Experience Advertising Forums  
  (#1) Old
Resonate Offline
EXPADV Forum Management
Posts: 603
Join Date: Nov 2007
Location: North Humberside, UK
Rep Power: 100
Default Hacker Trap Script - 01-28-2008

This script has been created by a friend of mine called Bagi. I thought I would share it with you all as it is an excellent achievement & an excellent security precaution to put into use.

Quote:
This script arsenal will help to fight against hackers; it won't make your script more secure, so if it is open to a certain attack this won't solve the programming bug, but it will make the entrance more difficult.

Let's see what are the functions:
  • validate the Googlebot, the msnbot and the Yahoo! Slurp so when someone proxies the site it won't cause content duplication,
  • make it possible to ban certain user agents, and IPs as well,
  • inspect the requested URL string so when someone would like to manipulate the mysql database via the injection method the trap will reward it with a very elegant IP ban (this function must be modified in accordance with the website and the needs),
This is the core code called security.php
Code:
<?php
$ua        = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$webadress = $_SERVER['REQUEST_URI'];
$ip        = $_SERVER['REMOTE_ADDR'];
$loc       = dirname(__FILE__);

// One entry per line; a missing or empty list file is treated as an empty list
$flags     = FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES;
$target    = file("$loc/ip-logfile.txt", $flags) ?: array();
$sqltarget = file("$loc/sql-injection.txt", $flags) ?: array();
$ualist    = file("$loc/banned-ua.txt", $flags) ?: array();

// if the visitor said to be a robot
if (stristr($ua, 'msnbot') || stristr($ua, 'Googlebot') || stristr($ua, 'Yahoo! Slurp')) {
    // we must validate it
    require "$loc/security-proxy-checker.php";
} else {
    // visitors with banned user agents are not allowed to access
    foreach ($ualist as $item) {
        $item = trim($item);
        // skip blank entries: an empty needle would match every visitor on PHP 8
        if ($item !== '' && stristr($ua, $item)) {
            require "$loc/message.php";
            exit;
        }
    }
    // visitors with banned IPs are not allowed to access
    foreach ($target as $item) {
        $item = trim($item);
        if ($item !== '' && stristr($ip, $item)) {
            require "$loc/message.php";
            exit;
        }
    }
    // let's inspect the requested URL string
    foreach ($sqltarget as $sqlitem) {
        $sqlitem = trim($sqlitem);
        if ($sqlitem !== '' && stristr($webadress, $sqlitem)) {
            require "$loc/index.php";
            exit;
        }
    }
}
?>
As you may recognize, the script uses txt files which store the banned user agents / IPs and typical string particulars which might be used during the sql injection attack.

Very important part of the solution is the index.php file with the following code
PHP Code:
<?php
$ip         = $_SERVER["REMOTE_ADDR"];
$webadress  = $_SERVER['REQUEST_URI'];
$loc        = dirname(__FILE__);
$logfile    = "$loc/ip-logfile.txt";
$urllogfile = "$loc/requested-string.txt";
$time       = date("F j, Y, g:i a");

require "$loc/message.php";

// Let's start the statistics module
// Store the IP as the first step (one IP per line, because security.php reads this file line by line)
$fp = fopen($logfile, 'a');
fputs($fp, "$ip\n");
fclose($fp);

// Put the string and some very important parameters into a control logfile,
// so if somebody was banned without any reason we will have the chance to fix that
$fpstring = fopen($urllogfile, 'a');
fputs($fpstring, "$ip requested this string $webadress this time $time\n");
fclose($fpstring);
exit;
?>
My favorite part of the whole thing is the message.php which stores my greetings to the attackers, very nice one so nothing rough.

Attached you may find the whole archived folder (with Hungarian comments in the files). In order to implement the trap all you need to do is to upload the files into an optional folder, let's name it core for instance, and place this code at the very front of the files you would like to protect.

Code:
<?php require "/thisisthepathof/core/security.php"; ?>

And one more thing. Don't forget to restrict crawling of the optional core folder where the files are stored in the robots.txt file; this may catch some extra bad guys.

I warrant nothing but this works very well at my site. I regularly check the requested-string.txt to see if somebody has been banned accidentally. But I regularly smile at the catches.
Thanks

ps. Today I realized that at my Hungarian blog some very strange URLs have been restricted, for instance /Databases/vicndatadata.mdb or /Reg/User_Reg.asp. I thought that is something that I don't need, and since I know that WP is written in PHP and I use permalinks, I completed my sql-injection.txt file with these two lines:

Code:
.asp
.mdb
restricting access to these file extensions, and my security logs have become very busy since then.
I'm going to ask Cyrus to help me extend the protection to cover leeching and XSS attacks as well, but don't tell him, he knows nothing about my purpose.
Attached Files
File Type: zip hacker-trap.zip (2.4 KB, 2 views)


W3Seo.org My New Seo Forum, come & see
Resonate Seo Consultancy - Resonate Seo Sem Web Standards Consultancy
Great, 12 Free Seo Tools from WebCEO
Great Webmaster Forum at UK Webmaster World
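An added example, not part of the original post or of the attached archive: security.php matches ban entries with stristr(), a case-insensitive substring test, so an entry also matches any longer address or URL that merely contains it, which is one way the accidental bans mentioned in the post can arise. The sketch below puts that matching beside exact IP comparison and path-extension matching; the function names and all sample values are constructed for illustration.

```php
<?php
// Added example, not from the original post or its archive.
// Function names and every sample value below are constructed.

// Matching as security.php does it: case-insensitive substring test.
function substring_hit(string $value, array $entries): bool {
    foreach ($entries as $entry) {
        $entry = trim($entry);
        if ($entry !== '' && stristr($value, $entry) !== false) {
            return true;
        }
    }
    return false;
}

// Stricter IP check: whole-address equality on the packed binary form.
function ip_banned(string $ip, array $entries): bool {
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return false;                 // not a valid IPv4/IPv6 address
    }
    foreach ($entries as $entry) {
        if (@inet_pton(trim($entry)) === $packed) {
            return true;
        }
    }
    return false;
}

// Stricter URL check: look only at the extension of the path component.
// Entries are assumed to be lower-case, e.g. ".asp".
function extension_blocked(string $requestUri, array $extensions): bool {
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false;
    }
    $ext = '.' . strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $ext !== '.' && in_array($ext, array_map('trim', $extensions), true);
}

$bannedIps = ["203.0.113.5\n"];       // shaped like file() output for ip-logfile.txt
$patterns  = [".asp\n", ".mdb\n"];    // shaped like file() output for sql-injection.txt

// A different visitor whose address merely contains the banned one.
var_dump(substring_hit('203.0.113.50', $bannedIps), ip_banned('203.0.113.50', $bannedIps));
// A harmless link whose query string mentions an old .asp page.
var_dump(substring_hit('/article?ref=old.asp', $patterns), extension_blocked('/article?ref=old.asp', $patterns));
// The .asp request quoted in the post, checked with the stricter matcher.
var_dump(extension_blocked('/Reg/User_Reg.asp', $patterns));
```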
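An added example, not part of the original post: security-proxy-checker.php is required by security.php but not shown in the thread, so this is one common way to validate a visitor that claims to be a crawler, forward-confirmed reverse DNS, and not Bagi's actual code. The hostname suffixes are those the crawler operators have documented for this check and should be re-confirmed before use; the function name, resolver callbacks and sample data are constructed.

```php
<?php
// Added example, not from the original post; security-proxy-checker.php is
// not shown there. Names and sample data are constructed.

// Hostname suffixes documented by the crawler operators for reverse-DNS checks.
const CRAWLER_DOMAINS = [
    'googlebot'    => ['.googlebot.com', '.google.com'],
    'msnbot'       => ['.search.msn.com'],
    'yahoo! slurp' => ['.crawl.yahoo.net'],
];

// $reverse maps IP -> hostname, $forward maps hostname -> list of IPs.
// On a live site pass 'gethostbyaddr' and 'gethostbynamel' (IPv4 only).
function crawler_is_genuine(string $ip, string $ua, callable $reverse, callable $forward): bool {
    foreach (CRAWLER_DOMAINS as $token => $suffixes) {
        if (stripos($ua, $token) === false) {
            continue;
        }
        $host = strtolower(rtrim((string) $reverse($ip), '.'));
        if ($host === '' || $host === $ip) {
            return false;                     // no PTR record for this address
        }
        foreach ($suffixes as $suffix) {
            if (substr($host, -strlen($suffix)) === $suffix) {
                // PTR is in the crawler's domain; confirm it resolves back to the IP.
                return in_array($ip, (array) $forward($host), true);
            }
        }
        return false;                         // PTR is outside the crawler's domain
    }
    return false;                             // user agent does not claim to be a crawler
}

// Constructed resolver data standing in for DNS so the example runs offline.
$ptr = [
    '192.0.2.10'   => 'crawl-192-0-2-10.googlebot.com',  // PTR with matching A record
    '198.51.100.7' => 'proxy.example.net',               // proxy relaying the crawler's UA
    '203.0.113.9'  => 'fake.googlebot.com',              // PTR with no matching A record
];
$a = ['crawl-192-0-2-10.googlebot.com' => ['192.0.2.10']];
$reverse = function ($ip) use ($ptr) { return $ptr[$ip] ?? $ip; };
$forward = function ($host) use ($a) { return $a[$host] ?? false; };

$ua = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
foreach (array_keys($ptr) as $ip) {
    var_dump(crawler_is_genuine($ip, $ua, $reverse, $forward));
}
```

Only the first constructed address passes: the proxy fails the domain check, and the address whose owner set a look-alike PTR fails the forward lookup.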


  (#2) Old
sherytiger Offline
Tiger Of EXPADV
Posts: 656
Join Date: Dec 2007
Location: In This Normal World
Rep Power: 100
Default 01-28-2008

Ahhh some questions, what will be the advantage of this script, and what this script will protect? :s

  (#3) Old
kineticdc Offline
Older Advertising
Posts: 263
Join Date: Jan 2008
Rep Power: 7
Default 01-29-2008

I was sad at how I am being attacked but I get the feeling you get more attacks than I do
   

  (#4) Old
Resonate Offline
EXPADV Forum Management
Posts: 603
Join Date: Nov 2007
Location: North Humberside, UK
Rep Power: 100
Default 01-29-2008

Quote:
Originally Posted by sherytiger
Ahhh some questions, what will be the advantage of this script, and what this script will protect? :s
I don't fully know the ins & outs of the script as of yet, I am testing it so will update you.

Quote:
Originally Posted by kineticdc
I was sad at how I am being attacked but I get the feeling you get more attacks than I do
Used to, but I taught myself hacking techniques on how to hack forums, sites, servers & whatever else, not to use it badly; I use the knowledge I have to protect my sites & so on. I would never pass anything I know onto anyone as I believe it's wrong.



  (#5) Old
sherytiger Offline
Tiger Of EXPADV
Posts: 656
Join Date: Dec 2007
Location: In This Normal World
Rep Power: 100
Default 01-31-2008

Ahan ... anyways thanks for providing us such useful stuffs.
