开发者

Setting up a fake admin login

开发者 https://www.devze.com 2023-04-02 16:50 出处:网络
After having my Paypal account compromised I got a bit paranoid and wanted to secure everything in my sites. One of them includes renaming the admin/ page to something else, then I will put something

After having my Paypal account compromised I got a bit paranoid and wanted to secure everything in my sites. One of them includes renaming the admin/ page to something else, then I will put something like a honeypot to see which IP's they are coming from:

    <?
// honeypot 

if($_POST['username']) { 
sleep(10);

$filename = "intruders.txt"; 
$date = date('l jS \of F Y h:i:s A');
$handle = fopen($filename,"a+");
$content = "Username: $_POST[username] , Password: $_POST[password]  $date ... from $_SERVER[REMOTE_ADDR] \n";
fwrite($handle,$content);
fclose($handle);

echo "<br/><b>Wrong username or password. Please try again</b><br/><br/>"; 

} 

?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>WHMCS - Admin alt</title>
</head>
<body>
<form id='login' action='index.php' method='post' accept-charset='UTF-8'>
<fieldset>
<legend>WHMCS Secure alt Login</legend> 
<label for='username' >Username*:</label>
<input type='text' name='username' id='username'  maxlength="50" />
<label for='password' >Password*:</label>
<input type='password' name='password' id='password' maxlength="50" />
<input type='submit' name='Submit' value='Submit' />
</fieldset>
</form>
<div id="footer">Copyright &copy; <a href="http://www.whmcs.com/" target="_blank">WHMCompleteSolution</a>.  All Rights Reserved.</div>
</body>
</html>

My开发者_开发问答 only concern right now is, can this form be attacked to gain access to the site? I don't think sql injection can work here since we never used sql, nor injecting js to the output since it only outputs some fake text. After that I can't think of anything else an attacker might get wise on...

What do you think? could there be a better way to track them down?


Now that you've posted the code here, you've spoiled the surprise. If you are going to use this code in production, change the code so it won't be that easy to google.

Notes:

  • sleep(10) - this makes your server vulnerable to a denial of service attack
  • writing to a file in the current directory - if you're going to log to a file, do not log it just in a public area. You should not expose details like IP addresses to the public unless your visitors don't care about it.
  • denial of service (2) due to unlimited logging - there is not flood protection nor is the input restricted
  • logging of passwords - not really effective in my opinion unless you want to know where an attacker comes from (cracked email accounts, compromised database, ...)

I would avoid using a honey pot like this. Besides that not all form submissions are cracking attempts (I've seen bots submitting my forms which were "protected" with a simple text question), it may be challenging visitors with bad intentions. Do proper logging of requests and actions and let someone review your code.

0

精彩评论

暂无评论...
验证码 换一张
取 消