[pLog-svn] r4043 - plugins/branches/lifetype-1.1/badbehavior/bad-behavior

pwestbro at devel.lifetype.net pwestbro at devel.lifetype.net
Mon Sep 25 03:39:36 GMT 2006


Author: pwestbro
Date: 2006-09-25 03:39:35 +0000 (Mon, 25 Sep 2006)
New Revision: 4043

Added:
   plugins/branches/lifetype-1.1/badbehavior/bad-behavior/blackhole.inc.php
Modified:
   plugins/branches/lifetype-1.1/badbehavior/bad-behavior/blacklist.inc.php
   plugins/branches/lifetype-1.1/badbehavior/bad-behavior/post.inc.php
   plugins/branches/lifetype-1.1/badbehavior/bad-behavior/responses.inc.php
   plugins/branches/lifetype-1.1/badbehavior/bad-behavior/version.inc.php
Log:
Integrated Bad Behavior 2.0.6 into the plugin


Added: plugins/branches/lifetype-1.1/badbehavior/bad-behavior/blackhole.inc.php
===================================================================
--- plugins/branches/lifetype-1.1/badbehavior/bad-behavior/blackhole.inc.php	2006-09-24 22:34:10 UTC (rev 4042)
+++ plugins/branches/lifetype-1.1/badbehavior/bad-behavior/blackhole.inc.php	2006-09-25 03:39:35 UTC (rev 4043)
@@ -0,0 +1,37 @@
+<?php if (!defined('BB2_CORE')) die('I said no cheating!');
+
+// Look up address on various blackhole lists.
+// These cannot be used for GET requests under any circumstances!
+function bb2_blackhole($package) {
+	// Only conservative lists
+	$bb2_blackhole_lists = array(
+		"sbl-xbl.spamhaus.org",
+		"dnsbl.sorbs.net",
+		"list.dsbl.org",
+		"opm.blitzed.org",
+	);
+	
+	// Things that shouldn't be blocked, from aggregate lists
+	$bb2_blackhole_exceptions = array(
+		"sbl-xbl.spamhaus.org" => array(),
+		"dnsbl.sorbs.net" => array("127.0.0.10",),	// Dynamic IPs only
+		"list.dsbl.org" => array(),
+		"opm.blitzed.org" => array(),
+	);
+
+	// Check the blackhole lists
+	$ip = $package['ip'];
+	$find = implode('.', array_reverse(explode('.', $ip)));
+	foreach ($bb2_blackhole_lists as $dnsbl) {
+		$result = gethostbynamel($find . "." . $dnsbl . ".");
+		if (!empty($result)) {
+			// Got a match and it isn't on the exception list
+			$result = @array_diff($result, $bb2_blackhole_exceptions[$dnsbl]);
+			if (!empty($result)) {
+				return '136673cd';
+			}
+		}
+	}
+	return false;
+}
+?>
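Review bot: `$package['ip']` is reversed and sent to DNS without checking that it is a dotted-quad IPv4 address, and any answer other than the single SORBS exception is treated as a listing. An IPv6 or malformed value produces a meaningless query name, and a zone that starts answering every query (a retired list, or a resolver that rewrites NXDOMAIN) would return '136673cd' for every POST. I would validate the address first and count only 127.0.0.0/8 answers as listings, as sketched below; that also removes the need for the `@` on `array_diff`. A failed lookup still falls through to `return false`, and that fail-open choice deserves a one-line comment.

```php
	// … unchanged: $bb2_blackhole_lists and $bb2_blackhole_exceptions tables …
	$ip = $package['ip'];
	// Only a dotted-quad IPv4 address can be reversed into a DNSBL query name
	if (!preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $ip)) {
		return false;
	}
	$find = implode('.', array_reverse(explode('.', $ip)));
	foreach ($bb2_blackhole_lists as $dnsbl) {
		$result = gethostbynamel($find . "." . $dnsbl . ".");
		if (!empty($result)) {
			// DNSBL return codes live in 127.0.0.0/8; ignore any other answer
			$listed = array();
			foreach ($result as $addr) {
				if (strncmp($addr, "127.", 4) == 0) $listed[] = $addr;
			}
			$result = array_diff($listed, $bb2_blackhole_exceptions[$dnsbl]);
			// … unchanged: return '136673cd' when $result is non-empty …
```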

Modified: plugins/branches/lifetype-1.1/badbehavior/bad-behavior/blacklist.inc.php
===================================================================
--- plugins/branches/lifetype-1.1/badbehavior/bad-behavior/blacklist.inc.php	2006-09-24 22:34:10 UTC (rev 4042)
+++ plugins/branches/lifetype-1.1/badbehavior/bad-behavior/blacklist.inc.php	2006-09-25 03:39:35 UTC (rev 4043)
@@ -5,6 +5,7 @@
 	// Blacklisted user agents
 	// These user agent strings occur at the beginning of the line.
 	$bb2_spambots_0 = array(
+		"<sc",			// XSS exploit attempts
 		"8484 Boston Project",	// video poker/porn spam
 		"adwords",		// referrer spam
 		"autoemailspider",	// spam harvester
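Review bot: The new `"<sc"` entry only matches at the start of the User-Agent (per the comment above the array), so it is a spam signal rather than an XSS defence, and its comment should say so. Whatever page renders logged User-Agent values still has to HTML-escape them on output. Suggested wording: `"<sc",	// XSS attempt in UA (prefix match only; log viewer must still escape output)`. The array continues outside the hunk.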
@@ -32,9 +33,10 @@
 		"PussyCat ",		// misc comment spam
 		"psycheclone",		// spam harvester
 		"Shockwave Flash",	// spam harvester
+		"User Agent: ",		// spam harvester
 		"User-Agent: ",		// spam harvester
 		"Wordpress Hash Grabber",// malicious software
-		"\\\"",			// malicious software
+		"\"",			// malicious software
 	);
 
 	// These user agent strings occur anywhere within the line.
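Review bot: Replacing `"\\\""` with `"\""` changes which strings match rather than only fixing the escaping: the old entry matched a leading backslash-quote, the new one matches a leading bare quote. If any host configuration still delivers the User-Agent with slashes added (not determinable from this hunk), a leading quote arrives as backslash-quote and no longer matches. Keeping both entries covers both cases: `"\\\"",` followed by `"\"",`, each with a comment saying which form it targets instead of the generic "malicious software".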

Modified: plugins/branches/lifetype-1.1/badbehavior/bad-behavior/post.inc.php
===================================================================
--- plugins/branches/lifetype-1.1/badbehavior/bad-behavior/post.inc.php	2006-09-24 22:34:10 UTC (rev 4042)
+++ plugins/branches/lifetype-1.1/badbehavior/bad-behavior/post.inc.php	2006-09-25 03:39:35 UTC (rev 4043)
@@ -3,6 +3,10 @@
 // All tests which apply specifically to POST requests
 function bb2_post($settings, $package)
 {
+	// Check blackhole lists for known spam/malicious activity
+	require_once(BB2_CORE . "/blackhole.inc.php");
+	bb2_test($settings, $package, bb2_blackhole($package));
+
 	// MovableType needs specialized screening
 	if (stripos($package['headers_mixed']['User-Agent'], "MovableType") !== FALSE) {
 		if (strcmp($package['headers_mixed']['Range'], "bytes=0-99999")) {
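Review bot: The blackhole check is placed first in bb2_post and is unconditional, so every POST pays for up to four blocking `gethostbynamel()` lookups before any of the cheaper local tests run, and nothing in `$settings` can turn it off. Slow or unreachable list servers would then delay all POST handling; consider moving the call after the local checks or gating it, e.g. `if (!empty($settings['blackhole'])) bb2_test($settings, $package, bb2_blackhole($package));` (the setting name is a placeholder, no such key is visible here). The return value of `bb2_test()` is also discarded, unlike the `return "799165c2";` style used later in this function, so this relies on bb2_test ending the request itself, which is not visible in this hunk. bb2_post's body continues outside the hunk.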
@@ -55,7 +59,6 @@
 		// Damnit, too many ways for this to fail :(
 		if ($q !== FALSE && $q != NULL && bb2_db_num_rows($q) > 0)
 			return "799165c2";
-
 	}
 
 	return false;

Modified: plugins/branches/lifetype-1.1/badbehavior/bad-behavior/responses.inc.php
===================================================================
--- plugins/branches/lifetype-1.1/badbehavior/bad-behavior/responses.inc.php	2006-09-24 22:34:10 UTC (rev 4042)
+++ plugins/branches/lifetype-1.1/badbehavior/bad-behavior/responses.inc.php	2006-09-25 03:39:35 UTC (rev 4043)
@@ -5,6 +5,7 @@
 function bb2_get_response($key) {
 	$bb2_responses = array(
 		'00000000' => array('response' => 200, 'explanation' => '', 'log' => ''),
+		'136673cd' => array('response' => 403, 'explanation' => 'Your Internet Protocol address is listed on a blacklist of addresses involved in malicious or illegal activity. See the listing below for more details on specific blacklists and removal procedures.', 'log' => 'IP address found on external blacklist'),
 		'17566707' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept\' missing'),
 		'17f4e8c8' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent was found on blacklist'),
 		'21f11d3f' => array('response' => 403, 'explanation' => 'An invalid request was received. You claimed to be a mobile Web device, but you do not actually appear to be a mobile Web device.', 'log' => 'User-Agent claimed to be AvantGo, claim appears false'),
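Review bot: The explanation for '136673cd' promises "the listing below" with per-blacklist removal procedures, but bb2_blackhole() as added in this commit returns only the key, so neither the response page nor the log text `'IP address found on external blacklist'` can say which list matched. Without that, an operator cannot triage a false positive and a blocked user cannot find the right delisting page. Either have the caller record the matching `$dnsbl` and returned address in the log, or reword the explanation so it does not refer to a listing that may not be rendered. bb2_get_response continues outside the hunk.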

Modified: plugins/branches/lifetype-1.1/badbehavior/bad-behavior/version.inc.php
===================================================================
--- plugins/branches/lifetype-1.1/badbehavior/bad-behavior/version.inc.php	2006-09-24 22:34:10 UTC (rev 4042)
+++ plugins/branches/lifetype-1.1/badbehavior/bad-behavior/version.inc.php	2006-09-25 03:39:35 UTC (rev 4043)
@@ -1,3 +1,3 @@
 <?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.0.5");
+define('BB2_VERSION', "2.0.6");
 ?>


