[BETA] Log Highlight Requests v1.0.2

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
lightdarkness
Registered User
Posts: 254
Joined: Fri Nov 21, 2003 1:13 am

Post by lightdarkness » Sun Dec 26, 2004 8:49 pm

Log Highlight Requests
This mod will log all activity used by the highlight function in viewtopic, so you can monitor potential exploiters, to then ban their IP.

Current Features
No malicious code can be run from the page that is viewable to the admin.
Shows all requests for the function.

Planned Features
When a highlight request comes through where there is a character that isn't a letter or a number, an email will automatically be sent to the board admin.

To-Do List
Delete logs
Logs per page
Ban from log page
Restrict viewing to main admin

Screenshots of V1.0.2 to come soon

If you have any other ideas, please post them here, I am open to suggestions.

Download (1.0.2)
DOWNLOAD

Code:

##############################################################
## MOD Title: Log Highlight Requests
## MOD Author: lightdarkness < lightdarkness@gmail.com > (Jay MacLean) http://www.lightdarkness42.com
## MOD Description:    This mod logs all highlight requests made in viewtopic.php to check
##		       for malicious activity.
## MOD Version:    1.0.2
##
## Installation Level:    Easy
## Installation Time:    5 Minutes
## Files To Edit (5): viewtopic.php
##		      includes/constants.php
##		      language/lang_english/lang_admin.php
##		      admin/admin_board.php 
##		      templates/subSilver/admin/board_config_body.tpl
## Included Files:    highlight_body.tpl
##		      admin_highlight.php
##############################################################
## For Security Purposes, Please Check: http://www.phpbb.com/mods/ for the
## latest version of this MOD. Downloading this MOD from other sites could cause malicious code
## to enter into your phpBB Forum. As such, phpBB will not offer support for MOD's not offered
## in our MOD-Database, located at: http://www.phpbb.com/mods/
############################################################## 
## Author Notes: None
##
##############################################################
## MOD History:
##
##   2004-12-29 - Version 1.0.2
##	- Removed extraneous code
##	- Config added
##	- Options to enable/disable
##	- Log only malicious, or all
##
##   2004-12-28 - Version 1.0.1
##	- Adds notes for known vulnerabilities
##	- Blocks requests of certain length
##	- Now logs IP's using the phpBB encode_ip() function
##	- Dies on Santy & Spyki Detection (Shows critical error)
##
##   2004-12-26 - Version 1.0.0
##      - Initial Release
##
##############################################################

Last edited by lightdarkness on Thu Dec 30, 2004 9:23 am, edited 7 times in total.

josian
Registered User
Posts: 142
Joined: Sat Mar 20, 2004 2:56 am

Post by josian » Mon Dec 27, 2004 8:24 am

Could this be used to log any "rush" exploit attempts too?

defender-uk
Registered User
Posts: 380
Joined: Tue Jun 01, 2004 9:06 am
Location: London, UK

Post by defender-uk » Mon Dec 27, 2004 3:53 pm

I have a small change you may want to add to this, it stops the highlight requests getting past your mod (which is a great mod as I have now found my 300 guests are not too friendly requests)

In viewtopic.php

Code:

// Log Highlight request MOD start
if ( isset($HTTP_GET_VARS['highlight']) )
{
	// Well, it seems someone requested a highlight
	// Lets log it!
	$ip = $_SERVER['REMOTE_ADDR'];
	$time = time();
	$highlight = $HTTP_GET_VARS['highlight'];
	$highlight = htmlspecialchars($highlight);
	$sql = "INSERT INTO " . HIGHLIGHT_TABLE . " (time, IP, highlight) VALUES ('" . $time . "', '" . $ip . "', '" . $highlight . "')";
	if ( !($result = $db->sql_query($sql)) )
	{
		message_die(GENERAL_ERROR, 'Could not insert highlight information', '', __LINE__, __FILE__, $sql);
	}
}
// Log Highlight request MOD end

If you use this

Code:

// Log Highlight request MOD start
if ( isset($HTTP_GET_VARS['highlight']) )
{
	// Well, it seems someone requested a highlight
	// Lets log it!
	$ip = $_SERVER['REMOTE_ADDR'];
	$time = time();
	$highlight = $HTTP_GET_VARS['highlight'];
	$highlight = htmlspecialchars($highlight);
	$sql = "INSERT INTO " . HIGHLIGHT_TABLE . " (time, IP, highlight) VALUES ('" . $time . "', '" . $ip . "', '" . $highlight . "')";
	if ( !($result = $db->sql_query($sql)) )
	{
		message_die(GENERAL_ERROR, 'Could not insert highlight information', '', __LINE__, __FILE__, $sql);
	}
	if(strlen($highlight) > 30)
	{
		message_die(GENERAL_ERROR, 'Could not get highlight information - data string too long');
	}
}
// Log Highlight request MOD end

Words that are more than 30 chars simply get a general error page.

You can change the 30 to 60 or 45, whatever you think is a large enough word/phrase for people to be searching for. Remembering that the search function takes out common words like 'a', 'and', 'is'.

I added this little piece of script as 5 minutes after installing this mod I had over 100 attempts to break my board and it's better to do this than ban the IPs, you just don't know who you're banning from your site, as it seems that Search4Free has a few issues with its spider.

lightdarkness
Registered User
Posts: 254
Joined: Fri Nov 21, 2003 1:13 am

Post by lightdarkness » Mon Dec 27, 2004 5:05 pm

Thanks for the awesome idea!

When I return today, I will add in that portion (giving you credit!) as well as a setting to declare how many characters long to stop it from functioning!

Thanks!
josian wrote: Could this be used to log any "rush" exploit attempts too?


I'm pretty sure in that rush exploit attempt, it does try and use the highlight function as well, so it would log.

defender-uk
Registered User
Posts: 380
Joined: Tue Jun 01, 2004 9:06 am
Location: London, UK

Post by defender-uk » Mon Dec 27, 2004 8:44 pm

You could also do this

Code:

// Log Highlight request MOD start
if ( isset($HTTP_GET_VARS['highlight']) )
{
	// Well, it seems someone requested a highlight
	// Lets log it!
	$ip = $_SERVER['REMOTE_ADDR'];
	$time = time();
	$highlight = $HTTP_GET_VARS['highlight'];
	$highlight = htmlspecialchars($highlight);
	if ( strlen($highlight) > 30 || !(stristr($_SERVER['HTTP_REFERER'], 'search.')) )
	{
		message_die(GENERAL_ERROR, 'Could not get highlight information - highlighted data error');
	}
	$sql = "INSERT INTO " . HIGHLIGHT_TABLE . " (time, IP, highlight) VALUES ('" . $time . "', '" . $ip . "', '" . $highlight . "')";
	if ( !($result = $db->sql_query($sql)) )
	{
		message_die(GENERAL_ERROR, 'Could not insert highlight information', '', __LINE__, __FILE__, $sql);
	}
}
// Log Highlight request MOD end

This will block any requests that do not come through the search program.

And does not log blocked attempts (as the database gets a bit big and does not have a clear function as yet :) )

This is not php3 compatible, but I think the mods will allow this, due to the nature of the mod.

lightdarkness
Registered User
Posts: 254
Joined: Fri Nov 21, 2003 1:13 am

Post by lightdarkness » Mon Dec 27, 2004 10:22 pm

I still want to log everything, so you can see what the attacker tried to do. Perhaps if it finds a % it will send an email to the board owner about the attack.

I think I'll just make it so you can set which settings do what. Thanks for all the input, and expect a new release tonight.

Also, why isn't it php 3 compatible? I checked on php.net, and all I could find is that stristr was introduced in 3.0.6, but I don't think that will be too much of a problem.

defender-uk
Registered User
Posts: 380
Joined: Tue Jun 01, 2004 9:06 am
Location: London, UK

Post by defender-uk » Mon Dec 27, 2004 10:55 pm

I'm not sure if $_SERVER is supported in php3.

php{dot} net isn't very clear about those commands (as I've found in the past)

I changed the above; the % was not seen as a % due to htmlspecialchars converting them to the char it should be :(

Uchiha Nick
Registered User
Posts: 424
Joined: Wed Jul 14, 2004 12:13 pm

Post by Uchiha Nick » Mon Dec 27, 2004 10:58 pm

can someone tell me what highlighting does? ( yea yea noobie i know )

lightdarkness
Registered User
Posts: 254
Joined: Fri Nov 21, 2003 1:13 am

Post by lightdarkness » Mon Dec 27, 2004 11:01 pm

Uchiha Nick wrote: can someone tell me what highlighting does? ( yea yea noobie i know )


The highlight function changes the text color of a word on the page so you can find it.

Recently, there have been exploits of this function.

This mod logs all activity used by that function, so you can check for malicious activity.

lightdarkness
Registered User
Posts: 254
Joined: Fri Nov 21, 2003 1:13 am

Post by lightdarkness » Mon Dec 27, 2004 11:40 pm

I tried adding in the checking for %, but it doesn't work because it is interpreted as is. If I decode the URL, it might cause another exploit like there already was, so that is out!

I will just do the strlen part, I think that is the safest way to do so.
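
Added example, not part of any post in this thread or of the MOD itself: PHP URL-decodes GET values once before the script sees them, so a `%` test on `$HTTP_GET_VARS['highlight']` does not see ordinary percent-encoding, while the raw query string still shows it without any second decode. The function name, flag names and sample query strings are constructed for illustration; the 30-character limit is the one suggested earlier in the thread.

```php
<?php
// Added example, not the MOD's code. classify_highlight(), the flag names
// and the sample query strings below are constructed for illustration.
// It inspects the RAW query string and decodes the value exactly once,
// mirroring what PHP already did to build $_GET / $HTTP_GET_VARS.
function classify_highlight($raw_query, $max_len = 30)
{
    $raw = null;
    foreach (explode('&', $raw_query) as $pair) {
        $parts = explode('=', $pair, 2);
        if ($parts[0] === 'highlight') {
            $raw = isset($parts[1]) ? $parts[1] : '';
        }
    }
    if ($raw === null) {
        return null; // request carries no highlight parameter
    }
    $decoded = urldecode($raw); // one decode only, never a second pass
    $flags = array();
    if (strpos($raw, '%') !== false) {
        $flags[] = 'percent_encoded';      // %XX present in the request itself
    }
    if (strpos($decoded, '%') !== false) {
        $flags[] = 'percent_after_decode'; // a % survives the single decode
    }
    if (strlen($decoded) > $max_len) {
        $flags[] = 'too_long';             // length limit from the thread
    }
    if (preg_match('/[^A-Za-z0-9 ]/', $decoded)) {
        $flags[] = 'non_alnum';            // not a letter, digit or space
    }
    return array('raw' => $raw, 'decoded' => $decoded, 'flags' => $flags);
}

// Constructed sample requests (query strings only)
$samples = array(
    't=12&highlight=install+guide',
    't=12&highlight=caf%C3%A9',
    't=12&highlight=%2541%2542',
    't=12',
);
foreach ($samples as $q) {
    $r = classify_highlight($q);
    if ($r === null) {
        $label = 'no highlight';
    } else {
        $label = $r['flags'] ? implode(',', $r['flags']) : 'clean';
    }
    echo $q, ' => ', $label, "\n";
}
```

On a live request the raw string is `$_SERVER['QUERY_STRING']`. The `non_alnum` flag also fires on legitimate non-English search terms, so it is better suited to logging than to blocking.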

josian
Registered User
Posts: 142
Joined: Sat Mar 20, 2004 2:56 am

Post by josian » Tue Dec 28, 2004 4:35 am

Installed and working great!

Thanks for this mod!! :D

alsakrah
Registered User
Posts: 166
Joined: Wed Dec 04, 2002 7:54 pm

Post by alsakrah » Tue Dec 28, 2004 6:19 am

It is a very nice mod

I will install it and I hope there will be final release for this mod

Thank you

lightdarkness
Registered User
Posts: 254
Joined: Fri Nov 21, 2003 1:13 am

Post by lightdarkness » Tue Dec 28, 2004 7:38 am

alsakrah wrote: It is a very nice mod

I will install it and I hope there will be final release for this mod

Thank you


There will most certainly be a final release, which you can expect in the next few days.

I've added a few new features, which I will try and release tonight.

I want to get the config page going before I finalize it :-)

defender-uk
Registered User
Posts: 380
Joined: Tue Jun 01, 2004 9:06 am
Location: London, UK

Post by defender-uk » Tue Dec 28, 2004 11:43 am

lightdarkness wrote: I tried adding in the checking for %, but it doesn't work because it is interpreted as is. If I decode the URL, it might cause another exploit like there already was, so that is out!

I will just do the strlen part, I think that is the safest way to do so


I found that after posting, and changed it to check for the referer (see above)

This stops all non-search. referers, and can be changed to

Code:

$board_config['server_name']

which should block all external highlight requests.

It's great that you're working on this situation :)

alsakrah
Registered User
Posts: 166
Joined: Wed Dec 04, 2002 7:54 pm

Post by alsakrah » Tue Dec 28, 2004 12:12 pm

Great so I'm waiting

Thank you for the reply 8)