EIOS/inc/class_SECUR.php

506 lines
23 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?php
class class_SECUR
{
private $RE = '';
private $IP = '';
/**
* Класс для анализа ссылок которые нам поступают
*/
function __construct()
{
#$out['query'] = $_SERVER['QUERY_STRING'];
$this->RE = $out['reque'] = $_SERVER['REQUEST_URI'];
#$out['redir'] = $_SERVER['REDIRECT_URL'];
#$out['ip1'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
$this->IP = $out['ip2'] = $_SERVER['REMOTE_ADDR'];
$out['ua'] = $_SERVER['HTTP_USER_AGENT'];
if($this->IP!='37.29.121.162') {
$this->check_ban($this->IP);
$this->check_ua($out['ua']);
$this->check_url($out['reque']);
}
}
/**
* Проверям есть ли ИП в бане уже, более 3 банов сразу баним!
* если меньше то делаем задержку 1 секунда
* @param $ip
* @return void
*/
function check_ban($ip){
$file = 'tmp/ban/'.$ip.'.json';
if (file_exists($file)){
$json = json_decode(file_get_contents($file),1);
if($json['kol']>3) die('ошибка сервера 2');
else sleep(1);
}
}
/**
* Записываем подозрительные ИП и баним
* @return void
*/
function ban(){
$file = 'tmp/ban/'.$this->IP.'.json';
if (file_exists($file)){
$json = json_decode(file_get_contents($file),1);
$json['time'] = time();
$json['kol']++;
$json['url'][]=$this->RE;
file_put_contents($file,json_encode($json));
}else{
$json = array();
$json['time'] = time();
$json['kol'] = 1;
$json['url'][]=$this->RE;
file_put_contents($file,json_encode($json));
}
die('ошибка сервера 1');
}
/**
* Проверяем по словарю адресную строку и баним при совпадении
* @param $url
* @return void
*/
function check_url($url){
$slovar = $this->slovar();
foreach ($slovar as $key => $val){
if(strpos($url, $val)!==False){
$this->ban();
}
}
}
/**
* Проверяем ЮзерАгента и баним если это подозрительный
* @param $ua
* @return void
*/
function check_ua($ua){
$ban = false;
if(strpos($ua, 'Kali')!==False){
$ban = true;
}
if($ban){
$this->ban();
}
}
/**
* Словарь не наших слов в адресной строке
* @return array
*/
function slovar(){
$out = array();
$out[] = '../';
$out[] = '..%2F';
$out[] = '/etc';
$out[] = '/passwd';
//$out[] = '/admin';
$out[] = 'option=com';
$out[] = 'wp-config';
$out[] = 'wp-content';
$out[] = 'localPath';
$out[] = '.jsp';
$out[] = '/pwn';
$out[] = 'functionRouter';
$out[] = '/cgi-bin';
$out[] = 'instancemanager';
$out[] = '+CSCOU+';
$out[] = '/scripts/setup';
$out[] = '/ecp';
$out[] = 'adminer';
return $out;
}
function syssys_html_head(){
$out = '<!DOCTYPE html>
<!--[if IE 8]> <html lang="ru" class="ie8"> <![endif]-->
<!--[if IE 9]> <html lang="ru" class="ie9"> <![endif]-->
<!--[if !IE]><!--> <html lang="ru"> <!--<![endif]-->
<head>
<meta charset="utf-8" />
<title>Логи</title>
<meta content="width=device-width, initial-scale=1.0" name="viewport" />
<meta content="" name="description" />
<meta content="" name="author" />
<link href="/tpl/assets/bootstrap/css/bootstrap.min.css" rel="stylesheet" />
<link href="/tpl/assets/bootstrap/css/bootstrap-responsive.min.css" rel="stylesheet" />
<link href="/tpl/assets/font-awesome/css/font-awesome.css" rel="stylesheet" />
<link href="/tpl/css/style-responsive.css" rel="stylesheet" />
<link href="/tpl/css/style-default.css" rel="stylesheet" id="style_color" />
<script src="/tpl/js/jquery-1.8.3.min.js"></script>
</head>';
$out .= '<style>
.collapse, .collapse_trmain{cursor:pointer;}
.collapse_table, .collapse_tr{display: none;}
.show_log_html{
overflow: auto;
width: 100%;
height:380px;
background-color: #fff;
}
.show_log{
position: fixed;
top: 0px;
left:0px;
right:0px;
height:400px;
display:none;
background-color: #fff;
z-index: 100;
}
.table{
border: 1px solid #eee;
table-layout: fixed;
width: 100%;
margin-bottom: 20px;
}
.table th {
font-weight: bold;
padding: 5px;
background: #efefef;
border: 1px solid #dddddd;
}
.table td{
padding: 5px 10px;
border: 1px solid #eee;
text-align: left;
}
.table tbody tr:nth-child(odd){
background: #fff;
}
.table tbody tr:nth-child(even){
background: #F7F7F7;
}
</style>';
$out .= '<script>$(document).ready(function(){
$(".collapse").click(function(){
let id = $(this).data("id");
$("#ct_"+id).toggle();
return false;
});
$(".collapse_trmain").click(function(){
let id = $(this).data("id");
$("."+id).toggle();
return false;
});
$(".show_log_close").click(function(){
$(".show_log").hide();
return false;
})
$(".log_ip").click(function(){
$(".show_log_html").html("получаем");
let ip = $(this).data("ip");
$.ajax({
url: "/syssys/", cache: false, datatype: "json", type: "POST",
data: "ajdesSYS=showip&ip=" + ip,
success: function (data) {
$(".show_log_html").html(data.html);
$(".show_log").show();
}
});
return false;
});
});</script>';
$out .= '<a href="/syssys/">Измененные файлы за 12 часов</a> | <a href="/syssys/checkvirus/">Вирусные вставки</a>';
return $out;
}
function syssys_getcontentfile($file,$finds){
$out = array(); $out1 = '';
if($file!='inc/class_SECUR.php') {
/*
Например, мы хотим выбрать все ошибки из лог-файла, но знаем, что в следующей строчке после ошибки может содержаться полезная информация, тогда с помощью grep отобразим несколько строк. Ошибки будем искать в Xorg.log по шаблону "EE":
grep -A4 "EE" /var/log/xorg.0.log
Выведет строку с вхождением и 4 строчки после неё:
grep -B4 "EE" /var/log/xorg.0.log
Выведет целевую строку и 4 строчки до неё:
grep -C2 "EE" /var/log/xorg.0.log
Выведет по две строки с верху и снизу от вхождения.
* */
foreach ($finds as $key => $find) {
$command = 'grep "' . $find . '" ' . $file;
exec($command, $output);
$out = array_merge($out, $output);
}
$out1 = '<div style="overflow: auto;width:100%;height:120px;">';
foreach ($out as $k => $v)
$out1 .= htmlspecialchars($v) . '<br>';
$out1 .= '</div>';
}
return $out1;
}
function syssys(){
if ($_SESSION['user']['status'] != 99) exit();
$des = ''; if(isset($_GET['des'])) $des = $_GET['des'];
if($des=='checkvirus') {
echo $this->syssys_html_head();
echo '<h3>Вирусные вставки</h3>';
echo '<table class="table">';
echo '<tr>';
echo '<th class="span4">Дата</th>';
echo '<th class="span8">Файл</th>';
echo '</tr>';
$finds = array('featureShell(','eval(','p0wny');
$command = "grep -Rils --include=\*.php -e 'featureShell(' -e 'eval(' -e 'p0wny' /home/admin/web/eios.mkgtu.ru/public_html/*";
$output=array(); exec($command, $output);
if(count($output)) {
echo '<tr class="collapse_trmain error" data-id="tr1"><td colspan="2">[' . count($output) . '] featureShell p0wny eval( </td></tr>';
foreach ($output as $key => $file) {
$data = date('H:i:s d.m.Y', filectime($file));
echo '<tr class="collapse_tr tr1">';
echo '<td>' . $data . '</td>';
echo '<td>' . str_replace('/home/admin/web/eios.mkgtu.ru/public_html/', '', $file) . '</td>';
echo '</tr>';
echo '<tr class="collapse_tr tr1"><td colspan="2">'.$this->syssys_getcontentfile($file,$finds).'</td></tr>';
}
}
$finds = array('@$emaillist=$_POST','$emaillist=','$smtp_username=','$smtp_password=','Sender Anonym Email');
$command = "grep -Rils --include=\*.php -e '\@\$emaillist\=\$_POST' -e '\$emaillist=' -e '\$smtp_username=' -e '\$smtp_password=' -e 'Sender Anonym Email' /home/admin/web/eios.mkgtu.ru/public_html/*";
$output=array(); exec($command, $output);
if(count($output)) {
echo '<tr class="collapse_trmain error" data-id="tr2"><td colspan="2">[' . count($output) . '] $emaillist=$_POST $emaillist= $smtp_username= $smtp_password= Sender Anonym Email</td></tr>';
foreach ($output as $key => $file) {
$data = date('H:i:s d.m.Y', filectime($file));
echo '<tr class="collapse_tr tr2">';
echo '<td>' . $data . '</td>';
echo '<td>' . str_replace('/home/admin/web/eios.mkgtu.ru/public_html/', '', $file) . '</td>';
echo '</tr>';
echo '<tr class="collapse_tr tr1"><td colspan="2">'.$this->syssys_getcontentfile($file,$finds).'</td></tr>';
}
}
$finds = array('if(md5(md5($','h1>Loading...','b>Please wait a moment ...','... Please wait...</h3','You are here because one of your friends has invited you...','bankofamerica','http://hellosomeguys','rldailynews.com','--81a338--','; it.src = ');
$command = "grep -Rils --include=\*.{php,htm,html} -e 'if(md5(md5(\$' -e 'h1\>Loading...' -e 'b\>Please wait a moment ...\ You will be forwarded. \<' -e '... Please wait...\<\/h3' -e 'You are here because one of your friends has invited you...\ Redirecting...' -e 'bankofamerica' -e 'http:\/\/hellosomeguys' -e 'rldailynews.com' -e 'http\:\/\/.*doctor.*\.com' -e '\-\-81a338\-\-' -e '\; it.src = ' /home/admin/web/eios.mkgtu.ru/public_html/*";
$output=array(); exec($command, $output);
if(count($output)) {
echo '<tr class="collapse_trmain error" data-id="tr3"><td colspan="2">[' . count($output) . '] различные ботнетовские редиректы</td></tr>';
foreach ($output as $key => $file) {
$data = date('H:i:s d.m.Y', filectime($file));
echo '<tr class="collapse_tr tr3">';
echo '<td>' . $data . '</td>';
echo '<td>' . str_replace('/home/admin/web/eios.mkgtu.ru/public_html/', '', $file) . '</td>';
echo '</tr>';
echo '<tr class="collapse_tr tr1"><td colspan="2">'.$this->syssys_getcontentfile($file,$finds).'</td></tr>';
}
}
$finds = array('FilesMan','b=4594','e2aa4e','v58f57b98 = 0','forexam@pandion.im','pathToDomains','if(navigator.userAgent.match(','var vst = String.fromCharCode','Menu_files/jquery.js','i5463 == null','r57.gen.tr','/rsize.js','feelthesame.changeip.name','40,101,115,110,98,114,105,110','c99sh','Shell by',' sh_ver','.tcpflood','c999sh','Array(base64_decode','Attacker Perl File','bogel = ','(!function_exists("getmicrotime"))','$d=substr','WSO ','r57shell','msg=@gzinflate(@base64_decode(@str_replace','6POkiojiO7iY3ns1rn8',' mysql_safe','sql2_safe','aHR0cDovLzE3OC4yMTEu','php function _','encodeURIComponent(document.URL)','; if(isset($_REQUEST','UdpFlood','udp://1.1.1.1',' (md5($_POST[','header("Location: http','fx29sh_','c999sh_surl','c99sh','/request12.php','NlOThmMjgyODM0NjkyODdiYT');
$command = "grep -Rils --include=\*.{php,htm,html} -e 'FilesMan' -e 'b=4594' -e 'e2aa4e' -e 'v58f57b98 = 0' -e 'forexam\@pandion.im' -e 'pathToDomains' -e 'if(navigator.userAgent.match(' -e 'var vst = String.fromCharCode' -e 'Menu\_files\/jquery.js' -e 'i5463 == null' -e 'r57.gen.tr' -e '\/rsize.js' -e 'feelthesame.changeip.name' -e '40,101,115,110,98,114,105,110' -e 'c99sh' -e 'Shell by' -e ' sh_ver' -e '\.tcpflood' -e 'c999sh' -e 'Array(base64_decode' -e 'Attacker Perl File' -e 'bogel = ' -e '(\!function_exists(\"getmicrotime\"))' -e'\$d=substr' -e 'WSO ' -e 'r57shell' -e 'msg=@gzinflate(@base64_decode(@str_replace' -e '6POkiojiO7iY3ns1rn8' -e ' mysql_safe' -e 'sql2_safe' -e 'aHR0cDovLzE3OC4yMTEu' -e 'php function _' -e 'encodeURIComponent(document.URL)' -e '\; if(isset(\$_REQUEST' -e 'UdpFlood' -e 'udp\:\/\/1.1.1.1' -e '\ (md5(\$_POST\[' -e 'header(\"Location\: http' -e 'fx29sh_' -e 'c999sh_surl' -e 'c99sh' -e '\/request12.php' -e 'NlOThmMjgyODM0NjkyODdiYT' /home/admin/web/eios.mkgtu.ru/public_html/*";
$output=array(); exec($command, $output);
if(count($output)) {
echo '<tr class="collapse_trmain error" data-id="tr4"><td colspan="2">[' . count($output) . '] malware скрипты</td></tr>';
foreach ($output as $key => $file) {
$data = date('H:i:s d.m.Y', filectime($file));
echo '<tr class="collapse_tr tr4">';
echo '<td>' . $data . '</td>';
echo '<td>' . str_replace('/home/admin/web/eios.mkgtu.ru/public_html/', '', $file) . '</td>';
echo '</tr>';
echo '<tr class="collapse_tr tr1"><td colspan="2">'.$this->syssys_getcontentfile($file,$finds).'</td></tr>';
}
}
$finds = array('\%3C\%73\%63\%72\%69\%70\%74\%20\%74\%79\%70','kSKlBXYjNXZfhSZwF2YzVmb1h');
$command = "grep -Rils --include=\*.js -e '\%3C\%73\%63\%72\%69\%70\%74\%20\%74\%79\%70' -e 'kSKlBXYjNXZfhSZwF2YzVmb1h' /home/admin/web/eios.mkgtu.ru/public_html/*";
$output=array(); exec($command, $output);
if(count($output)) {
echo '<tr class="collapse_trmain error" data-id="tr5"><td colspan="2">[' . count($output) . '] различные malware в java скриптах</td></tr>';
foreach ($output as $key => $file) {
$data = date('H:i:s d.m.Y', filectime($file));
echo '<tr class="collapse_tr tr5">';
echo '<td>' . $data . '</td>';
echo '<td>' . str_replace('/home/admin/web/eios.mkgtu.ru/public_html/', '', $file) . '</td>';
echo '</tr>';
echo '<tr class="collapse_tr tr1"><td colspan="2">'.$this->syssys_getcontentfile($file,$finds).'</td></tr>';
}
}
echo '</table>';
//echo '<pre>'.print_r($output,1).'</pre>';
}
if($des=='') {
echo $this->syssys_html_head();
echo '<h3>Измененные файлы за 12 часов</h3>';
//print_r($_SESSION['user']);
if (isset($_POST['ajdesSYS'])) {
header('Content-Type: application/json; charset=utf-8');
$out = array();
if ($_POST['ajdesSYS'] == 'showip') {
$ip = $_POST['ip'];
$logs = $this->syssys_get_logs_IP($ip);
$html = '<table class="table">';
$html .= '<tr>';
$html .= '<th>Дата</th>';
$html .= '<th>IP</th>';
$html .= '<th>Метод</th>';
$html .= '<th>УРЛ</th>';
$html .= '<th>Код</th>';
$html .= '<th>Запрос</th>';
$html .= '<th>Юзерагент</th>';
$html .= '</tr>';
$html .= '<tbody>';
foreach ($logs as $key1 => $val1) {
$html .= '<tr>';
$html .= '<td>' . $val1['data'] . '</td>';
$html .= '<td>' . $val1['ip'] . '</td>';
$html .= '<td>' . $val1['method'] . '</td>';
$html .= '<td>' . $val1['urlp'] . '</td>';
$html .= '<td>' . $val1['code'] . '</td>';
$html .= '<td>' . $val1['url'] . '</td>';
$html .= '<td>' . $val1['ua'] . '</td>';
$html .= '</tr>';
}
$html .= '</tbody>';
$html .= '</table>';
$out['html'] = $html;
}
echo json_encode($out);
exit();
}
$output = array();
$command = 'find /home/admin/web/eios.mkgtu.ru/public_html/ -mmin -60 -print > /home/admin/web/eios.mkgtu.ru/public_html/lastf1.txt';
//смотрим изменения файлов за час = 60 12часов=720
$command = 'find /home/admin/web/eios.mkgtu.ru/public_html/ -type f -mmin -720 -print';
exec($command, $output);
$result = $this->syssys_parse_find($output);
//echo '<pre>'.print_r($this->syssys_parse_find($output),1).'</pre>';
echo '<div class="show_log"><div class="show_log_html">тут логи если щелкнуть по ИП</div><a href="#" class="show_log_close">Закрыть</a></div>';
echo '<table class="table">';
echo '<tr>';
echo '<th>Дата</th>';
echo '<th>Файл</th>';
echo '</tr>';
foreach ($result as $key => $val) {
$style = '';
if ($val['danger'] == 1) $style = 'style="color:red;"';
if (count($val['logs'])) {
echo '<tr class="collapse" data-id="' . $key . '">';
} else {
echo '<tr>';
}
echo '<td>' . $val['data_c'] . '</td>';
echo '<td ' . $style . '>' . $val['file'] . '</td>';
echo '</tr>';
if (count($val['logs'])) {
echo '<tr class="collapse_table" id="ct_' . $key . '">';
echo '<td colspan="2">';
echo '<table class="">';
echo '<tr>';
echo '<th>Дата</th>';
echo '<th>IP</th>';
echo '<th>Метод</th>';
echo '<th>УРЛ</th>';
echo '<th>Код</th>';
echo '<th>Запрос</th>';
echo '<th>Юзерагент</th>';
echo '</tr>';
echo '<tbody>';
foreach ($val['logs'] as $key1 => $val1) {
echo '<tr>';
echo '<td>' . $val1['data'] . '</td>';
echo '<td><a href="#" class="log_ip" data-ip="' . $val1['ip'] . '">' . $val1['ip'] . '</a></td>';
echo '<td>' . $val1['method'] . '</td>';
echo '<td>' . $val1['urlp'] . '</td>';
echo '<td>' . $val1['code'] . '</td>';
echo '<td>' . $val1['url'] . '</td>';
echo '<td>' . $val1['ua'] . '</td>';
echo '</tr>';
}
echo '</tbody>';
echo '</table>';
echo '</td>';
echo '</tr>';
}
}
echo '</table>';
}
exit();
}
function syssys_parse_find($output){
$out = array();
$m1=array('/home/admin/web/eios.mkgtu.ru/public_html/');
$m2=array('');
foreach($output as $key => $file){
$tmp['data_c'] = date('H:i:s d.m.Y',filectime($file));
$tmp['file'] = str_replace($m1,$m2,$file);
if (strpos($tmp['file'], '/templates_c/') !== false) continue;
if (strpos($tmp['file'], '/json.php') !== false) continue;
$pi = pathinfo($tmp['file']); $ext = mb_strtolower($pi['extension']);
if($ext=='json'||$ext=='png'||$ext=='jpg'||$ext=='jpeg'||$ext=='gif'||$ext=='doc'||$ext=='docx'||$ext=='pdf'||$ext=='xls'||$ext=='xlsx'||$ext=='zip'||$ext=='rar'||$ext=='plx'||$ext=='pptx'||$ext=='ppt') continue;
if (strpos($tmp['file'], '.php') !== false) {
$tmp['danger'] = 1;
$tmp['logs'] = $this->syssys_get_logs_acc($tmp['file']);
}else {
$tmp['danger'] = 0;
$tmp['logs'] = array();
}
$out[] = $tmp;
}
return $out;
}
function syssys_get_logs_acc($string){
$out = array();
$command = 'grep '.$string.' /var/log/httpd/domains/eios.mkgtu.ru.log';
$command = 'grep '.$string.' /home/admin/web/eios.mkgtu.ru/logs/eios.mkgtu.ru.log';
// [0] => 62.183.98.199 - - [12/Apr/2022:10:02:40 +0300] "GET /upload/iup/208/98062.php HTTP/1.0" 200 177818 "https://eios.mkgtu.ru/iup/student/edit/5400/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4495.0 Safari/537.36"
exec($command, $output);
foreach($output as $key => $line){
preg_match_all('|(.*) - - \[(.*)\] "(.*) (.*) (.*)" (.*) (.*) "(.*)" "(.*)"|isU',$line,$arr);
//echo count($arr[0]).'<pre>'.print_r($arr,1).'</pre>';
if(count($arr)>2){
$tmp=array();
$tmp['ip'] = $arr[1][0];
$tmp['data'] = $arr[2][0];
$tmp['method'] = $arr[3][0];
$tmp['urlp'] = $arr[4][0];
$tmp['http'] = $arr[5][0];
$tmp['code'] = $arr[6][0];
$tmp['size'] = $arr[7][0];
$tmp['url'] = $arr[8][0];
$tmp['ua'] = $arr[9][0];
$out[] = $tmp;
}else $out[]['line'] = $line;
}
return $out;
//echo '<pre>'.print_r($output,1).'</pre>';
}
function syssys_get_logs_IP($ip){
$out = array();
$command = 'grep '.$ip.' /home/admin/web/eios.mkgtu.ru/logs/eios.mkgtu.ru.log';
// [0] => 62.183.98.199 - - [12/Apr/2022:10:02:40 +0300] "GET /upload/iup/208/98062.php HTTP/1.0" 200 177818 "https://eios.mkgtu.ru/iup/student/edit/5400/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4495.0 Safari/537.36"
exec($command, $output);
foreach($output as $key => $line){
preg_match_all('|(.*) - - \[(.*)\] "(.*) (.*) (.*)" (.*) (.*) "(.*)" "(.*)"|isU',$line,$arr);
if(count($arr)>2){
$tmp=array();
$tmp['ip'] = $arr[1][0];
$tmp['data'] = $arr[2][0];
$tmp['method'] = $arr[3][0];
$tmp['urlp'] = $arr[4][0];
$tmp['http'] = $arr[5][0];
$tmp['code'] = $arr[6][0];
$tmp['size'] = $arr[7][0];
$tmp['url'] = $arr[8][0];
$tmp['ua'] = $arr[9][0];
$out[] = $tmp;
}else $out[]['line'] = $line;
}
return $out;
}
}