From f096bc2997545e3209beb89317b596151e30bc23 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?= <rhaeder@cho-time.de>
Date: Thu, 28 Jul 2016 09:50:24 +0200
Subject: [PATCH] Continued improving: - introduced
 crackerTrackerRequestMethod() to encapsulate $_SERVER['REQUEST_METHOD']
 retrival - this allows the script being used on console now - check also
 user-agent string for bad occurrences (difference not yet logged)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Roland Häder <rhaeder@cho-time.de>
---
 libs/lib_detector.php | 61 ++++++++++++++++++++++++++-----------------
 libs/lib_general.php  | 24 ++++++++++++++---
 2 files changed, 57 insertions(+), 28 deletions(-)

diff --git a/libs/lib_detector.php b/libs/lib_detector.php
index 976ac54..5ed9917 100644
--- a/libs/lib_detector.php
+++ b/libs/lib_detector.php
@@ -38,10 +38,9 @@ function initCrackerTrackerArrays () {
 
 	// Whitelist some absolute query strings (see below)
 	$GLOBALS['ctracker_whitelist'] = array(
-		'cmd=new',          // LinPHA
-		'cmd=edit',         // LinPHA
-		'cmd=lostpw',       // LinPHA
-		'secure_session=1', // Mantis Bug Tracker
+		'cmd=new',    // LinPHA
+		'cmd=edit',   // LinPHA
+		'cmd=lostpw', // LinPHA
 	);
 
 	// Attacks we should detect and block
@@ -52,7 +51,7 @@ function initCrackerTrackerArrays () {
 		'union(', 'union=',
 
 		// $GLOBAL/$_SERVER array elements
-		'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION','CFG_ROOT',
+		'HTTP_USER_AGENT', 'HTTP_HOST', 'HTTP_PHP', '_SESSION', 'CFG_ROOT',
 		'DOCUMENT_ROOT', '_SERVER',
 
 		// Sensitive files
@@ -63,8 +62,8 @@ function initCrackerTrackerArrays () {
 
 		// Other Linux/FreeBSD/??? programs (sometimes with space)
 		'traceroute ', 'ping ', 'bin/xterm', 'bin/./xterm', 'lsof ',
-		'telnet ', 'wget ', 'bin/id', 'uname\x20', 'uname ', 'killall',
-		'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ',
+		'telnet ', 'wget ', 'bin/perl', 'bin/id', 'uname\x20', 'uname ',
+		'killall', 'diff ', 'kill ', 'locate ', 'grep ', 'vi ', 'mv ',
 		'rmdir ', 'mcd ', 'mrd ', 'rm ', ' mcd', ' mrd', ' rm',
 		'passwd ', ' passwd', 'mdir ', ' mdir', 'cp ', ' cp',
 		'esystem ', 'chr ', ' chr', 'wget ', ' wget', ' cmd',
@@ -162,31 +161,45 @@ function initCrackerTrackerArrays () {
 	);
 
 	// Init more elements
-	$GLOBALS['ctracker_post_track'] = '';
-	$GLOBALS['ctracker_checkworm']  = '';
-	$GLOBALS['ctracker_check_post'] = '';
+	$GLOBALS['ctracker_post_track']   = '';
+	$GLOBALS['ctracker_checked_get']  = '';
+	$GLOBALS['ctracker_checked_post'] = '';
+	$GLOBALS['ctracker_checked_ua']   = '';
 }
 
 // Checks for worms
 function isCrackerTrackerWormDetected () {
 	// Check against the whole list
-	$GLOBALS['ctracker_checkworm'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString()));
+	$GLOBALS['ctracker_checked_get'] = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerQueryString()));
+	$GLOBALS['ctracker_checked_ua']  = urldecode(str_ireplace($GLOBALS['ctracker_get_blacklist'], '*', crackerTrackerUserAgent()));
+
+	/*
+	 * If it differs to original and the *whole* request string is not in
+	 * whitelist then blog the attempt.
+	 */
+	$isWorm = (
+		(
+			$GLOBALS['ctracker_checked_get'] != crackerTrackerQueryString() && (!in_array(crackerTrackerQueryString(), $GLOBALS['ctracker_whitelist']))
+		) || (
+			$GLOBALS['ctracker_checked_ua'] != crackerTrackerUserAgent()
+		)
+	);
+	//* DEBUG-DIE: */ die('isWorm='.intval($isWorm).PHP_EOL.'get="'.$GLOBALS['ctracker_checked_get'].'"'.PHP_EOL.'"'.crackerTrackerQueryString().'"'.PHP_EOL.'ua="'.$GLOBALS['ctracker_checked_ua'].'"'.PHP_EOL.'"'.crackerTrackerUserAgent().'"'.PHP_EOL);
 
-	// If it differs to original and the *whole* request string is not in whitelist
-	// then blog the attempt
-	return ($GLOBALS['ctracker_checkworm'] != crackerTrackerQueryString() && (!in_array(crackerTrackerQueryString(), $GLOBALS['ctracker_whitelist'])));
+	// Return it
+	return $isWorm;
 }
 
 // Checks POST data
 function isCrackerTrackerPostAttackDetected () {
 	// Implode recursive the whole $_POST array
-	$GLOBALS['ctracker_post_track'] = urldecode(implode_r('', $_POST));
+	$GLOBALS['ctracker_post_track'] = urldecode(implode_r('&', $_POST));
 
 	// Check for suspicious POST data
-	$GLOBALS['ctracker_check_post'] = str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']);
+	$GLOBALS['ctracker_checked_post'] = urldecode(str_ireplace($GLOBALS['ctracker_post_blacklist'], '*', $GLOBALS['ctracker_post_track']));
 
 	// Is it detected?
-	return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_check_post'] != $GLOBALS['ctracker_post_track']));
+	return ((isCrackerTrackerWormDetected()) || ($GLOBALS['ctracker_checked_post'] != $GLOBALS['ctracker_post_track']));
 }
 
 // Prepares a mail and send it out
@@ -200,7 +213,7 @@ function sendCrackerTrackerMail () {
 Remote-IP       : ' . determineCrackerTrackerRealRemoteAddress() . '
 User-Agent      : ' . crackerTrackerUserAgent() . '
 Request-string  : ' . crackerTrackerQueryString() . '
-Filtered string : ' . $GLOBALS['ctracker_checkworm'] . '
+Filtered string : ' . $GLOBALS['ctracker_checked_get'] . '
 Server          : ' . crackerTrackerServerName() . '
 Script          : ' . crackerTrackerScriptName() . '
 Referrer        : ' . crackerTrackerReferer() . '
@@ -235,7 +248,7 @@ function crackerTrackerSendMail ($mail, $recipient = NULL, $subject = NULL) {
 	$rowData = array(
 		'remote_addr' => determineCrackerTrackerRealRemoteAddress(),
 		'proxy_addr'  => getenv('REMOTE_ADDR'),
-		'check_worm'  => $GLOBALS['ctracker_checkworm'],
+		'check_worm'  => $GLOBALS['ctracker_checked_get'],
 		'server_name' => crackerTrackerServerName()
 	);
 
@@ -278,13 +291,13 @@ function sendCrackerTrackerPostMail () {
 Remote-IP            : '.determineCrackerTrackerRealRemoteAddress().'
 User-Agent           : '.crackerTrackerUserAgent().'
 Request-string       : '.crackerTrackerQueryString().'
-Filtered string      : '.$GLOBALS['ctracker_checkworm'].'
+Filtered string      : '.$GLOBALS['ctracker_checked_get'].'
 Server               : '.crackerTrackerServerName().'
 Script               : '.crackerTrackerScriptName().'
 Referrer             : '.crackerTrackerReferer().'
 -----------------------------------------------------
 POST string          : '.$GLOBALS['ctracker_post_track'].'
-Filtered POST string : '.$GLOBALS['ctracker_check_post'].'
+Filtered POST string : '.$GLOBALS['ctracker_checked_post'].'
 -----------------------------------------------------
 ';
 
@@ -339,12 +352,12 @@ function crackerTrackerLogAttack () {
 		'user_agent'     => crackerTrackerUserAgent(),
 		'get_data'       => crackerTrackerQueryString(),
 		'post_data'      => $GLOBALS['ctracker_post_track'],
-		'check_worm'     => $GLOBALS['ctracker_checkworm'],
-		'check_post'     => $GLOBALS['ctracker_check_post'],
+		'check_worm'     => $GLOBALS['ctracker_checked_get'],
+		'check_post'     => $GLOBALS['ctracker_checked_post'],
 		'server_name'    => crackerTrackerServerName(),
 		'script_name'    => crackerTrackerScriptName(),
 		'referer'        => crackerTrackerReferer(),
-		'request_method' => $_SERVER['REQUEST_METHOD'],
+		'request_method' => crackerTrackerRequestMethod(),
 		'proxy_used'     => $proxyUsed,
 		'first_attempt'  => 'NOW()'
 	);
diff --git a/libs/lib_general.php b/libs/lib_general.php
index 8d5dd1e..4180c9d 100644
--- a/libs/lib_general.php
+++ b/libs/lib_general.php
@@ -150,7 +150,7 @@ function crackerTrackerUserAgent () {
 	// Is the entry there?
 	if (isset($_SERVER['HTTP_USER_AGENT'])) {
 		// Then use it securely
-		$ua = crackerTrackerSecureString($_SERVER['HTTP_USER_AGENT']);
+		$ua = crackerTrackerSecureString(urldecode($_SERVER['HTTP_USER_AGENT']));
 	} // END - if
 
 	// Return it
@@ -199,7 +199,7 @@ function crackerTrackerReferer () {
 	$referer = '-';
 
 	// Is it there?
-	if (isset($_SERVER['HTTP_REFERER'])) {
+	if (!empty($_SERVER['HTTP_REFERER'])) {
 		// Then use it securely
 		$referer = crackerTrackerSecureString(urldecode($_SERVER['HTTP_REFERER']));
 	} // END - if
@@ -208,6 +208,21 @@ function crackerTrackerReferer () {
 	return $referer;
 }
 
+// Detects request method
+function crackerTrackerRequestMethod () {
+	// Default is NULL
+	$method = NULL;
+
+	// Is it set?
+	if (!empty($_SERVER['REQUEST_METHOD'])) {
+		// Then use it
+		$method = $_SERVER['REQUEST_METHOD'];
+	} // END - if
+
+	// Return it
+	return $method;
+}
+
 // Detects the scripts path
 function crackerTrackerScriptPath () {
 	// Should always be there!
@@ -514,8 +529,9 @@ function unsetCtrackerData () {
 			'ctracker_post_blacklist',
 			'ctracker_header',
 			'ctracker_post_track',
-			'ctracker_checkworm',
-			'ctracker_check_post',
+			'ctracker_checked_get',
+			'ctracker_checked_post',
+			'ctracker_checked_ua',
 			'ctracker_last_sql',
 			'ctracker_last_result',
 			'ctracker_config',
-- 
2.39.2