'bin/./tclsh', 'bin/nasm', 'bin/./nasm', '/perl', 'perl ', 'cmd.exe',
'nc.exe', 'ftp.exe',
+ // php.ini settings
+ 'allow_url_fopen', 'allow_url_include', 'auto_prepend_file', 'disable_functions', 'safe_mode',
+
// PHP commands/scripts
- 'fopen', 'fwrite', 'phpinfo()', '\<?', '?\>',
+ 'fopen', 'fwrite', 'phpinfo()', '\<?', '?\>', 'base64_decode', 'file_put_contents',
+ 'set_magic_quotes_runtime', 'set_magic_quotes_runtime', 'display_errors', 'passthru',
// Typical PHP script remote-inclusions and typical include file names
'.inc.php', '.lib.php', '.class.php', 'config.php', '.inc', '_php',
'php_', 'class_', '_class.php', 'db_mysql.inc',
+ // PHP arrays
+ '_PHPLIB',
+
// Generic remote inclusion
'=http://', '=https://',
'path=', 'sql=',
// Attempts to insert links into a badly secured URL
'%3E%3C',
+ // /proc/ and other forbidden paths
+ 'proc/self/environ',
+
// @TODO Misc/unsorted
'cgi-', '.eml', '$_request', '$_get', '$request', '$get', '.system',
'&aim', 'new_password', '&icq', '.conf', 'motd ', 'HTTP/1.',
'wwwacl', '.js', '.jsp', 'server-info', 'server-status',
'secure_site, ok', 'chunked', 'org.apache', '/servlet/con',
'<script', 'mod_gzip_status', '.system', 'http_',
- 'uol.com', ',0x', '(0x',
+ 'uol.com', ',0x', '(0x'
);
// Block these words found in POST requests
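Review bot: The added line under "PHP commands/scripts" lists `'set_magic_quotes_runtime'` twice, so the second entry adds no coverage and probably stands in for a different name that was meant to be blocked. Either drop the duplicate, leaving `'set_magic_quotes_runtime', 'display_errors', 'passthru',`, or replace it with the intended identifier. `'display_errors'` is a php.ini directive and reads better in the new "php.ini settings" group than among the function names. The new `'_PHPLIB'` entry is upper-case while neighbours such as `'$_request'` and `'$_get'` are lower-case; the matching code is outside this hunk, so confirm the comparison is case-insensitive, otherwise this entry may never match.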
// Prepare array for database insert
$rowData = array(
- 'remote_addr' => determineCrackerTrackerRealRemoteAddress(),
- 'proxy_addr' => getenv('REMOTE_ADDR'),
- 'user_agent' => crackerTrackerUserAgent(),
- 'get_data' => crackerTrackerQueryString(),
- 'post_data' => $GLOBALS['ctracker_post_track'],
- 'check_worm' => $GLOBALS['ctracker_checkworm'],
- 'check_post' => $GLOBALS['ctracker_check_post'],
- 'server_name' => crackerTrackerServerName(),
- 'script_name' => crackerTrackerScriptName(),
- 'referer' => crackerTrackerReferer(),
- 'proxy_used' => $proxyUsed,
- 'first_attempt' => 'NOW()'
+ 'remote_addr' => determineCrackerTrackerRealRemoteAddress(),
+ 'proxy_addr' => getenv('REMOTE_ADDR'),
+ 'user_agent' => crackerTrackerUserAgent(),
+ 'get_data' => crackerTrackerQueryString(),
+ 'post_data' => $GLOBALS['ctracker_post_track'],
+ 'check_worm' => $GLOBALS['ctracker_checkworm'],
+ 'check_post' => $GLOBALS['ctracker_check_post'],
+ 'server_name' => crackerTrackerServerName(),
+ 'script_name' => crackerTrackerScriptName(),
+ 'referer' => crackerTrackerReferer(),
+ 'request_method' => $_SERVER['REQUEST_METHOD'],
+ 'proxy_used' => $proxyUsed,
+ 'first_attempt' => 'NOW()'
);
// Insert the array in database
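Review bot: The new `'request_method' => $_SERVER['REQUEST_METHOD']` entry puts a client-supplied value into the row unfiltered, whereas every neighbouring field comes from a helper function or a tracker global. The literal `'first_attempt' => 'NOW()'` suggests the insert routine, which is not visible in this hunk, assembles SQL text from these strings, so the method token should be constrained before it is stored. A line such as `'request_method' => preg_replace('/[^A-Z]/', '', strtoupper((string) getenv('REQUEST_METHOD'))),` keeps only the letters of the method and also avoids an undefined-index notice when the key is absent, for example under CLI. If the insert routine already escapes every value, a short comment next to the entry saying so would document that assumption.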
if (isset($GLOBALS['ctracker_last_suspicious_entry'])) {
// Does the user have a ticket?
if (ifCrackerTrackerIpHasTicket()) {
- // Should we continue?
- if (isset($_POST['ctracker_continue'])) {
- // Set cookie
- sendCrackerTrackerCookie();
-
- // And redirect to same URL
- crackerTrackerRedirectSameUrl();
- } elseif (ifCrackerTrackerCookieIsSet()) {
- // Return here to normal program
- return;
- } else {
- // Load "Thank you" template
- crackerTrackerLoadTemplate('add_ticket_thanks');
- }
+ // Load "Thank you" template
+ crackerTrackerLoadTemplate('add_ticket_thanks');
} elseif ((isset($_POST['ctracker_add_ticket'])) && (!empty($_POST['name'])) && (!empty($_POST['email']))) {
// Add the ticket
addCrackerTrackerTicket($_POST);