beetraham
Regular
Joined: Dec 13, 2003
Posts: 94
Location: Finland (EU)
Posted: Wed Oct 06, 2004 8:09 pm
How-To receive ALERTS on *untrusted-IP(s)* accessing admin.php?
As there is basically no reason for anyone other than a PHP-Nuke site's trusted Administrators to access the *admin.php* page, you may optionally find it useful to *monitor the unauthorized admin.php accesses*, thus having an illuminated basis for the decision-making process related to further required actions.
In order to receive email-based information on hostile/malicious parties either *brute-forcing* or *just accessing* your PHP-Nuke site's *admin.php*, please find enclosed a modification for PHP-Nuke's *admin.php* page;
Quote:
Additional notices:
Should you choose to apply this mod, please note the following:
* this mod may have effects on performance, when logged in as an Admin (the routine is performed at all Admin associated page instances)
* remove the unneeded sections in code to optimize the performance
* should you choose to add more Admins, then you should ALWAYS note SPECIFICALLY the following;
[original array] :
$arr = array('admin1', 'admin2', 'admin3', 'admin4', 'alert');
[modified array] :
$arr = array('admin1', 'admin2', 'admin3', 'admin4', 'admin5', 'alert');
Meaning, the *added* admins must be placed before the last element in the array - and why's that? Because the array will be *scanned* consecutively according to the declaration order - i.e. when performed otherwise the struct will cause false positive alarms, as the *added trusted admin* would never get to experience the *while loop "break"*, resulting in *unalarmed script output*.
|------------> FIND LINE :
<FILE> : "admin.php"
Quote:
require_once("mainfile.php");
|------------> ADD FOLLOWING CODE (JUST ABOVE THE FOUND LINE)
<FILE> : "admin.php"
Quote:
// BEGINNING OF ARRAY BASED ARGUMENT LIST PROCESSING SECTION ----->
//
// PHP code snippet for receiving emailed ALERTS of *untrusted-IP(s)* admin.php accesses
//
// by beetraham aka. ZenoCide (c) 2004 (http://www.ec-clan.org/downloads.html)
//
// declaring the array to be used as an argument list for the performed *trusted IP* checks
// ('alert' must remain the LAST element: the loop breaks on the first trusted match and
// only reaches 'alert' when none of the admin entries before it matched)
$arr = array('admin1', 'admin2', 'admin3', 'admin4', 'alert');
// declaring trusted IP's
$ipadmin1 = "67.15.57.171"; // to be edited (trusted Admin1)
$ipadmin2 = "67.15.57.172"; // to be edited (trusted Admin2)
$ipadmin3 = "67.15.57.173"; // to be edited (trusted Admin3)
$ipadmin4 = "67.15.57.174"; // to be edited (trusted Admin4)
// declaring email alert related specifics
$acceptemail = 1; // set to "1" to receive mail, to "0" not to receive
$to = 'admin@yoursite'; // recipient email address - needed
// $sitename comes from PHP-Nuke's config.php; if it is not yet defined at this point, set it here
$alertsubject = "ALERT: *admin.php* access detected at *$sitename*"; // change the subject as seen appropriate
// retrieving information out of the visitor IP hitting the page
$ip = getenv("REMOTE_ADDR"); // this will be compared to the trusted list of IP(s)
// request details for the alert body, read from $_SERVER instead of the
// register_globals variables $HTTP_HOST, $HTTP_REFERER, $SERVER_ADDR and $SCRIPT_FILENAME
$http_host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
$http_referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; // client-supplied, informational only
$server_addr = isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : '';
$script_filename = isset($_SERVER['SCRIPT_FILENAME']) ? $_SERVER['SCRIPT_FILENAME'] : '';
//
// initializing the performed checks (please note that *DYNAMIC* Admin IP's will cause a detected alert EACH TIME!)
//
// foreach replaces the original "while (list(, $val) = each($arr))" loop; each() was removed in PHP 8
foreach ($arr as $val) {
    // we should never reach this branch, but if we do, we'll send an alert, since the IP is not considered trustworthy!
    if ($val == 'alert') {
        // beginning of email routine
        $date = date("m/d/Y H:i:s");
        if ($acceptemail == 1) {
            mail($to, $alertsubject, "\n
-------------------------------
- ADMIN.PHP PAGE ACCESS ALERT -
-------------------------------
ACCESS DATE&TIME: $date
IP ADDRESS : $ip
: CHECK [ARIN]--> http://ws.arin.net/cgi-bin/whois.pl?queryinput=" . $ip . "
: CHECK [RIPE]--> http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=" . $ip . "
HTTP HOST : $http_host
HTTP REFERER : $http_referer
FROM IP ADDRESS : $server_addr
ALERTING SRC FILE : $script_filename");
        }
        // end of email routine
        break;
    }
    if ($val == 'admin1') {
        // if the IP gets evaluated as trusted, we'll do nothing!
        if ($ip == $ipadmin1) {
            break;
        }
    }
    if ($val == 'admin2') {
        // if the IP gets evaluated as trusted, we'll do nothing!
        if ($ip == $ipadmin2) {
            break;
        }
    }
    if ($val == 'admin3') {
        // if the IP gets evaluated as trusted, we'll do nothing!
        if ($ip == $ipadmin3) {
            break;
        }
    }
    if ($val == 'admin4') {
        // if the IP gets evaluated as trusted, we'll do nothing!
        if ($ip == $ipadmin4) {
            break;
        }
    }
}
// END OF ARRAY BASED ARGUMENT LIST PROCESSING SECTION
|------------> THUS, THE MODIFIED CODE SHOULD LOOK VERY SIMILAR TO:
<FILE> : "admin.php"
Quote:
<?php
/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/* */
/************************************************************************/
/* Additional security checking code 2003 by chatserv */
/* http://www.nukefixes.com -- http://www.nukeresources.com */
/************************************************************************/
//
// BEGINNING OF ARRAY BASED ARGUMENT LIST PROCESSING SECTION ----->
//
// PHP code snippet for receiving emailed ALERTS of *untrusted-IP(s)* admin.php accesses
//
// by beetraham aka. ZenoCide (c) 2004 (http://www.ec-clan.org/downloads.html)
//
// declaring the array to be used as an argument list for the performed *trusted IP* checks
// ('alert' must remain the LAST element: the loop breaks on the first trusted match and
// only reaches 'alert' when none of the admin entries before it matched)
$arr = array('admin1', 'admin2', 'admin3', 'admin4', 'alert');
// declaring trusted IP's
$ipadmin1 = "67.15.57.171"; // to be edited (trusted Admin1)
$ipadmin2 = "67.15.57.172"; // to be edited (trusted Admin2)
$ipadmin3 = "67.15.57.173"; // to be edited (trusted Admin3)
$ipadmin4 = "67.15.57.174"; // to be edited (trusted Admin4)
// declaring email alert related specifics
$acceptemail = 1; // set to "1" to receive mail, to "0" not to receive
$to = 'admin@yoursite'; // recipient email address - needed
// $sitename comes from PHP-Nuke's config.php; if it is not yet defined at this point, set it here
$alertsubject = "ALERT: *admin.php* access detected at *$sitename*"; // change the subject as seen appropriate
// retrieving information out of the visitor IP hitting the page
$ip = getenv("REMOTE_ADDR"); // this will be compared to the trusted list of IP(s)
// request details for the alert body, read from $_SERVER instead of the
// register_globals variables $HTTP_HOST, $HTTP_REFERER, $SERVER_ADDR and $SCRIPT_FILENAME
$http_host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
$http_referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; // client-supplied, informational only
$server_addr = isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : '';
$script_filename = isset($_SERVER['SCRIPT_FILENAME']) ? $_SERVER['SCRIPT_FILENAME'] : '';
//
// initializing the performed checks (please note that *DYNAMIC* Admin IP's will cause a detected alert EACH TIME!)
//
// foreach replaces the original "while (list(, $val) = each($arr))" loop; each() was removed in PHP 8
foreach ($arr as $val) {
    // we should never reach this branch, but if we do, we'll send an alert, since the IP is not considered trustworthy!
    if ($val == 'alert') {
        // beginning of email routine
        $date = date("m/d/Y H:i:s");
        if ($acceptemail == 1) {
            mail($to, $alertsubject, "\n
-------------------------------
- ADMIN.PHP PAGE ACCESS ALERT -
-------------------------------
ACCESS DATE&TIME: $date
IP ADDRESS : $ip
: CHECK [ARIN]--> http://ws.arin.net/cgi-bin/whois.pl?queryinput=" . $ip . "
: CHECK [RIPE]--> http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=" . $ip . "
HTTP HOST : $http_host
HTTP REFERER : $http_referer
FROM IP ADDRESS : $server_addr
ALERTING SRC FILE : $script_filename");
        }
        // end of email routine
        break;
    }
    if ($val == 'admin1') {
        // if the IP gets evaluated as trusted, we'll do nothing!
        if ($ip == $ipadmin1) {
            break;
        }
    }
    if ($val == 'admin2') {
        // if the IP gets evaluated as trusted, we'll do nothing!
        if ($ip == $ipadmin2) {
            break;
        }
    }
    if ($val == 'admin3') {
        // if the IP gets evaluated as trusted, we'll do nothing!
        if ($ip == $ipadmin3) {
            break;
        }
    }
    if ($val == 'admin4') {
        // if the IP gets evaluated as trusted, we'll do nothing!
        if ($ip == $ipadmin4) {
            break;
        }
    }
}
// END OF ARRAY BASED ARGUMENT LIST PROCESSING SECTION
require_once("mainfile.php");
Tested, used, no complaints.
Hope that someone finds it applicable.
Thanks,
-beetraham
PS. (Oct-11-2004) added the colour code blue designated query links (lines) to allow performing REGIONAL (ARIN, RIPE) Queries via received Email Alerts.
Last edited by beetraham on Sun Oct 10, 2004 5:44 pm; edited 1 time in total |
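Added example (not beetraham's code or part of the post): the same admin.php access check written as two functions, extended so the trusted list may hold CIDR ranges as well as single addresses, which avoids the "alert on every visit" effect the post notes for Admins on dynamic IPs. The function names, the recipient address and the 203.0.113.0/24 range are assumptions/constructed samples.

```php
<?php
// Trusted Admin sources: exact IPv4 addresses and/or CIDR blocks (assumed list).
$trusted = array(
    '67.15.57.171',    // single trusted Admin IP (exact match), from the post
    '203.0.113.0/24',  // constructed sample range for an Admin on a dynamic IP
);

// True when $ip (IPv4) equals an entry of $list or lies inside a CIDR entry.
function is_trusted_ip($ip, array $list) {
    $ipl = ip2long($ip);
    if ($ipl === false) {
        return false; // not a valid IPv4 address: never trusted
    }
    foreach ($list as $entry) {
        if (strpos($entry, '/') === false) {
            $entry .= '/32'; // a single address is just a /32 block
        }
        list($net, $bits) = explode('/', $entry, 2);
        $netl = ip2long($net);
        $bits = (int) $bits;
        if ($netl === false || $bits < 0 || $bits > 32) {
            continue; // malformed entry: skip it rather than trust by accident
        }
        $mask = -1 << (32 - $bits); // network mask (64-bit PHP integers assumed)
        if (($ipl & $mask) === ($netl & $mask)) {
            return true;
        }
    }
    return false;
}

// Alert text; HTTP_REFERER is client-supplied, so it is recorded but not relied on.
function build_alert_body($ip, array $server) {
    $body = "- ADMIN.PHP PAGE ACCESS ALERT -\nACCESS DATE&TIME: " . date('m/d/Y H:i:s') . "\nIP ADDRESS      : $ip\n";
    foreach (array('HTTP_HOST', 'HTTP_REFERER', 'SCRIPT_FILENAME') as $key) {
        $body .= str_pad($key, 16) . ": " . (isset($server[$key]) ? $server[$key] : '-') . "\n";
    }
    return $body;
}

// Same placement as the post's snippet: run before the rest of admin.php.
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (!is_trusted_ip($ip, $trusted)) {
    mail('admin@yoursite', 'ALERT: admin.php access from an untrusted IP', build_alert_body($ip, $_SERVER));
}
```

With this list, 67.15.57.171 and 203.0.113.77 are treated as trusted while 198.51.100.9 triggers the mail; an invalid or missing REMOTE_ADDR is never trusted.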