From 481002578fb3a6dcb3ae5d3706c62ebf134bbcda Mon Sep 17 00:00:00 2001
From: Roland Haeder
Date: Tue, 5 Jan 2010 02:33:20 +0000
Subject: [PATCH] Now detects proxy usage
---
 install/install.sql | 1 +
 libs/lib_detector.php | 19 ++++++++++++++-----
 libs/lib_general.php | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 5 deletions(-)
diff --git a/install/install.sql b/install/install.sql
index d3f4fb6..73b30c4 100644
--- a/install/install.sql
+++ b/install/install.sql
@@ -10,6 +10,7 @@ CREATE TABLE IF NOT EXISTS `ctracker_data` (
 `server_name` tinytext NOT NULL COMMENT 'Server''s host name',
 `script_name` varchar(255) NOT NULL COMMENT 'Full script name',
 `referer` varchar(255) NOT NULL COMMENT 'Referer',
+ `proxy_used` enum('Y','N') NOT NULL DEFAULT 'N' COMMENT 'Proxy used?',
 `first_attempt` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'First attempt',
 `last_attempt` TIMESTAMP ON UPDATE CURRENT_TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'Last attempt',
 `count` bigint(20) unsigned NOT NULL DEFAULT '0' COMMENT 'Counter',
diff --git a/libs/lib_detector.php b/libs/lib_detector.php
index 4ea881f..4459a58 100644
--- a/libs/lib_detector.php
+++ b/libs/lib_detector.php
@@ -107,7 +107,7 @@ function sendCrackerTrackerMail () {
 // Mail content
 $mail = "Attack detected:
 -----------------------------------------------------
-Remote-IP : ".$_SERVER['REMOTE_ADDR']."
+Remote-IP : ".determineRealRemoteAddress()."
 User-Agent : ".$_SERVER['HTTP_USER_AGENT']."
 Request-string : ".$_SERVER['QUERY_STRING']."
 Filtered string : ".$GLOBALS['checkworm']."
@@ -131,7 +131,7 @@ Referrer : ".$_SERVER['HTTP_REFERRER']."
 function crackerTrackerSendMail ($mail) {
 // Construct dummy array
 $rowData = array(
- 'remote_addr' => $_SERVER['REMOTE_ADDR'],
+ 'remote_addr' => determineRealRemoteAddress(),
 'check_worm' => $GLOBALS['checkworm'],
 'server_name' => $_SERVER['SERVER_NAME']
 );
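Review bot: The `proxy_used` column in install/install.sql is added only inside the `CREATE TABLE IF NOT EXISTS` statement, so a site that already has `ctracker_data` keeps the old layout while the new crackerTrackerLogAttack() code passes a `proxy_used` key in its insert array. If the insert helper maps array keys to columns (it is not visible in this diff), logging would start to fail on upgraded sites and attacks would go unrecorded. Ship an upgrade statement alongside, for example `ALTER TABLE ctracker_data ADD proxy_used enum('Y','N') NOT NULL DEFAULT 'N' AFTER referer;`, unless the project has a separate update path that is not part of this commit.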
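Review bot: In sendCrackerTrackerMail() (libs/lib_detector.php, hunk at -107) the `Remote-IP` line of the alert now prints a request-header value in place of `$_SERVER['REMOTE_ADDR']`, so the one address the client cannot choose no longer reaches the mail. Going by the helper added in libs/lib_general.php, any client that sends `X-Forwarded-For` or `Client-IP` decides what is reported. The same replacement is made in crackerTrackerSendMail() (hunk at -131), sendCrackerTrackerPostMail() (-160) and the `remote_addr` key of crackerTrackerLogAttack() (-200). Keep the connecting address and report the header value beside it, e.g. `Remote-IP : ".$_SERVER['REMOTE_ADDR']."` followed by a new line `Forwarded-for : ".determineRealRemoteAddress()."`; for the database row that means a separate column rather than overwriting `remote_addr`. The mail string and the function body continue outside the hunk.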
@@ -160,7 +160,7 @@ function sendCrackerTrackerPostMail () {
 // Mail text
 $mail = "POST-Attack detected:
 -----------------------------------------------------
-Remote-IP : ".$_SERVER['REMOTE_ADDR']."
+Remote-IP : ".determineRealRemoteAddress()."
 User-Agent : ".$_SERVER['HTTP_USER_AGENT']."
 Request-string : ".$_SERVER['QUERY_STRING']."
 Filtered string : ".$GLOBALS['checkworm']."
@@ -200,10 +200,18 @@ function crackerTrackerLogAttack () {
 // Aquire database link
 aquireCrackerTrackerDatabaseLink();
+ // By default no proxy is used
+ $proxyUsed = 'N';
+
+ // Did the attacker use a proxy?
+ if (isProxyUsed()) {
+ // Set it
+ $proxyUsed = 'Y';
+ } // END - if
 // Prepare array for database insert
 $rowData = array(
- 'remote_addr' => $_SERVER['REMOTE_ADDR'],
+ 'remote_addr' => determineRealRemoteAddress(),
 'user_agent' => $_SERVER['HTTP_USER_AGENT'],
 'get_data' => $_SERVER['QUERY_STRING'],
 'post_data' => $GLOBALS['post_track'],
@@ -211,7 +219,8 @@ function crackerTrackerLogAttack () {
 'check_post' => $GLOBALS['check_post'],
 'server_name' => $_SERVER['SERVER_NAME'],
 'script_name' => $_SERVER['SCRIPT_NAME'],
- 'referer' => $_SERVER['HTTP_REFERER']
+ 'referer' => $_SERVER['HTTP_REFERER'],
+ 'proxy_used' => $proxyUsed
 );
 // Insert the array in database
diff --git a/libs/lib_general.php b/libs/lib_general.php
index 19b7e28..b3db3ef 100644
--- a/libs/lib_general.php
+++ b/libs/lib_general.php
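Review bot: The `proxy_used` flag written in crackerTrackerLogAttack() (hunk at -200) records only that the request carried a forwarding header, which the client can add or omit, and nothing in the code states that limit. A comment above the check such as `// Header-based hint only: clients can forge or omit X-Forwarded-For / Client-IP` would keep later readers from treating 'N' as proof of a direct connection. The default-then-override block can also shrink to `$proxyUsed = isProxyUsed() ? 'Y' : 'N';`. The function body starts and ends outside the hunk.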
@@ -79,5 +79,38 @@ function isCrackerTrackerDebug () {
 return ((isset($GLOBALS['ctracker_debug'])) && ($GLOBALS['ctracker_debug'] === true));
 }
+// Determines the real remote address
+function determineRealRemoteAddress () {
+ // Is a proxy in use?
+ if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ // Proxy was used
+ $address = $_SERVER['HTTP_X_FORWARDED_FOR'];
+ } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
+ // Yet, another proxy
+ $address = $_SERVER['HTTP_CLIENT_IP'];
+ } else {
+ // The regular address when no proxy was used
+ $address = $_SERVER['REMOTE_ADDR'];
+ }
+
+ // This strips out the real address from proxy output
+ if (strstr($address, ',')) {
+ $addressArray = explode(',', $address);
+ $address = $addressArray[0];
+ } // END - if
+
+ // Return the result
+ return $address;
+}
+
+// Determine if a proxy was used
+function isProxyUsed () {
+ // Check if specific entries are set
+ $proxyUsed = ((isset($_SERVER['HTTP_X_FORWARDED_FOR'])) || (isset($_SERVER['HTTP_CLIENT_IP'])));
+
+ // Return result
+ return $proxyUsed;
+}
+
 // [EOF]
 ?>
-- 
2.39.5
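Review bot: determineRealRemoteAddress() returns whatever text the first forwarding header carries: the value is not trimmed, not checked to be an IP address, and it takes precedence over `$_SERVER['REMOTE_ADDR']`. The callers changed in this commit put the result into alert mails and the `remote_addr` database field, so arbitrary client-supplied text lands there; how the insert helper escapes it is not visible in this diff. Start from `REMOTE_ADDR` and accept a header entry only when `filter_var()` with `FILTER_VALIDATE_IP` accepts it, as in the rewrite below. Even a well-formed value remains a claim made by the client unless the peer is a proxy the site operates, so it should not be the only address kept.

```php
function determineRealRemoteAddress () {
	// Fall back to the socket peer unless a header yields a valid IP
	$address = $_SERVER['REMOTE_ADDR'];

	foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP') as $header) {
		if (!isset($_SERVER[$header])) {
			continue;
		}

		// First list entry only, without surrounding whitespace
		$parts = explode(',', $_SERVER[$header]);
		$candidate = trim($parts[0]);

		// Header text is client-supplied: accept it only if it parses as an IP
		if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
			$address = $candidate;
			break;
		}
	}

	return $address;
}
```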