So the idea is to add some PHP to your custom 404 page.

<?php
// Drop-in for a custom 404 page: if the requested path looks like a scanner probe,
// add the client IP to the xt_recent list "scandrop" that the iptables rules below consult.
function startsWith($haystack, $needle)
{
    $length = strlen($needle);
    return (substr($haystack, 0, $length) === $needle);
}

function startsWithBlocked($needle)
{
    $blockStarts = array(
        "/wp-content/",
        "/w00tw00t"
    );
    foreach ($blockStarts as $value)
    {
        if (startsWith($needle, $value))
        {
            return true;
        }
    }
    return false;
}

function isBlockablePage($needle)
{
    $blockPages = array(
        "/pma",
        "/myadmin",
        "/admin",
        "/phpmyadmin",
        "/php-my-admin",
        "/wp-login.php",
        "/w00tw00t.at.blackhats.romanian.anti-sec:)",
        "/webcalendar",
        "/calendar",
        "/dbadmin",
        "/mysql",
        "/includes",
        "/public_calendar",
        "/web-calendar",
        "/wcalendar",
        "/w00tw00t.at.isc.sans.dfind:)"
    );
    return in_array($needle, $blockPages, true);
}

function Block($needle)
{
    // Case-fold and drop one leading slash from "//path" so it matches the lists above.
    // Note: REQUEST_URI includes any query string, so "/admin?x=1" will not match the exact list.
    $lower = strtolower($needle);
    if (startsWith($lower, "//"))
    {
        $lower = substr($lower, 1);
    }
    return (startsWithBlocked($lower) || isBlockablePage($lower));
}

if (Block($_SERVER['REQUEST_URI']))
{
    // REMOTE_ADDR is set by the web server from the TCP connection; behind a reverse
    // proxy it is the proxy's address, so this needs adapting in that setup.
    $ip = $_SERVER['REMOTE_ADDR'];
    // Only write a syntactically valid IPv4 address (the iptables rules below are IPv4),
    // and append to the proc file directly instead of via system()/echo so no shell is spawned.
    // Writing "+addr" adds addr to the xt_recent list.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false)
    {
        file_put_contents("/proc/net/xt_recent/scandrop", "+$ip\n", FILE_APPEND);
    }
}
?>

These are just some of the ones I've seen. I added the starts-with checks, as well as some URL sanitation.
You need the xt_recent module in iptables, but in my experience it usually comes with it.
Here is one way you can have iptables use this:

iptables -N httpscandrop
iptables -A httpscandrop -m recent ! --rcheck --name scandrop --rsource -j RETURN
iptables -A httpscandrop -j DROP
iptables -I INPUT 1 -j httpscandrop

Run "touch /proc/net/xt_recent/scandrop", then give your web server user write access to that file in whatever way you prefer.
There are various ways around this method, but these scans aren't so annoying that I want to actually write an Apache module for it.
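As an added example (not part of the paste), here is the same prefix and exact-path matching applied offline to constructed access-log lines in Python, which is a way to see what the list would catch, and which client IPs would end up in the scandrop list, before letting the 404 handler feed iptables. It normalizes a little more than the PHP above (query string dropped, percent-decoding, repeated slashes collapsed, trailing slash ignored for exact matches); the log lines and addresses are constructed, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Same prefix and exact-path lists as the 404 handler above (duplicates dropped).
BLOCK_STARTS = ("/wp-content/", "/w00tw00t")
BLOCK_PAGES = {
    "/pma", "/myadmin", "/admin", "/phpmyadmin", "/php-my-admin", "/wp-login.php",
    "/w00tw00t.at.blackhats.romanian.anti-sec:)", "/webcalendar", "/calendar",
    "/dbadmin", "/mysql", "/includes", "/public_calendar", "/web-calendar",
    "/wcalendar", "/w00tw00t.at.isc.sans.dfind:)",
}

# Apache "combined" log line: client IP, request line, status (other fields ignored).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')

def normalize_path(target):
    """Reduce a request target to the form the block lists use (goes a little further
    than the PHP handler: drops the query, percent-decodes, collapses repeated slashes)."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path).lower()
    return re.sub(r"/{2,}", "/", path)

def is_scanner_path(path):
    if any(path.startswith(p) for p in BLOCK_STARTS):
        return True
    return path.rstrip("/") in BLOCK_PAGES   # "/phpmyadmin/" matches "/phpmyadmin"

def scanner_hits(log_lines):
    """Count matching 404 requests per client IP (the 404 handler only ever sees 404s)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        if is_scanner_path(normalize_path(m.group("target"))):
            hits[m.group("ip")] += 1
    return dict(hits)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET //phpMyAdmin/?x=1 HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/plugins/x.php HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /admin HTTP/1.1" 200 512 "-" "-"',
]
```

Calling scanner_hits(SAMPLE_LOG) gives {'203.0.113.7': 2, '198.51.100.4': 1}; the /admin request from 192.0.2.9 is ignored because it was a 200, not a 404, just as the handler would never see it.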