php – Ryan Schulze

Updated OSSEC Web UI 0.3 files for OSSEC 2.6

June 24, 2012May 13, 2013RyanOSSEC, OSWUI, php, security

OSSEC is an open source HIDS (Host-based Intrusion Detection System), and a pretty darn good one too. It also has a simple web front-end to view what’s going on, search through alerts and stuff like that (called OSSEC Web UI, I’ll just call it “WUI” here). Unfortunately the code is a bit outdated (the last official update was from 2008 as far as I can tell) and it doesn’t support newer features of OSSEC like polling data from a database. Something I’d like to tackle if I find the time 😉

The latest version of OSSEC is 2.6, and due to some small changes to the format of the logs WUI no longer works out-of-the-box. I had a look at the code this weekend and am providing patches and downloads of the files needed to change to get everything running again with OSSEC 2.6.

List of changes:

Works with the OSSEC 2.6 alert log file format
Changed Rule ID Link to better work with the new documentation wiki
Added “user” field to alert output
Widened the layout by a few pixels (to 1000px) and changed the CSS / alert layout to make the individual alerts better readable
Moved some of the hardcoded formatting to CSS

Download changed files
Patch download

captcha cracking

March 18, 2011May 13, 2013Ryan1 Commentcaptcha, gocr, linux, php

This is a pretty old posting from 2009 I just recently discovered in my “drafts” directory. Nowadays there are probably easier and more elegant ways of defeating a captcha, but for old times sake, here is my simple approach.
———————–

Eclectic and Marko were so kind as to “provide” me a captcha to play around with. Took me a few days of poking around and googling but in the end it was easier than I had thought. As long as there aren’t and logic errors in the code (e.g. bad or no session handling) you probably won’t get around some kind of OCR. As OCR software I decided to use gocr because it is free, runs under linux, and it is fairly easy to train to specific needs. Because I knew which libraries were being used to create the captcha images, it was possible for me to build a testing area. This just speeds things up a bit, the process would have worked just as well off the original website. First off: the spambot in action -> http://captcha.dopefish.de/spambot.php, and the website it accesses: http://captcha.dopefish.de/

Now I’ll describe the steps I took to defeat the captcha. Look at what happens on failed and successful inputs, first write a script that works if you enter the solution manually. I used the following 2 php functions for getting and posting stuff (and keeping the session intact)

$ch = curl_init();

function get_url( $ch, $url, $timeout = 5 )
{
    $url = str_replace( "&amp;", "&amp;", urldecode(trim($url)) );

    $cookie = tempnam ("/tmp", "CURLCOOKIE");
    curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1" );
    curl_setopt( $ch, CURLOPT_URL, $url );
    curl_setopt( $ch, CURLOPT_COOKIEFILE, $cookie );
    curl_setopt( $ch, CURLOPT_COOKIEJAR, $cookie );
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
    curl_setopt( $ch, CURLOPT_ENCODING, "" );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_AUTOREFERER, true );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false );    # required for https urls
    curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
    curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout );
    curl_setopt( $ch, CURLOPT_MAXREDIRS, 10 );
    $content = curl_exec( $ch );
    $response = curl_getinfo( $ch );

    return array( $content, $response );
}

function post_url( $ch, $url,  $postvars, $timeout = 5 )
{
    $url = str_replace( "&amp;", "&amp;", urldecode(trim($url)) );

    $cookie = tempnam ("/tmp", "CURLCOOKIE");
    curl_setopt( $ch, CURLOPT_POST ,1);
    curl_setopt( $ch, CURLOPT_POSTFIELDS , $postvars);
    curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1" );
    curl_setopt( $ch, CURLOPT_URL, $url );
    curl_setopt( $ch, CURLOPT_COOKIEFILE, $cookie );
    curl_setopt( $ch, CURLOPT_COOKIEJAR, $cookie );
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
    curl_setopt( $ch, CURLOPT_ENCODING, "" );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_AUTOREFERER, true );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false );    # required for https urls
    curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
    curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout );
    curl_setopt( $ch, CURLOPT_MAXREDIRS, 10 );
    $content = curl_exec( $ch );
    $response = curl_getinfo( $ch );

    return array( $content, $response );
}

$ch = curl_init();

function get_url( $ch, $url, $timeout = 5 )

{

$url = str_replace( "&", "&", urldecode(trim($url)) );

$cookie = tempnam ("/tmp", "CURLCOOKIE");

curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1" );

curl_setopt( $ch, CURLOPT_URL, $url );

curl_setopt( $ch, CURLOPT_COOKIEFILE, $cookie );

curl_setopt( $ch, CURLOPT_COOKIEJAR, $cookie );

curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );

curl_setopt( $ch, CURLOPT_ENCODING, "" );

curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );

curl_setopt( $ch, CURLOPT_AUTOREFERER, true );

curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false ); # required for https urls

curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );

curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout );

curl_setopt( $ch, CURLOPT_MAXREDIRS, 10 );

$content = curl_exec( $ch );

$response = curl_getinfo( $ch );

return array( $content, $response );

}

function post_url( $ch, $url, $postvars, $timeout = 5 )

{

$url = str_replace( "&", "&", urldecode(trim($url)) );

$cookie = tempnam ("/tmp", "CURLCOOKIE");

curl_setopt( $ch, CURLOPT_POST ,1);

curl_setopt( $ch, CURLOPT_POSTFIELDS , $postvars);

curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1" );

curl_setopt( $ch, CURLOPT_URL, $url );

curl_setopt( $ch, CURLOPT_COOKIEFILE, $cookie );

curl_setopt( $ch, CURLOPT_COOKIEJAR, $cookie );

curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );

curl_setopt( $ch, CURLOPT_ENCODING, "" );

curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );

curl_setopt( $ch, CURLOPT_AUTOREFERER, true );

curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false ); # required for https urls

curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );

curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout );

curl_setopt( $ch, CURLOPT_MAXREDIRS, 10 );

$content = curl_exec( $ch );

$response = curl_getinfo( $ch );

return array( $content, $response );

}

Now train a gocr database for the images. Obviously it get’s better the more you train it.
Since curl is taking care of session handling, we can use the get_url() function for downloading the captcha image. I pipe it through this shell command to make it easier for gocr to read:

convert \
-quality 100 \
-blur 0.7 \
-level 9%,60%,100.0 \
-monochrome \
-negate \
-blur 0.1 \
-gamma 1 \
-depth 8 \
-compress none \

convert \

-quality 100 \

-blur 0.7 \

-level 9%,60%,100.0 \

-monochrome \

-negate \

-blur 0.1 \

-gamma 1 \

-depth 8 \

-compress none \

It turnes this:

into this:

Since the valid captcha result is always the same length, we can check if gocr matched all the chars. If it looks good we can use post_url() to continue our session and throw all the fields at the form and submit it. See, wasn’t that hard. Most of the time is spent training gocr and converting the image into something easier to read. It doesn’t solve 100% of the images, more like 80-90%, but still better than nothing ;-).

Programming follow up

August 2, 2008Ryandev.dopefish.de, php, warxract, wow

I just noticed I never wrote a follow up about my script that periodically parses the official World of Warcraft statistics. Unsurprisingly I wrote a basic Web interface to access the stored data. Since I stopped actively playing Warcraft the project kinda faded off my “todo radar”. So it has been stuck on my development site for months -> http://dev.dopefish.de (not the only project stuck in development, my “Voice-Over-IP Audio Shoutbox” also grinded to a stop after I ran into a flash problem)

I’d say it is about 90% done, currently it monitors 450 guilds and more than 15.000 players each day. It works pretty good, better than I had hoped considering how unreliable the source of the data is. There are a few quirks left in the code that I will iron out the next week, then I will release it so that anyone interested in the code can use it. In retrospect it isn’t much more than a big Proof-of-Concept that can be useful for others planing on doing similar projects.

programming

April 5, 2008Ryan1 Commentphp, wow

Haven’t posted in a while, not much going on. Currently the only thing half way interesting is a small web application I’m writing. Every few hours it checks the database of World of Warcraft, and saves in a database who is in which guild. When it is done you can see which players switched guilds when. I’ve got all kinds of funny statistics going on in my head that I can generate out of that data. Since there is no list of all characters oder guilds on a realm, I wrote it to automatically expand the checks when it discovers new characters or guilds. Currently it is watching about 2000 horde players in the EU realm Kil’jaeden. Given the high fluctuation of people joining or leaving guilds, I’d say that after about 2 weeks I should have about 80% of the larger guilds on the realm.

Not much I can show right now since I’ve only written the back end (database, and script to scan and save data). No front end yet, I still have about a week or two till enough data has been saved to actually write and test a front end.