Upgraded Bad Behavior lib to 2.0.22

darcs-hash:20080806200105-7ad00-280415511366956a9381f953922389c8d54d8277.gz
commit e3dbac69189ef2c7af3f75bb510ad419bafef1c0 1 parent b3a6484
@splitbrain authored
1  bad-behavior/banned.inc.php
@@ -42,6 +42,7 @@ function bb2_display_denial($settings, $key, $previous_key = false)
function bb2_log_denial($settings, $package, $key, $previous_key=false)
{
+ if (!$settings['logging']) return;
bb2_db_query(bb2_insert($settings, $package, $key));
}
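Review bot: The new guard in bb2_log_denial reads `$settings['logging']` directly, so a settings array without this key raises an undefined-index notice and, because the missing key evaluates as false, stops recording denials without any visible error. Denial records are the audit trail for blocked requests, so a missing key should not switch them off; `if (isset($settings['logging']) && !$settings['logging']) return;` keeps logging on unless it is explicitly disabled. Whether the plugin's own settings array defines the key is not visible on this page.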
14 bad-behavior/blackhole.inc.php
@@ -34,4 +34,18 @@ function bb2_blackhole($package) {
}
return false;
}
+
+function bb2_httpbl($settings, $package) {
+ if (!$settings['httpbl_key']) return false;
+
+ $find = implode('.', array_reverse(explode('.', $package['ip'])));
+ $result = gethostbynamel($settings['httpbl_key'].".${find}.dnsbl.httpbl.org.");
+ if (!empty($result)) {
+ $ip = explode('.', $result[0]);
+ if ($ip[0] == 127 && ($ip[3] & 7) && $ip[2] >= $settings['httpbl_threat'] && $ip[1] >= $settings['httpbl_maxage']) {
+ return '2b021b1f';
+ }
+ }
+ return false;
+}
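Review bot: The age test in bb2_httpbl, `$ip[1] >= $settings['httpbl_maxage']`, looks inverted. Assuming the usual http:BL answer layout (second octet = days since the address was last seen, third = threat score, fourth = visitor type), it denies only listings that are at least `httpbl_maxage` days old and ignores fresher ones; the comparison should be `$ip[1] <= $settings['httpbl_maxage']`. The query name is built by splitting `$package['ip']` on dots, so an address that is not a dotted quad produces a meaningless lookup and should return false before the DNS call. `empty($settings['httpbl_key'])` in the first guard would also avoid a notice when the key is not configured.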
?>
14 bad-behavior/blacklist.inc.php
@@ -10,15 +10,18 @@ function bb2_blacklist($package) {
"adwords", // referrer spam
"autoemailspider", // spam harvester
"blogsearchbot-martin", // from honeypot
+ "CherryPicker", // spam harvester
+ "core-project/", // FrontPage extension exploits
+ "Diamond", // delivers spyware/adware
"Digger", // spam harvester
"ecollector", // spam harvester
"EmailCollector", // spam harvester
- "Email Extractor", // spam harvester
"Email Siphon", // spam harvester
"EmailSiphon", // spam harvester
"grub crawler", // misc comment/email spam
"HttpProxy", // misc comment/email spam
"Internet Explorer", // XMLRPC exploits seen
+ "ISC Systems iRc", // spam harvester
"Jakarta Commons", // custommised spambots
"Java 1.", // definitely a spammer
"Java/1.", // definitely a spammer
@@ -26,7 +29,7 @@ function bb2_blacklist($package) {
"LWP", // spambot scripts
"Microsoft URL", // spam harvester
"Missigua", // spam harvester
- "MJ12bot", // crawls MUCH too fast
+ "MJ12bot/v1.0.8", // malicious botnet
"Movable Type", // customised spambots
"Mozilla ", // malicious software
"Mozilla/4.0(", // from honeypot
@@ -38,11 +41,14 @@ function bb2_blacklist($package) {
"psycheclone", // spam harvester
"PussyCat ", // misc comment spam
"PycURL", // misc comment spam
- "Shockwave Flash", // spam harvester
+// "Shockwave Flash", // spam harvester
+// WP 2.5 now has Flash; FIXME
+ "Super Happy Fun ", // spam harvester
"TrackBack/", // trackback spam
"user", // suspicious harvester
"User Agent: ", // spam harvester
"User-Agent: ", // spam harvester
+ "Winnie Poh", // Automated Coppermine hacks
"Wordpress", // malicious software
"\"", // malicious software
);
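Review bot: The `"Shockwave Flash"` entry is disabled by commenting it out, and the only explanation is `// WP 2.5 now has Flash; FIXME`, which does not say what must change before the entry can be restored or deleted. Presumably a legitimate WordPress 2.5 component sends this User-Agent; if so, a comment such as `// disabled: matches a legitimate WordPress 2.5 Flash client; restore only with an exception for that client` would make the intent reviewable. The array starts above this hunk.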
@@ -56,6 +62,7 @@ function bb2_blacklist($package) {
"compatible ; MSIE", // misc comment/email spam
"compatible-", // misc comment/email spam
"DTS Agent", // misc comment/email spam
+ "Email Extractor", // spam harvester
"Gecko/25", // revisit this in 500 years
"grub-client", // search engine ignores robots.txt
"hanzoweb", // very badly behaved crawler
@@ -72,6 +79,7 @@ function bb2_blacklist($package) {
"Windows NT 5.0;)", // wikispam bot
"Windows NT 5.1;)", // wikispam bot
"Windows XP 5", // spam harvester
+ "WordPress/4.01", // pingback spam
"\\\\)", // spam harvester
);
19 bad-behavior/common_tests.inc.php
@@ -20,6 +20,16 @@ function bb2_protocol($settings, $package)
return false;
}
+function bb2_cookies($settings, $package)
+{
+ // Enforce RFC 2965 sec 3.3.5 and 9.1
+ // Bots wanting new-style cookies should send Cookie2
+ if (strpos($package['headers_mixed']['Cookie'], '$Version=0') !== FALSE && !array_key_exists('Cookie2', $package['headers_mixed'])) {
+ return '6c502ff1';
+ }
+ return false;
+}
+
function bb2_misc_headers($settings, $package)
{
$ua = $package['headers_mixed']['User-Agent'];
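Review bot: bb2_cookies indexes `$package['headers_mixed']['Cookie']` without checking that the header was sent, while the same condition uses `array_key_exists` for `Cookie2`. A request without cookies then raises an undefined-index notice on every hit and passes null to `strpos`; starting the condition with `array_key_exists('Cookie', $package['headers_mixed']) &&` avoids that and leaves the result unchanged. The function also lacks a comment stating that it returns a response key string on a match and false otherwise.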
@@ -55,7 +65,7 @@ function bb2_misc_headers($settings, $package)
// Exceptions: Clearswift uses lowercase via (refuses to fix;
// may be blocked again in the future)
if (array_key_exists('via', $package['headers']) &&
- !strstr($package['headers']['via'],'Clearswift Web Policy Engine')) {
+ strpos($package['headers']['via'],'Clearswift') === FALSE) {
return "9c9e4979";
}
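Review bot: The exception for a lowercase `via` header now matches the bare word `Clearswift` anywhere in a value the client controls, which widens what skips the `9c9e4979` check compared with the full product name it replaces. If the broader match is needed for other Clearswift products, a comment listing the observed values, e.g. `// matches "Clearswift Web Policy Engine" and <other observed product strings>`, would let a later reader judge whether it can be narrowed again. bb2_misc_headers starts and ends outside this hunk.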
@@ -96,6 +106,7 @@ function bb2_misc_headers($settings, $package)
if (array_key_exists('X-Aaaaaaaaaaaa', $package['headers_mixed']) || array_key_exists('X-Aaaaaaaaaa', $package['headers_mixed'])) {
return "b9cc1d86";
}
+ // Proxy-Connection does not exist and should never be seen in the wild
if (array_key_exists('Proxy-Connection', $package['headers_mixed'])) {
return "b7830251";
}
@@ -114,6 +125,12 @@ function bb2_misc_headers($settings, $package)
}
}
+ // "uk" is not a language (ISO 639) nor a country (ISO 3166)
+ // oops, yes it is :( Please shoot any Ukrainian spammers you see.
+# if (preg_match('/\buk\b/', $package['headers_mixed']['Accept-Language'])) {
+# return "35ea7ffa";
+# }
+
return false;
}
7 bad-behavior/core.inc.php
@@ -80,7 +80,7 @@ function bb2_approved($settings, $package)
}
// Decide what to log on approved requests.
- if ($settings['verbose'] || empty($package['user_agent'])) {
+ if (($settings['verbose'] && $settings['logging']) || empty($package['user_agent'])) {
bb2_db_query(bb2_insert($settings, $package, "00000000"));
}
}
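Review bot: In bb2_approved the new `$settings['logging']` test guards only the verbose branch, so a request with an empty User-Agent is still written through `bb2_db_query` when logging is switched off, unlike bb2_log_denial in banned.inc.php, which returns early. If `logging` is meant to stop all writes, the condition should be `$settings['logging'] && ($settings['verbose'] || empty($package['user_agent']))`. If the empty User-Agent record is deliberate, a comment saying so would help. The function starts outside this hunk.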
@@ -137,9 +137,14 @@ function bb2_start($settings)
require_once(BB2_CORE . "/blacklist.inc.php");
bb2_test($settings, $package, bb2_blacklist($package));
+ // Check the http:BL
+ require_once(BB2_CORE . "/blackhole.inc.php");
+ bb2_test($settings, $package, bb2_httpbl($settings, $package));
+
// Check for common stuff
require_once(BB2_CORE . "/common_tests.inc.php");
bb2_test($settings, $package, bb2_protocol($settings, $package));
+ bb2_test($settings, $package, bb2_cookies($settings, $package));
bb2_test($settings, $package, bb2_misc_headers($settings, $package));
// Specific checks
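Review bot: The http:BL check is placed directly after the User-Agent blacklist, so `gethostbynamel` performs a blocking DNS lookup for every request that reaches this point, before the local header tests (`bb2_protocol`, `bb2_cookies`, `bb2_misc_headers`) have had a chance to reject it. Moving the three added http:BL lines below those local checks would keep a slow or unreachable resolver from delaying requests that can be rejected without network access. bb2_start continues outside this hunk, so the best position relative to the later specific checks cannot be judged from here.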
2  bad-behavior/mozilla.inc.php
@@ -8,7 +8,7 @@ function bb2_mozilla($package)
// Google Desktop fixed it, but apparently some old versions are
// still out there. :(
// Always check accept header for Mozilla user agents
- if (strpos($package['headers_mixed']['User-Agent'], "Google Desktop") === FALSE) {
+ if (strpos($package['headers_mixed']['User-Agent'], "Google Desktop") === FALSE && strpos($package['headers_mixed']['User-Agent'], "PLAYSTATION 3") === FALSE) {
if (!array_key_exists('Accept', $package['headers_mixed'])) {
return "17566707";
}
11 bad-behavior/post.inc.php
@@ -27,17 +27,26 @@ function bb2_post($settings, $package)
// Catch a few completely broken spambots
foreach ($request_entity as $key => $value) {
$pos = strpos($key, " document.write");
- if ($pos !== FAlSE) {
+ if ($pos !== FALSE) {
return "dfd9b1ad";
}
}
+ // If Referer exists, it should refer to a page on our site
+ if (array_key_exists('Referer', $package['headers_mixed']) && stripos($package['headers_mixed']['Referer'], $package['headers_mixed']['Host']) === FALSE) {
+ return "cd361abb";
+ }
+
// Screen by cookie/JavaScript form add
if (isset($_COOKIE[BB2_COOKIE])) {
$screener1 = explode(" ", $_COOKIE[BB2_COOKIE]);
+ } else {
+ $screener1 = array(0);
}
if (isset($_POST[BB2_COOKIE])) {
$screener2 = explode(" ", $_POST[BB2_COOKIE]);
+ } else {
+ $screener2 = array(0);
}
$screener = max($screener1[0], $screener2[0]);
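Review bot: The new Referer test uses `stripos` to look for the Host value anywhere in the Referer, so it accepts an off-site Referer that merely contains the host name in its path or query. When no Host header is present it also indexes a missing key and searches for an empty needle. Comparing the host component of the Referer with the Host header (port removed) is stricter and avoids both problems. The version below skips the test when Host is absent, which is a choice to confirm. bb2_post starts and ends outside this hunk.

```php
// If Referer exists, its host part should be this site's host
if (array_key_exists('Referer', $package['headers_mixed']) && array_key_exists('Host', $package['headers_mixed'])) {
	$referer_host = parse_url($package['headers_mixed']['Referer'], PHP_URL_HOST);
	// Host may carry a port; compare names only
	$site_host = preg_replace('/:\d+$/', '', $package['headers_mixed']['Host']);
	if ($site_host !== '' && strcasecmp((string) $referer_host, $site_host) !== 0) {
		return "cd361abb";
	}
}
// … unchanged: cookie/JavaScript screener defaults …
```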
6 bad-behavior/responses.inc.php
@@ -4,18 +4,21 @@
function bb2_get_response($key) {
$bb2_responses = array(
- '00000000' => array('response' => 200, 'explanation' => '', 'log' => ''),
+ '00000000' => array('response' => 200, 'explanation' => '', 'log' => 'Permitted'),
'136673cd' => array('response' => 403, 'explanation' => 'Your Internet Protocol address is listed on a blacklist of addresses involved in malicious or illegal activity. See the listing below for more details on specific blacklists and removal procedures.', 'log' => 'IP address found on external blacklist'),
'17566707' => array('response' => 403, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept\' missing'),
'17f4e8c8' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent was found on blacklist'),
'21f11d3f' => array('response' => 403, 'explanation' => 'An invalid request was received. You claimed to be a mobile Web device, but you do not actually appear to be a mobile Web device.', 'log' => 'User-Agent claimed to be AvantGo, claim appears false'),
+ '2b021b1f' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'IP address found on http:BL blacklist'),
'2b90f772' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. If you are using the Opera browser, then Opera must appear in your user agent.', 'log' => 'Connection: TE present, not supported by MSIE'),
+ '35ea7ffa' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Check your browser\'s language and locale settings.', 'log' => 'Invalid language specified'),
'408d7e72' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'POST comes too quickly after GET'),
'41feed15' => array('response' => 400, 'explanation' => 'An invalid request was received. This may be caused by a malfunctioning proxy server. Bypass the proxy server and connect directly, or contact your proxy server administrator.', 'log' => 'Header \'Pragma\' without \'Cache-Control\' prohibited for HTTP/1.1 requests'),
'45b35e30' => array('response' => 403, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Header \'Referer\' is corrupt'),
'57796684' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'Prohibited header \'X-Aaaaaaaaaa\' or \'X-Aaaaaaaaaaaa\' present'),
'582ec5e4' => array('response' => 400, 'explanation' => 'An invalid request was received. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator. This may also be caused by a bug in the Opera web browser.', 'log' => '"Header \'TE\' present but TE not specified in \'Connection\' header'),
'69920ee5' => array('response' => 403, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Header \'Referer\' present but blank'),
+ '6c502ff1' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Bot not fully compliant with RFC 2965'),
'799165c2' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Rotating user-agents detected'),
'7a06532b' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept-Encoding\' missing'),
'7ad04a8a' => array('response' => 400, 'explanation' => 'The automated program you are using is not permitted to access this server. Please use a different program or a standard Web browser.', 'log' => 'Prohibited header \'Range\' present'),
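Review bot: The added `'35ea7ffa'` entry has no live caller on this page; the only code that returns that key is the Accept-Language test in common_tests.inc.php, which this commit adds commented out. A comment next to the entry, e.g. `// 35ea7ffa: reserved, Accept-Language test currently disabled`, would stop it from looking like an active rule. The array continues outside this hunk.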
@@ -29,6 +32,7 @@ function bb2_get_response($key) {
'b7830251' => array('response' => 400, 'explanation' => 'Your proxy server sent an invalid request. Please contact the proxy server administrator to have this problem fixed.', 'log' => 'Prohibited header \'Proxy-Connection\' present'),
'b9cc1d86' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Prohibited header \'X-Aaaaaaaaaa\' or \'X-Aaaaaaaaaaaa\' present'),
'c1fa729b' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'Use of rotating proxy servers detected'),
+ 'cd361abb' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Data may not be posted from offsite forms.', 'log' => 'Referer did not point to a form on this site'),
'd60b87c7' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, please remove any viruses or spyware from your computer.', 'log' => 'Trackback received via proxy server'),
'dfd9b1ad' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Request contained a malicious JavaScript or SQL injection attack'),
'e4de0453' => array('response' => 403, 'explanation' => 'An invalid request was received. You claimed to be a major search engine, but you do not appear to actually be a major search engine.', 'log' => 'User-Agent claimed to be msnbot, claim appears to be false'),
2  bad-behavior/version.inc.php
@@ -1,3 +1,3 @@
<?php if (!defined('BB2_CWD')) die("I said no cheating!");
-define('BB2_VERSION', "2.0.13");
+define('BB2_VERSION', "2.0.22");
?>
4 info.txt
@@ -1,6 +1,6 @@
author = Andreas Gohr
email = andi@splitbrain.org
-date = 2008-04-06
-name = Bad Behaviour Plugin (based on version 2.0.13)
+date = 2008-08-06
+name = Bad Behaviour Plugin (based on version 2.0.22)
desc = Protects the wiki against malicious users and spiders
url = http://wiki:splitbrain.org/plugin:badbehaviour