update to 2.0.10 and added support key lookup

darcs-hash:20070307205933-7ad00-290273c9c729a1c28a4538108ebbeb5597c75310.gz

admin.php

@@ -46,7 +46,17 @@ function handle() {
      * output appropriate html
      */
     function html() {
-        print $this->plugin_locale_xhtml('intro');
+        if($_REQUEST['lookup']){
+            $this->_lookup($_REQUEST['lookup']);
+        }else{
+            $this->_stats();
+        }
+
+        echo $this->_lookupform();
+    }
+
+    function _stats(){
+        print $this->plugin_locale_xhtml('stats');
 
         $days = 7;
         $list = $this->_readlines($days);
@@ -61,7 +71,7 @@ function html() {
         }
         arsort($stats);
 
-        echo "<p><b>$all accesses were blocked in the last $days days.</b></p>";
+        printf('<p><b>'.$this->getLang('blocked').'</b></p>',$all,$days);
 
         echo '<table class="inline">';
         echo '<tr>';
@@ -86,6 +96,61 @@ function html() {
         echo '</table>';
     }
 
+    function _lookup($key){
+        global $ID;
+        global $conf;
+        global $lang;
+
+        print $this->plugin_locale_xhtml('lookup');
+
+        $code = str_replace('-','',$key);
+        $ip   = hexdec(substr($code,0,2)).'.'.
+                hexdec(substr($code,2,2)).'.'.
+                hexdec(substr($code,4,2)).'.'.
+                hexdec(substr($code,6,2));
+        $code = substr($code,8);
+
+        $resp = bb2_get_response($code);
+        printf('<p>'.$this->getLang('lkpresult').'</p>',
+               $ip,$resp['log'],$resp['explanation'],hsc($key));
+
+        printf('<p>'.$this->getLang('lkplist').'</p>',7);
+
+        $lines = preg_grep('/'.preg_quote($ip).'/',$this->_readlines());
+        if(count($lines)){
+            echo '<table class="inline">';
+            foreach($lines as $line){
+                $fields = explode("\t",$line);
+                $resp = bb2_get_response($fields[6]);
+                echo '<tr>';
+                echo '<td>'.date($conf['dformat'],$fields[0]).'</td>';
+                echo '<td>'.hsc($fields[1]).'</td>';
+                echo '<td>'.hsc($fields[2]).'</td>';
+                echo '<td>'.hsc($fields[3]).'</td>';
+                echo '<td>'.hsc($fields[4]).'</td>';
+                echo '<td>'.hsc($fields[5]).'</td>';
+                echo '<td>'.$resp['log'].'</td>';
+                echo '</tr>';
+            }
+            echo '</table>';
+        }else{
+            echo '<p><i>'.$lang['nothingfound'].'</i></p>';
+        }
+    }
+
+    function _lookupform(){
+        global $lang;
+        echo '<div>';
+        echo '<form action="" method="get">';
+        echo '<input type="hidden" name="do" value="admin" />';
+        echo '<input type="hidden" name="page" value="badbehaviour" />';
+        echo '<label for="key__lookup">'.$this->getLang('lookup').':</label> ';
+        echo '<input type="text" id="key__lookup" name="lookup" value="'.hsc($_REQUEST['lookup']).'" />';
+        echo '<input type="submit" value="'.$lang['btn_search'].'" class="button" />';
+        echo '</form>';
+        echo '</div>';
+    }
+
     /**
      * Read loglines backward
      */

bad-behavior/admin.inc.php

@@ -48,7 +48,7 @@ function bb2_options()
 	<div class="wrap">
 	<h2><?php _e("Bad Behavior"); ?></h2>
 	<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
-	<p>For more information please visit the <a href="http://www.homelandstupidity.us/software/bad-behavior/">Bad Behavior</a> homepage.</p>
+	<p>For more information please visit the <a href="http://www.bad-behavior.ioerror.us/">Bad Behavior</a> homepage.</p>
 	<p>If you find Bad Behavior valuable, please consider making a <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=error%40ioerror%2eus&item_name=Bad%20Behavior%20<?php echo BB2_VERSION; ?>%20%28From%20Admin%29&no_shipping=1&cn=Comments%20about%20Bad%20Behavior&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8">financial contribution</a> to further development of Bad Behavior.</p>
 
 	<fieldset class="options">

bad-behavior/blackhole.inc.php

@@ -5,18 +5,18 @@
 function bb2_blackhole($package) {
 	// Only conservative lists
 	$bb2_blackhole_lists = array(
-		"sbl-xbl.spamhaus.org",
+		"sbl-xbl.spamhaus.org",	// All around nasties
 //		"dnsbl.sorbs.net",	// Old useless data.
 //		"list.dsbl.org",	// Old useless data.
-		"opm.blitzed.org",
+		"dnsbl.ioerror.us",	// Bad Behavior Blackhole
 	);
 
 	// Things that shouldn't be blocked, from aggregate lists
 	$bb2_blackhole_exceptions = array(
-		"sbl-xbl.spamhaus.org" => array(),
+		"sbl-xbl.spamhaus.org" => array("127.0.0.4"),	// CBL is problematic
 		"dnsbl.sorbs.net" => array("127.0.0.10",),	// Dynamic IPs only
 		"list.dsbl.org" => array(),
-		"opm.blitzed.org" => array(),
+		"dnsbl.ioerror.us" => array(),
 	);
 
 	// Check the blackhole lists

bad-behavior/blacklist.inc.php

@@ -31,9 +31,11 @@ function bb2_blacklist($package) {
 		"Mozilla/4.0(",		// from honeypot
 		"Mozilla/4.0+(",	// suspicious harvester
 		"MSIE",			// malicious software
+		"NutchCVS",		// unidentified robots
 		"OmniExplorer",		// spam harvester
-		"PussyCat ",		// misc comment spam
 		"psycheclone",		// spam harvester
+		"PussyCat ",		// misc comment spam
+		"PycURL",		// misc comment spam
 		"Shockwave Flash",	// spam harvester
 		"User Agent: ",		// spam harvester
 		"User-Agent: ",		// spam harvester
@@ -43,6 +45,7 @@ function bb2_blacklist($package) {
 
 	// These user agent strings occur anywhere within the line.
 	$bb2_spambots = array(
+		"\r",			// A really dumb bot
 		"; Widows ",		// misc comment/email spam
 		"a href=",		// referrer spam
 		"Bad Behavior Test",	// Add this to your user-agent to test BB
@@ -58,6 +61,7 @@ function bb2_blacklist($package) {
 		".NET CLR 1)",		// free poker, etc.
 		"POE-Component-Client",	// free poker, etc.
 		"Turing Machine",	// www.anonymizer.com abuse
+		"WebaltBot",		// spam harvester
 		"WISEbot",		// spam harvester
 		"WISEnutbot",		// spam harvester
 		"Windows NT 4.0;)",	// wikispam bot

bad-behavior/common_tests.inc.php

@@ -28,11 +28,20 @@ function bb2_misc_headers($settings, $package)
 		return "f9f2b8b9";
 	}
 
+	// Broken spambots send URLs with various invalid characters
+	// Some broken browsers send the #vector in the referer field :(
+	// if (strpos($package['request_uri'], "#") !== FALSE || strpos($package['headers_mixed']['Referer'], "#") !== FALSE) {
+	if (strpos($package['request_uri'], "#") !== FALSE) {
+		return "dfd9b1ad";
+	}
+
 	// Range: field exists and begins with 0
 	// Real user-agents do not start ranges at 0
 	// NOTE: this blocks the whois.sc bot. No big loss.
+	// Exceptions: MT (not fixable); LJ (refuses to fix; may be
+	// blocked again in the future)
 	if (array_key_exists('Range', $package['headers_mixed']) && strpos($package['headers_mixed']['Range'], "=0-") !== FALSE) {
-		if (strncmp($ua, "MovableType", 11)) {
+		if (strncmp($ua, "MovableType", 11) && strncmp($ua, "URI::Fetch", 10)) {
 			return "7ad04a8a";
 		}
 	}
@@ -43,7 +52,10 @@ function bb2_misc_headers($settings, $package)
 	}
 
 	// Lowercase via is used by open proxies/referrer spammers
-	if (array_key_exists('via', $package['headers'])) {
+	// Exceptions: Clearswift uses lowercase via (refuses to fix;
+	// may be blocked again in the future)
+	if (array_key_exists('via', $package['headers']) &&
+		!strstr($package['headers']['via'],'Clearswift Web Policy Engine')) {
 		return "9c9e4979";
 	}
 

bad-behavior/core.inc.php

@@ -57,6 +57,9 @@ function bb2_insert($settings, $package, $key)
 // Kill 'em all!
 function bb2_banned($settings, $package, $key, $previous_key=false)
 {
+	// Some spambots hit too hard. Slow them down a bit.
+	sleep(2);
+
 	require_once(BB2_CORE . "/banned.inc.php");
 	bb2_display_denial($settings, $key, $previous_key);
 	bb2_log_denial($settings, $package, $key, $previous_key);

bad-behavior/functions.inc.php

@@ -45,7 +45,8 @@ function match_cidr($addr, $cidr) {
 		}
 	} else {
 		list($ip, $mask) = explode('/', $cidr);
-		$mask = 0xffffffff << (32 - $mask);
+		if (!$mask) $mask = 32;
+		$mask = pow(2,32) - pow(2, (32 - $mask));
 		$output = ((ip2long($addr) & $mask) == (ip2long($ip) & $mask));
 	}
 	return $output;

bad-behavior/mozilla.inc.php

@@ -5,6 +5,8 @@
 function bb2_mozilla($package)
 {
 	// First off, workaround for Google Desktop, until they fix it FIXME
+	// Google Desktop fixed it, but apparently some old versions are
+	// still out there. :(
 	// Always check accept header for Mozilla user agents
 	if (strpos($package['headers_mixed']['User-Agent'], "Google Desktop") === FALSE) {
 		if (!array_key_exists('Accept', $package['headers_mixed'])) {

bad-behavior/post.inc.php

@@ -59,10 +59,10 @@ function bb2_post($settings, $package)
 
 		// Screen for user agent changes
 		// User connected previously with blank user agent
-		$q = bb2_db_query("SELECT `ip` FROM " . $settings['log_table'] . " WHERE (`ip` = '" . $package['ip'] . "' OR `ip` = '" . $screener[1] . "') AND `user_agent` = '' AND `date` > DATE_SUB('" . bb2_db_date() . "', INTERVAL 1 MINUTE)");
+//		$q = bb2_db_query("SELECT `ip` FROM " . $settings['log_table'] . " WHERE (`ip` = '" . $package['ip'] . "' OR `ip` = '" . $screener[1] . "') AND `user_agent` != '" . $package['user_agent'] . "' AND `date` > DATE_SUB('" . bb2_db_date() . "', INTERVAL 5 MINUTE)");
 		// Damnit, too many ways for this to fail :(
-		if ($q !== FALSE && $q != NULL && bb2_db_num_rows($q) > 0)
-			return "799165c2";
+//		if ($q !== FALSE && $q != NULL && bb2_db_num_rows($q) > 0)
+//			return "799165c2";
 	}
 
 	return false;

bad-behavior/responses.inc.php

@@ -6,7 +6,7 @@ function bb2_get_response($key) {
 	$bb2_responses = array(
 		'00000000' => array('response' => 200, 'explanation' => '', 'log' => ''),
 		'136673cd' => array('response' => 403, 'explanation' => 'Your Internet Protocol address is listed on a blacklist of addresses involved in malicious or illegal activity. See the listing below for more details on specific blacklists and removal procedures.', 'log' => 'IP address found on external blacklist'),
-		'17566707' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept\' missing'),
+		'17566707' => array('response' => 403, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept\' missing'),
 		'17f4e8c8' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent was found on blacklist'),
 		'21f11d3f' => array('response' => 403, 'explanation' => 'An invalid request was received. You claimed to be a mobile Web device, but you do not actually appear to be a mobile Web device.', 'log' => 'User-Agent claimed to be AvantGo, claim appears false'),
 		'2b90f772' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. If you are using the Opera browser, then Opera must appear in your user agent.', 'log' => 'Connection: TE present, not supported by MSIE'),

bad-behavior/version.inc.php

@@ -1,3 +1,3 @@
 <?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.0.7");
+define('BB2_VERSION', "2.0.10");
 ?>

info.php

@@ -3,8 +3,8 @@
 $info = array(
             'author' => 'Andreas Gohr',
             'email'  => 'andi@splitbrain.org',
-            'date'   => '2006-11-30',
-            'name'   => 'Bad Behaviour Plugin (based on version 2.0.7)',
+            'date'   => '2007-03-07',
+            'name'   => 'Bad Behaviour Plugin (based on version 2.0.10)',
             'desc'   => 'Protects the wiki against malicious users and spiders',
             'url'    => 'http://wiki:splitbrain.org/plugin:badbehaviour',
         );

lang/en/lang.php

@@ -17,4 +17,10 @@
 $lang['count']   = 'Count';
 $lang['reason']  = 'Reason';
 
+$lang['blocked'] = '%d accesses were blocked in the last %d days.';
+
+$lang['lkpresult'] = 'The request came from IP <b>%s</b> and was blocked because <b>%s</b>. The explanation shown to the user was <b>%s</b> More details may be available <a href="http://www.ioerror.us/bb2-support-key?key=%s">here</a>.';
+$lang['lkplist']   = 'Below is a list of log lines matching this IP in the last %d days.';
+$lang['lookup']    = 'Lookup support key';
+
 //Setup VIM: ex: et ts=4 enc=utf-8 :

lang/en/lookup.txt

@@ -0,0 +1,3 @@
+====== Bad Behaviour Support Key Lookup ======
+
+