
antispam

a guest
Aug 25th, 2014
  1. <?php
  2.  
  3. print "Executing tcpdump\n";
  4. $pid = exec('/usr/sbin/tcpdump -e -n -c 3000 -i eth1 \'(tcp dst port 25 or tcp src port 25) and tcp[tcpflags] & tcp-syn != 0\' 2>/dev/null > dump.txt & echo $!;');
  5.  
  6. if(empty($pid)) {
  7.     print "Detected empty pid [$pid]\n";
  8.     exit;
  9. }
  10.  
  11. print "Sleeping\n";
  12. sleep(12);
  13. print "Killing tcpdump\n";
  14. exec('kill -s INT ' . $pid);
  15.  
  16. $lines = explode("\n", file_get_contents('dump.txt'));
  17. $ips = array();
  18.  
  19. foreach($lines as $line) {
  20.     $line = trim($line);
  21.     $parts = explode(' ', $line);
  22.  
  23.     if(count($parts) >= 12) {
  24.         $ip1 = $parts[9];
  25.         $ip2 = str_replace(':', '', $parts[11]);
  26.  
  27.         if(strlen($ip1) > 5 && strlen($ip2) > 5) {
  28.             $ip1_actual = substr($ip1, 0, strrpos($ip1, '.'));
  29.             $ip2_actual = substr($ip2, 0, strrpos($ip2, '.'));
  30.             $ip1_partial = substr($ip1_actual, 0, strrpos($ip1_actual, '.')); //192.168.0.1 => 192.168.0
  31.             $ip1_partial = substr($ip1_partial, 0, strrpos($ip1_partial, '.')); //192.168.0 => 192.168
  32.             $ip2_partial = substr($ip2_actual, 0, strrpos($ip2_actual, '.')); //192.168.0.1 => 192.168.0
  33.             $ip2_partial = substr($ip2_partial, 0, strrpos($ip2_partial, '.')); //192.168.0 => 192.168
  34.  
  35.             if(substr($ip1, -3) != '.25') {
  36.                 if(!isset($ips[$ip1_actual])) {
  37.                     $ips[$ip1_actual] = array();
  38.                 }
  39.  
  40.                 $ips[$ip1_actual][] = $ip2_partial;
  41.             }
  42.  
  43.             if(substr($ip2, -3) != '.25') {
  44.                 if(!isset($ips[$ip2_actual])) {
  45.                     $ips[$ip2_actual] = array();
  46.                 }
  47.  
  48.                 $ips[$ip2_actual][] = $ip1_partial;
  49.             }
  50.         }
  51.     }
  52. }
  53.  
  54. mysql_connect('localhost', 'whmcs', 'password');
  55. mysql_select_db('whmcs');
  56. mysql_query("DELETE FROM antispam_hits WHERE time < DATE_SUB(NOW(), INTERVAL 3 HOUR)");
  57.  
  58. foreach($ips as $ip => $describe) {
  59.     foreach($describe as $target) {
  60.         $safe_source = mysql_real_escape_string($ip);
  61.         $safe_target = mysql_real_escape_string($target);
  62.  
  63.         $result = mysql_query("SELECT user_id FROM yourvmlist WHERE ip = '$safe_source'");
  64.         if($row = mysql_fetch_array($result)) {
  65.             $user_id = $row[0];
  66.             mysql_query("INSERT INTO antispam_hits (source_ip, target_ip) VALUES ('$safe_source', '$safe_target')");
  67.         }
  68.     }
  69. }
  70.  
  71. $result = mysql_query("SELECT source_ip, COUNT(id), COUNT(DISTINCT target_ip) FROM antispam_hits WHERE time > DATE_SUB(NOW(), INTERVAL 25 MINUTE) GROUP BY source_ip");
  72.  
  73. while($row = mysql_fetch_array($result)) {
  74.     $source_ip = $row[0];
  75.     $count_all = $row[1];
  76.     $count_unique = $row[2];
  77.  
  78.     if($count_all >= 18 && $count_unique >= 2) {
  79.         exec('iptables -A FORWARD -p tcp --dport 25 -s ' . escapeshellarg($source_ip) . ' -j DROP');
  80.         exec('iptables -A FORWARD -p tcp --sport 25 -d ' . escapeshellarg($source_ip) . ' -j DROP'); //for GRE tunnel and shit
  81.         mail('youremail@example.com', 'blocked a guy', "blocked this guy -- {$source_ip}");
  82.     }
  83. }
  84.  
  85. ?>