Jump to content

Fake Admin Login Page

Daniel

By Daniel
in Third Party Add-ons

 Share

Recommended Posts

BenHarris Member

BenHarris

Posted
Posted

Dan,

 

As promised, here is my version. http://rapidshare.com/files/103915851/admin_page_spoof.zip

 

Same as the other one, it is a direct rapidshare download.

 

Features:

Looks Real

Logs attemts to file

Sends email to user

 

Instalation:

Upload all files, chomod data.txt 666.

 

If there is more interest in this. I will make it so that the failed login IP is blocked from the website using htaccess. (would require 666 writable .htaccess file which is not ideal)

 

Ben

 

ADMIN: Please can you merge this with my first post (2nd post on the first page) Cheers.

0
Link to comment
Share on other sites
  • Replies 107
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Posted Images

indtg Junior Member

indtg

Posted
Posted

I agree with Dan. If you make the date and time dynamic, we have a winner. Code looks great too. :-)

 

Once the dynamic date/time works, we'll be ready for phase II....

 

  • When the login fails, add "?func=incorrect" to the end of the url.
  • Make the Forgotten your password link "work" - send a hack attempt email that lists the email address used.
  • When we try to access any page in the fake admin folder without logging in, automatically redirect us back to the login page. (To see what I mean, try going to [real] /admin/addonmodules.php and to [fake] /admin/addonmodules.php.) I'm thinking a mod_rewrite rule can handle this part.

0
Link to comment
Share on other sites
indtg Junior Member

indtg

Posted
Posted

Ben,

 

I did a quick diff on the html output and there is a single line in login.php that needs to be changed to make the fake login.php match the legitimate one. Can you remove the "?saving=1" from line 35:

 

<form method="post" action="dologin.php?saving=1" name="frmlogin">

0
Link to comment
Share on other sites
indtg Junior Member

indtg

Posted
Posted

In theory, a mobile version would follow the same principle. I can't speak to changing the folder of the mobile version since I haven't purchased that option (yet...) but I don't see why it wouldn't work. There might be a configuration option that needs to be added (see post #16 in this thread) but I don't know.

 

The whole concept of the fake/spoofed admin website follows the principle that as long as the output to the browser is bang on, an automated script or person wouldn't know the difference* between the real admin site and the spoofed one. In a way, this is all security by obscurity but hey, if it keeps the "bad guys" busy and prevents a headache for me, it's all worth it.

 

(*In theory at the moment)

0
Link to comment
Share on other sites
Zorro67 Senior Member

Zorro67

Posted
Posted

Thanks Indtg,

 

Have already implemented for main site.

perhaps i should rephrase my unclear question. Obviously the mobile uses much the same code as the full sized version, albiet on a 'mini-me' scale (1/8th actual size for non-fans of the movie).

 

given that, it would be a good idea to replicate the same process for the mobile version.

 

i can obviously rename the /mobile/ dir, but I can see no additional configuration.php.

 

therefore it would use the config file of the main site.

 

Which means I would have to set an additional custom location for the /realmobiledirectory/ and rename the fake directory to /mobile/

 

Question is,

- is reference also added to the configuration.php? (as per post #16)

- and what would the syntax be for the mobile dir?

0
Link to comment
Share on other sites
Nick Senior Member

Nick

Posted
Posted

I can vouch that moving the mobile directory works fine with no configuration changes - all the paths are stored relatively. It still must be at the same level, however - E.G. /your/whmcs/path/newmobilename - not /your/whmcs/path/admin/newmobilename

 

I don't really think a fake mobile page is needed, it doesn't ship with WHMCS so if someone tries to find it and gets a 404 they'll just assume you don't have it.

0
Link to comment
Share on other sites
indtg Junior Member

indtg

Posted
Posted

Nick makes a point since the mobile version is not included by default.

 

You may be able to limit access to the mobile site by checking User-Agent with .htaccess.

 

And before I get any more hate mail, if you change the name of your admin directory, you will have to reissue your WHMCS license file. Renaming the admin folder does not "completely hose" your WHMCS installation. Read the wiki or ask before you accuse. You are responsible for your WHMCS installation... I am not.

0
Link to comment
Share on other sites
BenHarris Member

BenHarris

Posted
Posted
Ben,

 

I did a quick diff on the html output and there is a single line in login.php that needs to be changed to make the fake login.php match the legitimate one. Can you remove the "?saving=1" from line 35:

 

<form method="post" action="dologin.php?saving=1" name="frmlogin">

 

Hi Sorry, I had acthually changed this, but forgot to modify it in the zip.

 

Personal preference is mod_rewrite but I'll compromise.

 

Add to .htaccess:

ErrorDocument 404 https://www.yourdomain.com/PathToFakeAdmin/login.php

 

:-D

 

Its what Im using. I cant remember if I added that to my zip.

 

READ THIS MESSAGE

People. In my version, you need to configure a few things in the dologin.php file. You need to set the following variables. The "$toemail" is where the failed login details will be send, and the "$fromemail" is where it will come from.

 

$toemail 	= 'benjaminjamesharris@gmail.com';	// The email address you want the notification to go to
$fromemail	= 'WHMCS.Dummy.Page.Email@yourdomain.com';  // The email address that the email will come from

 

If not, you are sending the failed login attemts to me. I've recieved about 5 from some of your logins, and I have to say some of them look like they might be your real WHMCS logins. I have deleted them, but make sure everyone who uses the system knows the /admin/ directory is a spoof directory if not it is more of a security risk. Also, i recomend renaming the .txt file, then changing the name in the dologin.php file. That way hackers can see all the failed login attemts.

 

Ben

0
Link to comment
Share on other sites
BenHarris Member

BenHarris

Posted
Posted

Theres no point in a screen shot. It looks 100% exactly like the default admin login. The HTML for the pages is identical, and it used an identical file structure.

 

If you want to see what it looks like, look at your current admin login :D

 

Ben

0
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated

  I accept