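/**
 * Parse one access-log file and bulk-stage its rows into hourly MySQL tables.
 *
 * Every line is matched against a combined-log style pattern. Each captured
 * group is escaped with mysql_escape_string2() before it is interpolated into
 * a SQL VALUES tuple, because the URI, referer and User-Agent fields are
 * supplied by the remote client. Tuples are grouped by target table
 * "hour_<YmdH>" (derived from the request's own timestamp), flushed through
 * ParseArray() every 500 rows and once more at the end, after which the file
 * is handed to mysql_storelogs::ROTATE_TOMYSQL().
 *
 * @param string $servername label prefixed to every events() message
 * @param string $fullpath   path of the log file to read
 * @return void              returns early (after logging) when the file cannot
 *                           be opened or when a ParseArray() flush reports failure
 */
function ParseFile($servername, $fullpath)
{
    events("[{$servername}]: Parsing {$fullpath}", __FUNCTION__, __LINE__);
    $unix = new unix();
    $size = @filesize($fullpath);
    events("[{$servername}]: open {$fullpath} {$size} bytes", __FUNCTION__, __LINE__);
    $handle = @fopen($fullpath, "r");
    if (!$handle) {
        events("[{$servername}]: open {$fullpath} fatal, unable to open ", __FUNCTION__, __LINE__);
        return;
    }
    // Captures used below: [0] whole line (seeds the row key), [1] client
    // address, [4] bracketed timestamp, [5]..[8] proto/uri/code/size as the
    // row columns are named here, [10] user agent.
    $pattern = '#(.*?)\\s+(.*?)\\s+(.*?)\\s+\\[(.*?)\\]\\s+([A-Z]+)\\s+(.*?)\\s+HTTP.*?\\/.*?"([0-9]+)"\\s+([0-9]+)\\s+"(.*?)"\\s+"(.*?)"\\s+"(.*?)"#';
    $staged = 0;        // rows added since the last ParseArray() flush
    $d = 0;             // read attempts, reported at the end
    $t = time();
    $WORKARRAY = array();
    while (!feof($handle)) {
        $d++;
        $raw = fgets($handle, 4096);
        if ($raw === false) {
            // EOF or read error; on a persistent error the old loop would spin forever.
            break;
        }
        $line = trim($raw);
        // Strict compare: a line containing just "0" is a real (unparseable) line, not a blank.
        if ($line === '') {
            continue;
        }
        if (!preg_match($pattern, $line, $re)) {
            events("[{$servername}]: {{$line}} unable to parse...", __FUNCTION__, __LINE__);
            continue;
        }
        // each() was removed in PHP 8; escape every capture in place the same way.
        foreach ($re as $idx => $captured) {
            $re[$idx] = mysql_escape_string2($captured);
        }
        $time = strtotime($re[4]);
        if ($time === false) {
            // date() on false would silently file the row under hour_1970010100.
            events("[{$servername}]: {{$line}} unable to parse date {$re[4]}...", __FUNCTION__, __LINE__);
            continue;
        }
        $staged++;
        $md5 = md5($re[0]);
        $ipaddr = $re[1];
        $proto = $re[5];
        $uri = $re[6];
        $code = $re[7];
        $respSize = $re[8];
        $UserAgent = $re[10];
        $Country = mysql_escape_string2(GeoLoc($ipaddr));
        $currDate = date("Y-m-d H:i:s");
        $linesql = "('{$md5}','{$currDate}','{$ipaddr}','{$proto}','{$uri}','{$code}','{$respSize}','{$UserAgent}','{$Country}')";
        $table = "hour_" . date("YmdH", $time);
        $WORKARRAY[$table][] = $linesql;
        if ($staged > 500) {
            if (!ParseArray($servername, $WORKARRAY)) {
                fclose($handle);
                return;
            }
            $WORKARRAY = array();
            $staged = 0;
        }
    }
    fclose($handle);
    if (count($WORKARRAY) > 0 && !ParseArray($servername, $WORKARRAY)) {
        return;
    }
    $timeTOScan = $unix->distanceOfTimeInWords($t, time(), true);
    events("[{$servername}]: {$fullpath} {$timeTOScan} {$d} lines", __FUNCTION__, __LINE__);
    if ($d === 0) {
        @unlink($fullpath);
    }
    $sys = new mysql_storelogs();
    $filedate = date('Y-m-d H:i:s', filemtime($fullpath));
    $sys->ROTATE_TOMYSQL($fullpath, $filedate);
}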
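/**
 * Hook invoked by the reverse proxy on a 403: count the caller, firewall it
 * once the per-server threshold is exceeded, and optionally log the hit.
 *
 * Inputs are the X-Real-IP and Host headers and ?localport=. The per-server
 * `maxaccess`/`sendlogs` settings from nginx_exploits_fw are cached in the
 * session. While the session is not flagged BLOCKED and maxaccess > 0, the
 * hits already recorded for the address in the hourly ngixattck_<YmdH> table
 * are counted; past maxaccess, and if nginx_exploits_fwev holds no row for the
 * (server, ip) pair yet, the address is added to the "ArticaInstantNginx"
 * iptables chain, the firewall is recompiled and the ban is stored. When
 * sendlogs is 1 the hit itself is inserted into the hourly table.
 *
 * Host, X-Real-IP, the reverse-DNS name and the family-site lookup are all
 * interpolated into SQL, so each is validated or escaped before use.
 *
 * @return void
 */
function nginx_attack()
{
    $zDate = date('Y-m-d H:i:s');
    $HTTP_HOST = isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : '';
    $servername = $HTTP_HOST;
    $HTTP_X_REAL_IP = isset($_SERVER["HTTP_X_REAL_IP"]) ? $_SERVER["HTTP_X_REAL_IP"] : '';
    if ($HTTP_X_REAL_IP === "127.0.0.1") {
        return;
    }
    // The address is passed to gethostbyaddr(), SQL and an iptables chain:
    // refuse anything that is not syntactically an IP address.
    if (filter_var($HTTP_X_REAL_IP, FILTER_VALIDATE_IP) === false) {
        Debuglogs("{$HTTP_HOST}: X-Real-IP `{$HTTP_X_REAL_IP}` is not an IP address, ignoring", __FUNCTION__, __LINE__);
        return;
    }
    $q = new mysql_squid_builder();
    $timekey = date('YmdH');
    $table = "ngixattck_{$timekey}";
    // Host header and the address are interpolated into SQL strings below.
    $servernameSql = mysql_escape_string2($servername);
    $ipSql = mysql_escape_string2($HTTP_X_REAL_IP);
    // $md5 keys this hit, $md5L keys the (server, ip) pair. Both are needed on
    // every request, not only when the session cache is cold.
    $md5 = md5("{$zDate}{$servername}{$HTTP_X_REAL_IP}");
    $md5L = md5("{$servername}{$HTTP_X_REAL_IP}");
    $localport = isset($_GET["localport"]) ? $_GET["localport"] : 80;
    if ($GLOBALS["VERBOSE"]) {
        Debuglogs("{$HTTP_HOST} {$HTTP_X_REAL_IP} {$table}", __FUNCTION__, __LINE__);
    }
    // is_numeric() also accepts "1e3", " 80" and floats; require a plain TCP port number.
    if (!ctype_digit((string)$localport) || (int)$localport < 1 || (int)$localport > 65535) {
        $localport = 80;
    }
    $localport = (int)$localport;
    $ports = array(80, 443);
    if ($localport !== 80 && $localport !== 443) {
        $ports[] = $localport;
    }
    $hostname = null;
    $country = null;
    if (!isset($_SESSION["nginx_exploits_fw"][$servername])) {
        $ligne = mysql_fetch_array($q->QUERY_SQL("SELECT maxaccess,sendlogs FROM nginx_exploits_fw WHERE servername='{$servernameSql}'"));
        // mysql_fetch_array() returns false when there is no row for this host.
        $maxaccess = isset($ligne["maxaccess"]) ? $ligne["maxaccess"] : 0;
        $sendlogs = isset($ligne["sendlogs"]) ? $ligne["sendlogs"] : null;
        if (!is_numeric($maxaccess)) {
            $maxaccess = 0;
        }
        $maxaccess = (int)$maxaccess;
        $_SESSION["nginx_exploits_fw"][$servername]["maxaccess"] = $maxaccess;
        $_SESSION["nginx_exploits_fw"][$servername]["sendlogs"] = $sendlogs;
        Debuglogs("{$servername}, maxaccess={$maxaccess}, sendlogs={$sendlogs} table={$table}", __FUNCTION__, __LINE__);
    } else {
        $maxaccess = $_SESSION["nginx_exploits_fw"][$servername]["maxaccess"];
        $sendlogs = $_SESSION["nginx_exploits_fw"][$servername]["sendlogs"];
    }
    if (!isset($_SESSION["nginx_exploits_fw"]["BLOCKED"]) && $maxaccess > 0) {
        $sendlogs = 1;
        $ligne = mysql_fetch_array($q->QUERY_SQL("SELECT COUNT(keyr) as tcount FROM `{$table}` WHERE ipaddr='{$ipSql}' and `servername`='{$servernameSql}'"));
        if (!$q->ok) {
            Debuglogs("{$q->mysql_error}");
        }
        $Count = isset($ligne["tcount"]) ? (int)$ligne["tcount"] : 0;
        Debuglogs("Current {$Count} time(s)/{$maxaccess}", __FUNCTION__, __LINE__);
        $Count++;
        $ligne = mysql_fetch_array($q->QUERY_SQL("SELECT `ipaddr` FROM `nginx_exploits_fwev` WHERE zmd5='{$md5L}'"));
        $alreadyBanned = isset($ligne["ipaddr"]) && $ligne["ipaddr"] !== '';
        $bannedIp = $alreadyBanned ? $ligne["ipaddr"] : '';
        Debuglogs("{$md5L} = `{$bannedIp}", __FUNCTION__, __LINE__);
        if (!$alreadyBanned && $Count > $maxaccess) {
            $hostname = gethostbyaddr($HTTP_X_REAL_IP);
            Debuglogs("{$HTTP_X_REAL_IP} -> BAN !!! ( count {$Count} <-> {$maxaccess} )");
            $ipchain = new iptables_chains();
            $ipchain->servername = $hostname;
            $ipchain->serverip = $HTTP_X_REAL_IP;
            $ipchain->EventsToAdd = "Reverse Proxy 403 error";
            $ipchain->add_xchain($ports, "ArticaInstantNginx");
            $sock = new sockets();
            $sock->getFrameWork("cmd.php?iptables-nginx-compile=yes");
            $country = mysql_escape_string2(GeoLoc($HTTP_X_REAL_IP));
            // The reverse-DNS name comes from the remote side's PTR record: escape it too.
            $hostnameSql = mysql_escape_string2($hostname);
            $sql = "INSERT IGNORE INTO nginx_exploits_fwev (`zmd5`,`servername`,`zDate`,`ipaddr`,`hostname`,`country`)\n\t\t\t\tVALUES('{$md5L}','{$servernameSql}','{$zDate}','{$ipSql}','{$hostnameSql}','{$country}');";
            Debuglogs($sql);
            $q->QUERY_SQL($sql);
            if (!$q->ok) {
                Debuglogs($q->mysql_error);
            } else {
                // Only a confirmed insert marks this session as handled.
                $_SESSION["nginx_exploits_fw"]["BLOCKED"] = true;
            }
        }
    }
    if ((int)$sendlogs === 1) {
        if ($country === null || $country === '') {
            $country = mysql_escape_string2(GeoLoc($HTTP_X_REAL_IP));
        }
        if ($hostname === null || $hostname === false) {
            $hostname = gethostbyaddr($HTTP_X_REAL_IP);
        }
        $family = $q->GetFamilySites($hostname);
        $q->check_nginx_attacks_RT($timekey);
        $hostnameSql = mysql_escape_string2($hostname);
        $familySql = mysql_escape_string2($family);
        $sql = "INSERT IGNORE INTO {$table} (`keyr`,`servername`,`zDate`,`ipaddr`,`familysite`,`hostname`,`country`)\n\t\tVALUES('{$md5}','{$servernameSql}','{$zDate}','{$ipSql}','{$familySql}','{$hostnameSql}','{$country}');";
        Debuglogs("{$servername}: Attack from {$hostname} [{$HTTP_X_REAL_IP}] - {$country} ");
        $q->QUERY_SQL($sql);
        if (!$q->ok) {
            Debuglogs($q->mysql_error);
        }
    }
}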