zaphod
Site Admin

Joined: 28 Jan 2008 Posts: 75
Signature Update 18
In this update...
More hostnames in the toilet.
It might be wise, in the future, for a domain purchaser to peruse my signature file, as it really is the "hall of the damned".
Removal of one slowdown as it was frustrating valid users who wanted to reply to a post in here, but hadn't logged in. It would have let them through, but after 30-60 seconds of wait.
*** PLEASE NOTE: ABOVE EFFECT IS IN ALPHA STILL! WILL BECOME ACTIVE WITH FEB. SCRIPT RELEASE!
(Please note the signatures are still included so you can postulate upon your own uses.)
Would any lesser wait amount be better? For now, no wait though.
Zap 
Wed Jan 21, 2009 12:11 pm
diabolic.bg
Joined: 30 Nov 2008 Posts: 30 Location: Bulgaria
Excellent news, but I have some questions:
1. Where is the difference between (inmatch($lcuseragent and (lmatch($useragent ?
2. About syntax - if I want to add some key words from the URL (ex. roundcube or msgimport), how must I add them - as "[msgimport]" or only "msgimport" ?
3. How can I add the string ?_SERVER[DOCUMENT_ROOT] ?
4. What do you have in mind when you say
"a match at the right side of the variable only"
or
"a match at the left side of the variable only"
I want to understand the right syntax to easily make new signatures. I have some strange facts with "Toata dragostea mea pentru diavola". If I test it here - http://www.botsvsbrowsers.com/SimulateUserAgent.asp?UserAgent=Toata+dragostea+mea+pentru+diavola - ZB Block blocked it for sure, but sometimes it doesn't block real agents with this name.
#: 487 @: Mon, 19 Jan 2009 17:52:27 +0200
Host: host25.199.81.74.static.maximumasp.com
IP: 74.81.199.25
Score: 1
Why blocked: undefined client, fake, maybe is a bot, my addon.
File: removed for security
Post:
Query:
Referer:
User Agent: Toata dragostea mea pentru diavola
Reconstructed URL: http://wasteland-bg.com/
213.232.93.41 - - [23/Jan/2009:02:46:23 +0200] "GET HTTP/1.1 HTTP/1.1" 400 1045 "-" "Toata dragostea mea pentru diavola"
213.232.93.41 - - [23/Jan/2009:02:46:26 +0200] "GET /roundcube//bin/msgimport HTTP/1.1" 301 393 "-" "Toata dragostea mea pentru diavola"
Maybe I will send you some new signatures soon, but I want to test them first.
Testers I have many...
EDIT
I want you to see this:
For me it is new and I don't understand what this is... I understand only the 404, but is this an attack, and why doesn't it have a User_client?
_________________ Fallout Vault BG | Vault Tec RSS News
Thu Jan 22, 2009 12:28 pm
zaphod
Site Admin

Joined: 28 Jan 2008 Posts: 75
Let's take on these questions one by one...
1. Where is difference in (inmatch($lcuseragent and (lmatch($useragent ?
$lcuseragent means "Lower Cased User-Agent" as in...
"ThE QuIcK BrOwN FoX"
is converted to
"the quick brown fox"
2. About syntax - if I want to add some key words from URL (ex. roundcube or msgimport, how I must add it - as "[msgimport]" or only "msgimport" ?
Try it like '[msgimport]' (Magic quotes ' ) if that doesn't work... '\[msgimport\]' (backslash escaping)
3. How can I add the string ?_SERVER[DOCUMENT_ROOT] ?
$ax = $ax + (inmatch($query,"?_SERVER[DOCUMENT_ROOT]","Something you wish to catch"));
4. What do you have in your mind as you tell
* "a match at the right side of the variable only"
RMATCH
Means look at the END only, and see if you can make a match there.
trigger pattern "web.ru" would rmatch "keyweb.ru"
trigger pattern "keyweb" would NOT rmatch "keyweb.ru"
* "a match at the left side of the variable only"
LMATCH
Means try to make a match at the beginning of a variable.
trigger pattern "192.168.1" would lmatch "192.168.1.254"
trigger pattern "server" would lmatch "server243.somehost.ru"
trigger pattern "168.1.254" would NOT rmatch "192.168.1.254"
trigger pattern "somehost" would NOT rmatch "server243.somehost.ru"
* "a match anywhere in the variable" (not asked, but may as well cover it)
INMATCH
trigger pattern "orange" would inmatch "apples, oranges, and kiwis"
trigger pattern "orange" would NOT inmatch "bananas, coconuts, and grapes"
5. "but some times doesn't block real agents with this name."
Will look into this... bet I need to use the lower-cased form of the user-agent... or they are doing some other stuff. Perhaps due to the examples I saw, they are not even pulling a PHP page. Remember, server logs will still show the access, but the request will be stopped. Also, remember if they are not dealing with a php page, they can grab whatever they want.
6. "For me it is a new and I don't understand what is this..."
Looks like you caught some POST code. Will sniff deeper to see if a signature needs to be added. Most of these idiot skiddies never clean their tracks.
EDIT:
Re: 6. Code is a snoop script, and the data in POST is bait to go look. Editing the url so it no longer works.
Zap 
Fri Jan 23, 2009 12:26 am
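The three trigger functions zaphod describes in the answer above (LMATCH, RMATCH, INMATCH), the lower-cased $lcuseragent, and the `$ax = $ax + (...)` scoring, written out in Python as an added illustration. This is not ZB Block's own code; it assumes a trigger is a plain case-sensitive substring test (not a regex), that a hit scores 1 and a miss 0, and that the signature list and request values below are constructed for the demo.

```python
# Added illustration of ZB Block trigger semantics as described in the post;
# not ZB Block's own code. Assumptions: plain case-sensitive substring
# matching (no regex), a hit scores 1, a miss 0, and $ax is the running
# sum of every signature's score.

def lmatch(value: str, trigger: str) -> int:
    """Match only at the beginning (left side) of the variable."""
    return 1 if value.startswith(trigger) else 0

def rmatch(value: str, trigger: str) -> int:
    """Match only at the end (right side) of the variable."""
    return 1 if value.endswith(trigger) else 0

def inmatch(value: str, trigger: str) -> int:
    """Match anywhere inside the variable."""
    return 1 if trigger in value else 0

# A signature is (function, variable name, trigger, reason), mirroring
# `$ax = $ax + (inmatch($query, "?_SERVER[DOCUMENT_ROOT]", "reason"));`
# Constructed list for the demo, based on the signatures quoted in the thread.
SIGNATURES = [
    (inmatch, "query", "?_SERVER[DOCUMENT_ROOT]", "remote include probe"),
    (lmatch, "useragent", "Python-urllib/", "undefined agent, ignores robots.txt"),
    # $lcuseragent is the lower-cased User-Agent, so the trigger must be
    # lower-case too or it can never match (zaphod's point 5 above).
    (lmatch, "lcuseragent", "toata dragostea mea pentru diavola", "roundcube probe"),
]

def score_request(request: dict, signatures=SIGNATURES):
    """Return (ax, reasons): the summed score and the reasons that fired.
    `request` holds the raw variables; lcuseragent is derived from useragent."""
    variables = dict(request)
    variables["lcuseragent"] = request.get("useragent", "").lower()
    ax, reasons = 0, []
    for func, name, trigger, reason in signatures:
        hit = func(variables.get(name, ""), trigger)
        ax += hit
        if hit:
            reasons.append(reason)
    return ax, reasons

if __name__ == "__main__":
    # Constructed request built from the second access-log line quoted above.
    req = {"useragent": "Toata dragostea mea pentru diavola", "query": ""}
    print(score_request(req))  # -> (1, ['roundcube probe'])
```

Under the literal-substring assumption a trigger like '[msgimport]' only fires on a URL that literally contains the square brackets, which is why the bracket question matters: if ZB Block treats triggers as regexes instead, the escaped form '\[msgimport\]' zaphod suggests is the one to use.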
diabolic.bg
Joined: 30 Nov 2008 Posts: 30 Location: Bulgaria
Thanks for the full answer! I will think about it.
You can add this row - already tested:
$ax = $ax + (inmatch($query,"[do=ext&page]","phpbb hack"));
Best wishes!
I find out some info for "Toata dragostea mea pentru diavola" in one Russian forum.
This is a new exploit vs. RoundCube Webmail 0.2-beta - http://roundcube.net/
http://www.securitylab.ru/vulnerability/364814.php
I don't use it and don't care, but I want to stop it and will try again. You rightly said this bot doesn't use php files, and maybe this is the reason it is not blocked by ZB Block.
_________________ Fallout Vault BG | Vault Tec RSS News
Last edited by diabolic.bg on Wed Jan 28, 2009 10:49 am; edited 1 time in total
Fri Jan 23, 2009 1:23 am
diabolic.bg
Joined: 30 Nov 2008 Posts: 30 Location: Bulgaria
Hi, Zap!
I'm sending you some new tested signatures:
//User agents
$ax = $ax + (lmatch($useragent,"Sphere Scout&v4.0 - scout at sphere dot com","stupid bot, give only 404"));
$ax = $ax + (lmatch($useragent,"omgilibot/0.3","Israel Server-Farm, sometimes use Python-urllib/1.17, don't use robots.txt"));
$ax = $ax + (lmatch($useragent,"MJ12bot/","www.majestic12.co.uk, fake, masked IP, don't use robots.txt, stealing your data"));
$ax = $ax + (lmatch($useragent,"Python-urllib/","undefined agent, use Python-urllib, don't use robots.txt"));
Good luck!
_________________ Fallout Vault BG | Vault Tec RSS News
Sat Jan 31, 2009 9:57 am