Guest User

Better Web Scanner Drop

a guest
May 30th, 2012
84
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. So the idea is to add some PHP to your custom 404 page.
  2.  
  3. <?php
  4. function startsWith($haystack, $needle)
  5. {
  6. $length = strlen($needle);
  7. return (substr($haystack, 0, $length) === $needle);
  8. }
  9. function startsWithBlocked($needle)
  10. {
  11. $blockStarts = array(
  12. "/wp-content/",
  13. "/w00tw00t"
  14. );
  15. foreach($blockStarts as $i => $value)
  16. {
  17. if(startsWith($needle, $value))
  18. {
  19. return true;
  20. }
  21. }
  22. return false;
  23. }
  24. function isBlockablePage($needle)
  25. {
  26. $blockPages = array(
  27. "/pma",
  28. "/myadmin",
  29. "/admin",
  30. "/phpmyadmin",
  31. "/php-my-admin",
  32. "/wp-login.php",
  33. "/w00tw00t.at.blackhats.romanian.anti-sec:)",
  34. "/webcalendar",
  35. "/calendar",
  36. "/dbadmin",
  37. "/mysql",
  38. "/includes",
  39. "/public_calendar",
  40. "/web-calendar",
  41. "/webcalendar",
  42. "/calendar",
  43. "/wcalendar",
  44. "/w00tw00t.at.isc.sans.dfind:)"
  45. );
  46. return in_array($needle, $blockPages);
  47. }
  48. function Block($needle)
  49. {
  50. $lower = strtolower($needle);
  51. if(startsWith($lower, "//"))
  52. {
  53. $length = strlen($lower);
  54. $lower = substr($lower, 1, $length - 1);
  55. }
  56. return (startsWithBlocked($lower) || isBlockablePage($lower));
  57. }
  58.  
  59. if(Block($_SERVER['REQUEST_URI']))
  60. {
  61. $ip = $_SERVER['REMOTE_ADDR'];
  62. system("echo +$ip >> /proc/net/xt_recent/scandrop");
  63. }
  64. ?>
  65.  
  66. These are just some of the ones I've seen. I added the starts with checks, as well as added some url sanitation.
  67.  
  68. You need xt_recent in iptables, but it usually comes with it in my experience.
  69. Here is one way you can have iptables use this.
  70.  
  71.  
  72. iptables -N httpscandrop
  73. iptables -A httpscandrop -m recent ! --rcheck --name scandrop --rsource -j RETURN
  74. iptables -A httpscandrop -j DROP
  75. iptables -I INPUT 1 -j httpscandrop
  76.  
  77. run "touch /proc/net/xt_recent/scandrop" then allow your web user write access to the file any way you want to.
  78.  
  79. There are various ways around this method, but these scans aren't so annoying that I want to actually write an Apache module for it.
RAW Paste Data