<?php
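class class_SECUR
{
    /** Request URI of the current request; appended to the ban record on a hit. */
    private $RE = '';
    /** Client address of the current request as reported by the web server (REMOTE_ADDR). */
    private $IP = '';

    /** Document root that every scan/find command below is restricted to. */
    const WEBROOT = '/home/admin/web/eios.mkgtu.ru/public_html/';
    /** Access log searched by syssys_get_logs_acc() and syssys_get_logs_IP(). */
    const ACCESS_LOG = '/home/admin/web/eios.mkgtu.ru/logs/eios.mkgtu.ru.log';
    /** Operator address that bypasses the request filters in the constructor. */
    const TRUSTED_IP = '37.29.121.162';
    /**
     * Directory holding one JSON record per flagged address.
     * NOTE(review): relative to the process cwd, so it only works when the
     * front controller runs from the web root — confirm, or make it absolute.
     */
    const BAN_DIR = 'tmp/ban/';

    /**
     * Request filter: inspects the incoming request (client address, User-Agent,
     * request URI) and terminates the script when it looks like a scanner.
     *
     * Only REMOTE_ADDR is used as the client address. X-Forwarded-For is
     * deliberately ignored because any client can set it, which would let an
     * attacker pick whose ban record gets written or impersonate TRUSTED_IP.
     */
    public function __construct()
    {
        $this->RE = isset($_SERVER['REQUEST_URI']) ? (string)$_SERVER['REQUEST_URI'] : '';
        $this->IP = isset($_SERVER['REMOTE_ADDR']) ? (string)$_SERVER['REMOTE_ADDR'] : '';
        $ua = isset($_SERVER['HTTP_USER_AGENT']) ? (string)$_SERVER['HTTP_USER_AGENT'] : '';
        // The operator's own address is never throttled, filtered or banned.
        if ($this->IP !== self::TRUSTED_IP) {
            $this->check_ban($this->IP);
            $this->check_ua($ua);
            $this->check_url($this->RE);
        }
    }

    /**
     * Path of the ban record for $ip, or null when $ip is not a syntactically
     * valid IPv4/IPv6 address. The validation keeps a malformed or proxy-injected
     * address from steering the file name outside BAN_DIR.
     *
     * @param string $ip
     * @return string|null
     */
    private function ban_file($ip)
    {
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return null;
        }
        return self::BAN_DIR . $ip . '.json';
    }

    /**
     * Throttles or blocks an address that was flagged before.
     *
     * More than three recorded hits: the request is refused outright.
     * Fewer hits: a one-second tarpit, then the request proceeds normally.
     *
     * @param string $ip client address
     * @return void terminates the script via die() when the address is blocked
     */
    public function check_ban($ip)
    {
        $file = $this->ban_file($ip);
        if ($file === null || !file_exists($file)) {
            return;
        }
        $json = json_decode((string)file_get_contents($file), true);
        // A corrupt or unreadable record counts as zero hits rather than a fatal error.
        $kol = (is_array($json) && isset($json['kol'])) ? (int)$json['kol'] : 0;
        if ($kol > 3) {
            die('ошибка сервера 2');
        }
        sleep(1);
    }

    /**
     * Records the current request against the client address and terminates
     * the script. The record keeps the last hit time, the hit counter used by
     * check_ban() and every offending request URI.
     *
     * @return void always ends with die()
     */
    public function ban()
    {
        $file = $this->ban_file($this->IP);
        if ($file !== null) {
            $json = array();
            if (file_exists($file)) {
                $json = json_decode((string)file_get_contents($file), true);
                if (!is_array($json)) {
                    $json = array();
                }
            }
            if (!isset($json['url']) || !is_array($json['url'])) {
                $json['url'] = array();
            }
            $json['time'] = time();
            $json['kol'] = isset($json['kol']) ? (int)$json['kol'] + 1 : 1;
            $json['url'][] = $this->RE;
            // LOCK_EX: concurrent probes from the same address must not interleave writes.
            file_put_contents($file, json_encode($json), LOCK_EX);
        }
        die('ошибка сервера 1');
    }

    /**
     * Bans the client when the request URI contains any entry of slovar().
     *
     * This is a plain, case-sensitive substring test: alternative encodings
     * (e.g. "%2e%2e/" instead of "../") are not caught, so treat the list as a
     * cheap first filter, not as a WAF.
     *
     * @param string $url request URI
     * @return void
     */
    public function check_url($url)
    {
        foreach ($this->slovar() as $needle) {
            if (strpos($url, $needle) !== false) {
                $this->ban();
            }
        }
    }

    /**
     * Bans the client when its User-Agent looks like a known scanner.
     * Currently the only marker is the substring "Kali".
     *
     * @param string $ua User-Agent header
     * @return void
     */
    public function check_ua($ua)
    {
        if (strpos($ua, 'Kali') !== false) {
            $this->ban();
        }
    }

    /**
     * Substrings that never occur in legitimate URIs of this application
     * (path traversal, foreign CMS paths, well-known exploit endpoints).
     *
     * @return array list of substrings checked by check_url()
     */
    public function slovar()
    {
        $out = array();
        $out[] = '../';
        $out[] = '..%2F';
        $out[] = '/etc';
        $out[] = '/passwd';
        //$out[] = '/admin';
        $out[] = 'option=com';
        $out[] = 'wp-config';
        $out[] = 'wp-content';
        $out[] = 'localPath';
        $out[] = '.jsp';
        $out[] = '/pwn';
        $out[] = 'functionRouter';
        $out[] = '/cgi-bin';
        $out[] = 'instancemanager';
        $out[] = '+CSCOU+';
        $out[] = '/scripts/setup';
        $out[] = '/ecp';
        $out[] = 'adminer';
        return $out;
    }

    /**
     * HTML-escapes a value for insertion into element content or a quoted
     * attribute. Used for every log field and file name shown on the admin
     * pages, all of which originate from untrusted clients.
     *
     * @param mixed $s
     * @return string
     */
    public function syssys_esc($s)
    {
        return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /**
     * Document head, styles, the jQuery glue for the collapsible tables and the
     * per-IP log popup, and the navigation links of the /syssys/ pages.
     *
     * @return string HTML
     */
    public function syssys_html_head()
    {
        $out = '<!DOCTYPE html>
<!--[if IE 8]> <html lang="ru" class="ie8"> <![endif]-->
<!--[if IE 9]> <html lang="ru" class="ie9"> <![endif]-->
<!--[if !IE]><!--> <html lang="ru"> <!--<![endif]-->
<head>
<meta charset="utf-8" />
<title>Логи</title>
<meta content="width=device-width, initial-scale=1.0" name="viewport" />
<meta content="" name="description" />
<meta content="" name="author" />
<link href="/tpl/assets/bootstrap/css/bootstrap.min.css" rel="stylesheet" />
<link href="/tpl/assets/bootstrap/css/bootstrap-responsive.min.css" rel="stylesheet" />
<link href="/tpl/assets/font-awesome/css/font-awesome.css" rel="stylesheet" />
<link href="/tpl/css/style-responsive.css" rel="stylesheet" />
<link href="/tpl/css/style-default.css" rel="stylesheet" id="style_color" />
<script src="/tpl/js/jquery-1.8.3.min.js"></script>
</head>';
        $out .= '<style>
.collapse, .collapse_trmain{cursor:pointer;}
.collapse_table, .collapse_tr{display: none;}
.show_log_html{
overflow: auto;
width: 100%;
height:380px;
background-color: #fff;
}
.show_log{
position: fixed;
top: 0px;
left:0px;
right:0px;
height:400px;
display:none;
background-color: #fff;
z-index: 100;
}
.table{
border: 1px solid #eee;
table-layout: fixed;
width: 100%;
margin-bottom: 20px;
}
.table th {
font-weight: bold;
padding: 5px;
background: #efefef;
border: 1px solid #dddddd;
}
.table td{
padding: 5px 10px;
border: 1px solid #eee;
text-align: left;
}
.table tbody tr:nth-child(odd){
background: #fff;
}
.table tbody tr:nth-child(even){
background: #F7F7F7;
}
</style>';
        // "dataType" (not "datatype") is the jQuery option name; the IP is URL-encoded
        // so the POST body cannot be broken by the attribute value.
        $out .= '<script>$(document).ready(function(){
$(".collapse").click(function(){
let id = $(this).data("id");
$("#ct_"+id).toggle();
return false;
});
$(".collapse_trmain").click(function(){
let id = $(this).data("id");
$("."+id).toggle();
return false;
});
$(".show_log_close").click(function(){
$(".show_log").hide();
return false;
})
$(".log_ip").click(function(){
$(".show_log_html").html("получаем");
let ip = $(this).data("ip");
$.ajax({
url: "/syssys/", cache: false, dataType: "json", type: "POST",
data: "ajdesSYS=showip&ip=" + encodeURIComponent(ip),
success: function (data) {
$(".show_log_html").html(data.html);
$(".show_log").show();
}
});
return false;
});
});</script>';
        $out .= '<a href="/syssys/">Измененные файлы за 12 часов</a> | <a href="/syssys/checkvirus/">Вирусные вставки</a>';
        return $out;
    }

    /**
     * Returns the lines of $file matching any pattern in $finds, as an
     * HTML-escaped scrollable <div>.
     *
     * Both the pattern and the file name are passed through escapeshellarg():
     * the file name comes from a recursive grep over the web root, so it may be
     * attacker-chosen (an uploaded file named to contain shell metacharacters
     * would otherwise be executed when an administrator opens this page).
     * Patterns are grep basic regular expressions, like in the scan commands.
     * This class's own file is skipped because it contains the signatures itself.
     *
     * @param string $file  absolute path as printed by grep -l
     * @param array  $finds grep BRE patterns to show
     * @return string HTML fragment, or '' for the excluded file
     */
    public function syssys_getcontentfile($file, $finds)
    {
        $rel = str_replace(self::WEBROOT, '', $file);
        if ($file == 'inc/class_SECUR.php' || $rel == 'inc/class_SECUR.php') {
            return '';
        }
        $lines = array();
        foreach ($finds as $find) {
            // Fresh $output per pattern: exec() appends, which previously duplicated
            // the hits of earlier patterns on every iteration.
            $output = array();
            exec('grep -e ' . escapeshellarg($find) . ' ' . escapeshellarg($file), $output);
            $lines = array_merge($lines, $output);
        }
        $html = '<div style="overflow: auto;width:100%;height:120px;">';
        foreach ($lines as $line) {
            $html .= $this->syssys_esc($line) . '<br>';
        }
        return $html . '</div>';
    }

    /**
     * Admin-only system page (/syssys/). Dispatches on $_GET['des']:
     *   ''           - files changed in the last 12 hours, with access-log rows per PHP file
     *   'checkvirus' - grep-based signature scan of the web root
     * A POST carrying ajdesSYS=showip is the JSON endpoint behind the IP links.
     * Always terminates the script.
     *
     * Access requires $_SESSION['user']['status'] == 99; anything else exits
     * silently.
     *
     * @return void
     */
    public function syssys()
    {
        if (!isset($_SESSION['user']['status']) || (int)$_SESSION['user']['status'] !== 99) {
            exit();
        }
        $des = isset($_GET['des']) ? (string)$_GET['des'] : '';

        // The JSON endpoint must answer before any HTML is emitted: it sets a
        // Content-Type header and the client parses the whole body as JSON.
        if ($des === '' && isset($_POST['ajdesSYS'])) {
            $this->syssys_ajax();
            exit();
        }
        if ($des === 'checkvirus') {
            $this->syssys_checkvirus();
        } elseif ($des === '') {
            $this->syssys_changed_files();
        }
        exit();
    }

    /**
     * JSON endpoint for the IP links on the changed-files page.
     * Expects POST ajdesSYS=showip&ip=<address>; answers {"html": "<table>…"}.
     *
     * The address is validated before it reaches the shell. The request must
     * also carry the X-Requested-With header that jQuery adds to same-origin
     * XHR and that a cross-site form post cannot supply, which blocks the
     * simplest CSRF against this exec()-backed endpoint.
     * NOTE(review): that header check is a stopgap; a per-session CSRF token is
     * the proper fix.
     *
     * @return void
     */
    private function syssys_ajax()
    {
        header('Content-Type: application/json; charset=utf-8');
        $out = array();
        $xhr = isset($_SERVER['HTTP_X_REQUESTED_WITH']) ? (string)$_SERVER['HTTP_X_REQUESTED_WITH'] : '';
        if (strcasecmp($xhr, 'XMLHttpRequest') !== 0) {
            http_response_code(403);
            $out['html'] = 'forbidden';
        } elseif ((string)$_POST['ajdesSYS'] === 'showip') {
            $ip = isset($_POST['ip']) ? (string)$_POST['ip'] : '';
            if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
                $out['html'] = 'bad ip';
            } else {
                $logs = $this->syssys_get_logs_IP($ip);
                $out['html'] = '<table class="table">' . $this->syssys_log_rows($logs, false) . '</table>';
            }
        }
        echo json_encode($out);
    }

    /**
     * Renders parsed access-log entries as table rows (header row included).
     * Every cell is HTML-escaped: the URL, referer and User-Agent columns are
     * written into the log by arbitrary clients and would otherwise be a stored
     * XSS against the administrator viewing the page.
     *
     * @param array $logs   entries from syssys_parse_log_line(), or array('line' => …) for unparsed lines
     * @param bool  $linkIp render the IP as a .log_ip link that opens the per-IP log popup
     * @return string HTML rows
     */
    private function syssys_log_rows($logs, $linkIp)
    {
        $html = '<tr>';
        foreach (array('Дата', 'IP', 'Метод', 'УРЛ', 'Код', 'Запрос', 'Юзерагент') as $th) {
            $html .= '<th>' . $th . '</th>';
        }
        $html .= '</tr><tbody>';
        foreach ($logs as $row) {
            if (!isset($row['ip'])) {
                // A line the log regex did not recognise: show it raw in one cell.
                $raw = isset($row['line']) ? $row['line'] : '';
                $html .= '<tr><td colspan="7">' . $this->syssys_esc($raw) . '</td></tr>';
                continue;
            }
            $ip = $this->syssys_esc($row['ip']);
            $html .= '<tr>';
            $html .= '<td>' . $this->syssys_esc($row['data']) . '</td>';
            $html .= '<td>' . ($linkIp ? '<a href="#" class="log_ip" data-ip="' . $ip . '">' . $ip . '</a>' : $ip) . '</td>';
            $html .= '<td>' . $this->syssys_esc($row['method']) . '</td>';
            $html .= '<td>' . $this->syssys_esc($row['urlp']) . '</td>';
            $html .= '<td>' . $this->syssys_esc($row['code']) . '</td>';
            $html .= '<td>' . $this->syssys_esc($row['url']) . '</td>';
            $html .= '<td>' . $this->syssys_esc($row['ua']) . '</td>';
            $html .= '</tr>';
        }
        return $html . '</tbody>';
    }

    /**
     * Page: signature scan of the web root. Each group runs one recursive
     * grep -l and lists the matching files with their matching lines.
     *
     * @return void
     */
    private function syssys_checkvirus()
    {
        echo $this->syssys_html_head();
        echo '<h3>Вирусные вставки</h3>';
        echo '<table class="table">';
        echo '<tr>';
        echo '<th class="span4">Дата</th>';
        echo '<th class="span8">Файл</th>';
        echo '</tr>';

        // Web shells (p0wny, featureShell) and bare eval().
        $this->syssys_scan_group('tr1', 'featureShell p0wny eval( ',
            "grep -Rils --include=\*.php -e 'featureShell(' -e 'eval(' -e 'p0wny' " . self::WEBROOT . "*",
            array('featureShell(', 'eval(', 'p0wny'));

        // Mailer scripts.
        $this->syssys_scan_group('tr2', '$emaillist=$_POST $emaillist= $smtp_username= $smtp_password= Sender Anonym Email',
            "grep -Rils --include=\*.php -e '\@\$emaillist\=\$_POST' -e '\$emaillist=' -e '\$smtp_username=' -e '\$smtp_password=' -e 'Sender Anonym Email' " . self::WEBROOT . "*",
            array('@$emaillist=$_POST', '$emaillist=', '$smtp_username=', '$smtp_password=', 'Sender Anonym Email'));

        // Redirect / doorway injections.
        $this->syssys_scan_group('tr3', 'различные ботнетовские редиректы',
            "grep -Rils --include=\*.{php,htm,html} -e 'if(md5(md5(\$' -e 'h1\>Loading...' -e 'b\>Please wait a moment ...\ You will be forwarded. \<' -e '... Please wait...\<\/h3' -e 'You are here because one of your friends has invited you...\ Redirecting...' -e 'bankofamerica' -e 'http:\/\/hellosomeguys' -e 'rldailynews.com' -e 'http\:\/\/.*doctor.*\.com' -e '\-\-81a338\-\-' -e '\; it.src = ' " . self::WEBROOT . "*",
            array('if(md5(md5($', 'h1>Loading...', 'b>Please wait a moment ...', '... Please wait...</h3', 'You are here because one of your friends has invited you...', 'bankofamerica', 'http://hellosomeguys', 'rldailynews.com', '--81a338--', '; it.src = '));

        // Known shell / flooder families (c99, r57, WSO, FilesMan, ...).
        $this->syssys_scan_group('tr4', 'malware скрипты',
            "grep -Rils --include=\*.{php,htm,html} -e 'FilesMan' -e 'b=4594' -e 'e2aa4e' -e 'v58f57b98 = 0' -e 'forexam\@pandion.im' -e 'pathToDomains' -e 'if(navigator.userAgent.match(' -e 'var vst = String.fromCharCode' -e 'Menu\_files\/jquery.js' -e 'i5463 == null' -e 'r57.gen.tr' -e '\/rsize.js' -e 'feelthesame.changeip.name' -e '40,101,115,110,98,114,105,110' -e 'c99sh' -e 'Shell by' -e ' sh_ver' -e '\.tcpflood' -e 'c999sh' -e 'Array(base64_decode' -e 'Attacker Perl File' -e 'bogel = ' -e '(\!function_exists(\"getmicrotime\"))' -e'\$d=substr' -e 'WSO ' -e 'r57shell' -e 'msg=@gzinflate(@base64_decode(@str_replace' -e '6POkiojiO7iY3ns1rn8' -e ' mysql_safe' -e 'sql2_safe' -e 'aHR0cDovLzE3OC4yMTEu' -e 'php function _' -e 'encodeURIComponent(document.URL)' -e '\; if(isset(\$_REQUEST' -e 'UdpFlood' -e 'udp\:\/\/1.1.1.1' -e '\ (md5(\$_POST\[' -e 'header(\"Location\: http' -e 'fx29sh_' -e 'c999sh_surl' -e 'c99sh' -e '\/request12.php' -e 'NlOThmMjgyODM0NjkyODdiYT' " . self::WEBROOT . "*",
            array('FilesMan','b=4594','e2aa4e','v58f57b98 = 0','forexam@pandion.im','pathToDomains','if(navigator.userAgent.match(','var vst = String.fromCharCode','Menu_files/jquery.js','i5463 == null','r57.gen.tr','/rsize.js','feelthesame.changeip.name','40,101,115,110,98,114,105,110','c99sh','Shell by',' sh_ver','.tcpflood','c999sh','Array(base64_decode','Attacker Perl File','bogel = ','(!function_exists("getmicrotime"))','$d=substr','WSO ','r57shell','msg=@gzinflate(@base64_decode(@str_replace','6POkiojiO7iY3ns1rn8',' mysql_safe','sql2_safe','aHR0cDovLzE3OC4yMTEu','php function _','encodeURIComponent(document.URL)','; if(isset($_REQUEST','UdpFlood','udp://1.1.1.1',' (md5($_POST[','header("Location: http','fx29sh_','c999sh_surl','c99sh','/request12.php','NlOThmMjgyODM0NjkyODdiYT'));

        // Injected JavaScript (URL-encoded <script type and a known base64 blob).
        $this->syssys_scan_group('tr5', 'различные malware в java скриптах',
            "grep -Rils --include=\*.js -e '\%3C\%73\%63\%72\%69\%70\%74\%20\%74\%79\%70' -e 'kSKlBXYjNXZfhSZwF2YzVmb1h' " . self::WEBROOT . "*",
            array('\%3C\%73\%63\%72\%69\%70\%74\%20\%74\%79\%70', 'kSKlBXYjNXZfhSZwF2YzVmb1h'));

        echo '</table>';
    }

    /**
     * Runs one signature group of the scan and prints its rows; prints nothing
     * when there are no hits.
     *
     * @param string $id      CSS class / data-id tying the group header to its rows
     * @param string $title   label shown in the group header after the hit count
     * @param string $command complete grep -l command listing the matching files
     * @param array  $finds   grep BRE patterns used to show the matching lines of each file
     * @return void
     */
    private function syssys_scan_group($id, $title, $command, $finds)
    {
        $output = array();
        exec($command, $output);
        if (!count($output)) {
            return;
        }
        echo '<tr class="collapse_trmain error" data-id="' . $id . '"><td colspan="2">[' . count($output) . '] ' . $title . '</td></tr>';
        foreach ($output as $file) {
            $date = date('H:i:s d.m.Y', filectime($file));
            echo '<tr class="collapse_tr ' . $id . '">';
            echo '<td>' . $date . '</td>';
            echo '<td>' . $this->syssys_esc(str_replace(self::WEBROOT, '', $file)) . '</td>';
            echo '</tr>';
            // The content row carries the group's own id so that toggling the header
            // shows/hides it together with its file row (and not another group's rows).
            echo '<tr class="collapse_tr ' . $id . '"><td colspan="2">' . $this->syssys_getcontentfile($file, $finds) . '</td></tr>';
        }
    }

    /**
     * Page: files under WEBROOT modified within the last 12 hours. PHP files
     * are highlighted and expanded with the access-log requests that named them.
     *
     * @return void
     */
    private function syssys_changed_files()
    {
        echo $this->syssys_html_head();
        echo '<h3>Измененные файлы за 12 часов</h3>';
        // 720 minutes = 12 hours; -type f skips the directories find would otherwise list.
        $output = array();
        exec('find ' . escapeshellarg(self::WEBROOT) . ' -type f -mmin -720 -print', $output);
        $result = $this->syssys_parse_find($output);
        echo '<div class="show_log"><div class="show_log_html">тут логи если щелкнуть по ИП</div><a href="#" class="show_log_close">Закрыть</a></div>';
        echo '<table class="table">';
        echo '<tr>';
        echo '<th>Дата</th>';
        echo '<th>Файл</th>';
        echo '</tr>';
        foreach ($result as $key => $val) {
            $hasLogs = count($val['logs']) > 0;
            $style = ($val['danger'] == 1) ? ' style="color:red;"' : '';
            echo $hasLogs ? '<tr class="collapse" data-id="' . $key . '">' : '<tr>';
            echo '<td>' . $val['data_c'] . '</td>';
            echo '<td' . $style . '>' . $this->syssys_esc($val['file']) . '</td>';
            echo '</tr>';
            if ($hasLogs) {
                echo '<tr class="collapse_table" id="ct_' . $key . '">';
                echo '<td colspan="2">';
                echo '<table class="">' . $this->syssys_log_rows($val['logs'], true) . '</table>';
                echo '</td>';
                echo '</tr>';
            }
        }
        echo '</table>';
    }

    /**
     * Turns `find` output into display records.
     *
     * Skips the templates_c directory, json.php and a set of data/document
     * extensions that are expected to change (presumably generated or uploaded
     * content — TODO confirm). Anything with ".php" in its name is marked
     * danger=1 and gets the access-log requests that referenced it.
     *
     * @param array $output absolute paths printed by find
     * @return array list of array('data_c' => ctime, 'file' => relative path, 'danger' => 0|1, 'logs' => array)
     */
    public function syssys_parse_find($output)
    {
        $out = array();
        $skip = array('json', 'png', 'jpg', 'jpeg', 'gif', 'doc', 'docx', 'pdf', 'xls', 'xlsx', 'zip', 'rar', 'plx', 'pptx', 'ppt');
        foreach ($output as $file) {
            $rel = str_replace(self::WEBROOT, '', $file);
            if (strpos($rel, '/templates_c/') !== false) continue;
            if (strpos($rel, '/json.php') !== false) continue;
            $pi = pathinfo($rel);
            // Files without an extension have no 'extension' key.
            $ext = isset($pi['extension']) ? mb_strtolower($pi['extension']) : '';
            if (in_array($ext, $skip, true)) continue;

            $tmp = array();
            $tmp['data_c'] = date('H:i:s d.m.Y', filectime($file));
            $tmp['file'] = $rel;
            if (strpos($rel, '.php') !== false) {
                // A freshly modified PHP file is the primary web-shell indicator.
                $tmp['danger'] = 1;
                $tmp['logs'] = $this->syssys_get_logs_acc($rel);
            } else {
                $tmp['danger'] = 0;
                $tmp['logs'] = array();
            }
            $out[] = $tmp;
        }
        return $out;
    }

    /**
     * Fixed-string grep for $needle over ACCESS_LOG, with every hit parsed.
     * The needle goes through escapeshellarg() and is given with -e, so a file
     * name or address containing shell or option characters cannot alter the
     * command.
     *
     * @param string $needle literal text to look for
     * @return array parsed entries; unparsable lines become array('line' => raw)
     */
    private function syssys_grep_log($needle)
    {
        $output = array();
        exec('grep -F -e ' . escapeshellarg($needle) . ' ' . escapeshellarg(self::ACCESS_LOG), $output);
        $out = array();
        foreach ($output as $line) {
            $parsed = $this->syssys_parse_log_line($line);
            $out[] = ($parsed === null) ? array('line' => $line) : $parsed;
        }
        return $out;
    }

    /**
     * Access-log entries whose line mentions $string (a file path relative to
     * WEBROOT, as produced by syssys_parse_find()).
     *
     * @param string $string
     * @return array see syssys_grep_log()
     */
    public function syssys_get_logs_acc($string)
    {
        return $this->syssys_grep_log($string);
    }

    /**
     * Access-log entries whose line mentions $ip. Callers must validate the
     * address first when it comes from a request (see syssys_ajax()).
     *
     * @param string $ip
     * @return array see syssys_grep_log()
     */
    public function syssys_get_logs_IP($ip)
    {
        return $this->syssys_grep_log($ip);
    }

    /**
     * Splits one combined-format access-log line into its fields.
     *
     * Example line:
     * 62.183.98.199 - - [12/Apr/2022:10:02:40 +0300] "GET /upload/iup/208/98062.php HTTP/1.0" 200 177818 "https://eios.mkgtu.ru/iup/student/edit/5400/" "Mozilla/5.0 (...)"
     *
     * @param string $line
     * @return array|null keys ip, data, method, urlp, http, code, size, url, ua; null when the line does not match
     */
    public function syssys_parse_log_line($line)
    {
        if (!preg_match('|(.*) - - \[(.*)\] "(.*) (.*) (.*)" (.*) (.*) "(.*)" "(.*)"|isU', $line, $m)) {
            return null;
        }
        return array(
            'ip' => $m[1],
            'data' => $m[2],
            'method' => $m[3],
            'urlp' => $m[4],
            'http' => $m[5],
            'code' => $m[6],
            'size' => $m[7],
            'url' => $m[8],
            'ua' => $m[9],
        );
    }
}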