
Simple site indexing for protection

It was written about 2 years ago ...

What does a hacker do once he has found a bug in the site? Of course, he tries to get a web shell! Through whatever bug he has found, he tries to upload this ill-fated shell or add malicious code to one of the existing files. He hides the shell under an unobtrusive name such as config.php or something similar. Administrators often do not even notice this. So let's write code that informs the admin when a file has been changed (if the hacker has inserted malicious code into an existing file) or a new file has been added.
To tell whether anything in the site's structure has changed, you first need to record the current state. We store every folder and file in the database (along with the file size and the date of last modification). Let the table holding these values be called indexer; here is the SQL query that creates it:

create table indexer (
    object_id   int not null primary key,
    object_name varchar(100) not null,
    object_type varchar(100) not null,
    object_path varchar(255) not null,
    object_size varchar(50) null,        -- left empty for folders
    object_date varchar(50) not null
)

Explanations:
object_id - unique file / folder number
object_name - folder / file name
object_type - type (folder / file)
object_path - path to the folder / file
object_size - the size of the folder / file
object_date - the last modified date of the folder / file

Later we will read the directory again and check it against the values in the database!
Set up the following form (keep indexer.php itself reachable only by the admin, since it takes a directory name straight from the request):

<form action="indexer.php" method="POST">
    <!-- the directory to index or check; the scripts below read it as $_REQUEST["dir"] -->
    <input type="text" name="dir">
    <select name="do" size="2">
        <option value="update">Update values in database</option>
        <option value="check">Compare</option>
        <option value="unwrite">Check</option>
    </select>
    <input type="submit">
</form>

You can of course put all this in the database with your hands, but it is better to automate the process, especially if the project develops and is updated every day, then it is much more convenient to take this job on a simple script.
<?php
// $db is an open mysqli connection (mysqli_connect(...)) created elsewhere in indexer.php
if (isset($_REQUEST["do"]) && $_REQUEST["do"] == "update") {
    $delete_table = mysqli_query($db, "DELETE FROM indexer"); // delete the past values
                                                              // stored in the table

    $dir = $_REQUEST["dir"];        // name of the folder you want to index
    $chdir = realpath($dir);        // find out the real path to the folder
    $dir_open = opendir($chdir);    // open the directory

    $object_id = 0;
    while (($read_dir = readdir($dir_open)) !== false) { // read ...
        if ($read_dir == "." || $read_dir == "..") {     // if $read_dir is . or .. then skip ...
            continue;
        }
        $full = $chdir . "/" . $read_dir; // readdir() returns bare names, so build the full path

        $object_id++;                                                 // next record number
        $object_name = mysqli_real_escape_string($db, $read_dir);     // assign a name ...
        $object_type = is_dir($full) ? "directory" : "file";          // type ...
        $object_size = is_file($full) ? filesize($full) : "";         // size (empty for a folder) ...
        $object_date = date("d.m.y H:i:s", filemtime($full));         // modification date ...
        $object_path = mysqli_real_escape_string($db, str_replace("\\", "/", $full)); // and finally the path

        // one INSERT covers both files and folders; the column names match the table above
        $insert_table = mysqli_query($db, "INSERT INTO indexer (object_id, object_name, object_type, object_path, object_size, object_date) VALUES ('$object_id', '$object_name', '$object_type', '$object_path', '$object_size', '$object_date')");

        if ($insert_table) { // if everything is successful, we inform ...
            echo htmlspecialchars($read_dir) . " successfully added to the database!<br>\n";
        } else {             // or if unsuccessful :(
            echo "ERROR in " . htmlspecialchars($read_dir) . "<br>\n";
        }
    }
    closedir($dir_open);
}

So the database is filled; now we need to check whether our hacker has removed anything. By the way, I advise you to write a script that backs up the most important files; I think you can write that yourself, and if not, ping me on ICQ or send me an email!

elseif (isset($_REQUEST["do"]) && $_REQUEST["do"] == "check") {
    // select the objects that are folders
    $query_dir = mysqli_query($db, "SELECT * FROM indexer WHERE object_type = 'directory'");
    if ($query_dir) { // if the query is executed ...
        while ($read = mysqli_fetch_assoc($query_dir)) {
            if (!is_dir($read["object_path"])) { // if there is no such folder, it has been deleted!
                echo htmlspecialchars($read["object_name"]) . " does not exist!<br>\n";
                // send a letter to the unfortunate admin (ADMIN_ADDRESS and ALERT_SUBJECT are placeholders)
                mail("ADMIN_ADDRESS", "ALERT_SUBJECT", "Deleted directory: " . $read["object_path"]);
            }
        }
    }
    // select the objects that are files
    $query_file = mysqli_query($db, "SELECT * FROM indexer WHERE object_type = 'file'");
    if ($query_file) {
        while ($read = mysqli_fetch_assoc($query_file)) {
            if (!is_file($read["object_path"])) { // if there is no such file any more, it has been deleted!
                echo htmlspecialchars($read["object_name"]) . " does not exist!<br>\n";
                // send a letter to the unfortunate admin (ADMIN_ADDRESS and ALERT_SUBJECT are placeholders)
                mail("ADMIN_ADDRESS", "ALERT_SUBJECT", "Deleted file: " . $read["object_path"]);
            }
        }
    }
}

And now let's check whether the hacker has added something strange! This is done very simply: first we specify the name of the directory we want to check, then its entries are read into an array. After that, we select the objects from the database that are folders and loop over them; if we find a match, the folder exists and we assign 0 to the $error variable. After exiting the loop we check the value of $error: if it has not changed, the folder is not in the database! Do the same with the files. By the way, we forgot about checking the file size. This is also done very simply: after checking the file name, check the size:

$error_size = 1;
$size = filesize($chdir . "/" . $objects[$i]); // filesize(), not sizeof(): sizeof() counts array elements
if ($size == $db_object["object_size"]) {
    $error_size = 0;
}

Here is the complete verification code:

elseif (isset($_REQUEST["do"]) && $_REQUEST["do"] == "unwrite") {
    $dir = $_REQUEST["dir"];      // get the directory name
    $chdir = realpath($dir);      // find out the real path to it
    $dir_open = opendir($chdir);  // open ...

    $objects = array();
    while (($read_dir = readdir($dir_open)) !== false) {
        if ($read_dir == "." || $read_dir == "..") { // if . or .. skip it
            continue;
        }
        $objects[] = $read_dir; // write to array
    }
    closedir($dir_open);

    for ($i = 0; $i < count($objects); $i++) {
        $full = $chdir . "/" . $objects[$i]; // readdir() gave bare names; build the full path
        if (is_dir($full)) { // if the folder ...
            // select from DB only objects that are folders
            $query_object = mysqli_query($db, "SELECT * FROM indexer WHERE object_type = 'directory'");
            $error = 1;
            if ($query_object) {
                while ($db_object = mysqli_fetch_assoc($query_object)) {
                    if ($objects[$i] == $db_object["object_name"]) { // if there is such a directory ...
                        $error = 0; // reset the value
                        break;      // exit loop
                    }
                }
            }
            if ($error == 1) {
                echo "A directory was found which is not in the database - " . htmlspecialchars($objects[$i]) . "<br>\n";
            }
        }
        // the same actions, but only for files, plus the size check from above
        if (is_file($full)) {
            $query_object = mysqli_query($db, "SELECT * FROM indexer WHERE object_type = 'file'");
            $error = 1;
            $error_size = 0;
            if ($query_object) {
                while ($db_object = mysqli_fetch_assoc($query_object)) {
                    if ($objects[$i] == $db_object["object_name"]) {
                        $error = 0;
                        if (filesize($full) != $db_object["object_size"]) { // same name, different size
                            $error_size = 1;
                        }
                        break;
                    }
                }
            }
            if ($error == 1) {
                echo "A file was found that is not in the database - " . htmlspecialchars($objects[$i]) . "<br>\n";
            } elseif ($error_size == 1) {
                echo "The size of a file has changed - " . htmlspecialchars($objects[$i]) . "<br>\n";
            }
        }
    }
}
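The three steps above (update, check, unwrite) form one baseline-and-compare procedure. The following is an added example, not the article's PHP code: it carries the same procedure through in Python against an in-memory SQLite table named like the article's indexer, and adds a sha256 column on top of size and modification date, because an edit that keeps the file size and puts the timestamp back is invisible to the article's checks. The site tree it indexes and tampers with is constructed in a temporary directory; the file names (index.php, inc/config.php, inc/cfg.php) are assumptions for the scenario.

```python
"""Baseline-and-compare file integrity check (added example, not the article's
code). Mirrors the article's update / check / unwrite steps against an
in-memory SQLite table named `indexer`, with a sha256 column added."""
import hashlib
import os
import shutil
import sqlite3
import tempfile

SCHEMA = """CREATE TABLE indexer (
    object_id   INTEGER PRIMARY KEY,
    object_name TEXT NOT NULL,
    object_type TEXT NOT NULL,
    object_path TEXT NOT NULL UNIQUE,
    object_size INTEGER,
    object_date INTEGER,
    object_hash TEXT)"""


def sha256_of(path):
    """Content hash of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk(root):
    """Yield (path, type, size, mtime, hash) for every directory and file under
    root. Unlike the article's one-level readdir() loop this recurses."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = os.path.join(dirpath, name)
            yield p, "directory", None, int(os.stat(p).st_mtime), None
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            yield p, "file", st.st_size, int(st.st_mtime), sha256_of(p)


def update(db, root):
    """The article's 'update' step: wipe the table and re-index root."""
    db.execute("DELETE FROM indexer")
    db.executemany(
        "INSERT INTO indexer (object_name, object_type, object_path, object_size,"
        " object_date, object_hash) VALUES (?, ?, ?, ?, ?, ?)",
        [(os.path.basename(p), t, p, s, d, h) for p, t, s, d, h in walk(root)])
    db.commit()


def compare(db, root):
    """The article's 'check' (deleted objects) and 'unwrite' (added objects,
    changed size) steps in one pass, also comparing mtime and hash. Paths are
    reported relative to root with forward slashes, like the article's
    str_replace on the stored path."""
    baseline = {row[0]: tuple(row[1:]) for row in db.execute(
        "SELECT object_path, object_type, object_size, object_date, object_hash"
        " FROM indexer")}
    current = {p: (t, s, d, h) for p, t, s, d, h in walk(root)}

    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")

    return {
        "deleted": sorted(rel(p) for p in baseline if p not in current),
        "added": sorted(rel(p) for p in current if p not in baseline),
        "changed": sorted(rel(p) for p in current
                          if p in baseline and current[p] != baseline[p]),
    }


def run_scenario():
    """Constructed scenario: index a small site tree, then tamper with it the
    way the article describes (add a file, delete one, edit one in place)."""
    root = tempfile.mkdtemp()
    try:
        inc = os.path.join(root, "inc")
        os.mkdir(inc)
        index_php = os.path.join(root, "index.php")
        config_php = os.path.join(inc, "config.php")
        with open(index_php, "w") as f:
            f.write("<?php echo 'hello';\n")
        with open(config_php, "w") as f:
            f.write("<?php $db_pass = 'aaaa';\n")
        fixed = (1600000000, 1600000000)   # fixed mtimes so the result is deterministic
        os.utime(config_php, fixed)
        os.utime(inc, fixed)

        db = sqlite3.connect(":memory:")
        db.execute(SCHEMA)
        update(db, root)
        assert compare(db, root) == {"deleted": [], "added": [], "changed": []}

        # tamper: new file, deleted file, same-size edit with the mtime put back
        with open(os.path.join(inc, "cfg.php"), "w") as f:
            f.write("<?php // constructed new file\n")
        os.remove(index_php)
        with open(config_php, "w") as f:
            f.write("<?php $db_pass = 'bbbb';\n")   # same length as before
        os.utime(config_php, fixed)
        return compare(db, root)                     # only the hash exposes config.php
    finally:
        shutil.rmtree(root)
```

In the scenario the edited inc/config.php keeps its size and its modification date, so a size-only or mtime-only comparison reports nothing for it; the hash column is what flags it. The inc directory itself is also reported as changed, because adding an entry to a directory updates the directory's mtime; that is a useful signal on its own, since it points at where the new file appeared.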

You can also create a table into which those files and folders that are not in the database, or whose size has changed, are entered! Here is what this table might look like:
create table error_object (
    id          int not null primary key,
    object      varchar(100) not null,
    object_type varchar(100) null,
    object_size varchar(100) not null,
    object_date varchar(100) not null,
    object_path varchar(100) not null
)

Source: https://habr.com/ru/post/26510/
