Great post Bagi - rep added!
I would like to declare that this is not an original post: I already posted it on another forum as well, but now I know that I should have posted it here first.
This script arsenal will help in the fight against hackers. It won't make your script more secure, so if it is open to a certain attack this won't solve the programming bug, but it will make the entrance more difficult.
Let's see what the functions are:
- validate the Googlebot, the msnbot and the Yahoo! Slurp, so when someone proxifies the site it won't cause content duplication,
- make it possible to ban certain user agents and IPs as well,
- inspect the requested URL string, so when someone would like to manipulate the MySQL database via an injection method, the trap will reward it with a very elegant IP ban (this function must be modified in accordance with the website and its needs).
This is the core code, called security.php.
As you may recognise, the script uses txt files which store the banned user agents / IPs and the typical string fragments which might be used during an SQL injection attack.
PHP Code:
<?php
// Read the lists once per request, one entry per line; blank lines are skipped
// so an empty line can never match every visitor.
$ua        = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$webadress = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$ip        = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$loc       = dirname(__FILE__);
$flags     = FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES;
$target    = file("$loc/ip-logfile.txt", $flags) ?: array();    // banned IPs (index.php appends to it)
$sqltarget = file("$loc/sql-injection.txt", $flags) ?: array(); // SQL injection fragments
$ualist    = file("$loc/banned-ua.txt", $flags) ?: array();     // banned user agents
//if the visitor claims to be a robot
if(stristr($ua, 'msnbot') || stristr($ua, 'Googlebot') || stristr($ua, 'Yahoo! Slurp')){
    //we must validate it
    require "$loc/security-proxy-checker.php";
}
else{
    //visitors with banned user agents are not allowed to access
    foreach($ualist as $item){
        $item = trim($item);
        if($item !== '' && stristr($ua, $item)){
            require "$loc/message.php";
            exit;
        }
    }
    //visitors with banned IPs are not allowed to access
    //(prefix match: "192.168.1." bans a whole range, but "1.2.3.4" no longer matches "11.2.3.4")
    foreach($target as $item){
        $item = trim($item);
        if($item !== '' && strncmp($ip, $item, strlen($item)) === 0){
            require "$loc/message.php";
            exit;
        }
    }
    //let's inspect the requested URL string
    foreach($sqltarget as $sqlitem){
        $sqlitem = trim($sqlitem);
        if($sqlitem !== '' && stristr($webadress, $sqlitem)){
            require "$loc/index.php"; // the trap: greets, logs and bans the IP
            exit;
        }
    }
}
?>
A very important part of the solution is the index.php file, with the following code:
PHP Code:
<?php
$ip         = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$webadress  = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$loc        = dirname(__FILE__);
$logfile    = "$loc/ip-logfile.txt";       // the ban list read by security.php
$urllogfile = "$loc/requested-string.txt"; // the control log
$time       = date("F j, Y, g:i a");
require "$loc/message.php";
//Let's start the statistic module
//store the IP as first step (LOCK_EX so two simultaneous hits do not interleave lines)
file_put_contents($logfile, "$ip\n", FILE_APPEND | LOCK_EX);
//Put the string and some very important parameters into a control logfile so if somebody was banned without any reason we will have the chance to fix that
file_put_contents($urllogfile, "$ip requested this string $webadress this time $time\n", FILE_APPEND | LOCK_EX);
exit;
?>
My favourite part of the whole thing is the message.php, which stores my greetings to the attackers, a very nice one, so nothing rough.
Attached you may find the whole archived folder (with Hungarian comments in the files). In order to implement the trap, all you need to do is to upload the files into a folder of your choice, let's name it core for instance, and place this code at the very front of the files you would like to protect.
PHP Code:
<?php require "/thisisthepathof/core/security.php"; ?>
And one more thing. Don't forget to restrict crawling of the core folder where the files are stored in the robots.txt file; this may catch some extra bad guys.
I warrant nothing, but this works very well at my site. I regularly check the requested-string.txt to see if somebody has been banned accidentally. But I regularly smile at the catches.
Thanks
ps. Today I realized that at my Hungarian blog some very strange URLs have been restricted, for instance /Databases/vicndatadata.mdb or /Reg/User_Reg.asp. I thought that this is something that I don't need, and since I know that WP is written in PHP and I use permalinks, I completed my sql-injection.txt file with these two lines:
.asp
.mdb
restricting access to these certain file extensions, and my security logs have become very busy since then.
I'm going to ask Cyrus to help me extend the protection to cover leeching and XSS attacks as well, but don't tell him, he knows nothing about my purpose!
█Time may come when you will need a UK e-commerce software
█ecommerce testimonials search engine optimisation (keresőoptimalizálás)
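The three checks in security.php, as an added example that is not part of the original post or its archive, rewritten the way I would harden them: the URL is percent-decoded (twice) and lower-cased before the SQL-fragment check, because stristr() on the raw REQUEST_URI never sees `UNION%20SELECT` or `%2527` as the attacker's `union select` and `'`; IP bans are exact or CIDR matches instead of substring matches; blank list lines are ignored; and the crawler check the post delegates to security-proxy-checker.php (whose code is not shown) is done the way the search engines document it, a reverse lookup followed by a forward lookup. The file layout, the host-name suffix list and the DNS answers are my assumptions, and the sample data is constructed so the block runs offline.

```php
<?php
// Added example (not code from the original post or its archive): hardened
// versions of the three checks in security.php. Assumptions, all mine: list
// files live beside this script, one entry per line; crawler verification is
// reverse DNS + forward DNS with an injectable resolver so the block can run
// offline on constructed data.
declare(strict_types=1);

// Percent-decode twice (so %2527 -> %27 -> ') and lower-case, because the
// original stristr() on the raw REQUEST_URI never sees "UNION%20SELECT" as
// "union select". '+' is treated as a space, as in a query string.
function normalize_uri(string $uri): string
{
    return strtolower(urldecode(urldecode($uri)));
}

// True if the normalised URI contains any non-empty fragment from the list.
function uri_matches_fragments(string $uri, array $fragments): bool
{
    $haystack = normalize_uri($uri);
    foreach ($fragments as $fragment) {
        $fragment = strtolower(trim($fragment));
        if ($fragment === '') {
            continue;            // a blank line must not match every request
        }
        if (strpos($haystack, $fragment) !== false) {
            return true;
        }
    }
    return false;
}

// True if $ip equals an entry or lies inside a CIDR entry (IPv4 only).
// Unlike stristr($ip, $item), "1.2.3.4" does not match "11.2.3.4" here.
function ip_is_banned(string $ip, array $entries): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    foreach ($entries as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        if (strpos($entry, '/') === false) {
            if ($entry === $ip) {
                return true;
            }
            continue;
        }
        [$net, $bits] = explode('/', $entry, 2);
        $netLong = ip2long($net);
        $bits    = (int) $bits;
        if ($netLong === false || $bits < 0 || $bits > 32) {
            continue;            // malformed entry: ignore it rather than ban everyone
        }
        $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

// Verify a self-declared crawler: reverse-resolve the IP, require the host to
// end in an expected suffix (leading dot included, so "evilgooglebot.com"
// fails), then forward-resolve that host and require the original IP among
// the answers. $reverse/$forward default to PHP's own resolvers.
function is_verified_crawler(string $ip, array $suffixes, ?callable $reverse = null, ?callable $forward = null): bool
{
    $reverse = $reverse ?? 'gethostbyaddr';
    $forward = $forward ?? 'gethostbynamel';
    $host = $reverse($ip);
    if ($host === false || $host === $ip) {
        return false;            // no PTR record: nobody vouches for this IP
    }
    $host = rtrim(strtolower($host), '.');
    $allowed = false;
    foreach ($suffixes as $suffix) {
        if (substr($host, -strlen($suffix)) === strtolower($suffix)) {
            $allowed = true;
            break;
        }
    }
    if (!$allowed) {
        return false;
    }
    $addrs = $forward($host);
    return is_array($addrs) && in_array($ip, $addrs, true);
}

// Constructed sample data for a stand-alone run (not real lists or DNS answers).
$fragments = ['union select', "' or 1=1", 'information_schema', '.mdb', ''];
$banned    = ['203.0.113.7', '198.51.100.0/24'];
$reverse   = fn(string $ip) => $ip === '192.0.2.10' ? 'crawl-192-0-2-10.googlebot.com' : $ip;
$forward   = fn(string $h)  => $h === 'crawl-192-0-2-10.googlebot.com' ? ['192.0.2.10'] : false;

var_dump(uri_matches_fragments('/index.php?id=1%20UNION%20SELECT%201,2', $fragments));
var_dump(uri_matches_fragments('/index.php?id=1%2527%20or%201%3D1', $fragments));
var_dump(uri_matches_fragments('/blog/2009/unionised-workers-select-committee', $fragments));
var_dump(ip_is_banned('198.51.100.77', $banned));
var_dump(ip_is_banned('203.0.113.70', $banned));
var_dump(is_verified_crawler('192.0.2.10', ['.googlebot.com', '.google.com'], $reverse, $forward));
var_dump(is_verified_crawler('192.0.2.11', ['.googlebot.com', '.google.com'], $reverse, $forward));
```

Run it from the command line with php. The first two URLs carry the same `union select` and `' or 1=1` payloads that a raw stristr() on REQUEST_URI misses once the attacker percent-encodes the space or the quote; the third is an ordinary permalink and shows why the fragments should stay specific (a bare `or` or `select` would ban real readers). A ban keyed on REMOTE_ADDR also hits everyone behind the same NAT or proxy, so the habit the post describes, checking requested-string.txt for accidental bans, still applies to the hardened version.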
Thanks for sharing Bagi!
* Build a shopping cart for your business with eCommerce software UK
* BossCart.com can build you a.
Register your domain names at Velnet
Add Eco sites to The Green Directory free of charge.
Use LBS Free PHP Directory Script . Web Hosting Blog
Useful post Bagi. Thanks for sharing it with us.
DON.
It is my pleasure to read your responses.
It is a nice script Bagi Zoltán, thanks for sharing it. I wonder if there is any anti-hacker and anti-virus script that can work with a server?
Bagi, you should begin a security consulting service! Serious!!!!
I'll be your first client. PM me bro!!!
Lovely. Sadly I don't know as much about how to identify viruses with PHP; sadly my toolkit is limited only to server-side scripts. As far as I know viruses are not really able to be caught via a script, but by secure gateways such as Zorp, which identify the unnatural packet transmissions.
Martin, thank you for your kind words. I am thinking about this, but I need to learn hacking first. Of course I am thinking of ethical hacking, but you must know how to attack a script/server to know how to defend it, so it will be a long way and I am only at the start line at the moment. My sister works for an information security company called Kurt; I guess you have never heard about it, but one of the biggest hackers on the whole planet works there. He was disqualified from the hacker world championship because he used some tool which was not allowed. I want him to be my mentor. Sweet dreams
I would like to release only FREE defending scripts in the future, which cover a wider area of web-based attacks and might be installed easily by everyone.
Very nice. Thank you.
It is a shame that you use our nation as a user name and got banned. Next time you should choose something else when you go spamming.