PHP's information grabbing ability??

Posted: Tue Nov 26, 2002 8:26 am
by penguinboy
I need some help.
Our company has a non public website that is strictly for internal use.
It doesn't show up on any search engines.
While going over some logs I noticed that someone tried to break into the site a few days ago.
I was wondering what sort of information I could obtain on this individual.
I already log the IP, but I'm looking for more.
I'd like to know how he stumbled across our site, if he just typed in the site name, or if he typed in the IP.
Basically I'd like to get every bit of information I could from every computer that connects to our site.

-pb

Posted: Tue Nov 26, 2002 9:26 am
by volka
There is some information available, but it's far more reasonable to secure your site, e.g. with .htaccess, https and a virtual private network.

In between you might be interested in http://www.php.net/manual/en/reserved.variables.php and http://www.php.net/manual/en/function.getallheaders.php
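
Added example (not part of volka's post or the thread's own code): what the reserved variables linked above expose about one request, including whether the visitor reached the site by host name or by IP address. The function names `clean_header` and `describe_request` are hypothetical and the sample request is constructed; every field except `REMOTE_ADDR` is supplied by the client and can be forged.

```php
<?php
// Added example: summarise what one HTTP request reveals, from a $_SERVER-style array.

function clean_header($value): string
{
    // Strip control characters so a crafted header cannot forge extra log lines.
    return substr(preg_replace('/[\x00-\x1F\x7F]/', '', (string) $value), 0, 512);
}

function describe_request(array $server): array
{
    $host = clean_header($server['HTTP_HOST'] ?? '');
    // Drop an optional :port, then the brackets around an IPv6 literal.
    $bare = trim(preg_replace('/:\d+$/', '', $host), '[]');

    if ($host === '') {
        $reachedBy = 'no Host header';   // typical of HTTP/1.0 clients and scanners
    } elseif (filter_var($bare, FILTER_VALIDATE_IP) !== false) {
        $reachedBy = 'ip address';       // the URL contained the address itself
    } else {
        $reachedBy = 'host name';        // the visitor already knew the site name
    }

    return [
        'time'          => gmdate('c', (int) ($server['REQUEST_TIME'] ?? time())),
        'remote_addr'   => clean_header($server['REMOTE_ADDR'] ?? ''),
        'reached_by'    => $reachedBy,
        'host'          => $host,
        'request'       => clean_header(($server['REQUEST_METHOD'] ?? '') . ' ' . ($server['REQUEST_URI'] ?? '')),
        'referer'       => clean_header($server['HTTP_REFERER'] ?? ''),   // empty when the URL was typed
        'user_agent'    => clean_header($server['HTTP_USER_AGENT'] ?? ''),
        'forwarded_for' => clean_header($server['HTTP_X_FORWARDED_FOR'] ?? ''), // proxy claim, unverified
    ];
}

// Constructed sample request (documentation address ranges), not real log data.
$sample = [
    'REQUEST_TIME'    => 1038299160,
    'REMOTE_ADDR'     => '203.0.113.5',
    'HTTP_HOST'       => '192.0.2.10:8080',
    'REQUEST_METHOD'  => 'POST',
    'REQUEST_URI'     => '/login.php',
    'HTTP_USER_AGENT' => "ExampleAgent/1.0\r\nfake log line",
];

echo json_encode(describe_request($sample), JSON_UNESCAPED_SLASHES), "\n";
// On a live page, log the real request instead:
// error_log(json_encode(describe_request($_SERVER)));
```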

Posted: Tue Nov 26, 2002 10:32 am
by penguinboy
the site is secure, so it's not really an issue of security, it's more along the lines of I want to be a smurf and let these 15yr old hackers know that I caught them.

Posted: Tue Nov 26, 2002 12:06 pm
by volka
then you might be interested in http://www.ripe.net/ esp. the online-search
Paranoid's playground...I love it ;)

Code:

// Look up the RIPE whois entry for $ip through the ripe.net web form and cache it in MySQL.
// getWarn() and $GLOBALS['conn'] are defined elsewhere in the poster's application;
// the mysql_* calls are the ext/mysql API of the time (removed in PHP 7).
function getRipeEntry($ip)
	{
		$sd = @socket_create (AF_INET, SOCK_STREAM, getprotobyname("TCP"));
		if( $sd && @socket_connect( $sd, 'www.ripe.net', 80) )
		{
			// URL-encode the address so it cannot alter the form body
			$body = 'form_type=simple&full_query_string=&searchtext='.urlencode($ip).'&do_search=Search';
			// HTTP header lines end in CRLF
			$headers = "POST /perl/whois?%253F HTTP/1.0\r\n";
			$headers .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n";
			$headers .= "Accept: */*\r\n";
			$headers .= "Content-length: ".strlen($body)."\r\n";
			$headers .= "\r\n";
			$headers .= $body;
			socket_write($sd,$headers, strlen($headers));
			
			// Read the whole response until the server closes the connection
			$results = '';
			while($chunk = @socket_read($sd, 1024))
				$results .= $chunk;
			socket_close($sd);
			
			// The whois entry sits between <pre> and the table that follows it
			$beg = strpos($results, '<pre>');
			$end = strpos($results, '</pre><table');
			if ($beg === FALSE || $end === FALSE)
				die(getWarn()); 
			$results = substr($results, $beg, $end - $beg);
			if (strpos($results, 'ERROR:101: no entries found') === FALSE)
			{
				// Store the address as an unsigned integer key
				$ip = sprintf("%u", ip2long($ip));
				$query = 'REPLACE ripe SET ip='.$ip.",entry='".mysql_escape_string($results)."'";
				@mysql_query($query, $GLOBALS['conn']) or die(mysql_error()) or die(getWarn());
			}
			else
				$results = '';
			return array($results);
		}
		else
			return '';
	}

Posted: Tue Nov 26, 2002 1:37 pm
by penguinboy
well...

I'm looking to be more evil than that, I want the hackers' email address, so I can send them an automated email.

Posted: Tue Nov 26, 2002 3:38 pm
by volka
email address from ip? forget it
And you wouldn't want all the sites you visit to be able to find your email-address, would you? ;)
So the best I can offer is the abuse-contact-address from the RIPE entry.
But a single visit is no crime!

Posted: Wed Nov 27, 2002 7:57 am
by penguinboy
well I know it's possible using Java. Just thought I'd see if anyone had a way to do it in PHP.

Posted: Wed Nov 27, 2002 8:04 am
by twigletmac
How do you resolve an e-mail address from an IP, especially when a lot of people don't have static IP addresses but one assigned randomly by their ISP? AFAIK, this isn't a limitation of PHP but of the web in general - how does Java accomplish it?

Mac

Posted: Wed Nov 27, 2002 4:31 pm
by penguinboy
getting the email address has nothing to do with the IP.

instead, when anyone connects to your site and tries to log in, you run some Java to start up Outlook Express/Netscape's email app, and force it to send you an email.

it only works if they use either of those apps.

but it's better than nothing.

Posted: Wed Nov 27, 2002 5:52 pm
by volka
OMG 8O
I would call this a virus or worm whether the intention is good or not!
What's next? Forcing an ISDN dial-up so you can speak to him/her personally? :evil:
Chances are good that you will receive mails only from accidental visitors because the real hacker you're worried about is probably too 133t ( ;) ) to use M$-products or at least has disabled all IE-settings.
The only help I will provide for this attempt is: PHP does not perform anything client-side. It only produces a document sent to the client. This document may contain data that is interpreted e.g. as JavaScript within the client. And this code then may even trigger bugs/leaks.
I hope you reconsider your idea. Forcing a dial-up is illegal for sure, but even the sneaking, unattended mail might be.

Posted: Wed Nov 27, 2002 6:47 pm
by m3mn0n
LOL! That's evil. Hardcore. :roll:

If he is breaking into a private server that is secure, it is not a crime, but it is not allowed. You can get his IP, which will give you his host, ask them to contact the person who had it at that particular logged time to stop breaking into your private server.

I think that is a better method of scaring the person knowing that his ISP knows he is a little a-hole. 8)