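#!/usr/bin/perl -T
# by Void Main
# Block sites with PHP worm.
#
# CGI handler. Every hit is logged to $log; a request whose query string or
# request URI is suspiciously long is treated as a worm probe and the client
# address is handed to /sbin/block through sudo, with the command's output
# appended to $blklog.
#
# Security notes:
#   * REMOTE_ADDR is validated against an anchored dotted-quad pattern and the
#     untainted capture is the only value that reaches the sudo command, which
#     is run in list form so no shell ever parses it.
#   * The reverse-DNS name is attacker-controlled (anyone can publish any PTR
#     record), so it is sanitized before it is written to the log and
#     HTML-escaped before it is echoed into the response page.
#   * Taint mode (-T) is enabled; PATH is reset before any child is started.
#     (The -T switch only takes effect when the script is started via this
#     shebang line, as Apache does for CGI.)
use strict;
use warnings;
use Socket;
use IPC::Open3;

# Taint mode refuses to exec with an inherited PATH; give the sudo child a
# fixed one and drop the other shell-influencing variables.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# These files have to exist and writable by apache user
my $log    = "/public/php_worm.log";
my $blklog = "/public/php_worm_blocked.log";
my $mail   = "voidmain AT linuxmail.org";

# Append one line to a log file, best effort: a failure is reported on STDERR
# (the web server's error log) but does not abort the request.
sub append_line {
    my ($path, $line) = @_;
    open(my $fh, '>>', $path) or do {
        warn "cannot append to $path: $!";
        return;
    };
    print {$fh} "$line\n";
    close($fh) or warn "close $path: $!";
    return;
}

# Minimal HTML escaping for text that is interpolated into the response body.
sub html_escape {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Only a syntactically valid IPv4 dotted quad is accepted. REMOTE_ADDR is set
# by the web server, not the client, but the anchored capture both rejects
# anything unexpected and untaints the value before it reaches the exec below.
my $client_ip = defined $ENV{REMOTE_ADDR} ? $ENV{REMOTE_ADDR} : '';
if ($client_ip !~ /\A(\d{1,3}(?:\.\d{1,3}){3})\z/) {
    print "Content-type: text/plain\n\nBad request\n";
    exit 0;
}
$client_ip = $1;

# Reverse DNS. gethostbyaddr returns undef when there is no PTR record; the
# name is untrusted data, so keep the log line single-line and printable.
my $iaddr = inet_aton($client_ip);
my $name  = defined $iaddr ? gethostbyaddr($iaddr, AF_INET) : undef;
$name = '' unless defined $name;
$name =~ s/[^\x21-\x7e]/?/g;

my ($sec, $min, $hour, $mday, $mon, $year) = localtime(time);
my $stamp = sprintf("%04d/%02d/%02d %02d:%02d:%02d",
    $year + 1900, $mon + 1, $mday, $hour, $min, $sec);

append_line($log, "$stamp - $client_ip - $name");

# Only really block if Query String is greater than 50 chars
# Put any conditions you like here
my $query_len = length(defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '');
my $uri_len   = length(defined $ENV{REQUEST_URI}  ? $ENV{REQUEST_URI}  : '');
my $block = 0;
my $blkmsg;
if ($query_len > 50 || $uri_len > 100) {
    $block  = 1;
    $blkmsg = "If you feel you have been blocked in error please send your IP address to \"$mail\" and I will unblock you.";
}
else {
    $blkmsg = "Actually, you weren\'t blocked this time but you are pushing your luck!";
}

# The response is sent before the block is applied so the client still sees
# the page. The markup in this copy of the script was stripped; only the
# visible text is preserved here inside minimal structure.
my $safe_name = html_escape($name);
print "Content-type: text/html\n\n";
print <<"END";
<html>
<head><title>Your IP Address has been blocked!</title></head>
<body>
<h1>Your IP Address has been blocked!</h1>
<p>The following is a portion of the information that has been logged and sent to the FBI for further analysis:</p>
<p>Your Address: $client_ip<br>
Your Hostname: $safe_name</p>
<p>$blkmsg</p>
</body>
</html>
END

if ($block) {
    open(my $blk_fh, '>>', $blklog) or die "cannot append to $blklog: $!";
    # List-form exec: the address is passed as a single argv element and no
    # shell is involved. An undef error handle makes open3 merge the child's
    # STDERR into STDOUT, which is what the old ">> $blklog 2>&1" did.
    my $pid = eval {
        open3(my $child_in, my $child_out, undef,
              '/usr/bin/sudo', '/sbin/block', $client_ip)
            or die "open3 failed\n";
        close($child_in);
        while (my $line = <$child_out>) {
            print {$blk_fh} $line;
        }
        close($child_out);
        1;
    };
    if (!defined $pid) {
        print {$blk_fh} "$stamp - $client_ip - could not run /sbin/block: $@";
    }
    else {
        waitpid(-1, 0);
        if ($?) {
            print {$blk_fh} "$stamp - $client_ip - /sbin/block exited with status ", $? >> 8, "\n";
        }
    }
    close($blk_fh) or warn "close $blklog: $!";
}
else {
    append_line($blklog, "$stamp - $client_ip - not infected");
}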