From b2f474244f6d4268fbe05868d380b9e74015eddf Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Thu, 28 Jul 2016 09:50:24 +0200 Subject: [PATCH] Continued improving: - introduced crackerTrackerRequestMethod() to encapsulate $_SERVER['REQUEST_METHOD'] retrival - this allows the script being used on console now - check also user-agent string for bad occurrences (difference not yet logged) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Roland Häder --- libs/lib_detector.php | 61 ++++++++++++++++++++++++++----------------- libs/lib_general.php | 24 ++++++++++++++--- 2 files changed, 57 insertions(+), 28 deletions(-) diff --git a/libs/lib_detector.php b/libs/lib_detector.php index 976ac54..5ed9917 100644 --- a/libs/lib_detector.php +++ b/libs/lib_detector.php @@ -38,10 +38,9 @@ function initCrackerTrackerArrays () { // Whitelist some absolute query strings (see below) $GLOBALS['ctracker_whitelist'] = array( - 'cmd=new', // LinPHA - 'cmd=edit', // LinPHA - 'cmd=lostpw', // LinPHA - 'secure_session=1', // Mantis Bug Tracker + 'cmd=new', // LinPHA + 'cmd=edit', // LinPHA + 'cmd=lostpw', // LinPHA ); // Attacks we should detect and block @@ -52,7 +51,7 @@ function initCrackerTrackerArrays () { 'union(', 'union=', // $GLOBAL/$_SERVER array elements - 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION','CFG_ROOT', + 'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION', 'CFG_ROOT', 'DOCUMENT_ROOT', '_SERVER', // Sensitive files 
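Review bot: The Mantis whitelist entry `'secure_session=1', // Mantis Bug Tracker` is dropped from `$GLOBALS['ctracker_whitelist']` in this hunk, and nothing in the commit message (which only lists the request-method helper and the user-agent check) explains that change in detection behaviour. Either restore the entry or add a sentence to the message saying why Mantis no longer needs the exemption, so the next reader of `git blame` does not mistake it for a re-alignment accident. initCrackerTrackerArrays() starts outside the hunk.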
@@ -63,8 +62,8 @@ function initCrackerTrackerArrays () { // Other Linux/FreeBSD/??? programs (sometimes with space) 'traceroute ', 'ping ', 'bin/xterm', 'bin/./xterm', 'lsof ', - 'telnet ', 'wget ', 'bin/id', 'uname\x20', 'uname ', 'killall', - 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ', + 'telnet ', 'wget ', 'bin/perl', 'bin/id', 'uname\x20', 'uname ', + 'killall', 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ', 'rmdir ', 'mcd ', 'mrd ', 'rm ', ' mcd', ' mrd', ' rm', 'passwd ', ' passwd', 'mdir ', ' mdir', 'cp ', ' cp', 'esystem ', 'chr ', ' chr', 'wget ', ' wget', ' cmd', 
@@ -162,31 +161,45 @@ function initCrackerTrackerArrays () { ); // Init more elements - $GLOBALS['ctracker_post_track'] = ''; - $GLOBALS['ctracker_checkworm'] = ''; - $GLOBALS['ctracker_check_post'] = ''; + $GLOBALS['ctracker_post_track'] = ''; + $GLOBALS['ctracker_checked_get'] = ''; + $GLOBALS['ctracker_checked_post'] = ''; + $GLOBALS['ctracker_checked_ua'] = ''; } // Checks for worms function isCrackerTrackerWormDetected () { // Check against the whole list - $GLOBALS['ctracker_checkworm'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString())); + $GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString())); + $GLOBALS['ctracker_checked_ua'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerUserAgent())); + + /* + * If it differs to original and the *whole* request string is not in + * whitelist then blog the attempt. + */ + $isWorm = ( + ( + $GLOBALS['ctracker_checked_get'] != crackerTrackerQueryString() && (!in_array(crackerTrackerQueryString(), $GLOBALS['ctracker_whitelist'])) + ) || ( + $GLOBALS['ctracker_checked_ua'] != crackerTrackerUserAgent() + ) + ); + //* DEBUG-DIE: */ die('isWorm='.intval($isWorm).PHP_EOL.'get="'.$GLOBALS['ctracker_checked_get'].'"'.PHP_EOL.'"'.crackerTrackerQueryString().'"'.PHP_EOL.'ua="'.$GLOBALS['ctracker_checked_ua'].'"'.PHP_EOL.'"'.crackerTrackerUserAgent().'"'.PHP_EOL); - // If it differs to original and the *whole* request string is not in whitelist - // then blog the attempt - return ($GLOBALS['ctracker_checkworm'] != crackerTrackerQueryString() && (!in_array(crackerTrackerQueryString(), $GLOBALS['ctracker_whitelist']))); + // Return it + return $isWorm; } // Checks POST data function isCrackerTrackerPostAttackDetected () { // Implode recursive the whole $_POST array - $GLOBALS['ctracker_post_track'] = urldecode(implode_r('', $_POST)); + $GLOBALS['ctracker_post_track'] = 
urldecode(implode_r('&', $_POST)); // Check for suspicious POST data - $GLOBALS['ctracker_check_post'] = str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']); + $GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track'])); // Is it detected? - return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_check_post'] != $GLOBALS['ctracker_post_track'])); + return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != $GLOBALS['ctracker_post_track'])); } // Prepares a mail and send it out @@ -200,7 +213,7 @@ function sendCrackerTrackerMail () { Remote-IP : ' . determineCrackerTrackerRealRemoteAddress() . ' User-Agent : ' . crackerTrackerUserAgent() . ' Request-string : ' . crackerTrackerQueryString() . ' -Filtered string : ' . $GLOBALS['ctracker_checkworm'] . ' +Filtered string : ' . $GLOBALS['ctracker_checked_get'] . ' Server : ' . crackerTrackerServerName() . ' Script : ' . crackerTrackerScriptName() . ' Referrer : ' . crackerTrackerReferer() . ' @@ -235,7 +248,7 @@ function crackerTrackerSendMail ($mail, $recipient = NULL, $subject = NULL) { $rowData = array( 'remote_addr' => determineCrackerTrackerRealRemoteAddress(), 'proxy_addr' => getenv('REMOTE_ADDR'), - 'check_worm' => $GLOBALS['ctracker_checkworm'], + 'check_worm' => $GLOBALS['ctracker_checked_get'], 'server_name' => crackerTrackerServerName() ); 
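Review bot: The new `$GLOBALS['ctracker_checked_post']` in isCrackerTrackerPostAttackDetected() and `$GLOBALS['ctracker_checked_ua']` in isCrackerTrackerWormDetected() are urldecoded a second time before being compared with input that was already decoded — `ctracker_post_track` is built with urldecode(), and crackerTrackerUserAgent() now decodes too (the `urldecode($_SERVER['HTTP_USER_AGENT'])` change in libs/lib_general.php). Any benign value containing a literal `+` or a `%xx` sequence (a POST field "C++", for instance) will therefore differ after the second decode and be reported as an attack, while the comparison still sees nothing the blacklist did not already catch. Compare the filtered string against the same already-decoded value: `$GLOBALS['ctracker_checked_post'] = str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']);` and likewise `$GLOBALS['ctracker_checked_ua'] = str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerUserAgent());`. The `//* DEBUG-DIE: */ die(...)` line should also be removed before merge, and the `!=` string comparisons in `$isWorm` are safer as `!==`. initCrackerTrackerArrays() starts outside the hunk.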
@@ -278,13 +291,13 @@ function sendCrackerTrackerPostMail () { Remote-IP : '.determineCrackerTrackerRealRemoteAddress().' User-Agent : '.crackerTrackerUserAgent().' Request-string : '.crackerTrackerQueryString().' -Filtered string : '.$GLOBALS['ctracker_checkworm'].' +Filtered string : '.$GLOBALS['ctracker_checked_get'].' Server : '.crackerTrackerServerName().' Script : '.crackerTrackerScriptName().' Referrer : '.crackerTrackerReferer().' ----------------------------------------------------- POST string : '.$GLOBALS['ctracker_post_track'].' -Filtered POST string : '.$GLOBALS['ctracker_check_post'].' +Filtered POST string : '.$GLOBALS['ctracker_checked_post'].' ----------------------------------------------------- '; @@ -339,12 +352,12 @@ function crackerTrackerLogAttack () { 'user_agent' => crackerTrackerUserAgent(), 'get_data' => crackerTrackerQueryString(), 'post_data' => $GLOBALS['ctracker_post_track'], - 'check_worm' => $GLOBALS['ctracker_checkworm'], - 'check_post' => $GLOBALS['ctracker_check_post'], + 'check_worm' => $GLOBALS['ctracker_checked_get'], + 'check_post' => $GLOBALS['ctracker_checked_post'], 'server_name' => crackerTrackerServerName(), 'script_name' => crackerTrackerScriptName(), 'referer' => crackerTrackerReferer(), - 'request_method' => $_SERVER['REQUEST_METHOD'], + 'request_method' => crackerTrackerRequestMethod(), 'proxy_used' => $proxyUsed, 'first_attempt' => 'NOW()' ); diff --git a/libs/lib_general.php b/libs/lib_general.php index 8d5dd1e..4180c9d 100644 --- a/libs/lib_general.php +++ b/libs/lib_general.php @@ -150,7 +150,7 @@ function crackerTrackerUserAgent () { // Is the entry there? if (isset($_SERVER['HTTP_USER_AGENT'])) { // Then use it securely - $ua = crackerTrackerSecureString($_SERVER['HTTP_USER_AGENT']); + $ua = crackerTrackerSecureString(urldecode($_SERVER['HTTP_USER_AGENT'])); } // END - if // Return it 
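Review bot: `'request_method' => crackerTrackerRequestMethod()` in crackerTrackerLogAttack() can now be NULL (the new helper returns NULL when `$_SERVER['REQUEST_METHOD']` is unset or empty), whereas the previous expression was a plain string on the web path. If `$rowData` is handed to a SQL builder — the `'first_attempt' => 'NOW()'` entry suggests it — confirm that the `request_method` column accepts NULL, or fall back to a placeholder such as `'-'` the way crackerTrackerReferer() does. crackerTrackerLogAttack() starts outside the hunk.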
@@ -199,7 +199,7 @@ function crackerTrackerReferer () { $referer = '-'; // Is it there? - if (isset($_SERVER['HTTP_REFERER'])) { + if (!empty($_SERVER['HTTP_REFERER'])) { // Then use it securely $referer = crackerTrackerSecureString(urldecode($_SERVER['HTTP_REFERER'])); } // END - if @@ -208,6 +208,21 @@ function crackerTrackerReferer () { return $referer; } +// Detects request method +function crackerTrackerRequestMethod () { + // Default is NULL + $method = NULL; + + // Is it set? + if (!empty($_SERVER['REQUEST_METHOD'])) { + // Then use it + $method = $_SERVER['REQUEST_METHOD']; + } // END - if + + // Return it + return $method; +} + // Detects the scripts path function crackerTrackerScriptPath () { // Should always be there! @@ -514,8 +529,9 @@ function unsetCtrackerData () { 'ctracker_post_blacklist', 'ctracker_header', 'ctracker_post_track', - 'ctracker_checkworm', - 'ctracker_check_post', + 'ctracker_checked_get', + 'ctracker_checked_post', + 'ctracker_checked_ua', 'ctracker_last_sql', 'ctracker_last_result', 'ctracker_config', -- 2.39.5
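Review bot: crackerTrackerRequestMethod() returns `$_SERVER['REQUEST_METHOD']` verbatim, while the sibling accessors in this file (crackerTrackerUserAgent(), crackerTrackerReferer()) run the request value through crackerTrackerSecureString() before it reaches mails and log rows; for consistency use `$method = crackerTrackerSecureString($_SERVER['REQUEST_METHOD']);`. The header comment should also state the console case the commit message mentions, e.g. `// Returns the HTTP request method, or NULL when it is not set (e.g. when run from the console)`.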