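', 'javascript\://','img src', 'img%20src','.jsp','ftp.exe', 'xp_enumdsn', 'xp_availablemedia', 'xp_filelist', 'xp_cmdshell', 'nc.exe', '.htpasswd', 'servlet', '/etc/passwd', 'wwwacl', '~root', '~ftp', '.js', '.jsp', 'admin_', '.history', 'bash_history', '.bash_history', '~nobody', 'server-info', 'server-status', 'reboot%20', 'halt%20', 'powerdown%20', '/home/ftp', '/home/www', 'secure_site, ok', 'chunked', 'org.apache', '/servlet/con', '', 'sql=', 'div style=', 'overflow: auto', 'height: 1px', 'cc%20', 'admin_action=', 'path=', 'action=http', 'page=http', 'module=http', 'op=http', 'id=http', 'action%3Dhttp', 'page%3Dhttp', 'module%3Dhttp', 'op%3Dhttp', 'starhack', '../../', 'directory=http', 'dir=http', 'busca', 'uol.com' );

// Block these words found in POST requests
$postBlacklist = array(
    'div style=',
    'overflow: auto',
    'height: 1px',
    'display: hidden', // Against spam-hiding jackasses
);

// Recipient of the alert mails and the From: header they carry. Both are
// placeholders from the original distribution and must be configured.
// The From: value is a fixed literal, so nothing taken from the request
// ever reaches a mail header.
$ctrackerAlertTo   = "your_email@dress.com";
$ctrackerAlertFrom = "From: ctracker@your_domain.com";

// Request details for the alert mails. User-Agent and Referer are optional
// client headers and PATH_TRANSLATED depends on the SAPI, so read them with
// isset() to avoid "undefined index" notices on requests that omit them.
// PHP exposes the Referer header as HTTP_REFERER (one R, mirroring the
// header's historical misspelling); the key HTTP_REFERRER used before was
// never populated, so the Referrer line of the mail was always empty.
$cremotead   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$cuseragent  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$cservername = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
$ctranslated = isset($_SERVER['PATH_TRANSLATED']) ? $_SERVER['PATH_TRANSLATED'] : '';
$creferrer   = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

// Check against the whole list. $cracktrack (the request string, built
// earlier in this file — not visible here) has every listed signature
// replaced by '*'; any difference from the original means at least one
// signature matched. This is a plain substring tripwire on the raw
// request, not a substitute for validating input in the application.
$checkworm = str_replace($wormprotector, '*', $cracktrack);

// If it differs to original then log the attempt by mail and stop.
if ($checkworm !== $cracktrack) {
    $mail = "Attack detected:\n"
        . "Remote-IP: " . $cremotead . "\n"
        . "User-Agent: " . $cuseragent . "\n"
        . "Request-string: " . $cracktrack . "\n"
        . "Filtered string: " . $checkworm . "\n"
        . "Server: " . $cservername . "\n"
        . "Translated: " . $ctranslated . "\n"
        . "Referrer: " . $creferrer . "\n";
    // One mail per hit: a burst of matching requests produces a burst of
    // mail. Rate-limit at the MTA or switch to a log sink if that matters.
    mail($ctrackerAlertTo, "CTracker: Attack detected!", $mail, $ctrackerAlertFrom);
    // Answer 403 instead of an empty 200 so the block is visible to the
    // client and distinguishable in the access log.
    if (!headers_sent()) {
        header('HTTP/1.1 403 Forbidden');
    }
    die();
}

// Check POST data here. $postTrack (the POST data string, also built
// earlier in this file) is screened against the same list, but a hit is
// only reported, not blocked: legitimate form content can contain listed
// words. Blocking of POST data is decided by $postBlacklist below.
$checkworm = str_replace($wormprotector, '*', $postTrack);
if ($checkworm !== $postTrack) {
    $mail = "POST-Attack detected:\n"
        . "Remote-IP: " . $cremotead . "\n"
        . "User-Agent: " . $cuseragent . "\n"
        . "Request-string: " . $postTrack . "\n"
        . "Filtered string: " . $checkworm . "\n"
        . "Server: " . $cservername . "\n"
        . "Translated: " . $ctranslated . "\n";
    mail($ctrackerAlertTo, "CTracker: POST-Attack detected!", $mail, $ctrackerAlertFrom);
}

// Block POST data containing any $postBlacklist entry. This check now runs
// unconditionally: previously it sat inside the branch above, so a POST that
// matched the POST blacklist but none of the wormprotector signatures was
// let through, contrary to the list's stated purpose.
$checkPOST = str_replace($postBlacklist, '*', $postTrack);
if ($checkPOST !== $postTrack) {
    // Block attempt
    if (!headers_sent()) {
        header('HTTP/1.1 403 Forbidden');
    }
    die();
}

//
// End CrackerTracker StandAlone
//
?>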