# Ross Markham's PHP IDS to log what attacks people   #
# are trying and whereabouts. It automatically stores  #
# all attempts to the table "logger_logs".             #
# logger_logs should have the following columns:       #
#   key (primary key, auto increment)                  #
#   name (varchar, 200)                                #
#   attack_type (varchar, 200)                         #
#   page (varchar, 200)                                #
# to use include this at the very top of every page    #
#                                                      #
# feel free to modify and distribute this, but please  #
# leave this message here - rossmarkham.com            #
#                                                      #
# thanks System_meltdown - http://www.elites0ft.com    #
#                                                      #
# Review notes (defensive context):                    #
# - Detection is signature matching on raw request     #
#   values and, as the author notes below, is easily   #
#   evaded; treat the resulting log as telemetry, not  #
#   as a control. Every value it records is supplied   #
#   by the client and must be parameterised/escaped    #
#   wherever it is written to the table or rendered.   #
# - $_REQUEST merges GET, POST and COOKIE (order per   #
#   request_order); $_FILES is not part of it, so      #
#   uploaded file names are never inspected.           #
# - The null-byte check further down compares against #
#   "\\0", which in a double-quoted PHP string is the  #
#   two characters backslash + zero, not a NUL byte;   #
#   confirm that is the intended behaviour.            #
###################################################*/

// --- configuration ---------------------------------------------------------
// Database connection used to write to logger_logs. The shipped values are
// placeholders: "root" with an empty password is a development default. The
// logger only needs INSERT on logger_logs, so a dedicated least-privilege
// account is the appropriate production setting.
$server = "localhost";
$database = "databasename";
$dbuser = "root";
$dbpass = "";
// Set this to receive e-mails from EVERY exploit attempt! PHP's mail(); must be enabled.
// NOTE(review): one mail per detected request lets a remote client dictate the
// mail volume; a rate limit or digest is advisable if this is enabled.
$email = "";

// Client address as seen by this server (TCP peer). Behind a reverse proxy
// this is the proxy's address; do not substitute a client-supplied header
// here without validating the proxy chain.
$username = $_SERVER['REMOTE_ADDR'];

// Flatten every request value into $action[0 .. $no-1]. Parameter names
// ($var) are discarded; only the values are inspected by the checks below.
// $full_attack_type is only initialised here; its use is outside this view.
$action[0] = "";
$no = 0;
$full_attack_type = "";
foreach($_REQUEST as $var => $value) {
    // NOTE(review): $value is copied as-is, so array-valued parameters
    // (PHP's name[] syntax) reach preg_match() unflattened — confirm how the
    // deployed PHP version handles a non-string subject and flatten if needed.
    $action[$no] = $value;
    $no = $no + 1;
}
// $_REQUEST checks for post, get cookie & file
// (more precisely: GET, POST and COOKIE per request_order; $_FILES is not included)

// Classify each value. Within the checks visible here each category test is an
// independent `if` that overwrites $attacktype, so for a given value the last
// matching category wins.
for($i = 0; $i < $no; $i++){
    $attacktype = "";
    //first check for XSS (BASIC checks... easily evaded) doesn't need to be fullproof only for logger, site is vulnerable anyway!
if (preg_match('/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix ', $action[$i])){ $attacktype = "Cross site scripting"; } else { if (preg_match('/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/i ', $action[$i])){ $attacktype = "Cross site scripting"; } else { if (preg_match('/alert|script|\.js/i ', $action[$i])){ $attacktype = "Cross site scripting"; } else { if (preg_match('/((\%3C)|<)[^\n]+((\%3E)|>)/i ', $action[$i])){ $attacktype = "Cross site scripting"; }}}} //check for crlf/http response splitting if (preg_match('/%0a|%0d|\\\r|\\\n|\n|\r/i', $action[$i])){ $attacktype = "CRLF injection"; } //check for sql injection if (preg_match('/(\%27)|(\')|(\-\-)|(\%23)|(\#)/ix', $action[$i])){ $attacktype = "SQL injection"; } else{ if (preg_match('/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|\*|(\%3B)|(;))/i ', $action[$i])){ $attacktype = "SQL injection"; } else{ if (preg_match('/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix ', $action[$i])){ $attacktype = "SQL injection"; } else{ if (preg_match('/(()|(\%27)|(\'))union|select|insert|update|delete|drop/ix', $action[$i])){ $attacktype = "SQL injection"; } else{ if (preg_match('/exec(\s|\+)+(s|x)p\w+/ix ', $action[$i])){ $attacktype = "SQL injection"; }}}}} //check for remote file inclusion if (preg_match('(http|https|ftp|www)', $action[$i])){ $attacktype = "Remote file inclusion"; } //check for local file inclusion if (preg_match('/\.\./', $action[$i])){ $attacktype = "Local file inclusion"; } //check for null byte attack $non_null = str_replace("\\0", 'NULL byte detected', $action[$i]); if (preg_match('/NULL byte detected/', $non_null)){ $attacktype = "Poison null byte"; $non_null = ""; } //check for email injection if (preg_match('/cc:|Content-Type:|to:/ix', $action[$i])){ $attacktype = "Email header injection"; } //check for server side includes if (preg_match('/