Preventing unauthorized access to site via malicious upload
;
; This is a fix for the infamous ".x" problem: a user uploads a file via
; Xmodem that contains lines beginning with ".x" and, in effect, can get
; into your system. It assumes the data1 file is on drive specifier "B"
; and is named data1.
;
; The original code to detect the ".x" upload was written by the Whistler.
; The nasty part of the code, which lets you find out who tried to do
; the system in, was suggested and modified by the Warlock Trebor.
;
; many thanks to the Whistler for his help and advice
;
;[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
; original code from your Msg.Seg.S segment is below:
up.xmdm
print \"Please select your Xmodem type:"
input @2 \"[P]roDos - [D]os 3.3 - [S]tandard? " i$
z=instr(i$,"PDS"):if not z pop:return
z=z*(z<>3):print \"*** Ready to receive....."
f$="b:u":use "b:x.up",z,f$
open #1,f$:if mark(1) z=1:goto up.2 <--ADD THIS LINE TO THE CODE
; caution: z still holds the Xmodem type chosen above (1 = ProDOS) unless
; x.up changes it, so set z=0 before the mark(1) test; otherwise the
; "if z=1" checks at up.2 treat every ProDOS upload as a ".x" attempt.
; ADD the following NEW labels and code:
up.1
input #1,i$
if left$(i$,2)=".x" z=1:goto up.2
if left$(i$,2)=".X" z=1:goto up.2
up.2
; use this line ONLY if you just want to abort the upload
if z=1 close #1:print \"Xmodem upload aborted!":kill f$
; BUT use this line instead, if you want to know who did it!
if z=1 close #1:print \"Xmodem upload aborted!":kill f$:goto caught
if not eof(1) goto up.1
close #1
edit(0):copy f$,#8
print \edit(2)" bytes were received"
kill f$:edit(1):return
; end of added code and labels for just killing the file….
; add this code and label to see who tried to do it!
caught
open #1,"b:x.attempt"
if mark(1) close #1:create "b:x.attempt":goto caught
append #1:print #1,un," : ",a1$," ",a2$," : ",a3$,time$:close #1
copy "b:x.gotcha":print
flag(0)=0 <--Set appropriate flags here to keep user off
for p=1 to 6000:next
goto link.term
; end of added code
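; Added example, not part of the original patch or of GBBS: the same two
; checks in Python so the logic can be read and run off the board.
; find_dot_x() applies the left$(i$,2)=".x" test from up.1 to every line
; of a received file; handle_upload() either appends a clean file to the
; message file (the copy f$,#8 step) or refuses it and appends a record
; in the x.attempt field order (user number, names, alias, time). The
; user numbers, names, timestamp and upload contents are constructed for
; the demonstration, and the "data1" / "x.attempt" names are only used
; inside a throw-away directory.

```python
import os
import tempfile
from datetime import datetime


def find_dot_x(data):
    """Return the 1-based number of the first line whose first two
    characters are ".x" or ".X", or None when the upload is clean.
    This mirrors the patch's left$(i$,2) test on purpose: a line such
    as " .x" (leading space) or "x" alone does not match."""
    for lineno, line in enumerate(data.splitlines(), start=1):
        if line[:2].lower() == b".x":
            return lineno
    return None


def record_attempt(log_path, user_num, name, alias, stamp=None):
    """Append one record to the attempt log, creating the file if it does
    not exist (the open/create step at the patch's caught label), in the
    same field order the patch prints: user number, name, alias, time."""
    if stamp is None:
        stamp = datetime.now().strftime("%H:%M:%S %m/%d/%y")
    record = "%s : %s : %s %s\n" % (user_num, name, alias, stamp)
    with open(log_path, "a") as log:
        log.write(record)
    return record


def handle_upload(data, msg_path, log_path, user_num, name, alias, stamp=None):
    """Scan a finished Xmodem upload.  A clean file is appended to the
    message file (the copy f$,#8 step); a ".x" file is discarded and the
    uploader is logged.  Returns ("accepted", bytes_written) or
    ("aborted", offending_line_number)."""
    bad = find_dot_x(data)
    if bad is not None:
        record_attempt(log_path, user_num, name, alias, stamp)
        return "aborted", bad
    with open(msg_path, "ab") as msg:
        msg.write(data)
    return "accepted", len(data)


def demo():
    """Run one clean and one hostile upload (both constructed here) in a
    throw-away directory and return (clean_result, hostile_result,
    attempt_log_text, message_file_size)."""
    clean = b"Hi sysop,\nnice board.\n"
    hostile = b"Hi sysop,\n.x\n"          # constructed: just the prefix
    stamp = "01:02:03 07/04/86"           # fixed so the output is stable
    with tempfile.TemporaryDirectory() as tmp:
        msg = os.path.join(tmp, "data1")
        log = os.path.join(tmp, "x.attempt")
        clean_result = handle_upload(clean, msg, log, 42, "John Doe", "BOARD FAN", stamp)
        hostile_result = handle_upload(hostile, msg, log, 99, "Jane Roe", "INTRUDER", stamp)
        with open(log) as f:
            log_text = f.read()
        msg_size = os.path.getsize(msg)
    return clean_result, hostile_result, log_text, msg_size


if __name__ == "__main__":
    for item in demo():
        print(item)
```

; Run it directly to see both outcomes. The hostile sample is nothing more
; than a line reading ".x", since the whole test is the two-character prefix.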
; explanation: after the ".x" file is detected, it is killed, and things
; just resume normally. In the "who done it" version a file called
; "x.attempt" is created (if it does not already exist), and each entry
; shows the user number, names, alias and time of the uploader.
; You will have to write the appropriate "x.gotcha" file to be displayed
; to the user. I am including mine at the end of this to give you an
; idea of what I'm using.
;
; ENJOY...and catch the little buggers!
;
;
; below is my "x.gotcha" file. Just remember that you'll have to create
; your own if you don't like this one.
;
;
<-- I embedded these control-G's in the file to alert the user
that something was up....
==============================================================================
You have been caught attempting to breach this system’s security!
------------------------------------------------------------------------------
Your user number, name, time and date of this offense have been written to a
special file, and the sysop will automatically be notified of your despicable
action.
Further, your system access has been immediately revoked, and you may expect
all rights and privileges you enjoyed here to be rescinded immediately.
The sysop will also be in contact with all other sysops of systems of which
you were a known member.
Was it worth it?