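/**
 * Parse one access-log file and bulk-insert its lines into hourly MySQL tables.
 *
 * Every parsable line becomes a VALUES tuple grouped under the
 * "hour_YYYYMMDDHH" table derived from the request timestamp; the batches
 * are flushed through ParseArray() every 500 tuples and once more at the end.
 * The file is finally handed to mysql_storelogs::ROTATE_TOMYSQL().
 *
 * Log lines are untrusted input (URI, referer and User-Agent are chosen by the
 * remote client), so every captured field is passed through
 * mysql_escape_string2() before it is interpolated into SQL.
 *
 * @param string $servername logical server name, used in event messages and forwarded to ParseArray()
 * @param string $fullpath   absolute path of the log file to parse
 * @return void
 */
function ParseFile($servername, $fullpath)
{
    events("[{$servername}]: Parsing {$fullpath}", __FUNCTION__, __LINE__);
    $unix = new unix();
    $size = @filesize($fullpath);
    events("[{$servername}]: open {$fullpath} {$size} bytes", __FUNCTION__, __LINE__);
    $handle = @fopen($fullpath, "r");
    if (!$handle) {
        events("[{$servername}]: open {$fullpath} fatal, unable to open ", __FUNCTION__, __LINE__);
        return;
    }

    // Expected layout: host ident user [date] METHOD uri HTTP/x.y"status" size "referer" "user-agent" "extra"
    $pattern = '#(.*?)\\s+(.*?)\\s+(.*?)\\s+\\[(.*?)\\]\\s+([A-Z]+)\\s+(.*?)\\s+HTTP.*?\\/.*?"([0-9]+)"\\s+([0-9]+)\\s+"(.*?)"\\s+"(.*?)"\\s+"(.*?)"#';

    $batch = 0;       // tuples accumulated since the last ParseArray() flush
    $lineCount = 0;   // loop iterations, reported in the final event
    $started = time();
    $WORKARRAY = array();

    while (!feof($handle)) {
        $lineCount++;
        $raw = fgets($handle, 4096);
        if ($raw === false) {
            // Read hit EOF (or failed); feof() ends the loop on the next check.
            continue;
        }
        $line = trim($raw);
        if ($line === '') {
            continue;
        }
        if (!preg_match($pattern, $line, $re)) {
            events("[{$servername}]: {{$line}} unable to parse...", __FUNCTION__, __LINE__);
            continue;
        }

        // Escape every capture (including $re[0], the whole line) before any SQL use.
        foreach ($re as $idx => $field) {
            $re[$idx] = mysql_escape_string2($field);
        }

        $time = strtotime($re[4]);
        if ($time === false) {
            // Without a valid timestamp the row would land in a bogus hour_1970... table.
            events("[{$servername}]: {{$line}} unable to parse date...", __FUNCTION__, __LINE__);
            continue;
        }

        $batch++;
        $md5 = md5($re[0]);
        $ipaddr = $re[1];
        $proto = $re[5];
        $uri = $re[6];
        $code = $re[7];
        $respSize = $re[8];
        $UserAgent = $re[10];
        $Country = mysql_escape_string2(GeoLoc($ipaddr));
        $currDate = date("Y-m-d H:i:s");
        $linesql = "('{$md5}','{$currDate}','{$ipaddr}','{$proto}','{$uri}','{$code}','{$respSize}','{$UserAgent}','{$Country}')";
        $table = "hour_" . date("YmdH", $time);
        $WORKARRAY[$table][] = $linesql;

        if ($batch > 500) {
            if (!ParseArray($servername, $WORKARRAY)) {
                fclose($handle);
                return;
            }
            $WORKARRAY = array();
            $batch = 0;
        }
    }
    fclose($handle);

    if (count($WORKARRAY) > 0) {
        if (!ParseArray($servername, $WORKARRAY)) {
            return;
        }
    }

    $timeTOScan = $unix->distanceOfTimeInWords($started, time(), true);
    events("[{$servername}]: {$fullpath} {$timeTOScan} {$lineCount} lines", __FUNCTION__, __LINE__);

    if ($lineCount == 0) {
        // Nothing was read: drop the file. There is nothing left to rotate, and
        // filemtime() below would fail on the unlinked path.
        @unlink($fullpath);
        return;
    }

    $sys = new mysql_storelogs();
    $filedate = date('Y-m-d H:i:s', filemtime($fullpath));
    $sys->ROTATE_TOMYSQL($fullpath, $filedate);
}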
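/**
 * Record (and, past a per-server threshold, firewall) a reverse-proxy attack
 * event reported by nginx.
 *
 * Runs in a web context. The offending client is taken from the X-Real-IP
 * header set by the proxy and the targeted site from HTTP_HOST. Per-server
 * settings (maxaccess, sendlogs) are read once from nginx_exploits_fw and
 * cached in $_SESSION. When the event count for this IP in the current hourly
 * table exceeds maxaccess, the IP is added to the "ArticaInstantNginx"
 * iptables chain and remembered in nginx_exploits_fwev. When sendlogs is on,
 * the event is inserted into ngixattck_YYYYMMDDHH.
 *
 * Host header, X-Real-IP, the reverse-DNS name and the localport parameter are
 * all request-derived and therefore untrusted: they are validated or escaped
 * with mysql_escape_string2() before reaching SQL or the firewall helper.
 *
 * @return void
 */
function nginx_attack()
{
    $zDate = date('Y-m-d H:i:s');
    $HTTP_HOST = isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : "";
    $servername = $HTTP_HOST;
    $HTTP_X_REAL_IP = isset($_SERVER["HTTP_X_REAL_IP"]) ? $_SERVER["HTTP_X_REAL_IP"] : "";
    if ($HTTP_X_REAL_IP == "127.0.0.1") {
        return;
    }
    // X-Real-IP is still an HTTP header: only an IP literal may reach SQL and iptables.
    if (filter_var($HTTP_X_REAL_IP, FILTER_VALIDATE_IP) === false) {
        Debuglogs("Invalid or missing HTTP_X_REAL_IP, aborting", __FUNCTION__, __LINE__);
        return;
    }
    $servernameSql = mysql_escape_string2($servername);

    $q = new mysql_squid_builder();
    $timekey = date('YmdH');
    $table = "ngixattck_{$timekey}";

    // Only a plain TCP port number may be handed to the iptables helper
    // (is_numeric() would also accept "1e3", " 80" or "80.5").
    $localport = isset($_GET["localport"]) ? $_GET["localport"] : "";
    if (!ctype_digit((string)$localport) || (int)$localport < 1 || (int)$localport > 65535) {
        $localport = 80;
    }
    $localport = (int)$localport;

    if (isset($GLOBALS["VERBOSE"]) && $GLOBALS["VERBOSE"]) {
        Debuglogs("{$HTTP_HOST} {$HTTP_X_REAL_IP} {$table}", __FUNCTION__, __LINE__);
    }

    $ports = array(80, 443);
    if ($localport != 80 && $localport != 443) {
        $ports[] = $localport;
    }

    $hostname = null;
    $country = null;

    // Computed on every call: previously these were only set on the first request of a
    // session, so later requests queried zmd5='' and inserted an empty keyr.
    $md5 = md5("{$zDate}{$servername}{$HTTP_X_REAL_IP}");   // per-event key (keyr)
    $md5L = md5("{$servername}{$HTTP_X_REAL_IP}");          // per-(server, ip) ban key (zmd5)

    if (!isset($_SESSION["nginx_exploits_fw"][$servername])) {
        $ligne = mysql_fetch_array($q->QUERY_SQL("SELECT maxaccess,sendlogs FROM nginx_exploits_fw WHERE servername='{$servernameSql}'"));
        $maxaccess = isset($ligne["maxaccess"]) ? $ligne["maxaccess"] : 0;
        $sendlogs = isset($ligne["sendlogs"]) ? $ligne["sendlogs"] : null;
        if (!is_numeric($maxaccess)) {
            $maxaccess = 0;
        }
        $_SESSION["nginx_exploits_fw"][$servername]["maxaccess"] = $maxaccess;
        $_SESSION["nginx_exploits_fw"][$servername]["sendlogs"] = $sendlogs;
        Debuglogs("{$servername}, maxaccess={$maxaccess}, sendlogs={$sendlogs} table={$table}", __FUNCTION__, __LINE__);
    } else {
        $maxaccess = $_SESSION["nginx_exploits_fw"][$servername]["maxaccess"];
        $sendlogs = $_SESSION["nginx_exploits_fw"][$servername]["sendlogs"];
    }

    if (!isset($_SESSION["nginx_exploits_fw"]["BLOCKED"])) {
        if ($maxaccess > 0) {
            $sendlogs = 1;
            $ligne = mysql_fetch_array($q->QUERY_SQL("SELECT COUNT(keyr) as tcount FROM `{$table}` WHERE ipaddr='{$HTTP_X_REAL_IP}' and `servername`='{$servernameSql}'"));
            if (!$q->ok) {
                Debuglogs("{$q->mysql_error}");
            }
            $Count = isset($ligne["tcount"]) ? (int)$ligne["tcount"] : 0;
            Debuglogs("Current {$Count} time(s)/{$maxaccess}", __FUNCTION__, __LINE__);
            $Count++;

            $ligne = mysql_fetch_array($q->QUERY_SQL("SELECT `ipaddr` FROM `nginx_exploits_fwev` WHERE zmd5='{$md5L}'"));
            $alreadyBanned = isset($ligne["ipaddr"]) ? $ligne["ipaddr"] : null;
            Debuglogs("{$md5L} = `{$alreadyBanned}", __FUNCTION__, __LINE__);

            if (($alreadyBanned === null || $alreadyBanned === '') && $Count > $maxaccess) {
                // Reverse DNS is attacker-influenced (PTR record): keep the raw value for
                // display/lookups and an escaped copy for SQL.
                $hostname = gethostbyaddr($HTTP_X_REAL_IP);
                $hostnameSql = mysql_escape_string2($hostname);
                Debuglogs("{$HTTP_X_REAL_IP} -> BAN !!! ( count {$Count} <-> {$maxaccess} )");
                $ipchain = new iptables_chains();
                $ipchain->servername = $hostname;
                $ipchain->serverip = $HTTP_X_REAL_IP;
                $ipchain->EventsToAdd = "Reverse Proxy 403 error";
                $ipchain->add_xchain($ports, "ArticaInstantNginx");
                $sock = new sockets();
                $sock->getFrameWork("cmd.php?iptables-nginx-compile=yes");
                $country = mysql_escape_string2(GeoLoc($HTTP_X_REAL_IP));
                $sql = "INSERT IGNORE INTO nginx_exploits_fwev (`zmd5`,`servername`,`zDate`,`ipaddr`,`hostname`,`country`)\n\t\t\t\tVALUES('{$md5L}','{$servernameSql}','{$zDate}','{$HTTP_X_REAL_IP}','{$hostnameSql}','{$country}');";
                Debuglogs($sql);
                $q->QUERY_SQL($sql);
                if (!$q->ok) {
                    Debuglogs($q->mysql_error);
                }
                if ($q->ok) {
                    $_SESSION["nginx_exploits_fw"]["BLOCKED"] = true;
                }
            }
        }
    }

    if ((int)$sendlogs === 1) {
        if ($country === null) {
            $country = mysql_escape_string2(GeoLoc($HTTP_X_REAL_IP));
        }
        if ($hostname === null) {
            $hostname = gethostbyaddr($HTTP_X_REAL_IP);
        }
        $hostnameSql = mysql_escape_string2($hostname);
        $family = $q->GetFamilySites($hostname);
        $familySql = mysql_escape_string2($family);
        $q->check_nginx_attacks_RT($timekey);
        $sql = "INSERT IGNORE INTO {$table} (`keyr`,`servername`,`zDate`,`ipaddr`,`familysite`,`hostname`,`country`)\n\t\tVALUES('{$md5}','{$servernameSql}','{$zDate}','{$HTTP_X_REAL_IP}','{$familySql}','{$hostnameSql}','{$country}');";
        Debuglogs("{$servername}: Attack from {$hostname} [{$HTTP_X_REAL_IP}] - {$country} ");
        $q->QUERY_SQL($sql);
        if (!$q->ok) {
            Debuglogs($q->mysql_error);
        }
    }
}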