Logo Search packages:      
Sourcecode: nanoweb version File versions  Download package

mod_worms.php

<?php

/*

Nanoweb Worms Detection Module
==============================

Copyright (C) 2002-2003 Vincent Negrier aka. sIX <six@aegis-corp.org>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

*/

class mod_worms {

      function mod_worms() {

            $this->modtype="core_before_decode";
            $this->modname="HTTP worms detection";
            $this->urls=array("/scripts/root.exe", "/default.ida");

      }

      function main() {

            global $conf, $query_string, $pri_err;

            if (strpos($query_string, "system(chr(") !== false) {
                  
                  $wormid = "phpbb";

            } else if ((strpos($query_string, "wget") !== false) && (strpos($query_string, "perl") !== false)) {

                  $wormid = "probable";

            }

            if (!isset($wormid)) return;
      
            if ($bt=access_query("wormsblocktime", 0)) {
                  
                  // Block source IP address
                  
                  $bsrc="mod_worms.".$wormid;
                  
                  if (strtolower($bt)=="perm") {
                  
                        nw_block_ip_address($GLOBALS["remote_ip"], "PERM", $bsrc);

                  } else {

                        nw_block_ip_address($GLOBALS["remote_ip"], "TEMP", $bsrc, time()+$bt);

                  }

            }
            
            if ($conf["global"]["wormsrun"]) while (list($key, $cmd)=each($conf["global"]["wormsrun"])) if ($cmd) {
            
                  // Do WormsRun
                  
                  $cmd=str_replace("$"."REMOTE_IP", $GLOBALS["remote_ip"], $cmd);
                  $cmd=str_replace("$"."REMOTE_HOST", $GLOBALS["remote_host"], $cmd);
            
                  exec($cmd);

            }

            if ($conf["global"]["wormswpoptext"]) {

                  // Do WormsWpopText
                  
                  while (list($key, $msgline)=each($conf["global"]["wormswpoptext"])) $msg.=$msgline."\n";
            
                  $msg=str_replace("$"."SERVERNAME", $conf[$vhost]["servername"][0], $msg);
                  $msg=str_replace("$"."SERVERADMIN", $conf[$vhost]["serveradmin"][0], $msg);

                  if ($p=@popen("wpop ".$GLOBALS["remote_ip"], "w")) {

                        fputs($p, $msg);
                        pclose($p);
                  
                  } else {

                        techo("mod_worms: unable to popen() wpop", NW_EL_WARNING);
                  
                  }

            }
            
            // Return 404 Not found
            
            $pri_err=404;
            return "";
      
      }

      function url(&$rq_err, &$out_contenttype, &$out_add_headers) {

            global $conf, $vhost;

            if (strpos($GLOBALS["http_uri"], "root.exe")!==false) $wormid="Nimda";
            else if ($GLOBALS["query_string"]{0}=="N") $wormid="CodeRed";
            else if ($GLOBALS["query_string"]{0}=="X") $wormid="CodeRed2";
            else $wormid="unknown";
            
            if ($bt=access_query("wormsblocktime", 0)) {
                  
                  // Block source IP address
                  
                  $bsrc="mod_worms.".$wormid;
                  
                  if (strtolower($bt)=="perm") {
                  
                        nw_block_ip_address($GLOBALS["remote_ip"], "PERM", $bsrc);

                  } else {

                        nw_block_ip_address($GLOBALS["remote_ip"], "TEMP", $bsrc, time()+$bt);

                  }

            }
            
            if ($conf["global"]["wormsrun"]) while (list($key, $cmd)=each($conf["global"]["wormsrun"])) if ($cmd) {
            
                  // Do WormsRun
                  
                  $cmd=str_replace("$"."REMOTE_IP", $GLOBALS["remote_ip"], $cmd);
                  $cmd=str_replace("$"."REMOTE_HOST", $GLOBALS["remote_host"], $cmd);
            
                  exec($cmd);

            }

            if ($conf["global"]["wormswpoptext"]) {

                  // Do WormsWpopText
                  
                  while (list($key, $msgline)=each($conf["global"]["wormswpoptext"])) $msg.=$msgline."\n";
            
                  $msg=str_replace("$"."SERVERNAME", $conf[$vhost]["servername"][0], $msg);
                  $msg=str_replace("$"."SERVERADMIN", $conf[$vhost]["serveradmin"][0], $msg);

                  if ($p=@popen("wpop ".$GLOBALS["remote_ip"], "w")) {

                        fputs($p, $msg);
                        pclose($p);
                  
                  } else {

                        techo("mod_worms: unable to popen() wpop", NW_EL_WARNING);
                  
                  }

            }
            
            // Return 404 Not found
            
            $rq_err=404;
            return("");
      
      }

}

?>

Generated by  Doxygen 1.6.0   Back to index