<?php

/**
 * @name WtSecure
 * @package WtSecure
 * @version 2.5.1
 */
// Custom response header emitted on every request that includes this file.
// NOTE(review): it has no protective effect and discloses to anyone reading
// response headers that this guard is installed — keep it to debugging only.
header('Debug: dxsystem');

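/**
 * Request gate for a WordPress install.
 *
 * On instantiation it compares the executing script path against a fixed
 * allowlist of absolute paths; a script outside the list is logged to a
 * monthly text file and the request is terminated. Requests to allowed
 * scripts are additionally terminated (with an advance-level log entry) when
 * any request parameter key or value contains "eval(" or "eval/*".
 *
 * `new WtSecureHeader()` is the whole activation: the constructor runs the
 * check immediately and calls exit when the request is rejected.
 */
class WtSecureHeader {

    /**
     * Absolute paths of the scripts allowed to execute. Anything else —
     * including a path that does not exist on disk — is logged and the
     * request is ended. Compared with strict equality, so the entries must
     * match SCRIPT_FILENAME exactly.
     */
    private $allow = [
        "/home/supicard/public_html/index.php",
        "/home/supicard/public_html/wp-admin/admin-ajax.php",
        "/home/supicard/public_html/wp-admin/index.php",
        "/home/supicard/public_html/wp-admin/admin.php",
        "/home/supicard/public_html/wp-admin/edit.php",
        "/home/supicard/public_html/wp-admin/post.php",
        "/home/supicard/public_html/wp-admin/post-new.php",
        "/home/supicard/public_html/wp-admin/edit-tags.php",
        "/home/supicard/public_html/wp-admin/upload.php",
        "/home/supicard/public_html/wp-admin/edit-comments.php",
        "/home/supicard/public_html/wp-admin/themes.php",
        "/home/supicard/public_html/wp-admin/theme-editor.php",
        "/home/supicard/public_html/wp-admin/term.php",
        "/home/supicard/public_html/wp-admin/customize.php",
        "/home/supicard/public_html/wp-admin/widgets.php",
        "/home/supicard/public_html/wp-admin/nav-menus.php",
        "/home/supicard/public_html/wp-admin/plugins.php",
        "/home/supicard/public_html/wp-admin/plugin-install.php",
        "/home/supicard/public_html/wp-admin/plugin-editor.php",
        "/home/supicard/public_html/wp-admin/users.php",
        "/home/supicard/public_html/wp-admin/user-new.php",
        "/home/supicard/public_html/wp-admin/user-edit.php",
        "/home/supicard/public_html/wp-admin/profile.php",
        "/home/supicard/public_html/wp-admin/tools.php",
        "/home/supicard/public_html/wp-admin/import.php",
        "/home/supicard/public_html/wp-admin/export.php",
        "/home/supicard/public_html/wp-admin/options.php",
        "/home/supicard/public_html/wp-admin/options-general.php",
        "/home/supicard/public_html/wp-admin/options-writing.php",
        "/home/supicard/public_html/wp-admin/options-reading.php",
        "/home/supicard/public_html/wp-admin/options-discussion.php",
        "/home/supicard/public_html/wp-admin/options-media.php",
        "/home/supicard/public_html/wp-admin/options-permalink.php",
        "/home/supicard/public_html/wp-admin/load-scripts.php",
        "/home/supicard/public_html/wp-admin/load-styles.php",
        "/home/supicard/public_html/wp-admin/update-core.php",
        "/home/supicard/public_html/wp-admin/async-upload.php",
        "/home/supicard/public_html/wp-admin/media-new.php",
        "/home/supicard/public_html/wp-includes/js/tinymce/wp-tinymce.php",
        "/home/supicard/public_html/wp-mail.php",
        "/home/supicard/public_html/wp-load.php",
        "/home/supicard/public_html/wp-login.php",
        "/home/supicard/public_html/wp-comments-post.php",
        "/home/supicard/public_html/wp-cron.php",
        "/home/supicard/public_html/wp-admin/upgrade.php",
        "/home/supicard/public_html/wp-admin/update.php",
        "/home/supicard/public_html/modified.php",
        "/home/supicard/public_html/phpscanner.php",
    ];

    /**
     * Scripts whose reports must never be e-mailed: the report embeds the
     * request body, and wp-login.php's POST carries credentials. Only the
     * e-mail path honours this list; the file log does not.
     */
    private $email_exclude = [
        '/home/supicard/public_html/wp-login.php',
    ];

    // Amount of detail written to the log: basic | medium | advance.
    private $level = 'basic';

    // Whether an e-mail report is wanted. Dispatch is currently switched off
    // in checkAccess(); the flag is kept for when sendEmail() is re-enabled.
    private $email = true;

    // Recipient of the e-mail report.
    private $emailid = 'sathishkumar_m@web-trendz.com';

    // Absolute path of the script PHP is executing ($_SERVER['SCRIPT_FILENAME']).
    private $script_file;

    // Log destination: <directory of this file>/log/YYYY-MM.txt, one file per month.
    private $logfile;

    // Report text accumulated by the log*() methods until flushLog() writes it.
    private $log;

    /**
     * Capture the request context and run the access check at once.
     * Control does not return when the request is rejected (checkAccess exits).
     */
    public function __construct() {
        $this->script_file = $this->serverValue('SCRIPT_FILENAME');
        // NOTE(review): the log directory sits beside this file. If that is
        // inside the web root, the logs — which hold request bodies and
        // server variables — are web-readable; confirm it is not served.
        $this->logfile = __DIR__ . '/log/' . date('Y-m') . '.txt';
        $this->log = '';

        $this->checkAccess();
    }

    /**
     * Read one $_SERVER entry, returning $default when it is absent, so that
     * request-dependent keys (HTTP_REFERER, HTTP_USER_AGENT, SERVER_ADDR, ...)
     * never raise undefined-index notices while a report is being built.
     *
     * @param string $key
     * @param mixed  $default
     * @return mixed
     */
    private function serverValue($key, $default = '') {
        return isset($_SERVER[$key]) ? $_SERVER[$key] : $default;
    }

    /**
     * Apply the allowlist and the parameter tripwire; exits on rejection.
     */
    private function checkAccess() {
        // WordPress fires wp-cron.php through a loopback request from the
        // server's own address; let that through untouched. Both addresses
        // must actually be present for the exemption to apply.
        $remote = $this->serverValue('REMOTE_ADDR');
        $server = $this->serverValue('SERVER_ADDR');
        if ($remote !== '' && $remote === $server
                && $this->script_file === '/home/supicard/public_html/wp-cron.php') {
            return;
        }

        // Strict comparison: the allowlist holds exact absolute paths.
        if (!in_array($this->script_file, $this->allow, true)) {
            switch ($this->level) {
                case 'advance':
                    $this->logAdvance();
                    break;
                case 'medium':
                    $this->logMedium();
                    break;
                default:
                    $this->logBasic();
                    break;
            }
            $this->flushLog();

            // E-mail dispatch is intentionally disabled. When it is restored,
            // guard the sendEmail() call with: $this->email, is_file() on the
            // script, and the script not being in $email_exclude.
            exit;
        }

        // Tripwire on the request parameters, independent of the allowlist.
        if ($this->scanForEval($_REQUEST)) {
            $this->logAdvance();
            $this->flushLog();
            exit;
        }
    }

    /**
     * Append the accumulated report to the monthly log file.
     *
     * error_log() with type 3 appends raw text and reports failure (for
     * example a missing or unwritable log/ directory) with a false return
     * rather than an exception, so that return is what is checked; the
     * failure is then sent to the SAPI error log instead of being lost.
     */
    private function flushLog() {
        if (!error_log($this->log, 3, $this->logfile)) {
            error_log('WtSecure: could not write to ' . $this->logfile);
        }
    }

    /**
     * Recursively check request data for the substrings "eval(" or "eval/*"
     * in either keys or values.
     *
     * This is a coarse substring tripwire, not a parser: a hit means the
     * request deserves logging, a miss proves nothing.
     *
     * @param array $data request parameters; nested arrays are descended
     * @return bool true on the first hit anywhere in the structure
     */
    public function scanForEval($data) {
        foreach ($data as $key => $val) {
            if (is_array($val)) {
                // A clean branch must not end the scan: keep going with the
                // remaining siblings.
                if ($this->scanForEval($val)) {
                    return true;
                }
                continue;
            }
            // Keys may be ints and values need not be strings; normalise so
            // substr_count() always receives a string. The newline keeps a
            // key ending in "eva" from joining a value starting in "l(".
            $text = (string) $key . "\n" . (string) $val;
            foreach (['eval(', 'eval/*'] as $needle) {
                if (substr_count($text, $needle) > 0) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Write the report header (timestamp, script path, whether the file
     * exists) and, at the basic level only, a small selection of server
     * variables. Medium and advance dump the whole of $_SERVER themselves.
     */
    private function logBasic() {
        $this->log .= "\n\n============================ Attack Found ============================";
        $this->log .= "\n============== " . date('l jS \of F Y h:i:s A') . " ==============";
        $this->log .= "\nScript File ================>> " . $this->script_file;

        if (is_file($this->script_file)) {
            $this->log .= "\nFile Exist =============>> " . $this->script_file . "\n";
        } else {
            $this->log .= "\nFile Not Exist =========>> " . $this->script_file . "\n";
        }

        if ($this->level === 'basic') {
            $env = [
                'REQUEST_METHOD'  => $this->serverValue('REQUEST_METHOD'),
                'REMOTE_ADDR'     => $this->serverValue('REMOTE_ADDR'),
                'HTTP_REFERER'    => $this->serverValue('HTTP_REFERER'),
                'HTTP_USER_AGENT' => $this->serverValue('HTTP_USER_AGENT'),
            ];
            // CLI invocations carry argv/argc. The presence test has to be on
            // $_SERVER itself; the freshly built $env never has the key.
            if (isset($_SERVER['argv'])) {
                $env['argv'] = $_SERVER['argv'];
                $env['argc'] = $this->serverValue('argc', 0);
            }

            $this->log .= "\n=============================== SERVER ===============================\n";
            $this->log .= print_r($env, true);
        }
    }

    /**
     * Basic report plus the POST, REQUEST, SERVER and FILES superglobals.
     *
     * NOTE(review): the raw POST body is written to the log file here. For an
     * allowed script reached through the eval tripwire (wp-login.php
     * included) that can mean submitted credentials end up on disk;
     * $email_exclude only keeps them out of the e-mail — confirm this is
     * acceptable or mask sensitive fields before logging.
     */
    private function logMedium() {
        $this->logBasic();

        if (!empty($_POST)) {
            $this->log .= "\n================================ POST ================================\n";
            $this->log .= print_r($_POST, true);
        }

        if (!empty($_REQUEST)) {
            $this->log .= "\n============================== REQUEST ===============================\n";
            $this->log .= print_r($_REQUEST, true);
        }

        $this->log .= "\n=============================== SERVER ===============================\n";
        $this->log .= print_r($_SERVER, true);

        if (!empty($_FILES)) {
            $this->log .= "\n=============================== FILES ================================\n";
            $this->log .= print_r($_FILES, true);
        }
    }

    /**
     * Medium report plus a PHP backtrace. $_SERVER is already dumped by
     * logMedium(), so it is not repeated here.
     */
    private function logAdvance() {
        $this->logMedium();

        $this->log .= "\n============================= BACKTRACE ==============================\n";
        $this->log .= print_r(debug_backtrace(), true);
    }

    /**
     * E-mail the accumulated report. Not called at present (see
     * checkAccess()); kept for re-enabling.
     *
     * mail() signals failure with a false return, not an exception, so that
     * return is what is checked; a failed report must not take down the
     * request path, so the failure is only noted in the SAPI error log.
     *
     * @return bool whether mail() accepted the message for delivery
     */
    private function sendEmail() {
        $subject = "superidcards.com Attack found";
        $message = "Attack location found \n\n";
        $message .= $this->script_file . "\n\n";
        $message .= $this->log;

        $headers = 'From: info@superidcards.com' . "\r\n" .
                'Reply-To: noreply@superidcards.com' . "\r\n" .
                'X-Mailer: PHP/' . phpversion();

        $sent = mail($this->emailid, $subject, $message, $headers);
        if (!$sent) {
            error_log('WtSecure: mail() to ' . $this->emailid . ' failed');
        }
        return $sent;
    }

}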

// Activation: the constructor runs the access check immediately and calls
// exit when the request is rejected, so nothing after this line runs then.
new WtSecureHeader();