[Xfce4-commits] <forum:master> Update bad behaviour to 2.2.10.

Nick Schermer noreply at xfce.org
Sun Sep 16 20:32:01 CEST 2012


Updating branch refs/heads/master
         to 7b516abdbe10cfe29fdd63113b9c686dfed31700 (commit)
       from cef9d8c7f70dbe6c65f2c02133ed5b88c4844569 (commit)

commit 7b516abdbe10cfe29fdd63113b9c686dfed31700
Author: Nick Schermer <nick at xfce.org>
Date:   Sun Sep 16 20:31:11 2012 +0200

    Update bad behaviour to 2.2.10.

 include/bad-behavior/banned.inc.php       |    2 +
 include/bad-behavior/blacklist.inc.php    |   58 ++++++++++++++++++++++++++++-
 include/bad-behavior/core.inc.php         |    2 +-
 include/bad-behavior/responses.inc.php    |    1 +
 include/bad-behavior/searchengine.inc.php |    2 +-
 5 files changed, 61 insertions(+), 4 deletions(-)

diff --git a/include/bad-behavior/banned.inc.php b/include/bad-behavior/banned.inc.php
index 476a366..29ce774 100644
--- a/include/bad-behavior/banned.inc.php
+++ b/include/bad-behavior/banned.inc.php
@@ -7,6 +7,8 @@ require_once(BB2_CORE . "/responses.inc.php");
 
 function bb2_housekeeping($settings, $package)
 {
+	if (!$settings['logging']) return;
+
 	// FIXME Yes, the interval's hard coded (again) for now.
 	$query = "DELETE FROM `" . $settings['log_table'] . "` WHERE `date` < DATE_SUB('" . bb2_db_date() . "', INTERVAL 7 DAY)";
 	bb2_db_query($query);
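Review bot: The added guard `if (!$settings['logging']) return;` reads `$settings['logging']` without checking that the key exists, so an installation whose settings array lacks it gets a notice before the early return; `if (empty($settings['logging'])) return;` behaves the same without one. The guard also means rows already in `log_table` are no longer purged once logging is switched off, so previously recorded request data outlives the 7-day window. If that is accepted (presumably because the table may not exist when logging is disabled), a comment should say so: `// No log table to prune when logging is off; existing rows are left in place.` The body of bb2_housekeeping continues outside this hunk.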
diff --git a/include/bad-behavior/blacklist.inc.php b/include/bad-behavior/blacklist.inc.php
index 36bc4c5..ba4554e 100644
--- a/include/bad-behavior/blacklist.inc.php
+++ b/include/bad-behavior/blacklist.inc.php
@@ -5,11 +5,11 @@ function bb2_blacklist($package) {
 	// Blacklisted user agents
 	// These user agent strings occur at the beginning of the line.
 	$bb2_spambots_0 = array(
-		"<sc",			// XSS exploit attempts
 		"8484 Boston Project",	// video poker/porn spam
 		"adwords",		// referrer spam
 		"autoemailspider",	// spam harvester
 		"blogsearchbot-martin",	// from honeypot
+		"BrowserEmulator/",	// open proxy software
 		"CherryPicker",		// spam harvester
 		"core-project/",	// FrontPage extension exploits
 		"Diamond",		// delivers spyware/adware
@@ -28,15 +28,21 @@ function bb2_blacklist($package) {
 		"Java/1.",		// unidentified robots
 		"libwww-perl",		// unidentified robots
 		"LWP",			// unidentified robots
+		"lwp",			// unidentified robots
+		"Microsoft Internet Explorer/",	// too old; assumed robot
 		"Microsoft URL",	// unidentified robots
 		"Missigua",		// spam harvester
 		"MJ12bot/v1.0.8",	// malicious botnet
 		"Movable Type",		// customised spambots
 		"Mozilla ",		// malicious software
+		"Mozilla/0",		// malicious software
+		"Mozilla/1",		// malicious software
 		"Mozilla/2",		// malicious software
+		"Mozilla/3",		// malicious software
 		"Mozilla/4.0(",		// from honeypot
 		"Mozilla/4.0+(compatible;+",	// suspicious harvester
 		"MSIE",			// malicious software
+		"MVAClient",		// automated hacking attempts
 		"NutchCVS",		// unidentified robots
 		"Nutscrape/",		// misc comment spam
 		"OmniExplorer",		// spam harvester
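Review bot: Adding `"lwp"` next to the existing `"LWP"` only works because this list is compared case-sensitively (the loop further down in the file calls `strpos($ua, $spambot)`), and nothing near the array says so. Each casing therefore needs its own entry, and other casings of the same token are not covered. A comment above `$bb2_spambots_0` would make the contract explicit, in the way the new URL list is documented as case-insensitive: `// Entries are matched case-sensitively at the start of the User-Agent.` The array and the function both extend beyond this hunk.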
@@ -61,6 +67,7 @@ function bb2_blacklist($package) {
 	// These user agent strings occur anywhere within the line.
 	$bb2_spambots = array(
 		"\r",			// A really dumb bot
+		"<sc",			// XSS exploit attempts
 		"; Widows ",		// misc comment/email spam
 		"a href=",		// referrer spam
 		"Bad Behavior Test",	// Add this to your user-agent to test BB
@@ -68,13 +75,17 @@ function bb2_blacklist($package) {
 		"compatible-",		// misc comment/email spam
 		"DTS Agent",		// misc comment/email spam
 		"Email Extractor",	// spam harvester
+		"Firebird/",		// too old; assumed robot
 		"Gecko/25",		// revisit this in 500 years
 		"grub-client",		// search engine ignores robots.txt
 		"hanzoweb",		// very badly behaved crawler
+		"Havij",		// SQL injection tool
 		"Indy Library",		// misc comment/email spam
 		"MSIE 7.0;  Windows NT 5.2",	// Cyveillance
 		"Murzillo compatible",	// comment spam bot
 		".NET CLR 1)",		// free poker, etc.
+		".NET CLR1",		// spam harvester
+		"Perman Surfer",	// old and very broken harvester
 		"POE-Component-Client",	// free poker, etc.
 		"Turing Machine",	// www.anonymizer.com abuse
 		"Ubuntu/9.25",		// comment spam bot
@@ -83,12 +94,22 @@ function bb2_blacklist($package) {
 		"WebaltBot",		// spam harvester
 		"WISEbot",		// spam harvester
 		"WISEnutbot",		// spam harvester
-		"Windows NT 4.0;)",	// wikispam bot
+		"Win95",		// too old; assumed robot
+		"Win98",		// too old; assumed robot
+		"WinME",		// too old; assumed robot
+		"Win 9x 4.90",		// too old; assumed robot
+		"Windows 3",		// too old; assumed robot
+		"Windows 95",		// too old; assumed robot
+		"Windows 98",		// too old; assumed robot
+		"Windows NT 4",		// too old; assumed robot
+		"Windows NT;",		// too old; assumed robot
+		#"Windows NT 4.0;)",	// wikispam bot
 		"Windows NT 5.0;)",	// wikispam bot
 		"Windows NT 5.1;)",	// wikispam bot
 		"Windows XP 5",		// spam harvester
 		"WordPress/4.01",	// pingback spam
 		"Xedant Human Emulator",// spammer script engine
+		"ZmEu",			// exploit scanner
 		"\\\\)",		// spam harvester
 	);
 
@@ -100,11 +121,38 @@ function bb2_blacklist($package) {
 		"/[bcdfghjklmnpqrstvwxz ]{8,}/",
 //		"/(;\){1,2}$/",		// misc spammers/harvesters
 //		"/MSIE.*Windows XP/",	// misc comment spam
+		"/MSIE [2345]/",	// too old; assumed robot
+	);
+
+	// Blacklisted URL strings
+	// These strings are considered case-insensitive.
+	$bb2_spambots_url = array(
+		"0x31303235343830303536",	// Havij
+		"../",				// path traversal
+		"..\\",				// path traversal
+		"%60information_schema%60",	// SQL injection probe
+		"+%2F*%21",			// SQL injection probe
+		"+and+%",			// SQL injection probe
+		"+and+1%",			// SQL injection probe
+		"+and+if",			// SQL injection probe
+		"%27--",			// SQL injection
+		"%27 --",			// SQL injection
+		"%27%23",			// SQL injection
+		"%27 %23",			// SQL injection
+		"benchmark%28",			// SQL injection probe
+		"insert+into+",			// SQL injection
+		"r3dm0v3",			// SQL injection probe
+		"select+1+from",		// SQL injection probe
+		"union+all+select",		// SQL injection probe
+		"union+select",			// SQL injection probe
+		"waitfor+delay+",		// SQL injection probe
+		"w00tw00t",			// vulnerability scanner
 	);
 
 	// Do not edit below this line.
 
 	@$ua = $package['headers_mixed']['User-Agent'];
+	@$uri = $package['request_uri'];
 
 	foreach ($bb2_spambots_0 as $spambot) {
 		$pos = strpos($ua, $spambot);
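Review bot: The entries in `$bb2_spambots_url` are literal substrings compared with `$package['request_uri']` (the loop added in the last hunk of this file uses `stripos($uri, $spambot)`), and the `%27`-style entries suggest the URI is still percent-encoded at that point, so a request carrying the same content in a different encoding or spacing is not matched. The list is therefore a filter for known scanner noise, not an injection or traversal defence, and a comment above the array should say that it does not replace parameterised queries and path validation in the application. Short entries such as `"../"` and `"+and+%"` can also reject legitimate forum requests (a search phrase, a relative path in a parameter), which will surface as 403 responses logged under `96c0bd29` and are worth watching after deployment. Separately, `@$uri = $package['request_uri'];` hides a missing key behind error suppression; `$uri = isset($package['request_uri']) ? $package['request_uri'] : '';` makes the empty case explicit. bb2_blacklist continues past the end of this hunk.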
@@ -125,5 +173,11 @@ function bb2_blacklist($package) {
 		}
 	}
 
+	foreach ($bb2_spambots_url as $spambot) {
+		if (stripos($uri, $spambot) !== FALSE) {
+			return "96c0bd29";
+		}
+	}
+
 	return FALSE;
 }
diff --git a/include/bad-behavior/core.inc.php b/include/bad-behavior/core.inc.php
index f9f1de1..7210d3a 100644
--- a/include/bad-behavior/core.inc.php
+++ b/include/bad-behavior/core.inc.php
@@ -1,5 +1,5 @@
 <?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.2.7");
+define('BB2_VERSION', "2.2.10");
 
 // Bad Behavior entry point is bb2_start()
 // If you're reading this, you are probably lost.
diff --git a/include/bad-behavior/responses.inc.php b/include/bad-behavior/responses.inc.php
index e1f094a..29ed90d 100644
--- a/include/bad-behavior/responses.inc.php
+++ b/include/bad-behavior/responses.inc.php
@@ -26,6 +26,7 @@ function bb2_get_response($key) {
 		'7ad04a8a' => array('response' => 400, 'explanation' => 'The automated program you are using is not permitted to access this server. Please use a different program or a standard Web browser.', 'log' => 'Prohibited header \'Range\' present'),
 		'7d12528e' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Prohibited header \'Range\' or \'Content-Range\' in POST request'),
 		'939a6fbb' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Banned proxy server in use'),
+		'96c0bd29' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'URL pattern found on blacklist'),
 		'9c9e4979' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Prohibited header \'via\' present'),
 		'a0105122' => array('response' => 417, 'explanation' => 'Expectation failed. Please retry your request.', 'log' => 'Header \'Expect\' prohibited; resend without Expect'),
 		'a1084bad' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent claimed to be MSIE, with invalid Windows version'),
diff --git a/include/bad-behavior/searchengine.inc.php b/include/bad-behavior/searchengine.inc.php
index cf8a5e8..27858b7 100644
--- a/include/bad-behavior/searchengine.inc.php
+++ b/include/bad-behavior/searchengine.inc.php
@@ -20,7 +20,7 @@ function bb2_google($package)
 
 function bb2_msnbot($package)
 {
-	if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14")) === FALSE) {
+	if (match_cidr($package['ip'], array("207.46.0.0/16", "65.52.0.0/14", "207.68.128.0/18", "207.68.192.0/20", "64.4.0.0/18", "157.54.0.0/15", "157.60.0.0/16", "157.56.0.0/14", "131.253.21.0/24", "131.253.22.0/23", "131.253.24.0/21", "131.253.32.0/20")) === FALSE) {
 		return "e4de0453";
 	}
 #	Disabled due to http://bugs.php.net/bug.php?id=53092

