. */
/**
 * This file is part of AbyssGuard.
 *
 * AbyssGuard is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * AbyssGuard is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with AbyssGuard. If not, see the GNU licences page (URL lost in extraction).
 *
 * Modifications by JaTu Apr 11 2013
 *
 * Request filter meant to be include()d early in a page request. Every tunable
 * it reads ($agactive, $logging, $logfile, $ipwhitelist, $ipblacklist,
 * $httpblkey, $checkheaders, $commonhacks, $hackreq, $browsers, $robots,
 * $badagents1, $badagents2, $acceptexempt, $httbllastactivity,
 * $httblthreatscore, $cookiename, $forbidbad, $forbiddentitle, $forbiddentxt,
 * $maxloglines) is a global; config.php, included below, is presumably where
 * they are defined. NOTE(review): this listing has lost its HTML/markup in
 * extraction (no opening PHP tag, empty str_replace() needles, log-entry
 * strings without tags), so the runtime strings below should be read with
 * that in mind rather than taken as the shipped text.
 */

// Load the configuration; all globals used in this file come from it.
include dirname(__FILE__) . DIRECTORY_SEPARATOR . "config.php";

// Logging without a configured log location is silently switched off instead
// of failing later in writeLog().
if ($logging == true && $logfile == "") {
    $logging = false;
}

// Bail out when the guard is disabled or when no check at all is configured.
// Precedence: $agactive != true || ($ipblacklist == "" && $httpblkey == "" && ...).
// A top-level return in an included file only ends the include.
if ($agactive != true || $ipblacklist == "" && $httpblkey == "" && $checkheaders == false && $commonhacks == false) {
    return;
}

// Name of the cookie that marks a visitor as already blocked; its value is the
// block reason (see blockAccess()).
$badcookie = md5("abyssguardban");

abyssGuard();

/**
 * Run the configured checks against the current request.
 *
 * Everything is read from $_SERVER, $_COOKIE and the config globals. On a match
 * the reason is logged (when $logging is on), blockAccess() sends a 403 and
 * die()s, and the function returns. A request that passes every enabled check
 * ends with the one-day pass cookie being set via writeCookie().
 *
 * Side effects: overwrites the global $cookiename with its md5, may set cookies,
 * may perform a DNS lookup (httpBL), may terminate the script.
 */
function abyssGuard()
{
    global $httpblkey, $checkheaders, $ipwhitelist, $ipblacklist, $logging, $browsers, $robots, $badagents1, $badagents2, $commonhacks, $badcookie, $hackreq, $acceptexempt, $httbllastactivity, $httblthreatscore, $cookiename;

    $ip = $_SERVER["REMOTE_ADDR"];
    // BUG: HTTP_USER_AGENT is unquoted here, so it is an undefined constant.
    // PHP 7 warns and falls back to the string (so it works by accident);
    // PHP 8 throws an Error. It should read $_SERVER["HTTP_USER_AGENT"].
    $agent = (isset($_SERVER["HTTP_USER_AGENT"])) ? $_SERVER[HTTP_USER_AGENT] : "";
    $uri = $_SERVER["REQUEST_URI"];
    $accept = (isset($_SERVER["HTTP_ACCEPT"])) ? $_SERVER["HTTP_ACCEPT"] : "";
    $request = $_SERVER["REQUEST_METHOD"];
    $protocol = $_SERVER["SERVER_PROTOCOL"];
    // HTTP_HOST is client-supplied; it is used below both for referer
    // comparisons and, unescaped, in the log record.
    $hosth = $_SERVER["HTTP_HOST"];
    $isrobot = "";
    $chheaders = 1;
    $date = date("d/m/Y");
    // Pass-cookie value: md5 of client IP + today's date. NOTE(review): no
    // server-side secret is mixed in, so this is a per-day convenience marker
    // that any client can compute for itself, not an authenticator; an HMAC
    // with a configured secret would make it unforgeable.
    $cookievalue = md5($ip . $date);
    // Rewrites the global: the configured cookie name is only ever used hashed.
    $cookiename = md5($cookiename);
    $robotcookie = md5("abyssguardrobot");
    $referer = (isset($_SERVER["HTTP_REFERER"])) ? $_SERVER["HTTP_REFERER"] : "";

    // Whitelisted IPs skip everything and get the pass cookie straight away.
    // in_array() is non-strict here and below.
    if (in_array($ip, $ipwhitelist)) {
        writeCookie($cookiename, $cookievalue);
        return;
    }

    // A visitor already carrying the ban cookie is blocked again without
    // logging. The cookie value (the original block reason) is client-supplied;
    // blockAccess() only writes it back into the cookie, it does not echo it.
    if (isset($_COOKIE[$badcookie])) {
        blockAccess($_COOKIE[$badcookie]);
        return;
    }

    if (in_array($ip, $ipblacklist)) {
        $message = "Blacklisted IP address";
        if ($logging == true) {
            writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
        }
        blockAccess($message);
        return;
    }

    // Request-pattern checks (WordPress oriented). These run before the
    // pass-cookie check below, so they apply to every request.
    if ($commonhacks == true) {
        // $hackreq: configured list of URI substrings. The URI is urldecode()d
        // once before matching; three WordPress/Facebook URIs are exempted.
        foreach ($hackreq as $hackrequest) {
            if (strpos(urldecode($uri), $hackrequest) !== false) {
                if (strpos(urldecode($uri), "/wp-login.php?redirect_to=") === false && strpos(urldecode($uri), "?fb_action_ids=") === false && strpos(urldecode($uri), "fb_action_types=og.likes") === false) {
                    $message = "Hack attempt";
                    if ($logging == true) {
                        writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
                    }
                    blockAccess($message);
                    return;
                }
            }
        }

        // Comment POSTs must carry a referer from this host that is not a
        // failed-captcha page. Precedence: A || (B && C) || (D && E).
        if ($request == "POST" && strpos($uri, "/wp-comments-post.php") !== false) {
            if ($referer == "" || $referer != "" && strpos($referer, $hosth) === false || $referer != "" && strpos($referer, "incorrect-captcha") !== false) {
                $message = "Spam attempt";
                if ($logging == true) {
                    writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
                }
                blockAccess($message);
                return;
            }
        }

        // Trackback POSTs from something announcing itself as an ordinary
        // browser ($browsers: configured UA substrings) are treated as spam.
        if ($request == "POST" && (strpos($uri, "/wp-trackback.php") !== false || strpos($uri, "/trackback") !== false)) {
            foreach ($browsers as $browser) {
                if (strpos($agent, $browser) !== false) {
                    $message = "Trackback spam attempt";
                    if ($logging == true) {
                        writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
                    }
                    blockAccess($message);
                    return;
                }
            }
        }

        // Login page: block a referer-less hit that is not a redirect_to
        // round-trip, or a POST whose referer is exactly the plain http login URL.
        // Precedence: (A && B && C) || (D && E && F). Note the comparison is
        // against an "http://" URL only — an https site presumably never matches
        // the second branch.
        $breferer = "http://" . $hosth . "/wp-login.php";
        if (strpos($uri, "/wp-login.php") !== false && $referer == "" && strpos($uri, "/wp-login.php?redirect_to=") === false || $request == "POST" && strpos($uri, "/wp-login.php") !== false && $breferer == $referer) {
            $message = "Hack attempt";
            if ($logging == true) {
                writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
            }
            blockAccess($message);
            return;
        }
    }

    // A valid pass cookie skips the User-Agent, httpBL, robot and header checks
    // that follow (loose == comparison).
    if (isset($_COOKIE[$cookiename]) && $_COOKIE[$cookiename] == $cookievalue) {
        return;
    }

    // The robot cookie is set further down for any UA matching $robots. A client
    // that sends it back is blocked; the cookie value is client-supplied and is
    // embedded in the log message.
    if (isset($_COOKIE[$robotcookie])) {
        $message = "User claimed to be " . $_COOKIE[$robotcookie];
        if ($logging == true) {
            writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
        }
        blockAccess($message);
        return;
    }

    if ($agent != "") {
        // $badagents1: prefix matches (position 0 only). "$postition" is a typo
        // for position; it is only a local name.
        foreach ($badagents1 as $badagent1) {
            $postition = strpos($agent, $badagent1);
            if ($postition !== false && $postition == 0) {
                $message = "Blacklisted User-Agent";
                if ($logging == true) {
                    writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
                }
                blockAccess($message);
                return;
            }
        }
        // $badagents2: substring matches anywhere in the UA.
        foreach ($badagents2 as $badagent2) {
            if (strpos($agent, $badagent2) !== false) {
                $message = "Blacklisted User-Agent";
                if ($logging == true) {
                    writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
                }
                blockAccess($message);
                return;
            }
        }
        // Markup/script fragments in the UA. The escaped literal spells "href=".
        if (strpos($agent, "\x68\162\x65\146\x3d") !== false || strpos($agent, "src=") !== false || strpos($agent, "<") !== false || strpos($agent, "eval(") !== false) {
            $message = "Hack attempt";
            if ($logging == true) {
                writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
            }
            blockAccess($message);
            return;
        }
    } else {
        // No UA at all is blocked, except for favicon requests and requests
        // carrying X-Forwarded-For. NOTE(review): that header is client-supplied,
        // so the exemption is not a proxy guarantee.
        if ($uri != "/favicon.ico" && !isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
            $message = "No User-Agent provided";
            if ($logging == true) {
                writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
            }
            blockAccess($message);
            return;
        }
    }

    // Project Honey Pot http:BL lookup: <key>.<reversed IPv4>.dnsbl.httpbl.org.
    // The reversal splits on "." so this presumably only makes sense for IPv4.
    if ($httpblkey != "") {
        $httblcheck = $httpblkey . "." . implode(".", array_reverse(explode(".", $ip))) . ".dnsbl.httpbl.org";
        // On lookup failure gethostbyname() returns its argument unchanged, so
        // $result[0] is then a key fragment rather than 127 and nothing is blocked.
        $result = explode(".", gethostbyname($httblcheck));
        if (!empty($result) && ($result[0] == 127)) {
            // Response octets as used here: [1] last-activity value,
            // [2] threat score, [3] visitor type (bit flags, see labels below).
            $lastactivity = $result[1];
            $threatscore = $result[2];
            $type = $result[3];
            // Type 0 returns immediately — note this path does NOT set the pass cookie.
            if ($type == 0) {
                return;
            }
            // Block only when the configured activity/score thresholds are met.
            if ($lastactivity <= $httbllastactivity && $threatscore >= $httblthreatscore && $type > 0) {
                // Bit 1 = suspicious, 2 = harvester, 4 = comment spammer.
                // NOTE(review): there is no fallback, so a type above 7 would
                // leave $threattype undefined.
                if ($type == 1) {
                    $threattype = "Suspicious";
                }
                if ($type == 2) {
                    $threattype = "Harvester";
                }
                if ($type == 3) {
                    $threattype = "Suspicious & Harvester";
                }
                if ($type == 4) {
                    $threattype = "Comment Spammer";
                }
                if ($type == 5) {
                    $threattype = "Suspicious & Comment Spammer";
                }
                if ($type == 6) {
                    $threattype = "Harvester & Comment Spammer";
                }
                if ($type == 7) {
                    $threattype = "Suspicious & Harvester & Comment Spammer";
                }
                $message = "httpBL " . $threattype;
                if ($logging == true) {
                    writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
                }
                blockAccess($message);
                return;
            }
        }
    }

    // $robots: map of robot name => list of UA substrings. First match wins.
    foreach (array_keys($robots) as $robot) {
        foreach ($robots[$robot] as $key) {
            if (strpos($agent, $key) !== false) {
                $isrobot = $robot;
                break 2;
            }
        }
    }

    if ($isrobot != "") {
        // Hand the self-declared robot a cookie; the check near the top blocks
        // any later request that returns it (presumably relying on genuine
        // crawlers not sending cookies back).
        writeCookie($robotcookie, $isrobot);
        // A crawler sending a Referer is treated as referer spam. The message
        // contains a literal line break (markup probably lost in extraction).
        if ($referer != "") {
            $message = "User claimed to be " . $isrobot . "
referer spam";
            if ($logging == true) {
                writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
            }
            blockAccess($message);
            return;
        }
    }

    if ($checkheaders == true) {
        // Missing Accept header from a non-robot, unless the UA is in $acceptexempt.
        if ($accept == "" && $isrobot == "") {
            foreach ($acceptexempt as $aexempt) {
                if (strpos($agent, $aexempt) !== false) {
                    $chheaders = 0;
                    break;
                }
            }
            if ($chheaders == 1) {
                // A foreign referer with no Accept header is reported as referer spam.
                if ($referer != "" && strpos($referer, $hosth) === false) {
                    $message = "Referer spam";
                } else {
                    $message = "No header \"Accept\" provided";
                }
                if ($logging == true) {
                    writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
                }
                blockAccess($message);
                return;
            }
        }

        // Only GET, POST and HEAD are accepted.
        if ($request != "GET" && $request != "POST" && $request != "HEAD") {
            $message = "Hack attempt";
            if ($logging == true) {
                writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
            }
            blockAccess($message);
            return;
        }

        if ($referer != "") {
            // Referer must look like http(s):// followed by a dotted host name
            // ending in a 2-4 letter label, or an IPv4 literal whose octets are
            // 1-255 (0 is not accepted by the pattern), or contain "www.google."
            // anywhere. Neither pattern is end-anchored.
            if (!preg_match("#^http(s)?://[a-z0-9-_.]+\.[a-z]{2,4}#i", $referer) && !preg_match("#^http(s)?://([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])#i", $referer) && strpos($referer, "www.google.") === false) {
                $message = "Invalid referer, bad bot";
                if ($logging == true) {
                    writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
                }
                blockAccess($message);
                return;
            }
            // Markup/script fragments in the referer ("href=" is the escaped
            // literal). Precedence: A || (B && C) || D || E — "src=" is allowed
            // when "esrc" is also present (Google's esrc= parameter).
            if (strpos($referer, "\x68\162\x65\146\x3d") !== false || strpos($referer, "src=") !== false && strpos($referer, "esrc") === false || strpos($referer, "<") !== false || strpos($referer, "eval(") !== false) {
                $message = "Hack attempt";
                if ($logging == true) {
                    writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
                }
                blockAccess($message);
                return;
            }
        }

        // Two proxy signatures in the Via header are blocked outright.
        if (isset($_SERVER["HTTP_VIA"]) && (strpos($_SERVER["HTTP_VIA"], "Mikrotik HttpProxy") !== false || strpos($_SERVER["HTTP_VIA"], "squid/") !== false)) {
            $message = "Proxy detected";
            if ($logging == true) {
                writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer);
            }
            blockAccess($message);
            return;
        }
    }

    // Every enabled check passed: issue the pass cookie for this IP/day.
    writeCookie($cookiename, $cookievalue);
}

/**
 * Set a cookie valid for one hour on path "/".
 *
 * Only four arguments are passed to setcookie(), so no domain, Secure or
 * HttpOnly attribute is set on any of the guard's cookies.
 *
 * @param string $cookiename  cookie name (already hashed by the callers)
 * @param string $cookievalue cookie value
 */
function writeCookie($cookiename, $cookievalue)
{
    setcookie($cookiename, $cookievalue, time() + 3600, "/");
}

/**
 * Prepend a record for the blocked request to the log file.
 *
 * The file is $logfile . "abyssguardlog.txt" ($logfile is presumably a
 * directory prefix ending in a separator). The whole file is read, truncated
 * and rewritten with the new record first, under an exclusive flock(); when
 * $maxloglines is non-zero the oldest lines are dropped.
 *
 * NOTE(review): $uri, $agent and $referer pass through htmlspecialchars(), but
 * $accept, $hosth, Accept-Language, Content-Length, X-Forwarded-For /
 * Client-IP / CF-Connecting-IP and Via are written verbatim. They are all
 * client-supplied, and the final regex gate expects the record to carry HTML
 * (</a>, </span>, </td>, </tr>), so unescaped values are a stored-XSS /
 * log-injection risk for whatever renders this file.
 *
 * @param string $ip       REMOTE_ADDR
 * @param string $agent    User-Agent ("" when absent)
 * @param string $request  request method
 * @param string $uri      request URI (decoded and escaped before writing)
 * @param string $hosth    Host header
 * @param string $accept   Accept header ("" when absent)
 * @param string $protocol SERVER_PROTOCOL
 * @param string $message  block reason
 * @param string $referer  Referer header ("" when absent)
 */
function writeLog($ip, $agent, $request, $uri, $hosth, $accept, $protocol, $message, $referer)
{
    global $logfile, $maxloglines;

    // Optional request details; each is only emitted below when set.
    if (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])) {
        $lang = $_SERVER["HTTP_ACCEPT_LANGUAGE"];
    }
    if (isset($_SERVER["CONTENT_LENGTH"])) {
        $contentlength = $_SERVER["CONTENT_LENGTH"];
    }
    // "Possible real IP" from the usual proxy headers, in this priority order.
    if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        $proxycip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    } elseif (isset($_SERVER["HTTP_CLIENT_IP"])) {
        $proxycip = $_SERVER["HTTP_CLIENT_IP"];
    } elseif (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
        $proxycip = $_SERVER["HTTP_CF_CONNECTING_IP"];
    }
    if (isset($_SERVER["HTTP_VIA"])) {
        $proxyip = $_SERVER["HTTP_VIA"];
    }

    // Modifies the global $logfile in place (harmless while this runs once per request).
    $logfile .= "abyssguardlog.txt";
    if (!file_exists($logfile)) {
        if (!touch($logfile)) {
            return;
        }
    }

    // Existing content is read before the lock is taken.
    $lines = file($logfile);
    // $linescount is only defined when trimming is enabled; the trim condition
    // below short-circuits on $maxloglines != 0 first.
    if ($maxloglines != 0) {
        $linescount = count($lines);
    }
    $log = fopen($logfile, "r+b");
    if (!$log) {
        return;
    }

    // Retry the exclusive lock with random back-off (rand() is fine here,
    // it is only jitter).
    $retries = 0;
    $max_retries = 1000;
    do {
        if ($retries > 0) {
            usleep(rand(1, 10000));
        }
        $retries += 1;
    } while (!flock($log, LOCK_EX) and $retries <= $max_retries);
    // BUG: when every attempt fails the loop exits with $retries == 1001, so
    // this test is false and the file is truncated below WITHOUT the lock;
    // conversely a lock obtained on exactly the 1000th try returns here
    // (with the handle still open). The intended check is presumably
    // $retries > $max_retries. Also missing fclose() on this return.
    if ($retries == $max_retries) {
        return;
    }

    // Rewrite from scratch: new record first, then the old lines.
    ftruncate($log, 0);
    $uri = htmlspecialchars(urldecode($uri), ENT_QUOTES);
    $timestamp = date("d/m/Y - H:i:s");
    // $timelink is never used after this point.
    $timelink = date("dmYHis");

    // Record assembly. The embedded blank lines and the empty "" append are
    // most likely markup lost in extraction; they are kept as found.
    $whattowrite = "";
    $whattowrite .= "$ip

";
    $whattowrite .= "$timestamp

";
    $whattowrite .= "$message";
    $whattowrite .= "";
    if ($message == "Hack attempt") {
        $whattowrite .= "$request$uri $protocol
";
    } else {
        $whattowrite .= "$request $uri $protocol
";
    }
    if (isset($contentlength)) {
        $whattowrite .= "Content-Length: $contentlength
";
    }
    if (isset($lang)) {
        $whattowrite .= "Language: $lang
";
    }
    if ($agent != "") {
        $agent = htmlspecialchars($agent, ENT_QUOTES);
        $whattowrite .= "User-Agent: $agent
";
    }
    if ($accept != "") {
        $whattowrite .= "Accept: $accept
";
    }
    if (isset($proxycip)) {
        $whattowrite .= "Possible Real IP: $proxycip
";
    }
    if (isset($proxyip)) {
        $whattowrite .= "Proxy: $proxyip
";
    }
    $whattowrite .= "Host: $hosth
";
    if ($referer != "") {
        $referer = htmlspecialchars($referer, ENT_QUOTES);
        $whattowrite .= "Referer: " . $referer;
    }
    $whattowrite .= "\n";

    // As extracted, the first two replacements have empty needles (no-ops), the
    // third turns every "<" into a newline and the last three then find nothing.
    // These were presumably tag-to-newline normalisations whose tags were lost.
    $whattowrite = str_replace("", "", $whattowrite);
    $whattowrite = str_replace("", "", $whattowrite);
    $whattowrite = str_replace("<", "\n", $whattowrite);
    $whattowrite = str_replace("<", "", $whattowrite);
    $whattowrite = str_replace("<", "", $whattowrite);
    $whattowrite = str_replace("<", "", $whattowrite);

    // Drop the oldest lines to make room. NOTE(review): $lines is indexed
    // 0..count-1, so the first unset() targets a non-existent index and one
    // more line than necessary is removed — looks like an off-by-one.
    if (($maxloglines != 0) && ($maxloglines <= $linescount)) {
        while ($linescount >= $maxloglines - 1) {
            unset($lines[$linescount]);
            $linescount--;
        }
    }

    // The record is only written when it matches the expected HTML row shape
    // (the three truthiness tests before preg_match() are redundant with each
    // other). In this extracted form every "<" was replaced above, so the
    // pattern can never match here; in the original the tags are presumably intact.
    if (!empty($whattowrite) && $whattowrite && NULL != $whattowrite && preg_match('/^[\s\S]*<\/a>

[\s\S]*<\/a><\/span>

[\s\S]*<\/span><\/td>[\s\S]*<\/td><\/tr>$/', $whattowrite)) {
        fwrite($log, $whattowrite);
    }
    foreach ($lines as $line) {
        fwrite($log, $line);
    }
    flock($log, LOCK_UN);
    fclose($log);
}

/**
 * Deny the request: optionally set the ban cookie, send 403 and stop.
 *
 * When $forbidbad is on, $message is stored in the ban cookie so the client
 * stays blocked for the cookie's lifetime regardless of IP; $message may itself
 * have come from that cookie (see abyssGuard()), so it is client-controlled on
 * that path. The response body consists of $forbiddentitle and $forbiddentxt
 * from the config — $message is never echoed. The HTML of the page (and the
 * HTTP/1.1 status line is hard-coded) is presumably lost in extraction.
 *
 * @param string $message block reason
 */
function blockAccess($message)
{
    global $forbidbad, $badcookie, $forbiddentitle, $forbiddentxt;
    if ($forbidbad == true) {
        writeCookie($badcookie, $message);
    }
    header("HTTP/1.1 403 Forbidden");
    echo "\n\n\n\n" . $forbiddentitle . "\n\n\n" . $forbiddentxt . "\n\n";
    die();
}
?>