Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
steve1
Regular

Joined: Dec 26, 2003
Posts: 50

PostPosted: Sat Mar 27, 2004 11:59 pm

I am interested in your feedback on this. I am thinking about a standard function that all security patches would implement. So instead of doing a "die" upon a hack attempt, the script would call a standard function which, depending on the circumstances, would issue a warning or ban the ip (or ban the ip range).

I propose that the function would be based on Protector system, since so much work has already been done, and the admin headaches have been taken care of already. As a result, the hack attempts would be logged to protector tables. Lacking protector tables, a standard email will be issued to admin.

This is similar to Raven's union hack alert, but would be generalized and made available to security authors.

I am proposing a function call in the next article.

 
steve1
PostPosted: Sun Mar 28, 2004 12:00 am

function protector_alert($comment, $type, $arg, $severity_level)

input parameters:
$comment: security code's comments, e.g. "hack happened xyz..."
$type: 0=url 1=Get 2=Post 3=Union ..
$arg: url if $type=0,1,2; SQL statement if $type=3
$severity_level: 0-10. ban=10; warnings are anything less than 10; they accumulate, and if the total is 10, the ip is banned.

The code will write the ip number, the comments, type, arg, etc. to protector tables. If the protector table does not exist, then the info is emailed to admin.

Protector table may have to be modified slightly to account for the parameters. We are also introducing a warning type that does not ban automatically ... e.g. if a user types in a legitimate SQL union statement (e.g. in SQL forums).

steve
 
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2496

PostPosted: Sun Mar 28, 2004 8:00 pm

Cool, I did a downsized system like this. I think users like the info even if they never do anything with it. Heck, it's fun when it comes right down to it.
 
steve1
PostPosted: Mon Mar 29, 2004 11:42 am

Well, to make it more clear, I am asking people who write security patches to implement something like this in their code. This is a programming discipline:

So for example, right now we do:
Code:

$topic_id = intval($_GET['t']);

instead, do this:
Code:

$t = isset($_GET['t']) ? $_GET['t'] : '';
// compare as strings: with a loose != PHP treats "1 UNION SELECT ..." as equal to intval() == 1
if ((string) intval($t) !== (string) $t) {
  //hack detected
  protector_alert(....);
}
else {
  //normal process
  ...
}
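An added example (not ptap's or Protector's code) of one way the protector_alert() proposed two posts up and the $_GET['t'] check above could be implemented together: it assumes a table named protector_alerts, uses an in-memory SQLite database through PDO so it runs offline, and lets mail() stand in for the admin-email fallback.

```php
<?php
// Added example, not ptap/Protector code. The table "protector_alerts" is assumed.
const TYPE_URL = 0;
const TYPE_GET = 1;
const TYPE_POST = 2;
const TYPE_UNION = 3;
const BAN_LEVEL = 10;

function protector_alert(PDO $db, string $ip, string $comment, int $type, string $arg, int $severity_level): string
{
    $severity_level = max(0, min(BAN_LEVEL, $severity_level));
    try {
        $stmt = $db->prepare('INSERT INTO protector_alerts (ip, comment, type, arg, severity, created) VALUES (?, ?, ?, ?, ?, ?)');
        $stmt->execute([$ip, $comment, $type, $arg, $severity_level, time()]);
        // warnings accumulate per IP: a single 10, or smaller ones adding up to 10, means ban
        $sum = $db->prepare('SELECT COALESCE(SUM(severity), 0) FROM protector_alerts WHERE ip = ?');
        $sum->execute([$ip]);
        return ((int) $sum->fetchColumn() >= BAN_LEVEL) ? 'ban' : 'warn';
    } catch (PDOException $e) {
        // no Protector table: fall back to emailing the admin (address is a placeholder)
        @mail('admin@example.invalid', 'hack attempt logged', "$ip $comment type=$type arg=$arg severity=$severity_level");
        return 'emailed';
    }
}

// The $_GET['t'] check from the post above, compared as strings: with a loose !=,
// PHP would treat "1 UNION SELECT ..." as equal to intval() == 1 and miss it.
function check_topic_id(PDO $db, string $ip, string $t): ?int
{
    if ((string) intval($t) !== $t) {
        protector_alert($db, $ip, 'non-numeric topic id', TYPE_GET, 'modules.php?t=' . $t, 5);
        return null;
    }
    return (int) $t;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE protector_alerts (ip TEXT, comment TEXT, type INTEGER, arg TEXT, severity INTEGER, created INTEGER)');
$attacker = '192.0.2.10'; // constructed sample address
var_dump(check_topic_id($db, $attacker, '42'));               // legitimate id, no alert
var_dump(check_topic_id($db, $attacker, '1 UNION SELECT 1')); // first warning for this IP
echo protector_alert($db, $attacker, 'second attempt', TYPE_UNION, 'SELECT ...', 5), "\n"; // second warning for the same IP
```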
 
sixonetonoffun
PostPosted: Mon Mar 29, 2004 12:21 pm

You'd have to make it something like
if ($protector == true)
or did I miss protector getting added to the official distro?
But I like the idea Very Happy
 
steve1
PostPosted: Mon Mar 29, 2004 12:41 pm

sixonetonoffun wrote:
You'd have to make it something like
if ($protector == true)
or did I miss protector getting added to the official distro?
But I like the idea Very Happy


True, the function will internally check for the existence of protector tables. If they don't exist, then it simply emails (like Raven's). Otherwise, it writes the content to the tables.

So this is ready to go when Protector is officially included (and it will be, 99% for sure).

steve
 
sixonetonoffun
PostPosted: Mon Mar 29, 2004 2:44 pm

Sorry, I did read that in your 2nd post but forgot you already addressed this.
 
steve1
PostPosted: Mon Mar 29, 2004 4:00 pm

I have released ptap version 1.0 which implements the function described here.
 
sixonetonoffun
PostPosted: Mon Mar 29, 2004 5:11 pm

Geez, I'm not welcome there. I respect that, so it's blackholed at my firewall Rolling Eyes
Maybe another time.
 
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17086

PostPosted: Mon Mar 29, 2004 6:26 pm

Seriously? What happens when you try?
 
sixonetonoffun
PostPosted: Mon Mar 29, 2004 7:32 pm

Raven,
Browser just times out. I blocked their IP as a reminder to myself not to tempt fate.

steve1,
I'm wondering if you did anything like: if X IPs get warned from the same hostname, do a lookup of the domain block and autoban the entire block until the admin clears it? I've only got 2 levels going, ban and warn. Ban for specific violations and ban for more than 6 warns. Right now all I'm warning on is No User-Agent. But it's easy to expand now Very Happy

If not I might work on something in my "spare" time.
 
steve1
PostPosted: Mon Mar 29, 2004 7:37 pm

sixonetonoffun, I am working within the confines of Protector, so I did not have the luxury of a fancy banning system the way you described. So in my model, you either get banned or get a warning. It is a single IP and not a range.

At the same time, if admin starts getting multiple emails (ptap provides automatic emails), then the admin can decide, through Protector interface, to do whatever one wishes with it.

I have seen too much security code being written where the trapped hacker simply sees a "die" and no ip blocking, so I decided to do something about it.

steve
 
sixonetonoffun
PostPosted: Mon Mar 29, 2004 7:47 pm

steve1,
Don't get me wrong, you just renewed my interest in the whole concept.

Nothing fancy here just very crude simple functions:
if num rows $result >2
and such.
Luxury is I haven't shared any files with anyone yet so I can tweak the tables yet without causing others grief.
 
steve1
PostPosted: Mon Mar 29, 2004 8:15 pm

sixonetonoffun, reading your post again, I think the additional functionality that you are talking about ARE GREAT.

I would like to suggest that they be included within Protector. Protector is 99% sure to be included in the follow-on releases of Nuke. That way, our ideas have a good chance of being propagated, and improved by others.
 
sixonetonoffun
PostPosted: Tue Mar 30, 2004 12:08 am

Ok, this isn't great because it requires fopen=on, but it works. Basically it's based on 4CM_Grabber.php.

Raven's code from hackattempt.php is better.
This will return the netrange from ARIN; sadly they don't do lookups by hostname. So we just have to choose the ip to search by, basically at random from an array of matches, so there will be a little more to do, but this is a weak start in the right direction. I just wanted to see how hard it would be to get this much to work with.

Code:

<?php
// $hacker_ip = IP to search
$GrabURL = "http://ws.arin.net/cgi-bin/whois.pl?queryinput=" . urlencode($hacker_ip);  //-  Complete URL Of The Page Your Grabbing From!
$GrabStart = "NetRange";  //- text that starts the grab. Must be a unique bit of the page!
$GrabEnd = "CIDR";  //- text that ends the grab. Must be a unique bit of the page!
$OpenFile = @fopen($GrabURL, "r"); //- needs allow_url_fopen=On
if ($OpenFile === false) {
    die("ARIN lookup failed");
}
$RetrieveFile = fread($OpenFile, 200000);  //- Reduce This To Save Memory
fclose($OpenFile);
// eregi() no longer exists in PHP 7+; preg_match with the /i flag does the same case-insensitive grab
$ban_range = '';
if (preg_match("/$GrabStart(.*?)$GrabEnd/is", $RetrieveFile, $DataPrint)) {
    $raw_info = strip_tags($DataPrint[1]);
    $rangez = str_replace(":", "", $raw_info);
    $ban_range = trim($rangez);  //- constructed sample of the result: "192.0.2.0 - 192.0.2.255"
}
?>
 
steve1
PostPosted: Tue Mar 30, 2004 12:29 am

sixonetonoffun, nice job. My question is at this point: what are we going to do with the ip range. Are we banning the whole range?

I think I would need geo information. If the IP is from certain countries, I just ban the range. If they are on a N.American dial up, then the range would represent a whole bunch of people... and I would not want to ban them. [edit: I see that arin also returns geo info. That could also be exposed..].

For example every credit card taken on a site of mine from a certain former USSR satellite country is fraud.

Any ideas? Disclaimer: I have not looked into Raven's code yet.
 
sixonetonoffun
PostPosted: Tue Mar 30, 2004 12:57 am

I'm thinking a Message (User from IP and Hostname has been banned from this site for 24hrs. Please contact site admin to lift ban if you feel this was done in error.) I use a dynamic image to show the admin email there.

I think an auto time limit, say 24hrs, could be done easily. Otherwise admin can manually remove it sooner if wanted. I didn't consider geo but it's a very good point. A lot of people will say this is all better done at the firewall level, but the majority of us don't have that luxury.

Something like this in (what I called) isbanned() function:
Code:

$Diff = (time() - $hacker_time)/60/60/24;
if ($Diff > 1) {  // more than 1 day ago: ban lifted


I don't know how to approach the geo idea exactly without seeming to be discriminating big time against folks Wink

I don't have a manual add-IP-to-static-ban function, but that could be done too I guess.
 
steve1
PostPosted: Tue Mar 30, 2004 12:24 pm

Protector system (which I use) already has the feature of informing someone coming thru banned ip's, so I am not worried about that personally.

What is of interest to me is banning someone who comes in, gets banned, and then comes back in thru another ip.. my guess is that the other ip would also be in the same range.

So Protector could be modified in this way. Add a new field called range.
When hacker comes in and gets banned, save the range as well (using arin- thanks for the pointer).
Next time the hacker comes in (assuming using the same ISP), and we are going to ban him, just look up to see if in a pre-existing range, and then ban the whole range.

There would still be a maintenance problem with large ISP's (AOL, eg.). This could become a headache.

The easier approach:
-I think in my ptap code, I will also write arin's range and geo information to Protector tables. You quickly get an idea once you start looking at Geo's how to deal with the problem (as Geos stay in your memory, vs. IP numbers).

steve
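An added example (not Protector or ptap code) of the range field idea above combined with the 24-hour auto-lift discussed earlier: it parses ARIN-style NetRange strings into address bounds and checks a visitor against constructed sample ban rows. The function names and the row layout are assumptions.

```php
<?php
// Added example, not Protector/ptap code. Ban rows below are constructed sample data.

// ARIN's NetRange field reads like "192.0.2.0 - 192.0.2.255"; turn it into long bounds
function parse_netrange(string $netrange): ?array
{
    if (!preg_match('/^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$/', $netrange, $m)) {
        return null;
    }
    $lo = ip2long($m[1]);
    $hi = ip2long($m[2]);
    if ($lo === false || $hi === false || $lo > $hi) {
        return null; // malformed octets or reversed bounds
    }
    return [$lo, $hi];
}

function ip_in_netrange(string $ip, string $netrange): bool
{
    $bounds = parse_netrange($netrange);
    $n = ip2long($ip);
    return $bounds !== null && $n !== false && $n >= $bounds[0] && $n <= $bounds[1];
}

// $bans: rows of ['range' => NetRange string, 'attack_time' => unix time] (assumed layout).
// Returns the matching row while the ban is younger than $ttl (24h by default), else null.
function find_active_range_ban(string $ip, array $bans, int $now, int $ttl = 86400): ?array
{
    foreach ($bans as $ban) {
        if ($now - $ban['attack_time'] < $ttl && ip_in_netrange($ip, $ban['range'])) {
            return $ban;
        }
    }
    return null;
}

$now  = time();
$bans = [
    ['range' => '192.0.2.0 - 192.0.2.255',       'attack_time' => $now - 3600],      // 1 hour old
    ['range' => '198.51.100.0 - 198.51.100.255', 'attack_time' => $now - 2 * 86400], // 2 days old
];
var_dump(find_active_range_ban('192.0.2.77', $bans, $now) !== null);   // another address in a banned range
var_dump(find_active_range_ban('198.51.100.5', $bans, $now) !== null); // range whose ban is older than a day
var_dump(find_active_range_ban('203.0.113.9', $bans, $now) !== null);  // address in no stored range
```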
 
sixonetonoffun
PostPosted: Tue Mar 30, 2004 2:52 pm

Yeah, AOL is a real issue. I have access to test from AOL but I haven't had the time to do it. The biggest trouble is getting the actual IP, not the AOL proxy. If you've any tips on that one let me know. It would be hard to do short of getting them to do a direct file transfer or an https connection (which, if available, should be exploited for all it's worth, i.e. for logins at least.)

re: The easier approach.
Yes, the info is there for the user to work with in htaccess, which is going to do a lot better job. For the time being I'm either going with a 1hr or 1day auto ban though for perceived DoS attacks.
 
sixonetonoffun
PostPosted: Tue Mar 30, 2004 4:20 pm

Note* Why do automated lookups at all then? Just put a lookup url into the html output like everyone else does. That's what I did originally.

Edit* Forget that if we are comparing dialup users we need that at the time of attack info.
 
steve1
PostPosted: Tue Mar 30, 2004 6:00 pm

Don't really know what to do about AOL. I think I will just watch what's happening.

As far as automated lookups, it is not necessary until there is a lot of attack, otherwise as you say, URL will do.
 
sixonetonoffun
PostPosted: Tue Mar 30, 2004 11:21 pm

This is putting the cart before the horse, but rather than do an extensive lookup > check > react, I revamped the NSS code by Panoo. His method was to match a close range. It's a little hit and miss, but what isn't here? So anyway, here are the functions as I'm using/testing them now.
I call isBanned() in my header function before any html and call isWarned() right after the body tag.

Code:

function isBanned()
{
    global $ADVT_NAME, $ADMIN_EMAIL, $ADMIN_NAME, $ADVT_URL;
    dbConnect();
    // the address itself, not the literal string "getenv('REMOTE_ADDR')", has to reach gethostbyaddr()
    $ip2  = @gethostbyname(gethostbyaddr(getenv('REMOTE_ADDR')));
    $test = @gethostbyaddr(gethostbyname($ip2));
    if ($ip2 == '') { die(); }
    $result = mysql_query("SELECT hacker_ip,attack_time FROM hackers WHERE hacker_ban='2'") or die('query failed');
    $ip = explode(".", $ip2);
    if (mysql_num_rows($result) > 0) {
        while (list($hacker_ip, $attack_time) = mysql_fetch_row($result)) {
            $Diff = (time() - $attack_time)/60/60/24;
            if ($Diff < 1) { // ban still active; lifted after 1 day
                $ban_ip = explode(".", $hacker_ip);
                // "close range" match: same first two octets as the banned address
                if ($ip[0] == $ban_ip[0] && $ip[1] == $ban_ip[1]) {
                    echo "<html><head></head><body><center><br><H1>$ADVT_NAME</H1><br><b>This system has interpreted your actions as malicious!!!<br>You're not allowed to use our services for a period of 24 Hours. Should you be detected performing additional malicious actions we will send all information to the ISP connected with your service. Most ISP's will terminate users who violate their Terms of Service. Attempting to deface, hack or steal from others using your internet connection would most certainly be in violation of any reputable ISP's Terms of Service.</b><br><br><img src=\"$ADVT_URL/images/hacker.jpg\" alt=\"Ooops busted!\"><br><br><b>Your IP address $ip2 and Hostname $test were recorded.</b></center>";
                    echo "<P align=\"center\">If you have been banned without cause please contact our administrator.</P><P align=\"center\"><B>At the email address shown here</B>.</P><P align=\"center\"><img src='$ADVT_URL/admin.php' alt=\"Anti Spam Image\" /></P><P> Describe what actions took place to cause you to become banned. If you have no idea just do the best you can to describe what took place. Include the reported IP and Hostname in all communications.</P></body></html>";
                    exit;
                }
            }
        }
    }
}

function isWarned()
{
    global $ADVT_NAME, $ADMIN_EMAIL, $ADMIN_NAME, $ADVT_URL;
    dbConnect();
    $ip2  = @gethostbyname(gethostbyaddr(getenv('REMOTE_ADDR')));
    $test = @gethostbyaddr(gethostbyname($ip2));
    if ($ip2 == '') { die(); }
    // $ip2 is whatever the forward lookup returned (a hostname string if it failed), so escape it before it enters SQL
    $safe_ip = mysql_real_escape_string($ip2);
    $result = mysql_query("SELECT hacker_ip,hacker_hostname FROM hackers WHERE hacker_ip='$safe_ip' AND hacker_ban='1'") or die('query failed');
    if (mysql_num_rows($result) > 0) {
        // the query already selects this IP only, so no per-row octet comparison is needed here
        echo "<div align=\"left\" class=\"warn\"><b>Warning!</b><small><br>Someone from:<br>IP <b>(</b>".$ip2."<b>)</b><br>Hostname <b>(</b>".$test."<b>)</b><br>Has been performing actions considered malicious.<br>This is evidenced to be <b>you</b> please contact our site administrator. <P align=\"left\"><img src='$ADVT_URL/admin.php' alt=\"Anti Spam Image\" /></P><P>Send a detailed explanation of your actions to prevent your becoming banned from this site.</small></div>";
        if (mysql_num_rows($result) > 1) {
            echo "<div align=\"left\" class=\"warn\"><b>Alert!</b><small><br>You have repeated your malicious acts resulting in your being suspended for 24hrs.</small></div>";
            include("ban.php");
            sleep(5);
            exit;
        }
    }
}
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours