From fe20c13027a1266e8dd3c70ca397587df922bdde Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Mon, 1 Apr 2019 18:22:37 +0200 Subject: [PATCH] Continued: - uh, last commit was UA, now POST data - moved out server-config related to own "category" - added application/x-httpd-php as this is not ment to be placed in URL, UA and POST data MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Roland Häder --- libs/lib_detector.php | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libs/lib_detector.php b/libs/lib_detector.php index 265e241..3b6dd58 100644 --- a/libs/lib_detector.php +++ b/libs/lib_detector.php @@ -151,13 +151,16 @@ function initCrackerTrackerArrays () { // MySQL internal functions 'name_const', + // Server configuration (e.g. Apache) + 'application/x-httpd-php', 'addtype', 'server-info', 'server-status', + // @TODO Misc/unsorted 'cgi-', '.eml', '$_request', '$_get', '$request', '$get', '.system', '&aim', 'new_password', '&icq', '.conf', 'motd ', 'HTTP/1.', 'window.open', 'img src', 'img src', '.jsp', 'servlet', 'org.apache', - 'wwwacl', 'server-info', 'server-status', '/servlet/con', 'http_', - 'secure_site, ok', 'chunked', '', 'base64_decode', 'file_put_contents', 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru', + // Server configuration (e.g. Apache) + 'application/x-httpd-php', + // Typical PHP script remote-inclusions and typical include file names '.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php', 'php_', 'class_', '_class.php', 'db_mysql.inc', 
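Review bot: The "Server configuration" group does not hold the same entries in each list. The first addition in this hunk carries `'application/x-httpd-php', 'addtype', 'server-info', 'server-status'`, while the later addition here and the one in the `@@ -223,7 +229,13 @@` hunk carry only `'application/x-httpd-php'`. If the other inputs should be checked for the same directives, defining the group once, e.g. `$serverConfig = ['application/x-httpd-php', 'addtype', 'server-info', 'server-status'];`, and merging it into each list with `array_merge()` would keep the copies from drifting apart. If the narrower lists are intentional, a one-line comment saying why would help the next maintainer. Which list maps to URL, User-Agent or POST data cannot be confirmed here, because initCrackerTrackerArrays() starts and ends outside the hunk.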
@@ -223,7 +229,13 @@ function initCrackerTrackerArrays () { // This line is for detecting hidden link spam in wikis, forums, guestbooks, etc. ' style=', 'overflow:auto', 'height:1px', 'width:1px', 'display:hidden', 'style.display', - // "Common" login names from VHCS exploiters ;-) + // Windows-related + 'cmd.exe', 'nc.exe', 'ftp.exe', 'powershell', 'system.net.webclient', + + // Server configuration (e.g. Apache) + 'application/x-httpd-php', + + // "Common" login names from VHCS exploiters 'starhack', 'DeLiMehmet', 'hisset', 'Hisset', 'delimert', 'MecTruy' ]; -- 2.39.5
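Review bot: The new "Windows-related" entries are all lowercase (`'powershell'`, `'system.net.webclient'`), but the same array keeps `'DeLiMehmet'` and both `'hisset'` and `'Hisset'`, so it is unclear whether the comparison is case-insensitive. The matching code is outside this hunk; if it compares case-sensitively, the usual spellings `PowerShell` and `System.Net.WebClient` would not be detected, so either confirm the input is lowercased first or compare with `stripos()`. A comment above the group such as `// entries must be lowercase: input is lowercased before matching` would record that contract once it is verified. Separately, `'nc.exe'` and `'ftp.exe'`, if matched as bare substrings, also hit longer names ending in the same characters (for example `sync.exe`), and `'powershell'` will flag ordinary forum or wiki posts that mention it. It is worth noting in the comment whether that false-positive rate is accepted for this list.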