Author: R.Woolley2 (11 Mar 12 4:29pm)
Here's how to implement an example base written for PHP.
You have to change it to suit your needs for production, of course, but these will display and save enough to get the idea.
Below this is a sample written for PERL.
Note the initial response should either be....
1) OK, invalid request, NOT listed...
A copy of the sent call code is returned (BLANK response for PERL).
2) Listed in honeypot.org's database...
Response returned in IP# octet format with "127" as the first octet.
3) Anything else is an internal error, so the IP really should be passed as OK (or, if not also using a "captcha" input, then at least add one to the form this time).
=====================================
<?php
# http:BL (Project Honey Pot) lookup for PHP. The answer is a 127.x.y.z address:
# The second octet (0-255) represents the number of days since last activity.
# The third octet (0-255) represents a threat score for the IP.
#   25 = 100 spam messages
#   50 = 10,000 spam messages
#   75 = 1,000,000 spam messages
# NOTE: ONLY IF 4TH OCTET = 0 (known search engine) the third octet is an engine ID instead:
$engines = array();
$engines['0']  = 'Undocumented';
$engines['1']  = 'AltaVista';
$engines['2']  = 'Ask';
$engines['3']  = 'Baidu';
$engines['4']  = 'Excite';
$engines['5']  = 'Google';
$engines['6']  = 'Looksmart';
$engines['7']  = 'Lycos';
$engines['8']  = 'MSN';
$engines['9']  = 'Yahoo';
$engines['10'] = 'Cuil';
$engines['11'] = 'InfoSeek';
$engines['12'] = 'Miscellaneous';
# The fourth octet represents the type of visitor (0 = s/engine + 3rd octet ID, else just this).
# It is a bitmask: 1 = Suspicious, 2 = Harvester, 4 = Comment Spammer.
$types = array();
$types['0'] = 'Search Engine';                             # (0)
$types['1'] = 'Suspicious';                                # (1)
$types['2'] = 'Harvester';                                 # (2)
$types['3'] = 'Suspicious & Harvester';                    # (1+2)
$types['4'] = 'Comment Spammer';                           # (4)
$types['5'] = 'Suspicious & Comment Spammer';              # (1+4)
$types['6'] = 'Harvester & Comment Spammer';               # (2+4)
$types['7'] = 'Suspicious & Harvester & Comment Spammer';  # (1+2+4)

$result = $logged = $addrs = $valid = $lastactive = $threat = $type = '';
$passasok = false;
$addrs = $_SERVER["REMOTE_ADDR"];
#$addrs = '127.9.1.2'; // un-rem to hard code a test ip
echo "remote address: $addrs<br>\n";
// http:BL is queried with the octets reversed: a.b.c.d becomes d.c.b.a
$revrsip = implode(".", array_reverse(explode(".", $addrs)));
echo "reversed ip#: $revrsip<br>\n";
if (preg_match("/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/", $revrsip)) {
    // replace mysecretidhash with your own http:BL access key
    $qtarget = "mysecretidhash.$revrsip.dnsbl.httpbl.org"; // HERE 'TIS
    // gethostbyname() returns the query name unchanged when there is no A record (not listed)
    $result = gethostbyname($qtarget); // HERES HOW
    echo "result: $result<br>\n";
    if (preg_match("/^(127)\.(\d+)\.(\d+)\.(\d+)$/", $result)) {
        // block if 1st octet equals "127"... signifies ip is listed
        list($valid, $lastactive, $threat, $type) = explode(".", $result, 4);
        if ($type == "0") {
            // search engine: the third octet is the engine ID, not a threat score
            $engine = isset($engines[$threat]) ? $engines[$threat] : 'Unknown';
            $type = "$types[$type] $engine";
        } else {
            $type = isset($types[$type]) ? $types[$type] : "Unknown ($type)";
        }
        $logged = "last seen: $lastactive days, threat level: $threat, type: $type";
    } else {
        # pass as invalid test (none or useless data) and ip is OK
        $logged = "passed as invalid test (OK)";
        $passasok = true;
    }
} else {
    // pass as invalid test (useless reversed ip)
    $logged = "passed as invalid ip reversal ($revrsip)";
    // don't block just because of internal error
    $passasok = true;
}
$okflag = $passasok ? 'true' : 'false'; // a bare bool interpolates as "" or "1"
$logged .= ", $addrs, $okflag, " . date("d/m/Y H:i:s", time());
print "[$okflag]: $logged<br>";
// the log records visitor IPs: keep it outside the web root in production
if ($handle = fopen('php_dnsbl.httpbl.log', 'a')) {
    // if opening or writing fails check dir permissions
    @fwrite($handle, $logged . "\n");
    fclose($handle);
}
exit(0);
========================================
It should be easy to convert fundamentals to any other high level language.
For PERL....
========================================
#!/usr/bin/perl
use strict;
use warnings;
use Net::hostent;   # makes gethostbyname() return an object (undef when not found)
use Socket;         # inet_ntoa()
# http:BL (Project Honey Pot) lookup for Perl CGI. The answer is a 127.x.y.z address:
# The second octet (0-255) represents the number of days since last activity.
# The third octet (0-255) represents a threat score for the IP.
#   25 = 100 spam messages
#   50 = 10,000 spam messages
#   75 = 1,000,000 spam messages
# NOTE: ONLY IF 4TH OCTET = 0 (known search engine) the third octet is an engine ID instead:
my %engines;
$engines{'0'}  = 'Undocumented';
$engines{'1'}  = 'AltaVista';
$engines{'2'}  = 'Ask';
$engines{'3'}  = 'Baidu';
$engines{'4'}  = 'Excite';
$engines{'5'}  = 'Google';
$engines{'6'}  = 'Looksmart';
$engines{'7'}  = 'Lycos';
$engines{'8'}  = 'MSN';
$engines{'9'}  = 'Yahoo';
$engines{'10'} = 'Cuil';
$engines{'11'} = 'InfoSeek';
$engines{'12'} = 'Miscellaneous';
# The fourth octet represents the type of visitor (0 = s/engine 3rd octet ID else ignore IDs).
# It is a bitmask: 1 = Suspicious, 2 = Harvester, 4 = Comment Spammer.
my %types;
$types{'0'} = 'Search Engine';                             # (0)
$types{'1'} = 'Suspicious';                                # (1)
$types{'2'} = 'Harvester';                                 # (2)
$types{'3'} = 'Suspicious & Harvester';                    # (1+2)
$types{'4'} = 'Comment Spammer';                           # (4)
$types{'5'} = 'Suspicious & Comment Spammer';              # (1+4)
$types{'6'} = 'Harvester & Comment Spammer';               # (2+4)
$types{'7'} = 'Suspicious & Harvester & Comment Spammer';  # (1+2+4)

print "Content-type: text/html\n\n";
my ($result, $logged, $addrs) = ('', '', '');
my ($valid, $lastactive, $threat, $type);
my $passasok = 0;      # 0/1: the barewords false/true are both TRUE strings in Perl
my $gmtPlusMinus = 0;  # seconds to add to GMT for the log timestamp
$addrs = $ENV{'REMOTE_ADDR'} || '';
#$addrs = '127.9.1.2'; # un-rem to use a test ip
print "remote address: $addrs<br>";
# http:BL is queried with the octets reversed: a.b.c.d becomes d.c.b.a
my $revrsip = join '.', reverse(split(/\./, $addrs, 4));
print "reversed ip#: $revrsip<br>";
if ($revrsip =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/) {
    # replace mysecretidhash with your own http:BL access key
    my $qtarget = "mysecretidhash.$revrsip.dnsbl.httpbl.org"; # HERE 'TIS
    my $h = gethostbyname($qtarget); # HERES HOW (undef = no A record = not listed)
    if (defined $h) { $result = inet_ntoa($h->addr_list->[0]); }
    print "result: $result<br>";
    if (!$result || $result !~ /^(127)\.(\d+)\.(\d+)\.(\d+)$/) {
        # pass as invalid (useless) response
        $logged = "passed as invalid test";
        if ($result) { $logged .= " ($result)"; }
        $result = '';
        $passasok = 1;
    }
    else {
        ($valid, $lastactive, $threat, $type) = split(/\./, $result, 4);
        # if/else here: "cond ? $x = a : $x = b" is parsed by Perl as
        # (cond ? ($x = a) : $x) = b, so $x always ended up as b
        if ($type eq "0") {
            # search engine: the third octet is the engine ID, not a threat score
            my $engine = defined $engines{$threat} ? $engines{$threat} : 'Unknown';
            $type = "$types{$type} $engine";
        }
        else {
            $type = defined $types{$type} ? $types{$type} : "Unknown ($type)";
        }
        $logged = "last seen: $lastactive days, threat level: $threat, type: $type";
    }
}
else {
    $logged = "passed as invalid ip reversal"; # pass as invalid (useless) test
    $passasok = 1; # don't block just because of an internal error
}
$logged .= ", $addrs, $passasok, " . dnsblDatetime();
print "[$passasok]: $logged<br>";
# the log records visitor IPs: keep it outside the web root in production
if (open(DLOG, ">>cgi_dnsbl.httpbl.log")) {
    if (defined &lock)   { &lock('DLOG', "cgi_dnsbl.httpbl.log"); }   # optional site lock hook
    print DLOG $logged . "\n";
    if (defined &unlock) { &unlock('DLOG', "cgi_dnsbl.httpbl.log"); }
    close(DLOG);
}
exit(0);

sub dnsblDatetime {
    # my (...) declares all of them; "local $a, $b, $c" only localised $a
    my ($sec, $min, $hour, $mday, $mon, $year) = gmtime(time + $gmtPlusMinus);
    $mon++;          # gmtime() months run 0-11
    $year += 1900;   # gmtime() years are counted from 1900
    return sprintf("%02d/%02d/%04d %02d:%02d:%02d", $mday, $mon, $year, $hour, $min, $sec);
}
===================================
Bad luck the forum post box doesn't support pasting of sample code, but a bit of careful fiddling should bring it back to readable formatting.
Regards.
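The same lookup and answer decoding as an added Python example (not the poster's code): it builds the reversed-octet query name, decodes the 127.days.score.type answer including the search-engine case where the third octet is an engine ID, and treats bad input, a failed lookup (NXDOMAIN) or a non-127 answer as pass-through, as the post's scripts do. The access key `k` and the canned answers in the test are constructed placeholders; calling check_visitor without a resolver performs a real DNS query.

```python
import ipaddress
import socket
from typing import Callable, Optional
# Lookup tables exactly as given in the post's PHP/Perl scripts.
ENGINES = {0: "Undocumented", 1: "AltaVista", 2: "Ask", 3: "Baidu", 4: "Excite",
           5: "Google", 6: "Looksmart", 7: "Lycos", 8: "MSN", 9: "Yahoo",
           10: "Cuil", 11: "InfoSeek", 12: "Miscellaneous"}
# The fourth octet is a bitmask; the post's $types table spells out all 8 sums.
TYPE_BITS = ((1, "Suspicious"), (2, "Harvester"), (4, "Comment Spammer"))

def httpbl_query_name(access_key: str, ip: str) -> str:
    """Build <key>.<d.c.b.a>.dnsbl.httpbl.org for visitor IPv4 a.b.c.d."""
    addr = ipaddress.IPv4Address(ip)  # rejects "999.1.1.1", hostnames, IPv6
    reversed_ip = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_ip}.dnsbl.httpbl.org"

def decode_httpbl(answer: Optional[str]) -> Optional[dict]:
    """Decode a 127.days.score.type answer; None means not listed / unusable."""
    try:
        o = [int(p) for p in (answer or "").split(".")]
    except ValueError:
        return None
    if len(o) != 4 or o[0] != 127 or not all(0 <= p <= 255 for p in o):
        return None
    days, third, kind = o[1], o[2], o[3]
    if kind == 0:  # search engine: third octet is an engine id, not a score
        return {"days": days, "score": None, "types": ["Search Engine"],
                "engine": ENGINES.get(third, "Unknown")}
    types = [name for bit, name in TYPE_BITS if kind & bit]
    return {"days": days, "score": third, "types": types, "engine": None}

def _resolve(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN: the address is not listed

def check_visitor(ip: str, access_key: str,
                  resolve: Callable[[str], Optional[str]] = _resolve) -> dict:
    """Only a well-formed 127.x.y.z answer counts as listed; bad input, a failed
    lookup or any other answer passes the visitor, as the post's scripts do."""
    try:
        name = httpbl_query_name(access_key, ip)
    except ValueError:
        return {"block": False, "reason": "invalid ip", "info": None}
    info = decode_httpbl(resolve(name))
    if info is None:
        return {"block": False, "reason": "not listed", "info": None}
    return {"block": info["score"] is not None,  # search engines are reported, not blocked
            "reason": ", ".join(info["types"]), "info": info}
```

Passing a dict's `.get` as the resolver, as the test does, lets the decoding be exercised offline against canned answers before wiring in real DNS.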