This is an automated email from the git hooks/post-receive script. skunnyk pushed a commit to branch oldforum in repository www/forum.xfce.org.
commit 7b516abdbe10cfe29fdd63113b9c686dfed31700 Author: Nick Schermer <n...@xfce.org> Date: Sun Sep 16 20:31:11 2012 +0200 Update bad behaviour to 2.2.10. --- include/bad-behavior/banned.inc.php | 2 ++ include/bad-behavior/blacklist.inc.php | 58 +++++++++++++++++++++++++++++-- include/bad-behavior/core.inc.php | 2 +- include/bad-behavior/responses.inc.php | 1 + include/bad-behavior/searchengine.inc.php | 2 +- 5 files changed, 61 insertions(+), 4 deletions(-) diff --git a/include/bad-behavior/banned.inc.php b/include/bad-behavior/banned.inc.php index 476a366..29ce774 100644 --- a/include/bad-behavior/banned.inc.php +++ b/include/bad-behavior/banned.inc.php @@ -7,6 +7,8 @@ require_once(BB2_CORE . "/responses.inc.php"); function bb2_housekeeping($settings, $package) { + if (!$settings['logging']) return; + // FIXME Yes, the interval's hard coded (again) for now. $query = "DELETE FROM `" . $settings['log_table'] . "` WHERE `date` < DATE_SUB('" . bb2_db_date() . "', INTERVAL 7 DAY)"; bb2_db_query($query); diff --git a/include/bad-behavior/blacklist.inc.php b/include/bad-behavior/blacklist.inc.php index 36bc4c5..ba4554e 100644 --- a/include/bad-behavior/blacklist.inc.php +++ b/include/bad-behavior/blacklist.inc.php @@ -5,11 +5,11 @@ function bb2_blacklist($package) { // Blacklisted user agents // These user agent strings occur at the beginning of the line. $bb2_spambots_0 = array( - "<sc", // XSS exploit attempts "8484 Boston Project", // video poker/porn spam "adwords", // referrer spam "autoemailspider", // spam harvester "blogsearchbot-martin", // from honeypot + "BrowserEmulator/", // open proxy software "CherryPicker", // spam harvester "core-project/", // FrontPage extension exploits "Diamond", // delivers spyware/adware 
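Review bot: In bb2_housekeeping (banned.inc.php) the new early return `if (!$settings['logging']) return;` also skips the 7-day purge, so on a site that logged earlier and then switched logging off, the rows already in the log table are never deleted. Those rows presumably hold client request data, so retention becomes unbounded exactly when the operator believes logging is disabled. Either keep the purge running regardless of the flag, or document the behaviour above the guard, e.g. `// Logging off: nothing new is written, but existing rows are NOT purged; clear the log table manually.` The guard also reads `$settings['logging']` without checking that the key exists, which raises a notice when it is missing; `if (empty($settings['logging'])) return;` avoids that. The function body continues outside the hunk.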
@@ -28,15 +28,21 @@ function bb2_blacklist($package) { "Java/1.", // unidentified robots "libwww-perl", // unidentified robots "LWP", // unidentified robots + "lwp", // unidentified robots + "Microsoft Internet Explorer/", // too old; assumed robot "Microsoft URL", // unidentified robots "Missigua", // spam harvester "MJ12bot/v1.0.8", // malicious botnet "Movable Type", // customised spambots "Mozilla ", // malicious software + "Mozilla/0", // malicious software + "Mozilla/1", // malicious software "Mozilla/2", // malicious software + "Mozilla/3", // malicious software "Mozilla/4.0(", // from honeypot "Mozilla/4.0+(compatible;+", // suspicious harvester "MSIE", // malicious software + "MVAClient", // automated hacking attempts "NutchCVS", // unidentified robots "Nutscrape/", // misc comment spam "OmniExplorer", // spam harvester @@ -61,6 +67,7 @@ function bb2_blacklist($package) { // These user agent strings occur anywhere within the line. $bb2_spambots = array( "\r", // A really dumb bot + "<sc", // XSS exploit attempts "; Widows ", // misc comment/email spam "a href=", // referrer spam "Bad Behavior Test", // Add this to your user-agent to test BB @@ -68,13 +75,17 @@ function bb2_blacklist($package) { "compatible-", // misc comment/email spam "DTS Agent", // misc comment/email spam "Email Extractor", // spam harvester + "Firebird/", // too old; assumed robot "Gecko/25", // revisit this in 500 years "grub-client", // search engine ignores robots.txt "hanzoweb", // very badly behaved crawler + "Havij", // SQL injection tool "Indy Library", // misc comment/email spam "MSIE 7.0; Windows NT 5.2", // Cyveillance "Murzillo compatible", // comment spam bot ".NET CLR 1)", // free poker, etc. + ".NET CLR1", // spam harvester + "Perman Surfer", // old and very broken harvester "POE-Component-Client", // free poker, etc. "Turing Machine", // www.anonymizer.com abuse "Ubuntu/9.25", // comment spam bot 
@@ -83,12 +94,22 @@ function bb2_blacklist($package) { "WebaltBot", // spam harvester "WISEbot", // spam harvester "WISEnutbot", // spam harvester - "Windows NT 4.0;)", // wikispam bot + "Win95", // too old; assumed robot + "Win98", // too old; assumed robot + "WinME", // too old; assumed robot + "Win 9x 4.90", // too old; assumed robot + "Windows 3", // too old; assumed robot + "Windows 95", // too old; assumed robot + "Windows 98", // too old; assumed robot + "Windows NT 4", // too old; assumed robot + "Windows NT;", // too old; assumed robot + #"Windows NT 4.0;)", // wikispam bot "Windows NT 5.0;)", // wikispam bot "Windows NT 5.1;)", // wikispam bot "Windows XP 5", // spam harvester "WordPress/4.01", // pingback spam "Xedant Human Emulator",// spammer script engine + "ZmEu", // exploit scanner "\\\\)", // spam harvester ); 
@@ -100,11 +121,38 @@ function bb2_blacklist($package) { "/[bcdfghjklmnpqrstvwxz ]{8,}/", // "/(;\){1,2}$/", // misc spammers/harvesters // "/MSIE.*Windows XP/", // misc comment spam + "/MSIE [2345]/", // too old; assumed robot + ); + + // Blacklisted URL strings + // These strings are considered case-insensitive. + $bb2_spambots_url = array( + "0x31303235343830303536", // Havij + "../", // path traversal + "..\\", // path traversal + "%60information_schema%60", // SQL injection probe + "+%2F*%21", // SQL injection probe + "+and+%", // SQL injection probe + "+and+1%", // SQL injection probe + "+and+if", // SQL injection probe + "%27--", // SQL injection + "%27 --", // SQL injection + "%27%23", // SQL injection + "%27 %23", // SQL injection + "benchmark%28", // SQL injection probe + "insert+into+", // SQL injection + "r3dm0v3", // SQL injection probe + "select+1+from", // SQL injection probe + "union+all+select", // SQL injection probe + "union+select", // SQL injection probe + "waitfor+delay+", // SQL injection probe + "w00tw00t", // vulnerability scanner ); // Do not edit below this line. @$ua = $package['headers_mixed']['User-Agent']; + @$uri = $package['request_uri']; foreach ($bb2_spambots_0 as $spambot) { $pos = strpos($ua, $spambot); @@ -125,5 +173,11 @@ function bb2_blacklist($package) { } } + foreach ($bb2_spambots_url as $spambot) { + if (stripos($uri, $spambot) !== FALSE) { + return "96c0bd29"; + } + } + return FALSE; } diff --git a/include/bad-behavior/core.inc.php b/include/bad-behavior/core.inc.php index f9f1de1..7210d3a 100644 --- a/include/bad-behavior/core.inc.php +++ b/include/bad-behavior/core.inc.php @@ -1,5 +1,5 @@ <?php if (!defined('BB2_CWD')) die("I said no cheating!"); -define('BB2_VERSION', "2.2.7"); +define('BB2_VERSION', "2.2.10"); // Bad Behavior entry point is bb2_start() // If you're reading this, you are probably lost. 
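Review bot: The `$bb2_spambots_url` entries in bb2_blacklist (blacklist.inc.php) are literal substrings compared with `stripos()` against the raw, still-encoded `request_uri` in the loop added by the following hunk (`@@ -125,5 +173,11 @@`), so they match only the exact forms listed and should be documented as scanner-noise reduction, not as SQL-injection or path-traversal protection for the application behind it. Short entries such as `"../"`, `"+and+if"` and `"insert+into+"` can also occur in legitimate requests (a forum search, for instance) and will be answered with 403 under key `96c0bd29`, so that key is worth watching in the log after deployment. A comment above the array would cover both, e.g. `// Literal, encoding-specific matches on the raw URI: reduces scanner noise only; expect some false positives (log key 96c0bd29).` Separately, `@$uri = $package['request_uri'];` hides a missing key and leaves `$uri` null for `stripos()`; `$uri = isset($package['request_uri']) ? $package['request_uri'] : '';` is explicit and keeps the loop a no-op in that case. bb2_blacklist starts before this hunk.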
diff --git a/include/bad-behavior/responses.inc.php b/include/bad-behavior/responses.inc.php index e1f094a..29ed90d 100644 --- a/include/bad-behavior/responses.inc.php +++ b/include/bad-behavior/responses.inc.php @@ -26,6 +26,7 @@ function bb2_get_response($key) { '7ad04a8a' => array('response' => 400, 'explanation' => 'The automated program you are using is not permitted to access this server. Please use a different program or a standard Web browser.', 'log' => 'Prohibited header \'Range\' present'), '7d12528e' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Prohibited header \'Range\' or \'Content-Range\' in POST request'), '939a6fbb' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Banned proxy server in use'), + '96c0bd29' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'URL pattern found on blacklist'), '9c9e4979' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Prohibited header \'via\' present'), 'a0105122' => array('response' => 417, 'explanation' => 'Expectation failed. Please retry your request.', 'log' => 'Header \'Expect\' prohibited; resend without Expect'), 'a1084bad' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent claimed to be MSIE, with invalid Windows version'), diff --git a/include/bad-behavior/searchengine.inc.php b/include/bad-behavior/searchengine.inc.php index cf8a5e8..27858b7 100644 --- a/include/bad-behavior/searchengine.inc.php +++ b/include/bad-behavior/searchengine.inc.php 
@@ -20,7 +20,7 @@ function bb2_google($package) function bb2_msnbot($package) { - if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14")) === FALSE) { + if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14", "131.253.21.0/24", "131.253.22.0/23", "131.253.24.0/21", "131.253.32.0/20")) === FALSE) { return "e4de0453"; } # Disabled due to http://bugs.php.net/bug.php?id=53092 -- To stop receiving notification emails like this one, please contact the administrator of this repository. _______________________________________________ Xfce4-commits mailing list Xfce4-commits@xfce.org https://mail.xfce.org/mailman/listinfo/xfce4-commits
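Review bot: The msnbot allow-list in bb2_msnbot (searchengine.inc.php) grows to twelve CIDR blocks inside a single `match_cidr()` call, and the new ranges carry no source or date, which makes a hard-coded trust list difficult to audit as address allocations change. The trailing `# Disabled due to …` comment suggests that some further check is switched off, in which case this IP test is the only verification of a client claiming to be msnbot; that is an inference, since the rest of the function is outside the hunk. I would move the list into a named array with one range per line and a comment such as `// msnbot ranges as of Bad Behavior 2.2.10; re-verify against the operator's published ranges on each update`.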