(Courtesy of fravia's advanced searching lores)

(¯`·.¸ a php network security scanner ¸.·´¯)
by Devergranne
published at fravia's searchlores in May 2000

Included at the bottom: [DQ open comments to Devergranne]

This essay has been TAKEN DOWN
on Devergranne's request
in September 2002

You'll anyway be able to find it elsewhere through the usual public '[time machines]'.

DQ's comments to Devergranne's essay


Devergranne, I had a look at your essay "a php network security scanner" and would like to make some comments. You can hit me afterwards ;-)

Let's first start with cgi-scan.php3. That's a nice CGI scanner, but I would strongly advise anyone against using it!

Is that code copyrighted by yourself? Are you the author or did you just do a rewrite, taking sources out of the web and translating them into PHP? There's something called CGIcheck99, which is coded in REBOL and written by deepquest.

Anyway, before running that CGI scanner, please have a look at the excellent specifications for Whisker, done by rain forest puppy.

As a general advice to those who just want to start with this stuff: Please be aware of the inner workings of the servers you want to attack. Study them, learn the configuration options, know about booby-traps, and please stop scanning for the phf vulnerability!

Now regarding scan.php3. Please resolve the host name to an IP before starting your loop through your XXXX ports; that way you help reduce internet pollution. Relevant functions are:
string gethostbyname(string hostname);
array gethostbynamel(string hostname);

Second point: Do you really want to scan all those ports? What are you going to do once you found an open port? Why don't you just create an array with those ports you really care about?
For example, if you want to scan for available services, include 21, 23, 25, 80, 110, etc.
If you want to check for proxy access, include 80, 81, 3128, 8080, 8081, etc.
If you want to check for SubSeven and other backdoors, include only those relevant ports.

Just scanning from zero to who knows what glorious 5 digit number just wastes your patience, increases your phone bill and does nothing useful.

A quick patch would be to reduce the default timeout of ten seconds to 3 in the fsockopen() line as follows:
// $errno and $errstr are by-reference parameters in fsockopen()'s own signature;
// the call-time "&" of PHP 3/4 is not needed and is rejected by current PHP.
$fp = fsockopen($host, $port, $errno, $errstr, 3);

Nevertheless, you have a point when demonstrating this new security problem. Perhaps this activates the awareness of people regarding PHP.
DQ, May 2000
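Putting DQ's three suggestions together (resolve the host once, scan only a chosen array of ports, use a short timeout), the following is an added example and not Devergranne's scan.php3 nor code from DQ's comment. The port groups, the default host and the function names are assumptions for illustration; scan only hosts you are authorised to test.

```php
<?php
// Added example: a minimal PHP port scanner built around DQ's advice.
// Not the original scan.php3. Port groups below are an assumed grouping
// echoing the comment; edit them to the services you actually care about.
$port_groups = [
    'services' => [21, 22, 23, 25, 80, 110],
    'proxies'  => [80, 81, 3128, 8080, 8081],
];

// Resolve the host name exactly once, before the port loop, so a single
// DNS query serves every connection attempt instead of one per port.
function resolve_once(string $host): ?string
{
    $ip = gethostbyname($host);
    // gethostbyname() returns the input unchanged on failure; an IP literal
    // also comes back unchanged, so only treat non-IP input as a failure.
    if ($ip === $host && filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $ip;
}

// Try each port in $ports against an already-resolved IP with a short
// connect timeout (DQ's suggested 3 seconds) and return the open ones.
function scan_ports(string $ip, array $ports, int $timeout = 3): array
{
    $open = [];
    foreach ($ports as $port) {
        $errno = 0;
        $errstr = '';
        // '@' silences the warning fsockopen() raises on refused or timed-out connects.
        $fp = @fsockopen($ip, $port, $errno, $errstr, $timeout);
        if ($fp !== false) {
            $open[] = $port;
            fclose($fp);
        }
    }
    return $open;
}

// Usage: php scan.php <host> [services|proxies]
$host  = $argv[1] ?? '127.0.0.1';   // assumed default: your own machine
$group = $argv[2] ?? 'services';

$ip = resolve_once($host);
if ($ip === null) {
    fwrite(STDERR, "could not resolve $host\n");
    exit(1);
}
$ports = $port_groups[$group] ?? $port_groups['services'];
$open  = scan_ports($ip, $ports);
printf("%s (%s) [%s]: open ports: %s\n",
    $host, $ip, $group, $open ? implode(', ', $open) : 'none');
```

Because fsockopen() is handed the IP rather than the name, the only lookup happens in resolve_once(); the scan itself generates nothing but the connection attempts to the ports you listed.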




(c) 2000: [fravia+], all rights reserved