
The password hacking problem

ban password generated programs software


TechyMaster

10:08 pm on Feb 2, 2003 (gmt 0)

10+ Year Member



Hi all,

I think I know a way out of the problem where programs like Access Diver can be stopped.
But I cannot develop it on my own, any help is appreciated. I know the KEY to the solution, but am not sure how to code it.

I already have an (index).php script, which returns a status. Snippet:
=====
// register_globals-era PHP: Apache exposes the Basic-auth credentials as
// $PHP_AUTH_USER / $PHP_AUTH_PW (in current PHP they are read from $_SERVER instead)
if (isset($PHP_AUTH_USER)) {$user=$PHP_AUTH_USER;}
if (isset($PHP_AUTH_PW)) {$password=$PHP_AUTH_PW;}
=====
and snippet:
=====
// true once both a username and a password have been sent
$formmodus = (isset($user) && isset($password));

if (!isset($PHP_AUTH_USER) && !$formmodus) {
    // realm must be quoted when it contains a space
    header('WWW-Authenticate: Basic realm="Please login"');
    header("HTTP/1.0 401 Unauthorized");
    echo msgNoLogin;   // assumed: a constant holding the "please log in" message, defined elsewhere
    exit;
}
=====

So I can detect anyone who wants to have access. I have seen in the logfiles that Access Diver uses a HEAD (instead of a GET or POST, etc.). If this program tries to access the index.php, it will get a response, since I placed the index.php in a directory that is not secured by .htaccess. So after 1 attempt, Access Diver is getting something back. But one thing is still missing, if you examine this closely.
The page is sending a 401, and Access Diver will think it did not work. So I would suggest some changes:
- add a delay. A delay of at least 5 seconds. Not nice for your members, but they just log in once or twice a day
- Since $formmodus (see snippet) will be set if a username/password is sent, this script can manually look in our .htpasswd (or whatever you called it in .htaccess; the script might even parse .htaccess to find the exact location, as long as PHP has read rights on that location). If the username is not registered, give back TEXT (so valid HTML, not a 302 error) explaining that the username and/or password was incorrect (no need to tell exactly what went wrong). And explain that they should close their browser, since the username/password combination is stored by IE, and even IE has now been fooled into thinking the login was successful!

I know I am only shooting a lot of parts. But all I need (and we all) is some glue, to glue my parts together. The solution IS IN THERE! I know that we must be sure that our member section is NOT known to the user of Access Diver. The trick is to let the user enter as soon as we find out that the username is found in .htpasswd (we could even crypt(password) to compare them). If matched, we will do a redirect to a directory where one needs to log in (the real member section). Since IE sends the username/password on every page, the member will get in without any problem!

I have been pounding over and over on this issue. At first I thought 'what the "hack", they cannot get in, we use good passwords and usernames'. But the logfiles can grow enormously, and so does the bandwidth consumption!

Any other Techy around, to work this out with me? I think it can be coded in one hour!

[edited by: jatar_k at 2:27 am (utc) on Feb. 5, 2003]
[edit reason] edit [/edit]
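The decoy described in the post above, written out as an added example (this is not TechyMaster's code, and nothing in the thread ships it). It assumes PHP 8, an .htpasswd file outside the web root at the placeholder path below, and a real member area under /members/ that Apache itself protects; the script sits in an unprotected directory so that a guessing tool hits it first. The thread mentions crypt(); Apache's htpasswd also writes bcrypt and {SHA} entries, so those are handled too.

```php
<?php
// Added example (not from the original post): a decoy login gate.
// Assumed paths and settings; adjust for the real site.
const HTPASSWD_FILE = '/var/www/private/.htpasswd'; // assumed: outside the web root, readable by PHP
const MEMBER_AREA   = '/members/';                   // assumed: the real, Apache-protected section
const REALM         = 'Please login';
const FAIL_DELAY    = 5;                             // seconds, as proposed in the post

// Parse .htpasswd into ['user' => 'hash'] (one "user:hash" line per entry).
function load_htpasswd(string $path): array {
    $entries = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        if ($line[0] === '#' || strpos($line, ':') === false) continue;
        [$user, $hash] = explode(':', $line, 2);
        $entries[$user] = $hash;
    }
    return $entries;
}

// Verify a password against one htpasswd hash. Covers bcrypt ($2y$), {SHA},
// and traditional DES / $1$ MD5 crypt(). $apr1$ is not understood by PHP's
// crypt() and is rejected; re-create such entries with "htpasswd -B".
function htpasswd_verify(string $hash, string $password): bool {
    if (str_starts_with($hash, '$2y$') || str_starts_with($hash, '$2a$')) {
        return password_verify($password, $hash);
    }
    if (str_starts_with($hash, '{SHA}')) {
        return hash_equals($hash, '{SHA}' . base64_encode(sha1($password, true)));
    }
    if (str_starts_with($hash, '$apr1$')) {
        return false;
    }
    // For crypt() formats the stored hash doubles as the salt.
    return hash_equals($hash, crypt($password, $hash));
}

// 'challenge' when no credentials were sent, 'redirect' on a match, 'fail' otherwise.
function decide(?string $user, ?string $password, array $entries): string {
    if ($user === null || $password === null) return 'challenge';
    if (!isset($entries[$user])) return 'fail';
    return htpasswd_verify($entries[$user], $password) ? 'redirect' : 'fail';
}

if (PHP_SAPI !== 'cli') {                              // only act when served by the web server
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;          // register_globals is gone; read $_SERVER
    $pw   = $_SERVER['PHP_AUTH_PW'] ?? null;
    switch (decide($user, $pw, load_htpasswd(HTPASSWD_FILE))) {
        case 'challenge':
            header('WWW-Authenticate: Basic realm="' . REALM . '"');
            header('HTTP/1.0 401 Unauthorized');
            echo 'Please log in.';
            break;
        case 'redirect':
            // The browser has the credentials cached and resends them for /members/.
            header('Location: ' . MEMBER_AREA, true, 302);
            break;
        default:
            sleep(FAIL_DELAY);
            // Deliberately 200, not 401: a tool keyed on status codes sees "success".
            header('Content-Type: text/html; charset=utf-8');
            echo '<p>The username and/or password was incorrect. ',
                 'Please close your browser before trying again.</p>';
    }
}
```

Two things to keep in mind if you deploy something like this. sleep() holds a PHP worker for five seconds per failed attempt, so with the many parallel proxies described later in the thread the delay costs the server more than it costs the attacker; a per-IP or per-account limit (see below in the thread) is cheaper. And the decoy only helps while the attacker targets it: once the real /members/ path is known, Apache answers the login directly and this script never runs. The unknown-user branch also returns faster than a wrong-password one, which is a small timing hint about which usernames exist.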

jatar_k

6:02 pm on Feb 5, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I don't really understand the motivation. I assume other people don't as well since no one answered.

You are just trying to get around having a failed login write to the log?

amznVibe

6:08 pm on Feb 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



How about simply limiting the number of times one account name can attempt to login, and fail, from any one IP address within 24hrs? Or am I missing the point of the original question? Something along the line of the way Yahoo works, etc. Only 5 bad attempts per day.

This might also be related to your problem with browsers remembering the login; you can turn off autocomplete for input boxes:

<input type="password" name="Password" AUTOCOMPLETE="off">
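One way to implement the per-account, per-IP limit amznVibe suggests, as an added example (not code from the thread). It assumes a small site where a JSON file under an exclusive lock is an acceptable store; the path and the limits are placeholders, and the login handler variables in the usage comment are assumed.

```php
<?php
// Added example: at most MAX_FAILURES failed logins per (account, client IP)
// within WINDOW seconds. Assumed store path, outside the web root.
const STORE_FILE   = '/var/www/private/failed-logins.json';
const MAX_FAILURES = 5;
const WINDOW       = 86400; // 24 hours

function bucket_key(string $user, string $ip): string {
    return strtolower($user) . '@' . $ip;
}

// Drop failure timestamps older than the window; returns the pruned store.
function prune(array $store, int $now): array {
    foreach ($store as $key => $times) {
        $store[$key] = array_values(array_filter($times, fn($t) => $t > $now - WINDOW));
        if ($store[$key] === []) unset($store[$key]);
    }
    return $store;
}

function is_blocked(array $store, string $user, string $ip, int $now): bool {
    $times = prune($store, $now)[bucket_key($user, $ip)] ?? [];
    return count($times) >= MAX_FAILURES;
}

function record_failure(array $store, string $user, string $ip, int $now): array {
    $store = prune($store, $now);
    $store[bucket_key($user, $ip)][] = $now;
    return $store;
}

// Run $fn on the persisted store under an exclusive lock so that concurrent
// requests do not lose counts. $fn returns [new store, result].
function with_store(callable $fn) {
    $fh = fopen(STORE_FILE, 'c+');
    flock($fh, LOCK_EX);
    $raw   = stream_get_contents($fh);
    $store = $raw === '' ? [] : (json_decode($raw, true) ?: []);
    [$store, $result] = $fn($store);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($store));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $result;
}

// Usage inside a login handler (assumed variables $user, $password, $valid):
//   $ip = $_SERVER['REMOTE_ADDR'];
//   if (with_store(fn($s) => [$s, is_blocked($s, $user, $ip, time())])) {
//       header('HTTP/1.0 429 Too Many Requests'); exit;
//   }
//   if (!$valid) { with_store(fn($s) => [record_failure($s, $user, $ip, time()), null]); }
```

Keying on the pair (account, IP) rather than on the account alone matters: an account-only counter lets anyone lock a member out by sending five wrong passwords, while an IP-only counter is weak against the proxy lists the original poster describes. Keep a per-IP ceiling across all accounts as well if the store grows large.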

TechyMaster

9:23 pm on Feb 6, 2003 (gmt 0)

10+ Year Member



Thanks for thinking with me on this!

There are several reasons why I would like to do this.

First of all: bandwidth control. When the hacker starts trying to get access, he uses lots of proxies and consumes 2 to 3 Mbit per second. This holds for, say, a quarter.

Second: yep, the error log grows. Substantially. But I do need a log, so I need to keep it 'on'.

Third: it seems some username + password combinations are downloadable (I mean other people have these text files for download somewhere). I have seen that someone found the name+password of a member of mine. Next thing, I had 1400 simultaneous logins. Even if they do not get access (some of them surely will), this also creates a huge bandwidth bill.

So it all costs money. Now I also need to tell you I manage multiple sites on one heavy server. And yes: the hackers even do multiple sites at once. The server can easily withstand the load. But the bandwidth consumption is what I fear most!

The only plus I gained once is that I grabbed all email addresses out of the error_log (it seems people use their email address as a login), and used them for my own mailing, gaining some possible extra members!

Fourth: I want to outsmart the hackers. If I can get this script working, and place it in the open, free to use, I think we can move on to another problem (the next thing that comes to mind, but I do not have any at this moment).

Fifth: If we (someone that helps me out) manage to create this script, we will gain enormous attention because of what we made. Who would NOT like that?

Key_Master

9:39 pm on Feb 6, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hello TechyMaster,

I think you will find the answer to your problem by scanning for the hidden and often overlooked portions of the browser header. Namely:

HTTP_ACCEPT
HTTP_ACCEPT_LANGUAGE

My guess is they'll be empty which isn't typical for a normal browser. I've also seen utilities like the one you are referring to contain *.* in the HTTP_ACCEPT variable. This is not typical either.
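The two header signals Key_Master names, turned into a check, as an added example (not Key_Master's code). The sample requests are constructed for illustration; which header values real tools send is an observation from the post, not something this example verifies.

```php
<?php
// Added example: flag requests whose Accept / Accept-Language headers look
// like a non-browser client, using the two signals named in the post.
function looks_like_guessing_tool(array $server): bool {
    $accept   = trim($server['HTTP_ACCEPT'] ?? '');
    $language = trim($server['HTTP_ACCEPT_LANGUAGE'] ?? '');
    if ($accept === '' || $language === '') {
        return true;                        // mainstream browsers send both (assumption)
    }
    if (strpos($accept, '*.*') !== false) {
        return true;                        // "*.*" is not valid Accept syntax; */* is
    }
    return false;
}

// Constructed sample requests, shaped like $_SERVER entries.
$samples = [
    'browser'       => ['HTTP_ACCEPT' => 'text/html,application/xhtml+xml,*/*;q=0.8',
                        'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5'],
    'no language'   => ['HTTP_ACCEPT' => '*/*'],
    'star dot star' => ['HTTP_ACCEPT' => '*.*', 'HTTP_ACCEPT_LANGUAGE' => 'en'],
];
foreach ($samples as $name => $headers) {
    printf("%-14s %s\n", $name, looks_like_guessing_tool($headers) ? 'suspicious' : 'browser-like');
}

// In the login script: if (looks_like_guessing_tool($_SERVER)) { /* delay or log */ }
```

Treat the result as one signal to log alongside the failed-login counter, not as a reason to block on its own: every request header is attacker-controlled, and a tool only has to copy a browser's header set to pass this test.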