ursus contionabundo: "Solstice": botched solstice of the "1337 elite" script kiddies


What have you been up to again?

Accidentally looked into the log files...

Apache config (.htaccess) of the default host (called via IP...):

ErrorDocument 404 /404.php
RewriteEngine on
# in .htaccess (per-directory context) the matched path carries no leading slash,
# so "^/login\.cgi" never matches; "^/?" works in both vhost and .htaccess context
RewriteRule ^/?login\.cgi /404.php

404.php:

<?php

$noblocks = [
	'192.168.1.',
	'127.'
];
$blocktime = 60; # minutes

$angriffe=explode(
"\n", 
'/a2billing/
/adm/
/admin/
/administrator.php
/backup/
/composer.php
/data.php
/db/
/dbadmin
/db.init.php
/db.php
/db_pma.php
/dmpr/
/drupal.php
/editor.php
/horde/
/login.cgi
/manager/
/msd/
/muhstik/
/mx.php
/myadmin/
/MyAdmin/
/myadmin2/
/mysql
/mysql/
/mysql_admin/
/mysql-admin/
/mysqladmin/
/mysqldump
/mysqldumper/
/mysqlmanager/
/mysql.php
/noxdir/
/.php/
/phpadmin/
/phpma/
/phpmy/
/phpmyadmin/
/phppma/
/pma/
/pma2/
/setup.php
/shell.php
/solstice
/spider.php
/sqlmanager/
/sqlweb/
/system.php
/thinkphp
/tomcat.php
/toor.php
/typo3/
/vhcs/
/vhcs2/
/webdav/
/websql/
/wp-admin/
/wp-admin.php
/wp-config.php
/wp-content/
/xampp/
HelloThinkPHP
');


if ( empty( $_SERVER['REMOTE_ADDR'] ) ) {
	echo __FILE__ . " executed in CLI: Nothing to do." . PHP_EOL;
	exit;
}

foreach ( $noblocks as $noblock ) {
	// prefix match: with plain strpos() the entry "127." would also exempt e.g. 10.127.0.5
	if ( 0 === strpos( $_SERVER['REMOTE_ADDR'], $noblock ) ) {
		echo '<p>REMOTE_ADDR "' . $_SERVER['REMOTE_ADDR'] . '" matching "' . $noblock . '" : Nothing to do!</p>';
		iLoveSkriptKiddies();
		exit;
	}
}

$flagFound = false;
$haystack = strtolower( $_SERVER['REQUEST_URI'] );
foreach ( $angriffe as $s ) {
	$needle = strtolower( trim( $s ) );	// was trim( $needle ): undefined variable, matched nothing
	// "! false === strpos(...)" parses as "true === strpos(...)" and never matches; compare explicitly
	if ( $needle !== '' && false !== strpos( $haystack, $needle ) ) {
		$flagFound = true;
		break;
	}
}

if ( $flagFound ) {
	http_response_code( 403 );
?><!DOCTYPE html>
<html lang="en">
	<head>
		<title>403 Forbidden</title>
	</head>
	<body>
	<h1>403 Forbidden</h1>
	<p>Nice try! Requests from <?= $_SERVER['REMOTE_ADDR']; ?> are blocked now.</p>
	<?php
	iLoveSkriptKiddies();
	echo '</body>
</html>';
	// hand the address to the firewall helper; exec() yields the real exit status,
	// whereas intval() of the backtick output is fooled by anything the helper prints
	$cmd = '/usr/bin/sudo /usr/sbin/fwblock4time ' . escapeshellarg( $_SERVER['REMOTE_ADDR'] ) . ' ' . (int) $blocktime;
	exec( $cmd, $output, $result );
	if ( 0 === $result ) {
		error_log( 'Angriffsversuch: ' . $_SERVER['REMOTE_ADDR'] . " wurde fuer $blocktime Minuten in der Firewall blockiert." );
	} else {
		error_log( "Error $result from execute $cmd" );
	}
} else {
	http_response_code( 404 );
	echo '<h1>Not found</h1><p>Warning: This is a honeypot...</p>';
}

function iLoveSkriptKiddies() {
    ## send a nice greeting image (left out here)
}

Works. Throws attackers into iptables for an hour.

If you want to test it: http://77.180.117.82/myadmin/ (reachable today only)
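As an added example (not code from the original post), here is an offline PHP scan of Apache access-log lines for the same probe paths, the kind of check you would run over the logs before deploying the honeypot. The log lines are constructed, the probe list is a subset of the one above, and the allowlist is applied as an address prefix. One caveat the honeypot's own check does not cover: Apache leaves REQUEST_URI undecoded, so a request for `/%70ma/` passes a plain lower-cased substring match; the scanner below decodes and strips the query string before comparing.

```php
<?php
// Added example, not part of the original post. Scans constructed Apache
// combined-log lines for probe paths and reports hits per client address.

$probes        = ['/phpmyadmin/', '/pma/', '/shell.php', '/wp-admin/', '/mysql']; // subset of the list above
$allowPrefixes = ['192.168.1.', '127.'];   // same allowlist as the honeypot, prefix-matched

// constructed sample log lines (combined log format)
$logLines = <<<'LOG'
192.168.1.10 - - [21/Jun/2019:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2019:10:00:02 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "python-requests/2.22"
203.0.113.7 - - [21/Jun/2019:10:00:03 +0200] "GET /%70ma/ HTTP/1.1" 404 210 "-" "python-requests/2.22"
203.0.113.7 - - [21/Jun/2019:10:00:04 +0200] "GET /MySQLDump?x=1 HTTP/1.1" 404 210 "-" "python-requests/2.22"
10.127.0.5 - - [21/Jun/2019:10:00:05 +0200] "GET /shell.php HTTP/1.1" 404 210 "-" "curl/7.64"
198.51.100.9 - - [21/Jun/2019:10:00:06 +0200] "POST /contact HTTP/1.1" 200 88 "-" "Mozilla/5.0"
LOG;

// Prefix match only: "10.127.0.5" must not be exempted by the entry "127."
function isAllowlisted(string $ip, array $prefixes): bool {
    foreach ($prefixes as $p) {
        if (strpos($ip, $p) === 0) {
            return true;
        }
    }
    return false;
}

// Returns the matching probe string, or null. The path is URL-decoded and
// lower-cased first, and the query string is dropped, so "/%70ma/" and
// "/MySQLDump?x=1" are caught as "/pma/" and "/mysql".
function matchesProbe(string $rawUri, array $probes): ?string {
    $path = strtolower(rawurldecode(strtok($rawUri, '?')));
    foreach ($probes as $needle) {
        if (strpos($path, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

// Parses client address and request path from each line; returns
// [ip => [matched probe, ...]] for non-allowlisted clients.
function scanLog(string $log, array $probes, array $allow): array {
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) /', $line, $m)) {
            continue;   // not a request line we understand
        }
        $ip  = $m[1];
        $uri = $m[2];
        if (isAllowlisted($ip, $allow)) {
            continue;
        }
        $needle = matchesProbe($uri, $probes);
        if ($needle !== null) {
            $hits[$ip][] = $needle;
        }
    }
    return $hits;
}

$hits = scanLog($logLines, $probes, $allowPrefixes);
foreach ($hits as $ip => $needles) {
    printf("%-15s %d probe(s): %s\n", $ip, count($needles), implode(', ', $needles));
}
```

On the sample above this reports 203.0.113.7 with three probes (/phpmyadmin/, /pma/, /mysql) and 10.127.0.5 with one (/shell.php); the 192.168.1.10 request is skipped by the allowlist and 198.51.100.9 matches nothing.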