Ravens PHP Scripts: Forums
 

 

beetraham
Regular
Joined: Dec 13, 2003
Posts: 94
Location: Finland (EU)

PostPosted: Wed Oct 06, 2004 8:09 pm

How-To receive ALERTS on *untrusted-IP(s)* accessing admin.php?

As there is basically no reason for anyone other than a PHP-Nuke site's trusted Administrators to access the *admin.php* page, you may optionally find it useful to *monitor the unauthorized admin.php accesses*, thus having an illuminated basis for the decision-making process related to further required actions.

In order to receive email-based information on hostile/malicious parties either *brute-forcing* or *just accessing* your PHP-Nuke site's *admin.php*, please find enclosed a modification for PHP-Nuke's *admin.php* page:

Quote:
Additional notices:

Should you choose to apply this mod, please note the following:
* this mod may have effects on performance when logged in as an Admin (the routine is performed on every Admin-associated page load)
* remove the unneeded sections in the code to optimize performance
* should you choose to add more Admins, then you should ALWAYS note SPECIFICALLY the following:

[original array] :
$arr = array('admin1', 'admin2', 'admin3', 'admin4', 'alert');
[modified array] :
$arr = array('admin1', 'admin2', 'admin3', 'admin4', 'admin5', 'alert');

Meaning, the *added* admins must be placed before the last element in the array. And why is that? Because the array will be *scanned* consecutively in declaration order, i.e. when done otherwise the structure will cause false-positive alarms, as the *added trusted admin* would never get to experience the loop's *"break"*, resulting in *unalarmed script output*.



|------------> FIND LINE :

<FILE> : "admin.php"

Quote:

require_once("mainfile.php");


|------------> ADD FOLLOWING CODE (JUST ABOVE THE FOUND LINE)

<FILE> : "admin.php"

Quote:


// BEGINNING OF ARRAY BASED ARGUMENT LIST PROCESSING SECTION ----->
//
// PHP code snippet for receiving emailed ALERTS of *untrusted-IP(s)* admin.php accesses
//
// by beetraham aka. ZenoCide (c) 2004 (http://www.ec-clan.org/downloads.html)
//
// declaring the array to be used as an argument list for the performed *trusted IP* checks
// (the 'alert' element MUST stay last: the loop only reaches it when no trusted IP matched)
$arr = array('admin1', 'admin2', 'admin3', 'admin4', 'alert');
// declaring trusted IP's
$ipadmin1="67.15.57.171"; // to be edited (trusted Admin1)
$ipadmin2="67.15.57.172"; // to be edited (trusted Admin2)
$ipadmin3="67.15.57.173"; // to be edited (trusted Admin3)
$ipadmin4="67.15.57.174"; // to be edited (trusted Admin4)
// declaring email alert related specifics
$acceptemail=1; // set to "1" to receive mail, to "0" not to receive
$to='admin@yoursite'; // recipient email address - needed
// $sitename is not available yet (mainfile.php, which loads it, is included after this block),
// so the server name is used in the subject instead
$alertsubject="ALERT: *admin.php* access detected at *".$_SERVER['SERVER_NAME']."*"; // change the subject as seen appropriate
// retrieving the IP of the visitor hitting the page; REMOTE_ADDR is the TCP peer address
// and cannot be forged by the client (unlike X-Forwarded-For and similar headers)
$ip=$_SERVER['REMOTE_ADDR']; // this will be compared to the trusted list of IP(s)
// request details for the alert body ($_SERVER is used instead of the old register_globals names)
$host=isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '-';
$referer=isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-'; // client-supplied, do not trust it
$serveraddr=isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : '-';
$scriptfile=isset($_SERVER['SCRIPT_FILENAME']) ? $_SERVER['SCRIPT_FILENAME'] : __FILE__;
//
// performing the checks (please note that *DYNAMIC* Admin IP's will cause an alert EACH TIME!)
//
foreach ($arr as $val) {
    // we should never reach this branch, but if we do, we send an alert, since the IP is not considered trustworthy!
    if ($val == 'alert') {
        // beginning of email routine
        $date=date("m/d/Y H:i:s");
        if($acceptemail==1) {
            mail($to,$alertsubject,"\n
-------------------------------
- ADMIN.PHP PAGE ACCESS ALERT -
-------------------------------
ACCESS DATE&TIME: $date
IP ADDRESS : $ip
: CHECK [ARIN]--> [lookup URL stripped by the forum export - re-add yours]".$ip."
: CHECK [RIPE]--> [lookup URL stripped by the forum export - re-add yours]".$ip."

HTTP HOST : $host
HTTP REFERER : $referer
FROM IP ADDRESS : $serveraddr
ALERTING SRC FILE : $scriptfile");
        }
        // end of email routine
        break;
    }
    if ($val == 'admin1') {
        // if the IP gets evaluated as trusted, we do nothing (leave the loop before 'alert' is reached)
        if($ip==$ipadmin1) {
            break;
        }
    }
    if ($val == 'admin2') {
        // if the IP gets evaluated as trusted, we do nothing (leave the loop before 'alert' is reached)
        if($ip==$ipadmin2) {
            break;
        }
    }
    if ($val == 'admin3') {
        // if the IP gets evaluated as trusted, we do nothing (leave the loop before 'alert' is reached)
        if($ip==$ipadmin3) {
            break;
        }
    }
    if ($val == 'admin4') {
        // if the IP gets evaluated as trusted, we do nothing (leave the loop before 'alert' is reached)
        if($ip==$ipadmin4) {
            break;
        }
    }
}
// END OF ARRAY BASED ARGUMENT LIST PROCESSING SECTION




|------------> THUS, THE MODIFIED CODE SHOULD LOOK VERY SIMILAR TO:

<FILE> : "admin.php"

Quote:

<?php
/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* (project URL stripped by the forum export) */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/* */
/************************************************************************/
/* Additional security checking code 2003 by chatserv */
/* (author URLs stripped by the forum export) */
/************************************************************************/
//
// BEGINNING OF ARRAY BASED ARGUMENT LIST PROCESSING SECTION ----->
//
// PHP code snippet for receiving emailed ALERTS of *untrusted-IP(s)* admin.php accesses
//
// by beetraham aka. ZenoCide (c) 2004 (http://www.ec-clan.org/downloads.html)
//
// declaring the array to be used as an argument list for the performed *trusted IP* checks
// (the 'alert' element MUST stay last: the loop only reaches it when no trusted IP matched)
$arr = array('admin1', 'admin2', 'admin3', 'admin4', 'alert');
// declaring trusted IP's
$ipadmin1="67.15.57.171"; // to be edited (trusted Admin1)
$ipadmin2="67.15.57.172"; // to be edited (trusted Admin2)
$ipadmin3="67.15.57.173"; // to be edited (trusted Admin3)
$ipadmin4="67.15.57.174"; // to be edited (trusted Admin4)
// declaring email alert related specifics
$acceptemail=1; // set to "1" to receive mail, to "0" not to receive
$to='admin@yoursite'; // recipient email address - needed
// $sitename is not available yet (mainfile.php, which loads it, is included after this block),
// so the server name is used in the subject instead
$alertsubject="ALERT: *admin.php* access detected at *".$_SERVER['SERVER_NAME']."*"; // change the subject as seen appropriate
// retrieving the IP of the visitor hitting the page; REMOTE_ADDR is the TCP peer address
// and cannot be forged by the client (unlike X-Forwarded-For and similar headers)
$ip=$_SERVER['REMOTE_ADDR']; // this will be compared to the trusted list of IP(s)
// request details for the alert body ($_SERVER is used instead of the old register_globals names)
$host=isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '-';
$referer=isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-'; // client-supplied, do not trust it
$serveraddr=isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : '-';
$scriptfile=isset($_SERVER['SCRIPT_FILENAME']) ? $_SERVER['SCRIPT_FILENAME'] : __FILE__;
//
// performing the checks (please note that *DYNAMIC* Admin IP's will cause an alert EACH TIME!)
//
foreach ($arr as $val) {
    // we should never reach this branch, but if we do, we send an alert, since the IP is not considered trustworthy!
    if ($val == 'alert') {
        // beginning of email routine
        $date=date("m/d/Y H:i:s");
        if($acceptemail==1) {
            mail($to,$alertsubject,"\n
-------------------------------
- ADMIN.PHP PAGE ACCESS ALERT -
-------------------------------
ACCESS DATE&TIME: $date
IP ADDRESS : $ip
: CHECK [ARIN]--> [lookup URL stripped by the forum export - re-add yours]".$ip."
: CHECK [RIPE]--> [lookup URL stripped by the forum export - re-add yours]".$ip."

HTTP HOST : $host
HTTP REFERER : $referer
FROM IP ADDRESS : $serveraddr
ALERTING SRC FILE : $scriptfile");
        }
        // end of email routine
        break;
    }
    if ($val == 'admin1') {
        // if the IP gets evaluated as trusted, we do nothing (leave the loop before 'alert' is reached)
        if($ip==$ipadmin1) {
            break;
        }
    }
    if ($val == 'admin2') {
        // if the IP gets evaluated as trusted, we do nothing (leave the loop before 'alert' is reached)
        if($ip==$ipadmin2) {
            break;
        }
    }
    if ($val == 'admin3') {
        // if the IP gets evaluated as trusted, we do nothing (leave the loop before 'alert' is reached)
        if($ip==$ipadmin3) {
            break;
        }
    }
    if ($val == 'admin4') {
        // if the IP gets evaluated as trusted, we do nothing (leave the loop before 'alert' is reached)
        if($ip==$ipadmin4) {
            break;
        }
    }
}
// END OF ARRAY BASED ARGUMENT LIST PROCESSING SECTION

require_once("mainfile.php");



Tested, used, no complaints.

Hope that someone finds it applicable.

Thanks,

-beetraham

PS. (Oct-11-2004) added the blue-coloured query links (lines) to allow performing REGIONAL (ARIN, RIPE) queries via the received email alerts.


Last edited by beetraham on Sun Oct 10, 2004 5:44 pm; edited 1 time in total 
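The same check in a form that removes the ordering pitfall the post warns about, as an added example that is not part of beetraham's post or of PHP-Nuke: trusted addresses live in one list matched with a loop, so adding a fifth admin cannot push the 'alert' step out of place, and CIDR ranges cover admins on dynamic addresses. It assumes 64-bit PHP 5.4 or later and the same insertion point (above `require_once("mainfile.php")`); `$trusted_admin_ips`, `$alert_to`, the function names and the 203.0.113.0/24 range are hypothetical names and constructed values chosen for this example.

```php
<?php
// Added example, not beetraham's code: admin.php access alert with the
// trusted addresses kept in ONE list, so there is no "alert must be last"
// ordering to break when an admin is added, and CIDR ranges are accepted.
// Assumptions (not from the post): 64-bit PHP >= 5.4, placed above
// require_once("mainfile.php") like the original mod; $trusted_admin_ips,
// $alert_to and the function names are hypothetical names chosen here.

$trusted_admin_ips = array(   // exact IPv4 addresses or CIDR ranges; edit
    '67.15.57.171',           // trusted Admin1 (placeholder from the post)
    '67.15.57.172',           // trusted Admin2
    '203.0.113.0/24',         // constructed range (RFC 5737 documentation net)
);
$alert_to      = 'admin@yoursite'; // recipient; edit
$alert_enabled = true;

// True when $ip (dotted IPv4) lies inside $cidr ("a.b.c.d" or "a.b.c.d/nn").
function ip_in_cidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    list($net, $bits) = explode('/', $cidr, 2);
    $bits  = (int)$bits;
    $ip_l  = ip2long($ip);
    $net_l = ip2long($net);
    if ($ip_l === false || $net_l === false || $bits < 0 || $bits > 32) {
        return false;               // malformed entry never matches
    }
    if ($bits === 0) {
        return true;                // 0.0.0.0/0 matches everything
    }
    $mask = -1 << (32 - $bits);     // 64-bit PHP: high bits set, low (32-$bits) bits clear
    return ($ip_l & $mask) === ($net_l & $mask);
}

function is_trusted_ip($ip, array $trusted) {
    foreach ($trusted as $entry) {
        if (ip_in_cidr($ip, trim($entry))) {
            return true;
        }
    }
    return false;
}

// Alert body. Host and Referer are client-supplied headers: useful context,
// but CR/LF is stripped so they cannot split the message, and they must not
// be treated as facts about the attacker.
function build_alert_body($ip, array $server, $when) {
    $get = function ($key) use ($server) {
        return isset($server[$key]) ? preg_replace('/[\r\n]+/', ' ', $server[$key]) : '-';
    };
    $lines = array(
        '-------------------------------',
        '- ADMIN.PHP PAGE ACCESS ALERT -',
        '-------------------------------',
        'ACCESS DATE&TIME  : ' . $when,
        'IP ADDRESS        : ' . $ip,
        'HTTP HOST         : ' . $get('HTTP_HOST'),
        'HTTP REFERER      : ' . $get('HTTP_REFERER'),
        'REQUEST URI       : ' . $get('REQUEST_URI'),
        'SERVER ADDRESS    : ' . $get('SERVER_ADDR'),
        'ALERTING SRC FILE : ' . $get('SCRIPT_FILENAME'),
    );
    return implode("\n", $lines) . "\n";
}

// REMOTE_ADDR is the TCP peer and cannot be forged by the client.
// X-Forwarded-For is just another client-supplied header and is ignored;
// only substitute it if a reverse proxy you control sets it.
$ip = $_SERVER['REMOTE_ADDR'];
if (!is_trusted_ip($ip, $trusted_admin_ips)) {
    $subject = 'ALERT: admin.php access from untrusted IP ' . $ip;
    if ($alert_enabled) {
        mail($alert_to, $subject, build_alert_body($ip, $_SERVER, date('m/d/Y H:i:s')));
    }
    // Stricter than the original mod: uncomment to deny the request as well.
    // header('HTTP/1.1 403 Forbidden'); exit;
}
```

Like the original mod this only alerts; an admin on a dynamic address still triggers a mail on every admin page load unless their provider's range is listed, and the alert is one mail per request, so a brute-force run will produce as many mails as requests.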
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088

PostPosted: Wed Oct 06, 2004 9:41 pm

Great tutorial, as usual! Please be aware that in the next release of Nuke Sentinel (v2.1.0), there is an Admin guard that you can set to handle attempts at admin.php - but not to be confused with the author exploit.
 