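/**
 * Handle one reverse-proxy "exploit attempt" notification for the client named
 * in the X-Real-IP header.
 *
 * Reads HTTP_HOST and HTTP_X_REAL_IP from $_SERVER and `localport` from $_GET,
 * counts this client's hits for the current hour in `ngixattck_<YmdH>` and,
 * when the per-server `maxaccess` threshold (table nginx_exploits_fw, cached in
 * $_SESSION["nginx_exploits_fw"]) is exceeded, blocks the address through
 * iptables_chains::add_xchain() and records the block in nginx_exploits_fwev.
 * When `sendlogs` is set the hit itself is stored in the hourly table.
 *
 * Side effects: MySQL reads/writes, reverse DNS and GeoLoc() lookups, iptables
 * changes and a framework call. Returns nothing; errors go to Debuglogs().
 *
 * Every value that reaches SQL (Host header, client IP, PTR hostname, family
 * site, country) is attacker-influenced, so it is escaped at the SQL boundary
 * with mysql_escape_string2() - the helper this code already used for the
 * GeoLoc() result; it is assumed to escape for the active connection.
 */
function nginx_attack()
{
    $zDate = date('Y-m-d H:i:s');
    $servername = (string) ($_SERVER["HTTP_HOST"] ?? '');
    $HTTP_X_REAL_IP = (string) ($_SERVER["HTTP_X_REAL_IP"] ?? '');

    // Hits reported for the loopback address are never treated as an attack.
    if ($HTTP_X_REAL_IP == "127.0.0.1") {
        return;
    }
    // X-Real-IP is expected to come from the nginx front-end; this code cannot
    // verify that, so at least refuse anything that is not an IP address before
    // it is used in SQL, gethostbyaddr() and iptables.
    if (filter_var($HTTP_X_REAL_IP, FILTER_VALIDATE_IP) === false) {
        Debuglogs("Ignored: invalid X-Real-IP '{$HTTP_X_REAL_IP}' for {$servername}", __FUNCTION__, __LINE__);
        return;
    }

    $q = new mysql_squid_builder();
    $timekey = date('YmdH');
    $table = "ngixattck_{$timekey}"; // hourly hit table; name is date-derived, not user input
    $ipSql = mysql_escape_string2($HTTP_X_REAL_IP);
    $servernameSql = mysql_escape_string2($servername);

    if (!empty($GLOBALS["VERBOSE"])) {
        Debuglogs("{$servername} {$HTTP_X_REAL_IP} {$table}", __FUNCTION__, __LINE__);
    }

    // Ports to close for a blocked client: always 80/443, plus the port the
    // proxied site listens on when the caller passed a valid TCP port.
    $localport = (int) ($_GET["localport"] ?? 0);
    if ($localport < 1 || $localport > 65535) {
        $localport = 80;
    }
    $ports = [80, 443];
    if (!in_array($localport, $ports, true)) {
        $ports[] = $localport;
    }

    // Row keys: one per (second, server, client) for the hourly hit table and
    // one per (server, client) for the block table. Computed up front so both
    // the cached and the uncached settings path below have them.
    $md5 = md5("{$zDate}{$servername}{$HTTP_X_REAL_IP}");
    $md5L = md5("{$servername}{$HTTP_X_REAL_IP}");

    $hostname = null;
    $country = null;

    // Per-server settings, fetched once and cached in the session.
    // NOTE(review): this cache and the BLOCKED flag below live in the PHP
    // session, so they persist only as long as these requests share a session
    // cookie - confirm that matches the intended lifetime.
    if (!isset($_SESSION["nginx_exploits_fw"][$servername])) {
        $ligne = mysql_fetch_array($q->QUERY_SQL("SELECT maxaccess,sendlogs FROM nginx_exploits_fw WHERE servername='{$servernameSql}'"));
        $maxaccess = $ligne["maxaccess"] ?? null;
        $sendlogs = $ligne["sendlogs"] ?? null;
        if (!is_numeric($maxaccess)) {
            $maxaccess = 0;
        }
        $_SESSION["nginx_exploits_fw"][$servername]["maxaccess"] = $maxaccess;
        $_SESSION["nginx_exploits_fw"][$servername]["sendlogs"] = $sendlogs;
        Debuglogs("{$servername}, maxaccess={$maxaccess}, sendlogs={$sendlogs} table={$table}", __FUNCTION__, __LINE__);
    } else {
        $maxaccess = $_SESSION["nginx_exploits_fw"][$servername]["maxaccess"];
        $sendlogs = $_SESSION["nginx_exploits_fw"][$servername]["sendlogs"];
    }
    $maxaccess = (int) $maxaccess;

    if (!isset($_SESSION["nginx_exploits_fw"]["BLOCKED"]) && $maxaccess > 0) {
        // A threshold only works if hits are recorded, so force logging on.
        $sendlogs = 1;
        $ligne = mysql_fetch_array($q->QUERY_SQL("SELECT COUNT(keyr) as tcount FROM `{$table}` WHERE ipaddr='{$ipSql}' and `servername`='{$servernameSql}'"));
        if (!$q->ok) {
            Debuglogs("{$q->mysql_error}");
        }
        $Count = (int) ($ligne["tcount"] ?? 0);
        Debuglogs("Current {$Count} time(s)/{$maxaccess}", __FUNCTION__, __LINE__);
        $Count++; // include the hit being processed now

        // Skip clients that already have a block record for this server.
        $ligne = mysql_fetch_array($q->QUERY_SQL("SELECT `ipaddr` FROM `nginx_exploits_fwev` WHERE zmd5='{$md5L}'"));
        $knownIp = (string) ($ligne["ipaddr"] ?? '');
        Debuglogs("{$md5L} = `{$knownIp}", __FUNCTION__, __LINE__);

        if ($knownIp === '' && $Count > $maxaccess) {
            // The IP was validated above, so gethostbyaddr() returns a string
            // (the IP itself when no PTR record exists).
            $hostname = gethostbyaddr($HTTP_X_REAL_IP);
            Debuglogs("{$HTTP_X_REAL_IP} -> BAN !!! ( count {$Count} <-> {$maxaccess} )");
            $ipchain = new iptables_chains();
            $ipchain->servername = $hostname;
            $ipchain->serverip = $HTTP_X_REAL_IP;
            $ipchain->EventsToAdd = "Reverse Proxy 403 error";
            $ipchain->add_xchain($ports, "ArticaInstantNginx");
            $sock = new sockets();
            $sock->getFrameWork("cmd.php?iptables-nginx-compile=yes");
            $country = mysql_escape_string2(GeoLoc($HTTP_X_REAL_IP));
            // The PTR name is attacker-controlled DNS data: escape it like any other input.
            $hostnameSql = mysql_escape_string2($hostname);
            $sql = "INSERT IGNORE INTO nginx_exploits_fwev (`zmd5`,`servername`,`zDate`,`ipaddr`,`hostname`,`country`)\n\t\t\t\tVALUES('{$md5L}','{$servernameSql}','{$zDate}','{$ipSql}','{$hostnameSql}','{$country}');";
            Debuglogs($sql);
            $q->QUERY_SQL($sql);
            if (!$q->ok) {
                Debuglogs($q->mysql_error);
            } else {
                $_SESSION["nginx_exploits_fw"]["BLOCKED"] = true;
            }
        }
    }

    if ((int) $sendlogs === 1) {
        // Reuse the lookups done on the block path when available.
        if ($country === null || $country === '') {
            $country = mysql_escape_string2(GeoLoc($HTTP_X_REAL_IP));
        }
        if ($hostname === null || $hostname === '') {
            $hostname = gethostbyaddr($HTTP_X_REAL_IP);
        }
        $family = $q->GetFamilySites($hostname);
        $q->check_nginx_attacks_RT($timekey); // presumably prepares the hourly table - confirm
        $hostnameSql = mysql_escape_string2($hostname);
        $familySql = mysql_escape_string2($family);
        // keyr has one-second resolution, so repeated hits in the same second collapse via INSERT IGNORE.
        $sql = "INSERT IGNORE INTO {$table} (`keyr`,`servername`,`zDate`,`ipaddr`,`familysite`,`hostname`,`country`)\n\t\tVALUES('{$md5}','{$servernameSql}','{$zDate}','{$ipSql}','{$familySql}','{$hostnameSql}','{$country}');";
        Debuglogs("{$servername}: Attack from {$hostname} [{$HTTP_X_REAL_IP}] - {$country} ");
        $q->QUERY_SQL($sql);
        if (!$q->ok) {
            Debuglogs($q->mysql_error);
        }
    }
}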