Fake Admin Login Page

[BenHarris]

Dan,

 

As promised, here is my version. http://rapidshare.com/files/103915851/admin_page_spoof.zip

 

Same as the other one, it is a direct rapidshare download.

 

Features:

Looks Real

Logs attemts to file

Sends email to user

 

Instalation:

Upload all files, chomod data.txt 666.

 

If there is more interest in this. I will make it so that the failed login IP is blocked from the website using htaccess. (would require 666 writable .htaccess file which is not ideal)

 

Ben

 

ADMIN: Please can you merge this with my first post (2nd post on the first page) Cheers.

[Daniel]

Hey Ben,

 

You might want to change the templates, the date and time are static so will look a bit odd.

[indtg]

I agree with Dan. If you make the date and time dynamic, we have a winner. Code looks great too.

 

Once the dynamic date/time works, we'll be ready for phase II....

 

• When the login fails, add "?func=incorrect" to the end of the url.
  
• Make the Forgotten your password link "work" - send a hack attempt email that lists the email address used.
  
• When we try to access any page in the fake admin folder without logging in, automatically redirect us back to the login page. (To see what I mean, try going to [real] /admin/addonmodules.php and to [fake] /admin/addonmodules.php.) I'm thinking a mod_rewrite rule can handle this part.
  

[BenHarris]

Since they dont exist, we could just make a 404 page which looks like the real page it would go to

[indtg]

Oh man, way too much work.... HAHA

[columbusgeek]

awesome mod, infused with extra awesome'ness.

[BenHarris]

I'll add some more features to my next release. the 404 page is the easiest way, and i think it would look the best.

[Daniel]

It'd be better to direct all requests for other pages to the login form, as it does normally.

 

Should be do-able with mod_rewrite much faster than creating fake pages for all of them.

[BenHarris]

I wasnt suggesting making files for all of them. Just one 404 page that has a php header to forward it to the login page.

 

Both will do the same thing really.

 

Ben

[indtg]

Personal preference is mod_rewrite but I'll compromise.

 

Add to .htaccess:

ErrorDocument 404 https://www.yourdomain.com/PathToFakeAdmin/login.php

 

:-D

[indtg]

Ben,

 

I did a quick diff on the html output and there is a single line in login.php that needs to be changed to make the fake login.php match the legitimate one. Can you remove the "?saving=1" from line 35:

 

<form method="post" action="dologin.php?saving=1" name="frmlogin">

[Zorro67]

Hi guys great mod.

 

tested & works well.

 

Any suggestions on doing the same for the mobile version?

 

i.e. Can I just move the /mobile/ directory into my /newadmindirectory/ ?

[indtg]

In theory, a mobile version would follow the same principle. I can't speak to changing the folder of the mobile version since I haven't purchased that option (yet...) but I don't see why it wouldn't work. There might be a configuration option that needs to be added (see post #16 in this thread) but I don't know.

 

The whole concept of the fake/spoofed admin website follows the principle that as long as the output to the browser is bang on, an automated script or person wouldn't know the difference* between the real admin site and the spoofed one. In a way, this is all security by obscurity but hey, if it keeps the "bad guys" busy and prevents a headache for me, it's all worth it.

 

(*In theory at the moment)

[Zorro67]

Thanks Indtg,

 

Have already implemented for main site.

perhaps i should rephrase my unclear question. Obviously the mobile uses much the same code as the full sized version, albiet on a 'mini-me' scale (1/8th actual size for non-fans of the movie).

 

given that, it would be a good idea to replicate the same process for the mobile version.

 

i can obviously rename the /mobile/ dir, but I can see no additional configuration.php.

 

therefore it would use the config file of the main site.

 

Which means I would have to set an additional custom location for the /realmobiledirectory/ and rename the fake directory to /mobile/

 

Question is,

- is reference also added to the configuration.php? (as per post #16)

- and what would the syntax be for the mobile dir?

[Nick]

I can vouch that moving the mobile directory works fine with no configuration changes - all the paths are stored relatively. It still must be at the same level, however - E.G. /your/whmcs/path/newmobilename - not /your/whmcs/path/admin/newmobilename

 

I don't really think a fake mobile page is needed, it doesn't ship with WHMCS so if someone tries to find it and gets a 404 they'll just assume you don't have it.

[indtg]

Nick makes a point since the mobile version is not included by default.

 

You may be able to limit access to the mobile site by checking User-Agent with .htaccess.

 

And before I get any more hate mail, if you change the name of your admin directory, you will have to reissue your WHMCS license file. Renaming the admin folder does not "completely hose" your WHMCS installation. Read the wiki or ask before you accuse. You are responsible for your WHMCS installation... I am not.

[apollo1]

I can't get $ip to show an actual IP address. It just shows up on my login page as $ip. Anyone know why this is? I've got it coded in login.php.

[indtg]

How do you have it coded? Are you setting $ip=getenv(REMOTE_ADDR);?

 

Have you disabled the getenv command in php.ini? (I ran into that issue earlier.)

[BenHarris]

Ben,

 

I did a quick diff on the html output and there is a single line in login.php that needs to be changed to make the fake login.php match the legitimate one. Can you remove the "?saving=1" from line 35:

 

<form method="post" action="dologin.php?saving=1" name="frmlogin">

 

Hi Sorry, I had acthually changed this, but forgot to modify it in the zip.

 

Personal preference is mod_rewrite but I'll compromise.

 

Add to .htaccess:

ErrorDocument 404 https://www.yourdomain.com/PathToFakeAdmin/login.php

 

:-D

 

Its what Im using. I cant remember if I added that to my zip.

 

READ THIS MESSAGE

People. In my version, you need to configure a few things in the dologin.php file. You need to set the following variables. The "$toemail" is where the failed login details will be send, and the "$fromemail" is where it will come from.

 

$toemail 	= 'benjaminjamesharris@gmail.com';	// The email address you want the notification to go to
$fromemail	= 'WHMCS.Dummy.Page.Email@yourdomain.com';  // The email address that the email will come from

 

If not, you are sending the failed login attemts to me. I've recieved about 5 from some of your logins, and I have to say some of them look like they might be your real WHMCS logins. I have deleted them, but make sure everyone who uses the system knows the /admin/ directory is a spoof directory if not it is more of a security risk. Also, i recomend renaming the .txt file, then changing the name in the dologin.php file. That way hackers can see all the failed login attemts.

 

Ben

[BionHostStan]

is there a demo/screenshot available?

[BenHarris]

Theres no point in a screen shot. It looks 100% exactly like the default admin login. The HTML for the pages is identical, and it used an identical file structure.

 

If you want to see what it looks like, look at your current admin login

 

Ben

[indtg]

LOL

 

Ben, you're not the only one getting those emails....

[indtg]

BionHostStan,

 

Post #13 has an example screenshot from the fake admin website.

[Daniel]

LOL

 

Ben, you're not the only one getting those emails....

 

Thats the reason why I removed my email address from the first release

[Daniel]

Here's what it looks like - http://demo.whmcs.com/admin/login.php

 

 

;)