[pLog-svn] r6715 - in plog/branches/lifetype-1.2/plugins/badbehavior: . bad-behavior
pwestbro at devel.lifetype.net
Tue Aug 26 02:09:27 EDT 2008
Author: pwestbro
Date: 2008-08-26 02:09:26 -0400 (Tue, 26 Aug 2008)
New Revision: 6715
Modified:
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/blackhole.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/blacklist.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/common_tests.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/core.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/functions.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/google.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/msie.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/post.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/responses.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/version.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/index.inc.php
plog/branches/lifetype-1.2/plugins/badbehavior/pluginbadbehavior.class.php
Log:
Integrate Bad Behavior 2.0.23 into the LifeType plugin
Change notes:
http://www.bad-behavior.ioerror.us/2008/08/24/bad-behavior-2023/
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/blackhole.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/blackhole.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/blackhole.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -34,4 +34,18 @@
}
return false;
}
+
+function bb2_httpbl($settings, $package) {
+ if (!$settings['httpbl_key']) return false;
+
+ $find = implode('.', array_reverse(explode('.', $package['ip'])));
+ $result = gethostbynamel($settings['httpbl_key'].".${find}.dnsbl.httpbl.org.");
+ if (!empty($result)) {
+ $ip = explode('.', $result[0]);
+ if ($ip[0] == 127 && ($ip[3] & 7) && $ip[2] >= $settings['httpbl_threat'] && $ip[1] >= $settings['httpbl_maxage']) {
+ return '2b021b1f';
+ }
+ }
+ return false;
+}
?>
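Review bot: In `bb2_httpbl` the age test `$ip[1] >= $settings['httpbl_maxage']` appears inverted: if the second octet of the http:BL answer is the number of days since the address was last seen, this blocks only addresses that have been quiet for at least `httpbl_maxage` days and passes recently active ones, the opposite of what a "maximum age" setting suggests; `$ip[1] <= $settings['httpbl_maxage']` would match the setting's name. The lookup also assumes `$package['ip']` is a dotted IPv4 address, and any other value (an IPv6 client, an empty string) is reversed into a meaningless query name, so widen the early return to `if (!$settings['httpbl_key'] || !filter_var($package['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return false;`. A short header comment stating the octet layout the condition relies on (127 / days since last seen / threat score / type bitmask) would make the threshold comparisons reviewable without consulting the service documentation.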
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/blacklist.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/blacklist.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/blacklist.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -10,15 +10,18 @@
"adwords", // referrer spam
"autoemailspider", // spam harvester
"blogsearchbot-martin", // from honeypot
+ "CherryPicker", // spam harvester
+ "core-project/", // FrontPage extension exploits
+ "Diamond", // delivers spyware/adware
"Digger", // spam harvester
"ecollector", // spam harvester
"EmailCollector", // spam harvester
- "Email Extractor", // spam harvester
"Email Siphon", // spam harvester
"EmailSiphon", // spam harvester
"grub crawler", // misc comment/email spam
"HttpProxy", // misc comment/email spam
"Internet Explorer", // XMLRPC exploits seen
+ "ISC Systems iRc", // spam harvester
"Jakarta Commons", // custommised spambots
"Java 1.", // definitely a spammer
"Java/1.", // definitely a spammer
@@ -26,7 +29,7 @@
"LWP", // spambot scripts
"Microsoft URL", // spam harvester
"Missigua", // spam harvester
- "MJ12bot", // crawls MUCH too fast
+ "MJ12bot/v1.0.8", // malicious botnet
"Movable Type", // customised spambots
"Mozilla ", // malicious software
"Mozilla/4.0(", // from honeypot
@@ -40,6 +43,7 @@
"PycURL", // misc comment spam
// "Shockwave Flash", // spam harvester
// WP 2.5 now has Flash; FIXME
+ "Super Happy Fun ", // spam harvester
"TrackBack/", // trackback spam
"user", // suspicious harvester
"User Agent: ", // spam harvester
@@ -58,6 +62,7 @@
"compatible ; MSIE", // misc comment/email spam
"compatible-", // misc comment/email spam
"DTS Agent", // misc comment/email spam
+ "Email Extractor", // spam harvester
"Gecko/25", // revisit this in 500 years
"grub-client", // search engine ignores robots.txt
"hanzoweb", // very badly behaved crawler
@@ -74,6 +79,7 @@
"Windows NT 5.0;)", // wikispam bot
"Windows NT 5.1;)", // wikispam bot
"Windows XP 5", // spam harvester
+ "WordPress/4.01", // pingback spam
"\\\\)", // spam harvester
);
@@ -88,7 +94,7 @@
// Do not edit below this line.
- $ua = $package['headers_mixed']['User-Agent'];
+ @$ua = $package['headers_mixed']['User-Agent'];
foreach ($bb2_spambots_0 as $spambot) {
$pos = strpos($ua, $spambot);
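Review bot: `@$ua = $package['headers_mixed']['User-Agent'];` papers over the undefined-index notice for requests with no User-Agent instead of handling the missing header, and `@` also silences any other diagnostic raised on that line. Prefer an explicit default the `strpos` loop below can work on: `$ua = array_key_exists('User-Agent', $package['headers_mixed']) ? $package['headers_mixed']['User-Agent'] : '';`. The same suppression is introduced in common_tests.inc.php (`bb2_misc_headers`), twice in core.inc.php (`$user_agent` and `$ua`), in functions.inc.php (`@list($ip, $mask)`, better written as `$parts = explode('/', $cidr); $ip = $parts[0]; $mask = isset($parts[1]) ? $parts[1] : 32;`) and in msie.inc.php, where `@preg_match` additionally hides PCRE errors and should become an `array_key_exists('Connection', $package['headers_mixed'])` test like the `Akamai-Origin-Hop` check on the same line. The enclosing function of this hunk starts and ends outside it.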
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/common_tests.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/common_tests.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/common_tests.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -20,9 +20,19 @@
return false;
}
+function bb2_cookies($settings, $package)
+{
+ // Enforce RFC 2965 sec 3.3.5 and 9.1
+ // Bots wanting new-style cookies should send Cookie2
+ if (strpos($package['headers_mixed']['Cookie'], '$Version=0') !== FALSE && !array_key_exists('Cookie2', $package['headers_mixed'])) {
+ return '6c502ff1';
+ }
+ return false;
+}
+
function bb2_misc_headers($settings, $package)
{
- $ua = $package['headers_mixed']['User-Agent'];
+ @$ua = $package['headers_mixed']['User-Agent'];
if (!strcmp($package['request_method'], "POST") && empty($ua)) {
return "f9f2b8b9";
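Review bot: `bb2_cookies` calls `strpos($package['headers_mixed']['Cookie'], '$Version=0')` without checking that a Cookie header was sent, so every cookie-less request raises an undefined-index notice before the test is evaluated, while the `Cookie2` half of the same condition does use `array_key_exists`. Guard the first operand the same way: `if (array_key_exists('Cookie', $package['headers_mixed']) && strpos($package['headers_mixed']['Cookie'], '$Version=0') !== FALSE && !array_key_exists('Cookie2', $package['headers_mixed'])) {`. A one-line docblock naming the response code it returns (`6c502ff1`, logged as "Bot not fully compliant with RFC 2965") would let the entry in responses.inc.php be matched to the test without a search.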
@@ -41,7 +51,7 @@
// Exceptions: MT (not fixable); LJ (refuses to fix; may be
// blocked again in the future)
if (array_key_exists('Range', $package['headers_mixed']) && strpos($package['headers_mixed']['Range'], "=0-") !== FALSE) {
- if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10)) {
+ if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10) && strncmp($ua, "php-openid/", 11)) {
return "7ad04a8a";
}
}
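Review bot: The added `strncmp($ua, "php-openid/", 11)` continues a chain of hand-counted prefix lengths; all three counts are correct today, but they silently stop matching if a prefix is ever edited, and the exemption list is now long enough to read as data. Consider iterating `foreach (array("MovableType", "URI::Fetch", "php-openid/") as $prefix)` with `strncmp($ua, $prefix, strlen($prefix))`, or at least a comment `// user agents exempt from the Range check; keep the lengths in sync with the strings` above the condition. The enclosing `bb2_misc_headers` starts and ends outside this hunk.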
@@ -116,9 +126,10 @@
}
// "uk" is not a language (ISO 639) nor a country (ISO 3166)
- if (preg_match('/\buk\b/', $package['headers_mixed']['Accept-Language'])) {
- return "35ea7ffa";
- }
+ // oops, yes it is :( Please shoot any Ukrainian spammers you see.
+# if (preg_match('/\buk\b/', $package['headers_mixed']['Accept-Language'])) {
+# return "35ea7ffa";
+# }
return false;
}
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/core.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/core.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/core.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -115,7 +115,7 @@
$request_method = $_SERVER['REQUEST_METHOD'];
$request_uri = $_SERVER['REQUEST_URI'];
$server_protocol = $_SERVER['SERVER_PROTOCOL'];
- $user_agent = $_SERVER['HTTP_USER_AGENT'];
+ @$user_agent = $_SERVER['HTTP_USER_AGENT'];
// Reconstruct the HTTP entity, if present.
$request_entity = array();
@@ -137,13 +137,18 @@
require_once(BB2_CORE . "/blacklist.inc.php");
bb2_test($settings, $package, bb2_blacklist($package));
+ // Check the http:BL
+ require_once(BB2_CORE . "/blackhole.inc.php");
+ bb2_test($settings, $package, bb2_httpbl($settings, $package));
+
// Check for common stuff
require_once(BB2_CORE . "/common_tests.inc.php");
bb2_test($settings, $package, bb2_protocol($settings, $package));
+ bb2_test($settings, $package, bb2_cookies($settings, $package));
bb2_test($settings, $package, bb2_misc_headers($settings, $package));
// Specific checks
- $ua = $headers_mixed['User-Agent'];
+ @$ua = $headers_mixed['User-Agent'];
// MSIE checks
if (stripos($ua, "MSIE") !== FALSE) {
$package['is_browser'] = true;
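Review bot: `bb2_httpbl` is now wired into every request and, when a key is configured, performs a synchronous `gethostbynamel` lookup with no timeout or caching, so a slow or unreachable resolver for `dnsbl.httpbl.org` stalls page loads until the resolver gives up; that trade-off should be stated at the call site, e.g. `// Check the http:BL (one blocking DNS query per request when a key is set)`. Gating the `require_once` and the call on `$settings['httpbl_key']` here would also keep the include out of the path for the default, unconfigured installation, although bb2_httpbl's own early return already makes the call a no-op. The enclosing function starts and ends outside the hunk.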
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/functions.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/functions.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/functions.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -44,7 +44,7 @@
}
}
} else {
- list($ip, $mask) = explode('/', $cidr);
+ @list($ip, $mask) = explode('/', $cidr);
if (!$mask) $mask = 32;
$mask = pow(2,32) - pow(2, (32 - $mask));
$output = ((ip2long($addr) & $mask) == (ip2long($ip) & $mask));
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/google.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/google.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/google.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -4,7 +4,7 @@
function bb2_google($package)
{
- if (match_cidr($package['ip'], "66.249.64.0/19") === FALSE && match_cidr($package['ip'], "64.233.160.0/19") === FALSE) {
+ if (match_cidr($package['ip'], "66.249.64.0/19") === FALSE && match_cidr($package['ip'], "64.233.160.0/19") === FALSE && match_cidr($package['ip'], "72.14.192.0/18") === FALSE) {
return "f1182195";
}
return false;
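Review bot: The condition in `bb2_google` now repeats `match_cidr($package['ip'], ...) === FALSE` three times on one long line, and each new Google range will lengthen it again; keeping the ranges in an array and looping reads better and turns future additions into one-line data changes. The loop below preserves the current semantics: a request is cleared when any range matches, otherwise `f1182195` is returned. A comment noting that these netblocks are hard-coded as of this version would also help whoever next has to refresh them. The function's closing brace lies outside the hunk.
```php
function bb2_google($package)
{
    // Netblocks Googlebot is expected to crawl from; hard-coded as of this
    // version, so extend this list rather than the condition below.
    $google_ranges = array("66.249.64.0/19", "64.233.160.0/19", "72.14.192.0/18");
    foreach ($google_ranges as $cidr) {
        if (match_cidr($package['ip'], $cidr) !== FALSE) {
            return false;
        }
    }
    return "f1182195";
```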
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/msie.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/msie.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/msie.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -15,7 +15,7 @@
// MSIE does NOT send Connection: TE but Akamai does
// Bypass this test when Akamai detected
- if (!array_key_exists('Akamai-Origin-Hop', $package['headers_mixed']) && preg_match('/\bTE\b/i', $package['headers_mixed']['Connection'])) {
+ if (!array_key_exists('Akamai-Origin-Hop', $package['headers_mixed']) && @preg_match('/\bTE\b/i', $package['headers_mixed']['Connection'])) {
return "2b90f772";
}
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/post.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/post.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/post.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -26,11 +26,16 @@
// Catch a few completely broken spambots
foreach ($request_entity as $key => $value) {
$pos = strpos($key, " document.write");
- if ($pos !== FAlSE) {
+ if ($pos !== FALSE) {
return "dfd9b1ad";
}
}
+ // If Referer exists, it should refer to a page on our site
+ if (array_key_exists('Referer', $package['headers_mixed']) && stripos($package['headers_mixed']['Referer'], $package['headers_mixed']['Host']) === FALSE) {
+ return "cd361abb";
+ }
+
// Screen by cookie/JavaScript form add
if (isset($_COOKIE[BB2_COOKIE])) {
$screener1 = explode(" ", $_COOKIE[BB2_COOKIE]);
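Review bot: The new Referer test reads `$package['headers_mixed']['Host']` without checking that a Host header exists, and with a missing or empty Host the `stripos` call emits a warning and returns FALSE, so the request is rejected as a side effect rather than by decision; guard it: `if (array_key_exists('Referer', $package['headers_mixed']) && !empty($package['headers_mixed']['Host']) && stripos($package['headers_mixed']['Referer'], $package['headers_mixed']['Host']) === FALSE) {`. Because it is a substring match, any Referer that contains the host name anywhere satisfies it, and both headers are client-supplied, so this is a sanity screen for broken spambots rather than an origin control; the comment should say so, e.g. `// Referer and Host both come from the client; this only catches spambots that send an unrelated Referer`. If a stricter test is wanted, compare `parse_url($referer, PHP_URL_HOST)` with the Host name (port stripped) instead of a substring. The enclosing function starts and ends outside the hunk.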
@@ -62,7 +67,7 @@
// if ($ip && $ip_screener && abs($ip_screener - $ip) > 256)
// return "c1fa729b";
- if ($package['headers_mixed']['X-Forwarded-For']) {
+ if (!empty($package['headers_mixed']['X-Forwarded-For'])) {
$ip = $package['headers_mixed']['X-Forwarded-For'];
}
// Screen for user agent changes
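Review bot: `$ip = $package['headers_mixed']['X-Forwarded-For'];` takes the header value verbatim, but X-Forwarded-For is supplied by the client and is commonly a comma-separated chain of addresses, so `$ip` may hold a list rather than one address and carries whatever the sender chose; the `!empty` guard only avoids the notice on its absence. If `$ip` feeds the proxy screening further down (inferred from the commented `$ip_screener` lines, the rest of the function is outside the hunk), the value should be honoured only when the request arrived through a trusted proxy and reduced to a single address by splitting on `,`. A comment `// client-supplied; only meaningful behind a trusted proxy` on the assignment would make that limitation explicit.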
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/responses.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/responses.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/responses.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -9,6 +9,7 @@
'17566707' => array('response' => 403, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept\' missing'),
'17f4e8c8' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent was found on blacklist'),
'21f11d3f' => array('response' => 403, 'explanation' => 'An invalid request was received. You claimed to be a mobile Web device, but you do not actually appear to be a mobile Web device.', 'log' => 'User-Agent claimed to be AvantGo, claim appears false'),
+ '2b021b1f' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'IP address found on http:BL blacklist'),
'2b90f772' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. If you are using the Opera browser, then Opera must appear in your user agent.', 'log' => 'Connection: TE present, not supported by MSIE'),
'35ea7ffa' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Check your browser\'s language and locale settings.', 'log' => 'Invalid language specified'),
'408d7e72' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'POST comes too quickly after GET'),
@@ -17,6 +18,7 @@
'57796684' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'Prohibited header \'X-Aaaaaaaaaa\' or \'X-Aaaaaaaaaaaa\' present'),
'582ec5e4' => array('response' => 400, 'explanation' => 'An invalid request was received. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator. This may also be caused by a bug in the Opera web browser.', 'log' => '"Header \'TE\' present but TE not specified in \'Connection\' header'),
'69920ee5' => array('response' => 403, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Header \'Referer\' present but blank'),
+ '6c502ff1' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Bot not fully compliant with RFC 2965'),
'799165c2' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Rotating user-agents detected'),
'7a06532b' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept-Encoding\' missing'),
'7ad04a8a' => array('response' => 400, 'explanation' => 'The automated program you are using is not permitted to access this server. Please use a different program or a standard Web browser.', 'log' => 'Prohibited header \'Range\' present'),
@@ -30,6 +32,7 @@
'b7830251' => array('response' => 400, 'explanation' => 'Your proxy server sent an invalid request. Please contact the proxy server administrator to have this problem fixed.', 'log' => 'Prohibited header \'Proxy-Connection\' present'),
'b9cc1d86' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Prohibited header \'X-Aaaaaaaaaa\' or \'X-Aaaaaaaaaaaa\' present'),
'c1fa729b' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'Use of rotating proxy servers detected'),
+ 'cd361abb' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Data may not be posted from offsite forms.', 'log' => 'Referer did not point to a form on this site'),
'd60b87c7' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, please remove any viruses or spyware from your computer.', 'log' => 'Trackback received via proxy server'),
'dfd9b1ad' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Request contained a malicious JavaScript or SQL injection attack'),
'e4de0453' => array('response' => 403, 'explanation' => 'An invalid request was received. You claimed to be a major search engine, but you do not appear to actually be a major search engine.', 'log' => 'User-Agent claimed to be msnbot, claim appears to be false'),
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/version.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/version.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/bad-behavior/version.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -1,3 +1,3 @@
<?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.0.20");
+define('BB2_VERSION', "2.0.23");
?>
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/index.inc.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/index.inc.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/index.inc.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -102,12 +102,18 @@
$verbose = $config->getValue( 'bb2_verbose', false );
$isInstalled = $config->getValue( 'bb2_installed', false );
$logging = $config->getValue( 'bb2_logging', true );
+ $httpbl_key = $config->getValue( 'bb2_httpbl_key', '' );
+ $httpbl_threat = $config->getValue( 'bb2_httpbl_threat', '25' );
+ $httpbl_maxage = $config->getValue( 'bb2_httpbl_maxage', '30' );
return array('log_table' => $prefix . $logTable,
'display_stats' => $displayStats,
'strict' => $strict,
'verbose' => $verbose,
'logging' => $logging,
+ 'httpbl_key' => $httpbl_key,
+ 'httpbl_threat' => $httpbl_threat,
+ 'httpbl_maxage' => $httpbl_maxage,
'is_installed' => $isInstalled );
}
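Review bot: The http:BL threshold settings are read back as strings (defaults `'25'` and `'30'`) and, in the next hunk, saved without validation, yet `bb2_httpbl` compares them with `>=` against DNS answer octets, so a non-numeric value (if these reach the setter from an admin form, which is outside the hunk) silently turns those comparisons into string comparisons and changes what gets blocked. Cast and bound them once here, `$httpbl_threat = (int) $config->getValue( 'bb2_httpbl_threat', 25 );` and likewise for `bb2_httpbl_maxage`, and apply the same cast before the corresponding `setValue` calls in the following hunk. Trimming `bb2_httpbl_key` would also keep a stray space from ending up in the DNS query name built in blackhole.inc.php. Both enclosing functions start outside their hunks.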
@@ -119,6 +125,9 @@
$config->setValue( 'bb2_display_stats', $settings['display_stats'] );
$config->setValue( 'bb2_strict', $settings['strict'] );
$config->setValue( 'bb2_verbose', $settings['verbose'] );
+ $config->setValue( 'bb2_httpbl_key', $settings['httpbl_key'] );
+ $config->setValue( 'bb2_httpbl_threat', $settings['httpbl_threat'] );
+ $config->setValue( 'bb2_httpbl_maxage', $settings['httpbl_maxage'] );
$config->setValue( 'bb2_installed', $settings['is_installed'] );
$config->save();
}
@@ -160,4 +169,4 @@
$bb2_mtime = explode(" ", microtime());
$bb2_timer_stop = $bb2_mtime[1] + $bb2_mtime[0];
$bb2_timer_total = $bb2_timer_stop - $bb2_timer_start;
-?>
\ No newline at end of file
+?>
Modified: plog/branches/lifetype-1.2/plugins/badbehavior/pluginbadbehavior.class.php
===================================================================
--- plog/branches/lifetype-1.2/plugins/badbehavior/pluginbadbehavior.class.php 2008-08-20 21:48:02 UTC (rev 6714)
+++ plog/branches/lifetype-1.2/plugins/badbehavior/pluginbadbehavior.class.php 2008-08-26 06:09:26 UTC (rev 6715)
@@ -20,7 +20,7 @@
$this->desc = "Bad Behavior for LifeType";
$this->author = "The Lifetype Project";
$this->db =& Db::getDb();
- $this->version = "20080618";
+ $this->version = "20080825";
$config =& Config::getConfig();
$prefix = Db::getPrefix();