $GLOBALS['ctracker_debug'] = true;
+
+// [EOF]
+?>
diff --git a/ctracker.php b/ctracker.php
new file mode 100644
index 0000000..5f7bf94
--- /dev/null
+++ b/ctracker.php
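Review bot: Nothing in config/db_config.php.dist says that it is a template: ctracker.php includes `config/db_config.php` and .gitignore excludes exactly that name, but the copy step is documented nowhere in the patch. Add a line to the header such as `// Copy this file to config/db_config.php and fill in the credentials; that copy is ignored by git and must stay out of version control.` The closing `?>` on the last line can be dropped as well: any whitespace following it is emitted as output the moment the file is included, which would break any headers the including script later tries to send.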
@@ -0,0 +1,57 @@
+
+ * @version 3.0.0
+ * @copyright Copyright (c) 2009 Cracker Tracker Team
+ * @license GNU GPL 3.0 or any newer version
+ * @link http://www.ship-simu.org
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+// Include files
+include('config/db_config.php');
+include('libs/lib_general.php');
+include('libs/lib_detector.php');
+include('libs/lib_connect.php');
+
+// Init
+initCrackerTrackerArrays();
+
+// If no email is defined, asume default. This code should be removed
+if (!defined('__CTRACKER_EMAIL')) {
+ define('__CTRACKER_EMAIL', 'webmaster@mxchange.org');
+} // END - if
+
+// If it differs to original and the *whole* request string is not in whitelist
+// then blog the attempt
+if (isCrackerTrackerWormDetected()) {
+ // Send the email, this must be the last line because it contains a die()
+ sendCrackerTrackerMail();
+} // END - if
+
+// Suspicious POST data detected?
+if (isCrackerTrackerPostAttackDetected()) {
+ // Send the email, this must be the last line because it contains a die()
+ sendCrackerTrackerPostMail();
+} // END - if
+
+// [EOF]
+?>
diff --git a/libs/.htaccess b/libs/.htaccess
new file mode 100644
index 0000000..3a42882
--- /dev/null
+++ b/libs/.htaccess
@@ -0,0 +1 @@
+Deny from all
diff --git a/libs/lib_ b/libs/lib_
new file mode 100644
index 0000000..4cb27ab
--- /dev/null
+++ b/libs/lib_
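Review bot: The four `include()` calls at the top of ctracker.php continue silently when a file is missing, so a deployment without `config/db_config.php` runs the detector with the `$GLOBALS['ctracker_*']` credentials undefined and the later `mysql_connect()` presumably falls back to the php.ini defaults. Use `require` so a missing file is fatal, and anchor the paths to the script rather than to the current working directory, e.g. `require(dirname(__FILE__) . '/config/db_config.php');` for each of the four files. The `__CTRACKER_EMAIL` fallback hard-codes a third-party mailbox as the recipient of every attack report; the comment already says it should be removed, so make an undefined address a fatal configuration error rather than a silent default. Whether sendCrackerTrackerMail() and sendCrackerTrackerPostMail() really end the request as the comments claim cannot be confirmed here, because lib_general.php is not in the visible part of the patch.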
@@ -0,0 +1,26 @@
+
+ * @version 3.0.0
+ * @copyright Copyright (c) 2009 Cracker Tracker Team
+ * @license GNU GPL 3.0 or any newer version
+ * @link http://www.ship-simu.org
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+// [EOF]
+?>
diff --git a/libs/lib_connect.php b/libs/lib_connect.php
new file mode 100644
index 0000000..800b07e
--- /dev/null
+++ b/libs/lib_connect.php
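Review bot: libs/lib_ contains only the license header and `// [EOF]`, its name looks truncated, and nothing in ctracker.php includes it, so it reads as an accidental addition. Either drop it from the commit or give it its intended name and contents; an empty library file that is also listed in .gitattributes will otherwise be carried along indefinitely.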
@@ -0,0 +1,155 @@ + + * @version 3.0.0 + * @copyright Copyright (c) 2009 Cracker Tracker Team + * @license GNU GPL 3.0 or any newer version + * @link http://www.ship-simu.org + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +// Function to aquire a database link +function aquireCrackerTrackerDatabaseLink () { + // Is the link up? + if (!isCrackerTrackerDatabaseLinkUp()) { + // Then connect to the database + $GLOBALS['ctracker_link'] = mysql_connect($GLOBALS['ctracker_host'], $GLOBALS['ctracker_user'], $GLOBALS['ctracker_password']) or crackerTrackerDatabaseError(__FUNCTION__, __LINE__); + + // Select the database + if (!mysql_select_db($GLOBALS['ctracker_dbname'], $GLOBALS['ctracker_link'])) { + // Attempt has failed + crackerTrackerDatabaseError(__FUNCTION__, __LINE__); + } // END - if + } // END - if +} + +// Checks if the link is up +function isCrackerTrackerDatabaseLinkUp () { + return ((isset($GLOBALS['ctracker_link'])) && (is_resource($GLOBALS['ctracker_link']))); +} + +// Database error detected +function crackerTrackerDatabaseError ($F, $L) { + // Should we debug? + if (isCrackerTrackerDebug()) { + // Output error + print 'Function : ' . $F . '
'; + print 'Line : ' . $L . '
'; + print 'MySQL error : ' . mysql_error() . '
'; + print 'Last SQL : '. $GLOBALS['ctracker_last_sql'] . '
'; + } // END - if + + // Currently only die here + crackerTrackerDie(); +} + +// Closes a maybe open database link +function crackerTrackerCloseDatabaseLink () { + // Is the link up? + if (isCrackerTrackerDatabaseLinkUp()) { + // Did it work? + if (!mysql_close($GLOBALS['ctracker_link'])) { + // Remove the link from global array + unset($GLOBALS['ctracker_link']); + + // Attempt has failed + crackerTrackerDatabaseError(__FUNCTION__, __LINE__); + } // END - if + } // END - if + + // Remove the link from global array + unset($GLOBALS['ctracker_link']); +} + +// Inserts given array, if IP/check_worm combination was not found +function crackerTrackerInsertArray ($rowData) { + // Is it found? + if (!isCrackerTrackerEntryFound($rowData)) { + // Insert first attempt stamp + $rowData['first_attempt'] = 'NOW()'; + $rowData['count'] = '1'; + + // Prepare SQL + $SQL = 'INSERT INTO `ctracker_data` (`' . implode('`,`', array_keys($rowData)) . '`) VALUES(' . implode_secure($rowData) . ')'; + + // Run it + runCrackerTrackerSql($SQL, __FUNCTION__, __LINE__); + } else { + // Only update the entry + updateCrackerTrackerEntry($rowData); + } +} + +// Updates a given entry by just counting it up +function updateCrackerTrackerEntry ($rowData) { + // Construct the SELECT query + $SQL = 'UPDATE `ctracker_data` SET `count`=`count`+1 WHERE `remote_addr`="' . crackerTrackerEscapeString($rowData['remote_addr']) . '" AND `check_worm` = "' . crackerTrackerEscapeString($rowData['check_worm']) . '" LIMIT 1'; + + // Run the SQL and check if we have one line + runCrackerTrackerSql($SQL, __FUNCTION__, __LINE__); +} + +// Checks if an entry with IP/check_worm combination is there +function isCrackerTrackerEntryFound ($rowData) { + // Construct the SELECT query + $SQL = 'SELECT `id` FROM `ctracker_data` WHERE `remote_addr`="' . crackerTrackerEscapeString($rowData['remote_addr']) . '" AND `check_worm` = "' . crackerTrackerEscapeString($rowData['check_worm']) . 
'" LIMIT 1'; + + // Run the SQL and check if we have one line + return (mysql_num_rows(runCrackerTrackerSql($SQL, __FUNCTION__, __LINE__)) == 1); +} + +// Escapes the string +function crackerTrackerEscapeString ($string) { + // Is the link up? + if (!isCrackerTrackerDatabaseLinkUp()) { + // Then we cant use mysql_real_escape_string! + $string = addslashes($string); + } elseif (function_exists('mysql_real_escape_string')) { + // Use mysql_real_escape_string() + $string = mysql_real_escape_string($string, $GLOBALS['ctracker_link']); + } elseif (function_exists('mysql_escape_string')) { + // Use deprecated function + $string = mysql_escape_string($string, $GLOBALS['ctracker_link']); + } else { + // Use fall-back (bad!) + $string = addslashes($string); + } + + // Return the secured string + return $string; +} // END - if + +// Runs an SQL query and checks for errors +function runCrackerTrackerSql ($SQL, $F, $L) { + // Is the link up? + if (!isCrackerTrackerDatabaseLinkUp()) { + // Abort here + crackerTrackerDie(); + } // END - if + + // Remember last SQL + $GLOBALS['ctracker_last_sql'] = $SQL; + + // Run the query + $GLOBALS['ctracker_last_result'] = mysql_query($SQL, $GLOBALS['ctracker_link']) or crackerTrackerDatabaseError(__FUNCTION__, __LINE__); + + // And return it + return $GLOBALS['ctracker_last_result']; +} + +// [EOF] +?> diff --git a/libs/lib_detector.php b/libs/lib_detector.php new file mode 100644 index 0000000..eb9ed1d --- /dev/null +++ b/libs/lib_detector.php 
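Review bot: aquireCrackerTrackerDatabaseLink connects and selects the database but never fixes the connection charset, so the `mysql_real_escape_string()` path in crackerTrackerEscapeString escapes for whatever charset the server defaulted to; add `mysql_set_charset('utf8', $GLOBALS['ctracker_link']);` (with the charset the `ctracker_data` table actually uses) after the `mysql_select_db()` check so escaping and server-side decoding agree. In the same function the `mysql_escape_string()` branch passes `$GLOBALS['ctracker_link']` as a second argument, but that function takes only the string, so if the branch is ever reached it produces a warning and null instead of an escaped value; call it as `mysql_escape_string($string)`. crackerTrackerInsertArray builds the column list from `array_keys($rowData)` without any escaping and hands the values to implode_secure(), which is not in the visible part of the patch; the keys presumably come from the detector rather than from the request, and that assumption deserves a comment on the function, e.g. `// Keys of $rowData are fixed column names chosen by the detector, never request data`. The `addslashes()` fallback taken when no link is up is charset-unaware, so callers should acquire the link before escaping rather than rely on it.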
@@ -0,0 +1,214 @@ + + * @version 3.0.0 + * @copyright Copyright (c) 2009 Cracker Tracker Team + * @license GNU GPL 3.0 or any newer version + * @link http://www.ship-simu.org + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +// Initializes all detector arrays +function initCrackerTrackerArrays () { + // Set error_reporting + if (isCrackerTrackerDebug()) { + // For debugging purposes, this is fine + @error_reporting(E_ALL, E_STRICT); + } else { + // No output + @error_reporting(0); + } + + // Whitelist some absolute query strings (see below) + $GLOBALS['whitelist'] = array( + 'cmd=new', // LinPHA + 'cmd=edit', // LinPHA + 'cmd=lostpw' // LinPHA + ); + + // Attacks we should detect and blok + $GLOBALS['wormprotector'] = array( + 'chr(', 'chr=', 'chr%20', '%20chr', 'wget%20', '%20wget', 'wget(', + 'cmd=', '%20cmd', 'cmd%20', 'rush=', '%20rush', 'rush%20', + 'union%20', '%20union', 'union(', 'union=', 'echr(', '%20echr', 'echr%20', 'echr=', + 'esystem(', 'esystem%20', 'cp%20', '%20cp', 'cp(', 'mdir%20', '%20mdir', 'mdir(', + 'mcd%20', 'mrd%20', 'rm%20', '%20mcd', '%20mrd', '%20rm', + 'mcd(', 'mrd(', 'rm(', 'mcd=', 'mrd=', 'mv%20', 'rmdir%20', 'mv(', 'rmdir(', + 'chmod(', 'chmod%20', '%20chmod', 'chmod(', 'chmod=', 'chown%20', 'chgrp%20', 'chown(', 'chgrp(', + 'locate%20', 'grep%20', 'locate(', 'grep(', 'diff%20', 'kill%20', 'kill(', 'killall', + 'passwd%20', '%20passwd', 'passwd(', 
'telnet%20', 'vi(', 'vi%20', 'cgi-', '.eml', + 'insert%20into', 'select%20', 'nigga(', '%20nigga', 'nigga%20', 'fopen', 'fwrite', '%20like', 'like%20', + '$_request', '$_get', '$request', '$get', '.system', 'HTTP_PHP', '&aim', '%20getenv', 'getenv%20', + 'new_password', '&icq','/etc/passwd','/etc/shadow', '/etc/groups', '/etc/gshadow', + 'HTTP_USER_AGENT', 'HTTP_HOST', 'wget%20', 'uname\x20-a', 'bin/id', '/bin/', '/chgrp', + '/chown', '/usr/bin', 'g\+\+', 'bin/python', 'bin/tclsh', 'bin/nasm', 'perl%20', 'traceroute%20', + 'ping%20', '.pl', 'bin/xterm', 'lsof%20', '.conf', 'motd%20', 'HTTP/1.', '.inc.php', '.lib.php', + 'config.php', 'file\://', 'window.open', '