Message-ID: <003001c39009$49bbb690$050010ac@Estila>
Date: Sat, 11 Oct 2003 17:04:56 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
To: "Full-Disclosure" <full-disclosure@...ts.netsys.com>
Cc: "BUGTRAQ" <bugtraq@...urityfocus.com>
Subject: Code for write the IPs to ban
Here is what I promised, ;-)
/\CUT FROM HERE/\
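<?php
// Pick the address to record. X-Forwarded-For and Via are request headers
// (set by a proxy or by the client itself); REMOTE_ADDR is the TCP peer.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $goalone = $_SERVER['HTTP_X_FORWARDED_FOR']."\r\n";
}
elseif (isset($_SERVER['HTTP_VIA'])) {
    $goalone = $_SERVER['HTTP_VIA']."\r\n";
}
elseif (isset($_SERVER['REMOTE_ADDR'])) {
    $goalone = $_SERVER['REMOTE_ADDR']."\r\n";
}
else {
    // Terminate the line here too, so entries never run together
    $goalone = "Unknown\r\n";
}
// Append the entry to the ban list, one per line
$banning = fopen("BANED.TXT","a+");
fwrite($banning, $goalone);
fclose($banning);
?>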
/\<<<EOF/\
Call this script from your protection routines; I have done one (I removed
the die line due to the inclusion of another one in the banning script):
/\ NEW PROTECTION ROUTINES /\
// Check every GET parameter for HTML tags and quote/meta characters
foreach ($HTTP_GET_VARS as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*span*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*h1*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*table*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*pre*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*em*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*input*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*td*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*option*\"?[^>]*>", $secvalue)) ||
        (eregi(";", $secvalue)) ||
        (eregi("'", $secvalue)) ||
        (eregi("´", $secvalue)) ||
        (eregi("`", $secvalue)) ||
        // "+" is a regex repetition operator, so it is escaped to match a literal plus
        (eregi("\\+", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        // NEW PREVENTION SYSTEM , USE THIS ONE
        // proactive ;-)))))))))
        include ("toban.php");
        // My old prevention system
        // die (";-) whereis lammer lammer: you");
    }
}
/\<<<EOF/\
As you see, it is necessary to include two files in your scripts:
one to include banip.php to block the access, and another one to write
blocked addresses formatted in a file-readable format.
;-)
ENJOY !
NOTES: I'm using this system on www.nsrg-security.com.
The BANED.TXT is not in the web root, but soon I will put up a /BANNED dir
with useful scripts to see which boys are blocked on my server; these
functions will be available:
/BANNED/?0x00=show
/BANNED/?0x00=meornotme
/BANNED/?0x00=noban
and others.
Of course, the only way to be allowed access again is contacting the
admin ;-)
Soon I will add functions to the logging system to include "reasons" per
user, like:
Blocked due to:
-[RULE]-> XSS attacks attempting.
Etc.
I think that I must provide these things to the community; these things are
important for security in web servers.
I need a Python developer (jelmer?), an ASP developer (who?), and a JSP
developer to port these things.
A Perl developer will be useful (reeeeaaaaallyyyyy useful) :-)
The best regards to the community and,
jelmer
morning_wood
etc
( people of the fantastic Full-Disclosure list )
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->/* not csh but sh */
0x02->$ PATH=pretending!/usr/ucb/which sense
0x03-> no sense in pretending!
__________________________________
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
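
The ban writer in this message records whatever X-Forwarded-For or Via contains, and both are request headers supplied by the client, so the recorded value is not necessarily the address that connected. The following is an added example, not part of the original post: a stricter ban writer in PHP. The names TRUSTED_PROXIES, BAN_FILE, client_ip_to_ban() and record_ban(), the proxy address and the file path are assumptions, as is a single reverse proxy that appends the client address to X-Forwarded-For.

```php
<?php
// Added example, not the original poster's code. All names are hypothetical.
const TRUSTED_PROXIES = ['192.0.2.10'];     // constructed: address of your own reverse proxy
const BAN_FILE = '/var/lib/app/BANED.TXT';  // assumed location outside the web root

// Return the address to ban, or null when no valid address is available.
function client_ip_to_ban(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Believe X-Forwarded-For only when the TCP peer is a proxy we operate,
    // and then only its right-most entry, the one that proxy appended.
    if (in_array($peer, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $peer;
}

// Append one validated address per line, skipping duplicates, with a write lock.
function record_ban(string $ip, string $file = BAN_FILE): bool
{
    $known = is_file($file) ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    if (in_array($ip, $known, true)) {
        return false;
    }
    return file_put_contents($file, $ip . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Constructed requests: a direct client that sets the header itself, and a
// request that arrived through the trusted proxy.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.50'];
$tmp = tempnam(sys_get_temp_dir(), 'ban');
foreach ([$direct, $proxied, $direct] as $req) {
    $ip = client_ip_to_ban($req);
    if ($ip !== null) {
        record_ban($ip, $tmp);
    }
}
echo file_get_contents($tmp);
unlink($tmp);
```

For the direct request the header is ignored and the connecting address is recorded; the repeated request adds no second line.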