I have upgraded the server to PHP 5.3 recently and I just noticed that one of the sites that uses wordpress has this message appeared at the top of every pages.
. // // Alexey A.Znayev, znaeff#mail.ru, http://xbsoft.org,
http://xbsoft.ru //
///////////////////////////////////////////////////////////////////////////
// This file contains public class DNSBL // This class performs IP
address check in spam blocking lists as described // on
http://ru.wikipedia.org/wiki/RBL class DNSBL { private $_aCheckers =
array( // list of checkers available for individual checking
'spamhaus' => array('.zen.spamhaus.org', true), //available for group
checking with 'all' key 'spamcop' => array('.bl.spamcop.net',
true), //available for group checking with 'all' key 'dsbl' =>
array('.list.dsbl.org', false), //not available for group checking
with 'all' key 'ordb' => array('.relays.ordb.org', false), //not
available for group checking with 'all' key 'sorbs' =>
array('.dnsbl.sorbs.net', false), //not available for group checking
with 'all' key 'njabl' => array('.dnsbl.njabl.org', false) //not
available for group checking with 'all' key ); // AZ - 1. Key 'all' is
illegal // AZ - 2. Most of spammer IP addresses is ...........
The other sites that use Drupal, Magento, & Symfony don't have a problem.
Any idea?
Thanks.
hc.
First, make sure that your server is still executing PHP. For that, just create a simple php page with this : <?php phpinfo(); ?> and call it from your browser. If you see all your server's information, it's fine. If you see nothing, there's a problem with your server. (don't forget to remove the file as it gives a lot of information on your server)
If the phpinfo thing works, I would make a search on all files on this site to find one of the sentence. For example, use a tool to search for "array('.bl.spamcop.net', true)" in all the files. If you find it, please post the content here.
Do you use Linux for your site? Do you have a copy of your Website on your computer? Can you connect remotely to your computer through a shell or something similar? (sorry, can't use the comment feature because of my low rep)
Edit : Like "nevermind" said, check the file with the name DNSBL.php. It looks like something to prevent spam. Maybe you have a security plugin of some sort?
If you have Linux on your server and have a shell access, you can issue this command to find the file:
find / -name 'DNSBL.php'
Edit #2 : The file you found should look like this (the first lines) :
<?
///////////////////////////////////////////////////////////////////////////
//
// DNSBL - Spam IP address checker.
// Copyright (C) 2011 Alexey A.Znayev
From what you copied in your question, it looks like everything is missing until "Alexey A.Znavev".
If the file is fine, check the source code of one of the the page that displays the text on your site (ctrl+u on most browsers). What do you see in it? Is there more "weird" stuff at the beginning of the page?
Related
I would like to make a PHP website, where employees can log in/out themselves and these logs will count as a time when they started and ended their working day. I would like to allow them to do that only on their work computer and not for example on their phone while they are still on the way, but they want to avoid "being late".
So I'm struggling with a few ideas, but any of them seems to be the right solution.
Allow using the website only for specific IP addresses. But then I realized that in our place IP address is dynamic and changing it for static costs too much in our area.
Check user location. But then I saw that when I'm checking my public IP address, the location is completely wrong! Our building isn't even close to the loaded area.
Using a COOKIE/token on a work computer. But it's very easy to set the same cookie on your own device and I'm not the only IT employee here.
Checking MAC address. As I read here it's possible only in specific cases.
Block access for mobiles. But detecting a mobile is based on browser and if the user click "Request Desktop Site" scripts will say that's a computer.
Is there another method, which I can use to achieve my goal? Am I missing something?
May I bind my app for example with some other technologies that will allow me to do that? Or maybe I should try a combination of all of them?
I couldn't find any script, which would take care of that. In the worst case it doesn't have to be "perfectly secure", but I would like to be it at least hard, annoying, or time-consuming to try to "cheat" in this system.
I would run your app in the office LAN. Nobody will be able to access it from outside except if they can do remote desktop to the office computer or if they have VPN. But if you are in the IT team you may could fix IP ranges for the office computers so that you could exclude the VPN.
In terms of security, in any case it may be better having it running in your LAN. I'm sure you've got a server somewhere and if it's not the case then you could use a NAS (Synology offers NGINX, Apache, PHP and much more) or a little Rasperry Pie or something similar.
If you haven't got a fixed IP, you could also use DynDNS and have it mapped to a sub-domain such as company-name.dyndns.org and then on your PHP app you could have a cron job that gets the IP address from the domain name and updates it every minutes (I'm sure it's quickly run). It could then store it inside a config file, this way:
<?php
define('ALLOWED_IP_FILE', 'allowed-ips.inc.php');
$ALLOWED_DOMAINS = [
'your-company.dyndns.org',
'you-at-home.dyndns.org',
];
$allowed_ips = [];
foreach ($ALLOWED_DOMAINS as $allowed_domain) {
$ip = gethostbyname($allowed_domain);
if ($ip !== $allowed_domain) {
// Store with the IP in the key and value for ease when checking the IP validity.
$allowed_ips[$ip] = $ip;
} else {
fprintf(STDERR, "ERROR: Could not find the IP of $allowed_domain!\n");
}
}
$allowed_ips_export = var_export($allowed_ips, true);
$config_file_content = <<<END_OF_CONFIG
<?php
// Don't edit! This config file is generated by cron-ip-address.php.
\$ALLOWED_IPS = $allowed_ips_export;
END_OF_CONFIG;
if (file_put_contents(ALLOWED_IP_FILE, $config_file_content) === false) {
fprintf(STDERR, 'ERROR: Could not write config file ' . ALLOWED_IP_FILE . "\n");
}
This generates a config file to include in your app. Example of content generated if you run the script I wrote above:
<?php
// Don't edit! This config file is generated by cron-ip-address.php.
$ALLOWED_IPS = array (
'142.250.203.99' => '142.250.203.99',
'23.201.250.169' => '23.201.250.169',
);
Now, in your app, just include it and test the presence of the IP in the $ALLOWED_IPS array:
<?php
include ALLOWED_IP_FILE; // If this is declared in a common config file.
// include 'allowed-ips.inc.php'; // If you haven't got a common config file.
if (!isset($ALLOWED_IPS[$_SERVER['REMOTE_ADDR']])) {
http_response_code(403);
die('Sorry, you cannot access it from here.');
}
Ideally, if what you actually want to track is when employees are in the workplace and logged on / for how long, it would be probably better to just track local machine-logins via a domain controller - a method reachable from the internet is suboptimal exactly for the reasons you mentioned.
If you have an intranet which users cannot tunnel into but can access from their work machines, I'd say hosting your login-page only inside that intranet is the easiest way to achieve what you want with the methods you suggest.
Alternatively, if employee work-machines use windows under a domain controller - you can restrict access to Windows certificate-storage, then install/push a certificate and require that to be present via your server-configuration. In that case, it doesn't matter if the website is accessible from the internet. I'm sure there are similar solutions if work-machines are not on Windows.
This admittely old question gives some pointers in the right direction on how to require client certificates from a Webserver (IIS in that case).
Using PHP 5.5.12
Using CakePHP 2.6.7
Running
debug($url); // output = "http://google.co.uk"
debug(parse_url($url));
/* output = array(
'host' => '*****',
'scheme' => 'http'
)
*/
I had been using this without trouble but now copy/pasting a section of my code to have it as method (to save repeating myself) has started giving me this output. But testing it back in the same place I had it originally gives me this output too.
Can anyone explain why the hostname is stars and why the rest of the array doesn't appear (I realise all other elements should be expected to be NULL)?
Edit
Just tried it again with a url that had a path to a page after the host. The path shows up fine but the host is still starred out.
Partial Answer
Just thought to try debug(parse_url($url)['host']) and it prints the host correctly. I realised that the other elements would only be set if they exist in the url.
However, can anyone explain why printing out the array prints several stars instead of the hostname even though it is definitely stored there?
The reason this happens is because of how debug() works. Many moons ago people were not pleased that they could accidentally have their database credentials dumped out in error pages (which use the same underlying code as debug()). Because of this, debug() and Debugger::export() blacklist a set of array keys that could have database credentials. The following keys are replaced with ***'s:
password
login
host
database
port
prefix
schema
I'm working on a php installer for a web application / software.
The installer need a valid license ID to finish the installation (for example: "aDs34Nsi9sa").
To check if the license ID is valid i have a php script on my main domain that check my db and return 1 if the licenseID exist and is active or 0 otherwise. This file should be called like this:
https://www.domain.com/check.php?id=aDs34Nsi9sa
So i'm wondering if is correct to use file_get_contents() to check the license ID via PHP..
$check = file_get_contents("https://www.domain.com/check.php?id=$license_field");
if( $check == 1 ) {} // finish installation
else {} // print error msg
Is this way correct and secure?
Of course, you need to properly URL-encode data before injecting it into a URL. And it's up to your remote server to detect brute force attacks. Other than that:
Your check assumes that allow_url_fopen is enabled and PHP has SSL support. Make sure you explain that in the requisites and get ready for support enquiries and workaround coding.
Data sent through SSL should remain private enough.
And, well, it isn't particularly difficult to crack. Malicious users just need to impersonate the remote site.
This is an another topic about domain name verify. I read answers in other topics. I tried several scripts. I don't want to use an API. Unless there is a free API but I not yet found one.
I tried to check the DNS following code:
if($_POST['submit']){
if(!empty($_POST['check_site'])){
$url = $_POST['check_site'];
//add .nl
if(!strpos($url,'.nl')){
$url.= '.nl';
}
//check dns record
$result = dns_get_record($url);
if(count($result) > 0)
{
echo $url. ' is used';
}else{
echo $url. ' is free';
}
}
}
The problem is when I try to check "example.nl" (A registred but inactive domain) it don't give DNS data back so I validate is as free domain.
My questions are:
Does anyone a fix?
Does anyone have a suggestion (link to other script/article)
Is there a way to check if a site have a registrar.
I'm still a student but this is not a school project.
Live code on : link
I am checking the answers, thanks in advance
Edit:
When I try to
shell_exec (whois -h whois.domain-registry.nl 'is example.nl');
I get a unexpected T_String error. What is the correct way to use this?
If your PHP installation has rights to execute the whois command line utility commonly found on UNIX-based server, you could get your information from the following command:
whois -h whois.domain-registry.nl 'is example.nl'
This command is taken from this SIDN page, under 'Is'. You must check whether you can do this more than 15 times a day from one IP address, because you also can't do that for the more complete whois (without 'is'). You also seem to be restricted to one request per second.
I think PHP functions checks if site is assigned to an IP address or not. That is why inactive domains are identified as free!
Anyway you can check your code again with checkdnsrr() of PHP.
If it does not works, there is an extension for this purpose. I think it is free.
I have a web site with many virtual hosts and each registered with several domain names (ending in .org, .de), site1.mysite.de, site2.mysite.org
Then I have different templating systems based on several programming languages (perl and php) in use on the web server.
The Google Maps Api requires a unique Google Maps api key for each vhost.
I want to have something like a web-server wide variable $goomapkey that I can call from inside my code.
In PHP code, Now I have a kludgy case-analysis solution like
$domain = substr($_SERVER['SERVER_NAME'], -3);
if (".de" == $domain){
//if ("xxxxxx" eq substr($ENV{SERVER_NAME}, 0, 5)){
// $gookey = "ABQIAAA...";
//} else {
//site1.de
$gookey = "ABQIAAAA1Js...";
//}
} elseif ("dev" == substr($_SERVER['SERVER_NAME'], 0, 3)){
//dev.mysite.org
$gookey = "ABQIAAAA1JsSb...";
} else {
//www.mysite.org
$gookey = "ABQIAAAA1JsS...";
//TODO: Add more keys for each virtual host, for my.machinename.de, IP-address based URL, ...
}
... inside my php-based CMS. A non-ideal solution, because it is, php-only, and I still have to set it at several html templates inside the CMS, and there are too many cases.
I want the google maps api key to be set by the apache web server who examines the request *early in the request loop before any php page template code is constructed and evaluated.
is an environment variable a good solution?
which technology should be used to set the $goomapkey variable?
I'd prefer mod_perl2 Apache request handler, but the documentation is confusing (many API changes in the past ). Which Apache module could I use?
Is there a built-in Apache module that does the same thing?
Surely this is a little overkill for only a few domains? I mean, you've obviously had to go through the process of applying for a key for each domain, why not just use each key in each project independently?
The most elegant solution would be to make the switch to Google Maps API v3, which no longer requires an API key.
Is an environment variable a good solution?
I'd hesitate to use environment variables to store a "key", except API keys aren't secret (anyone can see it with "view source"), so it seems vaguely sensible.
Whether you think it's a "good" idea is different matter — it's a layering violation, but so's everything else. If your web framework (or whatever you're using) has some sort of site config, that's the obvious place to put it. You can have the config code load it from the environment variable, but if you keep it in the config then it's much easier to change later
I'd prefer something like
$apikeys = array(
"site1.de" => "...",
"dev.mysite.org" => "...",
"www.mysite.org" => "...",
"" => "...", // default
);
Then the code loops over the array, finds the longest suffix match, and uses the corresponding key. It has the advantage that it's easier to port between different languages (you can even write genapikeys.pl which writes gmapapikeys.php). I also don't think there's any point having a default key — IIRC Google Maps rejects your request if the key doesn't match the "Referer".
A more general solution would be to reverse the hostnames (i.e. de.site1, org.mysite.www); you can then have "com.hostingcompany.www/mysite/".
Of course, IP addresses are in reverse order, and IPv6 is a load of fun. I'm not sure if API keys support either, though, so it might be irrelevant.
If you try to populate the variable via mod_perl2, then it won't be available to PHP - similarly, your PHP include files are not available to PERL.
An environment variable looks like a good compromise - unless you are already loading comon data from data files / a database.
Is there a built-in Apache module that does the same thing?
Yes - mod_env and the SetEnv directive
C.