
Hacker trap script

Bagi Zoltán

I would like to declare that this is not a genuine post, so I already posted it on another forum as well, but now I know that I should have posted it here first.

This script arsenal will help to fight against hackers. It won't make your script more secure, so if it is open to a certain attack this won't solve the programming bug, but it will make the entrance more difficult. :D

Let's see what are the functions:
  • validate the Googlebot, the msnbot and the Yahoo! Slurp, so when someone proxies the site it won't cause content duplication,
  • make it possible to ban certain user agents and IPs as well,
  • inspect the requested URL string, so when someone would like to manipulate the MySQL database via an injection method the trap will reward it with a very elegant IP ban (this function must be modified in accordance with the website and the needs).

This is the core code called security.php

PHP:
  <?php
  // the User-Agent header may be missing, treat that as an empty string
  $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
  $webadress = $_SERVER['REQUEST_URI'];
  $ip = $_SERVER['REMOTE_ADDR'];
  $loc = dirname(__FILE__);
  // a list file that does not exist yet counts as an empty list
  $target = @file("$loc/ip-logfile.txt") ?: [];
  $sqltarget = @file("$loc/sql-injection.txt") ?: [];
  $ualist = @file("$loc/banned-ua.txt") ?: [];

  // if the visitor claims to be a robot
  if (stristr($ua, 'msnbot') || stristr($ua, 'Googlebot') || stristr($ua, 'Yahoo! Slurp')) {
      // we must validate it
      require "$loc/security-proxy-checker.php";
  } else {
      // visitors with banned user agents are not allowed to access
      foreach ($ualist as $item) {
          $item = trim($item);
          // skip blank lines: an empty pattern would match every visitor
          if ($item !== '' && stristr($ua, $item)) {
              require "$loc/message.php";
              exit;
          }
      }
      // visitors with banned IPs are not allowed to access
      foreach ($target as $item) {
          $item = trim($item);
          // exact comparison, so a banned 1.2.3.4 does not also block 1.2.3.40
          if ($item !== '' && $ip === $item) {
              require "$loc/message.php";
              exit;
          }
      }

      // let's inspect the requested URL string
      foreach ($sqltarget as $sqlitem) {
          $sqlitem = trim($sqlitem);
          if ($sqlitem !== '' && stristr($webadress, $sqlitem)) {
              // index.php shows the message, bans the IP and logs the request
              require "$loc/index.php";
              exit;
          }
      }
  }
  ?>

As you may recognise, the script uses txt files which store the banned user agents / IPs and typical string particulars which might be used during an SQL injection attack.

A very important part of the solution is the index.php file with the following code:
PHP:
  <?php
  $ip = $_SERVER["REMOTE_ADDR"];
  $webadress = $_SERVER['REQUEST_URI'];
  $loc = dirname(__FILE__);
  $logfile = "$loc/ip-logfile.txt";
  $urllogfile = "$loc/requested-string.txt";
  $time = date("F j, Y, g:i a");
  require "$loc/message.php";
  // Let's start the statistics module
  // store the IP as the first step (one address per line)
  $fp = fopen($logfile, 'a');
  fputs($fp, "$ip\n");
  fclose($fp);
  // Put the string and some very important parameters into a control logfile,
  // so if somebody was banned without any reason we will have the chance to fix that
  $fpstring = fopen($urllogfile, 'a');
  fputs($fpstring, "$ip requested this string $webadress this time $time\n");
  fclose($fpstring);
  exit;
  ?>

My favourite part of the whole thing is the message.php which stores my greetings to the attackers, very nice one so nothing rough.

Attached you may find the whole archived folder (with Hungarian comments in the files). In order to implement the trap all you need to do is to upload the files into an optional folder, let's name it core for instance, and place this code at the very front of the files you would like to protect.

PHP:
<?php require "/thisisthepathof/core/security.php"; ?>

And one more thing. Don't forget to restrict the crawl of the optional core folder where the files are stored in the robots.txt file, this may catch some extra bad guys.

I warrant nothing but this works very well at my site. I regularly check the requested-string.txt to see if somebody had been banned accidentally. But I regularly smile at the catches.
Thanks

P.S. Today I realized that at my Hungarian blog some very strange URLs have been requested, for instance /Databases/vicndatadata.mdb or /Reg/User_Reg.asp. I thought that is something that I don't need, and since I know that WP is written in PHP and I use permalinks I completed my sql-injection.txt file with these two lines:
.asp
.mdb

restricting the access of these certain file extensions, and my security logs have become very busy since then :good:
I'm going to ask Cyrus to help me extend the protection covering leeching and XSS attacks as well, but don't tell him, he knows nothing about my purpose :yahoo:
 

Attachments

  • hacker-trap.zip
    2.4 KB · Views: 27
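
The security.php above hands visitors that claim to be Googlebot, msnbot or Yahoo! Slurp to security-proxy-checker.php, which is not shown in the thread. One common way to do such a check is forward-confirmed reverse DNS; the following is an added example, not the author's file. The function name verify_crawler, the injected resolver callables and the sample addresses and host names are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): forward-confirmed reverse DNS for
// visitors whose User-Agent claims to be a search-engine crawler.
// The suffixes are the crawler host names the search engines document.
const CRAWLER_DOMAINS = [
    'googlebot'    => ['.googlebot.com', '.google.com'],
    'msnbot'       => ['.search.msn.com'],
    'yahoo! slurp' => ['.crawl.yahoo.net'],
];

// Returns true (verified crawler), false (claims to be one, DNS disagrees)
// or null (no crawler claim in the User-Agent). $ptr and $fwd are injected so
// the demo runs offline; in production pass 'gethostbyaddr' and
// 'gethostbynamel' (both IPv4 only).
function verify_crawler(string $ua, string $ip, callable $ptr, callable $fwd): ?bool
{
    foreach (CRAWLER_DOMAINS as $token => $suffixes) {
        if (stripos($ua, $token) === false) {
            continue;
        }
        // gethostbyaddr() returns the IP itself when there is no PTR record
        $host = strtolower(rtrim((string) $ptr($ip), '.'));
        if ($host === '' || $host === $ip) {
            return false;
        }
        $suffixOk = false;
        foreach ($suffixes as $s) {
            $suffixOk = $suffixOk || substr($host, -strlen($s)) === $s;
        }
        // The PTR record is set by whoever owns the IP block, so the name
        // must also resolve forward to the very same address.
        $addrs = $fwd($host) ?: [];
        return $suffixOk && in_array($ip, $addrs, true);
    }
    return null;
}

// Constructed resolver data (documentation address ranges, hypothetical hosts).
$ptrTable = ['192.0.2.10'   => 'crawl-192-0-2-10.googlebot.com',
             '198.51.100.7' => 'googlebot.com.proxy.example',
             '203.0.113.5'  => 'crawl-203-0-113-5.googlebot.com'];
$fwdTable = ['crawl-192-0-2-10.googlebot.com'  => ['192.0.2.10'],
             'googlebot.com.proxy.example'     => ['198.51.100.7'],
             'crawl-203-0-113-5.googlebot.com' => ['192.0.2.99']];
$ptr = function ($ip) use ($ptrTable) { return $ptrTable[$ip] ?? $ip; };
$fwd = function ($h) use ($fwdTable) { return $fwdTable[$h] ?? false; };
$ua  = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
foreach (array_keys($ptrTable) as $ip) {   // PTR+forward agree / wrong suffix / PTR not confirmed
    var_dump(verify_crawler($ua, $ip, $ptr, $fwd));
}
var_dump(verify_crawler('Mozilla/5.0 (X11; Linux x86_64)', '192.0.2.10', $ptr, $fwd));
```

A false result is the case the post wants to stop (a proxy or scraper borrowing a crawler's User-Agent); a null result means the visitor falls through to the normal ban-list checks.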
It is a nice script Bagi Zoltán, thanks for sharing it. I wonder if there is any hacker and anti virus script that can work with server?
 
Lovely, sadly I don't know as much about how to identify viruses with PHP, but sadly my toolkit is limited only to server-side scripts. As far as I know viruses cannot really be caught via script, but by secure gateways such as zorp, which identify the unnatural packet transmissions.

Martin, thank you for your kind words. I am thinking on this, but I need to learn hacking first. Of course I am thinking of ethical hacking, but you must know how to attack a script/server to know how to defend it, so it will be a long way and I am only at the start line at the moment. My sister works for an information security company called Kurt, I guess you have never heard about it, but one of the biggest hackers on the whole planet works there. He was disqualified from the hacker world championship because he used some tool which was not allowed :D I want him to be my mentor. Sweet dreams :)

I would like to release only FREE defending scripts in the future which cover a wider area of web-based attacks and that might be installed easily by everyone.
 
This is a shame that you use our nation as user member and got banned. Next time you should choose something else when you go spamming.
 
Excellent Bagi, would it be OK to pass this script on to a few people I know, as they will find it excellent value?
 
Reso, it is all yours. Have fun with it, but please tell him/her that the log file needs to be checked for some days after installing. :)
 
Will do buddy, I will refer them to this thread if they decide to use it :good:

You're a Star :yahoo:
 
BTW Zoli,
you were going to upload this script at the download section, it does not seem to be there yet
 
maintenance of such a script - as nice as it is - will be time consuming and costly.

there may be other ways but at the cost of performance...
 
The more security the better. When you run mission-critical websites where downtime will affect not just sales but give staff nothing to do, the costs of poor security far outweigh the cost of providing good solid security.

I've got my own lil collection of functions designed to keep an online persistent browser-based game safe... where cheating is the name of the game for some... and hacking the script is fair game... at least that's what my members seem to think.

You just need to make sure your system is safe, with a backup system waiting on standby to take over... or work side by side to totally baffle a hacker to the point he doesn't care anymore... well that doesn't generally happen but hey...

I think this and dimitar's mod_security suggestion is a good mix for people who don't get hacked constantly... after all, if your sites don't get hacked regularly how are you going to know what you need to defend against...

Rep added bagi, although I'm not using this it's very cool that you have offered it to other programmers.
 