zaphod (Site Admin)
Joined: 28 Jan 2008   Posts: 75

ZB Block 0.1.6 Beta Released.
0.1.6 is out, 0.1.5 lasted a week, wow. Amazing what new coding ideas come to you in dreams.
My latest problem was banning all attempts at queries containing URLs. This just simply was unworkable IMHO.
Solution: all remote include attacks also trigger a PATH_INFO variable in PHP. So I decided to make a flag on the existence of it. If that, plus a query containing a =http:// exist, flag it as an attack.
But wait, nothing on my site uses $_SERVER['PATH_INFO']! Chances are, neither does your site. So I added a pure detection in signatures for it.
Of course any detection you don't like can be commented out in signatures.inc (using a //), and chances are you could add your own since the syntax is rather simple. Also please post any additions you think are needed in the Blocklist Data area.
Zap.
Fri Nov 28, 2008 2:25 pm
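The detection described in the post above, as an added example that is not ZB Block's own signatures.inc code: PATH_INFO present together with a query value that is a URL is flagged, PATH_INFO alone is flagged by a separate switchable rule, and a URL in the query with no PATH_INFO is left alone. The function name, the sample requests and the reason strings are constructed for illustration; it runs on PHP 7.1 or later.

```php
<?php
// Added example (not ZB Block's own signatures.inc): the 0.1.6 rule from the
// post above, written as a function so the reason can be logged the way the
// killed_log.txt "Why blocked:" line is. Requires PHP 7.1 or later.

/**
 * Return the reasons a request looks like a remote-include attempt, or an
 * empty array when nothing matched.
 *
 * $server is a $_SERVER-shaped array so the function can be driven with
 * constructed input below; in a real front controller pass $_SERVER itself.
 * $flag_bare_path_info mirrors the "pure detection" for PATH_INFO: leave it
 * true only if, like the author's site, nothing you run uses PATH_INFO.
 */
function remote_include_reasons(array $server, bool $flag_bare_path_info = true): array
{
    $reasons   = [];
    $path_info = (string) ($server['PATH_INFO'] ?? '');
    $query     = (string) ($server['QUERY_STRING'] ?? '');

    // Look for a parameter whose value starts with http:// or https://.
    // Decode first so an encoded "%3A%2F%2F" is seen as "://".
    $decoded       = urldecode($query);
    $has_url_value = preg_match('~(?:^|&)[^=&]*=https?://~i', $decoded) === 1;

    if ($path_info !== '' && $has_url_value) {
        // Both indicators together: PATH_INFO set and a URL handed in as a value.
        $reasons[] = 'Remote include attempt (PATH_INFO set and =http:// in query)';
    } elseif ($path_info !== '' && $flag_bare_path_info) {
        // PATH_INFO alone. Comment this branch out (as you would a line in
        // signatures.inc) if your application legitimately uses PATH_INFO.
        $reasons[] = 'PATH_INFO present (nothing on this site uses it)';
    }
    // A URL in the query with no PATH_INFO is allowed: banning every such
    // query is the behaviour the post calls unworkable.
    return $reasons;
}

// Constructed sample requests for illustration (not taken from the thread's logs).
$samples = [
    'topic view'      => ['QUERY_STRING' => 't=54&start=15'],
    'include attempt' => ['PATH_INFO' => '/index.php', 'QUERY_STRING' => 'page=http://remote.example/inc.txt'],
    'encoded include' => ['PATH_INFO' => '/index.php', 'QUERY_STRING' => 'page=http%3A%2F%2Fremote.example%2Finc.txt'],
    'URL in a search' => ['QUERY_STRING' => 'q=http://example.com/'],
    'bare PATH_INFO'  => ['PATH_INFO' => '/gallery/2008'],
];

foreach ($samples as $label => $server) {
    $reasons = remote_include_reasons($server);
    printf("%-16s %s\n", $label . ':', $reasons === [] ? 'allowed' : implode('; ', $reasons));
}
```

The decode step matters because a value such as `http%3A%2F%2F` would otherwise never match a literal `=http://` test; the function returns reasons rather than writing to a shared variable so the caller decides how to log them.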
diabolic.bg
Joined: 30 Nov 2008   Posts: 30   Location: Bulgaria

Sun Nov 30, 2008 6:27 am
zaphod (Site Admin)
Joined: 28 Jan 2008   Posts: 75

Thanks for your vote of confidence. Spread the word!

Sun Nov 30, 2008 7:33 am
diabolic.bg
Joined: 30 Nov 2008   Posts: 30   Location: Bulgaria

zaphod wrote:
    Thanks for your vote of confidence. Spread the word!

I have placed the same post with data from killed_log.txt at http://www.stopforumspam.com
If you can, please help me with the problem of the empty "Why blocked" line. This isn't a fatal problem but I want to know why, if possible. Also in the new killed_log.txt the "File" line is empty. Maybe this is important for you as info.

@: Sat, 29 Nov 2008 01:33:45 +0200
Host: ukdsl348
IP: 78.110.175.12
Why blocked:
File:
Query:
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/
@: Sat, 29 Nov 2008 18:57:58 +0200
Host: v3server-d9js8x
IP: 194.165.42.21
Why blocked:
File:
Query: t=54&start=15
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/topic54-15.html
@: Sat, 29 Nov 2008 21:19:23 +0200
Host: ns.km30734.keymachine.de
IP: 87.118.112.5
Why blocked:
File:
Query: t=266
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/topic266.html
@: Sat, 29 Nov 2008 23:10:04 +0200
Host: 208.64.29.162.svservers.com
IP: 208.64.29.162
Why blocked:
File:
Query: t=54&start=15
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/topic54-15.html
@: Sun, 30 Nov 2008 02:30:39 +0200
Host: ukdsl349
IP: 78.110.175.13
Why blocked:
File:
Query:
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/
@: Sun, 30 Nov 2008 12:51:33 +0200
Host: 194.165.42.73
IP: 194.165.42.73
Why blocked:
File:
Query: t=1171
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/topic1171.html
@: Sun, 30 Nov 2008 14:49:25 +0200
Host: ukdsl349
IP: 78.110.175.13
Why blocked:
File:
Query: mode=activate&u=898&act_key=3152d0029e6a
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/profile.php?mode=activate&u=898&act_key=3152d0029e6a
_________________
Fallout Vault BG | Vault Tec RSS News

Sun Nov 30, 2008 9:21 am
zaphod (Site Admin)
Joined: 28 Jan 2008   Posts: 75

Problems with "why blocked".

Well, I wrote this script under php 4... you are running php 5. I may do some investigations into why php 5 is not passing the global scoped $whyblockedout back to the main script.
Hopefully I'll find something out.
Are you sure that your install of php5 is good (as in, was it a buggy release)? Seems you've been having a little trouble with other scripts also. Perhaps an upgrade would help? (Don't forget to back up everything first though)
Anyway, I will keep looking for an answer to this problem.
Zap

Sun Nov 30, 2008 6:26 pm
zaphod (Site Admin)
Joined: 28 Jan 2008   Posts: 75

Possible Solution?

Download a fresh SIGNATURE... I think I may have fixed the problem.
Zap

Sun Nov 30, 2008 7:54 pm
diabolic.bg
Joined: 30 Nov 2008   Posts: 30   Location: Bulgaria

Re: Possible Solution?

zaphod wrote:
    Are you sure that your install of php5 is good (as in, was it a buggy release)? Seems you've been having a little trouble with other scripts also. Perhaps an upgrade would help? (Don't forget to back up everything first though)

No, I don't have problems with PHP 5.0.4. It is included in the xampp install file and has already worked for 3 years.

zaphod wrote:
    Download a fresh SIGNATURE... I think I may have fixed the problem.
    Zap

Yes, Zap, you did it! You fixed the problem. This is my test:

@: Mon, 01 Dec 2008 08:56:34 +0200
Host: 192.168.0.1
IP: 192.168.0.1
Why blocked: MySQL attack
File:
Query: testingzbblock=badmysql;
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/linkus.php?testingzbblock=badmysql;
Thank you again!

Mon Dec 01, 2008 12:06 am
zaphod (Site Admin)
Joined: 28 Jan 2008   Posts: 75

Ah heck, it should be me thanking you.
Without your patience and telling me exactly what you were experiencing regarding errors, I never would have fixed the problem!
So...
THANK YOU!
The problem may stem from PHP 4 sharing variables between .incs and the main script, and php 5 requiring a globalization inside the .inc to pass the info outside. php 5 is more secure IMHO for this behavior.
Zap

Mon Dec 01, 2008 4:59 am
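An added illustration of the scoping rule behind the empty "Why blocked:" line (this is not ZB Block's code, and the three detect_* functions are constructed for the example): a variable assigned inside a function is local to that function unless the function declares it global, and the same holds when that function lives in an included signatures file. The third variant shows the alternative of returning the reason instead of sharing a variable at all. Runs on PHP 7.1 or later.

```php
<?php
// Added illustration (not ZB Block's code) of the scoping behaviour behind the
// empty "Why blocked:" line. A variable assigned inside a function is local to
// that function unless the function declares it global, and that holds when the
// function lives in an included signatures file. Requires PHP 7.1 or later.

$whyblockedout = '';   // the main script reads this to fill "Why blocked:"

// Version 1: assigns a local $whyblockedout. The main script's copy is never
// touched, so the hit is counted but the logged reason stays empty.
function detect_local(string $query): int
{
    $whyblockedout = '';
    if (stripos($query, 'badmysql') !== false) {
        $whyblockedout = 'MySQL attack';
        return 1;
    }
    return 0;
}

// Version 2: declares the variable global, so the assignment reaches the main scope.
function detect_global(string $query): int
{
    global $whyblockedout;
    if (stripos($query, 'badmysql') !== false) {
        $whyblockedout = 'MySQL attack';
        return 1;
    }
    return 0;
}

// Version 3: no shared state. Return the reason (or null) and let the caller
// log it; this sidesteps the question of scope altogether.
function detect_returning(string $query): ?string
{
    return stripos($query, 'badmysql') !== false ? 'MySQL attack' : null;
}

// The test query used in the thread's killed_log.txt excerpts.
$query = 'testingzbblock=badmysql;';

$hits = detect_local($query);
printf("local:     hits=%d  Why blocked: '%s'\n", $hits, $whyblockedout);

$hits = detect_global($query);
printf("global:    hits=%d  Why blocked: '%s'\n", $hits, $whyblockedout);

$reason = detect_returning($query);
printf("returning: hits=%d  Why blocked: '%s'\n", $reason === null ? 0 : 1, (string) $reason);
```

Running it shows the first variant reporting a hit with an empty reason and the other two carrying the reason through, which is the symptom and fix the thread describes.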
diabolic.bg
Joined: 30 Nov 2008   Posts: 30   Location: Bulgaria

You are welcome!
I like this kind of work. Years ago I studied to be a C++ programmer but nobody would take me on because I'm very old (49). Now I do it as a hobby but I have limited PHP knowledge. I can say I already don't remember anything...
But doing this is a pleasure for me.
I hope you understand my bad English...
In the last two days I have had a "big catch". You can see here.
(I don't want to post this "bed sheet" here.)

Mon Dec 01, 2008 7:17 am
diabolic.bg
Joined: 30 Nov 2008   Posts: 30   Location: Bulgaria

Hi, Zap!
I have already updated my signatures and am sending you my test result:

@: Wed, 03 Dec 2008 19:03:54 +0200
Host: 192.168.0.1
IP: 192.168.0.1
Why blocked: MySQL attack
File:
Query: testingzbblock=badmysql;
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/linkus.php?testingzbblock=badmysql;

http://wasteland-bg.com/zbblock/515502_banned_129058.php?page22=p404724
Either the address you are accessing this site from has been banned for previous malicious behavior...
OR...
The action you attempted is considered to be hostile to the proper functioning of this system.
Your IP, and Domain Name (if resolvable) has been logged, along with the referring page (if any), query string, time of access, and date.
Additionally, your client was sent into a forwarding loop to protect this system from hostile automatic entities (robots/bots) at very little detriment to itself.
Please either 1. Stop the bad behavior, or 2. Cease accessing this system.
ERROR RECORD: 99362132252886188293
EOF

If you have ideas for other tests, give them to me. I will test them all.
EDIT
...and a real test...

@: Wed, 03 Dec 2008 19:06:52 +0200
Host: 79-100-2-10.btc-net.bg
IP: 79.100.2.10
Why blocked: Netherlands Site Host (doesn't need access to other sites)
File:
Query:
Referer:
Reconstructed URL: http://wasteland-bg.com/phpbb2/portale.php

ERROR
Host: 79-100-2-10.btc-net.bg
IP: 79.100.2.10
Why blocked: Netherlands Site Host (doesn't need access to other sites)
This is an IP from the Bulgarian Telecommunication Company (I checked it) - maybe 50% of my users have similar IPs.
I don't see similar IPs in your new signatures. Where is the problem?

Wed Dec 03, 2008 10:11 am
zaphod (Site Admin)
Joined: 28 Jan 2008   Posts: 75

79.100.?.? should not have triggered that block. It's not in the range.
Investigating now.
FIXED!
I had a 1 character typo in that detection.
Download the update again!
Thank you!

Wed Dec 03, 2008 10:56 am
diabolic.bg
Joined: 30 Nov 2008   Posts: 30   Location: Bulgaria

zaphod wrote:
    79.100.?.? should not have triggered that block. It's not in the range.
    Investigating now.
    FIXED!
    I had a 1 character typo in that detection.
    Download the update again!
    Thank you!

Thank God!
I was very embarrassed - sent you an email...
I hope now all will be OK.

Wed Dec 03, 2008 11:27 am
zaphod (Site Admin)
Joined: 28 Jan 2008   Posts: 75

A little more explanation on the error.

When blocking an IP range, the script uses a Low first, High second range input.
Here's the error...
$ax = $ax + (iprange($address,"79.143.177.0","78.143.177.255","Netherlands Site Host (doesn't need access to other sites)"));
See the 78? OOPS!
Here's the correct version of the line...
$ax = $ax + (iprange($address,"79.143.177.0","79.143.177.255","Netherlands Site Host (doesn't need access to other sites)"));
Now it goes from low to high as it should.
I meant to only block 256 known addresses (in the middle of a hosting block, not an ISP block), and instead blocked, well, gosh knows what!
Thanks for your patience, and sorry for the inconvenience!

Wed Dec 03, 2008 11:34 am
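The check that would have caught the inverted range above at load time, as an added example that is not ZB Block's own iprange(): bounds are validated before any address is compared, so a low/high pair whose low end is above its high end is reported instead of silently matching the wrong addresses. The function names, the size threshold and the signature table are constructed for illustration, the two range lines are the ones quoted in the post, and the code assumes 64-bit PHP (7.1 or later), where ip2long() returns non-negative integers.

```php
<?php
// Added example (not ZB Block's iprange()): a range matcher that validates its
// bounds, plus a lint pass over a signature table so an inverted low/high pair
// like the one in the post is reported rather than blocking the wrong users.
// Assumes 64-bit PHP 7.1+, where ip2long() yields non-negative integers.

/**
 * Validate a low..high IPv4 range. Returns null when it is usable, otherwise a
 * human-readable description of the problem.
 */
function range_problem(string $low, string $high): ?string
{
    $l = ip2long($low);
    $h = ip2long($high);
    if ($l === false || $h === false) {
        return "malformed address in {$low} - {$high}";
    }
    if ($l > $h) {
        return "low bound {$low} is above high bound {$high} (inverted range)";
    }
    $size = $h - $l + 1;
    if ($size > 65536) {
        // Threshold chosen for this example: wider than a /16 is almost certainly
        // not the "256 known addresses" a hosting-block entry is meant to cover.
        return sprintf('range %s - %s covers %d addresses (wider than a /16)', $low, $high, $size);
    }
    return null;
}

/**
 * Match an address against a validated range. Inverted or malformed ranges throw
 * instead of matching, so a typo fails loudly when the signatures load.
 */
function iprange_checked(string $address, string $low, string $high, string $reason): array
{
    $problem = range_problem($low, $high);
    if ($problem !== null) {
        throw new InvalidArgumentException("bad signature: {$problem}");
    }
    $a = ip2long($address);
    if ($a === false) {
        return ['hit' => false, 'reason' => ''];
    }
    $hit = $a >= ip2long($low) && $a <= ip2long($high);
    return ['hit' => $hit, 'reason' => $hit ? $reason : ''];
}

// Constructed signature table: the typo from the post and its corrected form.
$signatures = [
    ['79.143.177.0', '78.143.177.255', "Netherlands Site Host (doesn't need access to other sites)"],  // typo: 78
    ['79.143.177.0', '79.143.177.255', "Netherlands Site Host (doesn't need access to other sites)"],  // corrected
];

foreach ($signatures as [$low, $high, $why]) {
    $problem = range_problem($low, $high);
    echo $problem === null ? "OK   {$low} - {$high}\n" : "BAD  {$problem}\n";
}

// The Bulgarian user's address from the thread against the corrected range.
$result = iprange_checked('79.100.2.10', '79.143.177.0', '79.143.177.255', 'Netherlands Site Host');
echo 'hit for 79.100.2.10: ' . ($result['hit'] ? 'yes' : 'no') . "\n";
```

Running the lint over a signatures file before deploying it turns a one-character slip into a load-time error rather than a report from a blocked user.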
diabolic.bg
Joined: 30 Nov 2008   Posts: 30   Location: Bulgaria

All is good when the end is good!
I thank you too for the quick reaction!
EDIT
Ha-ha. This IP is the address of my moderator.

Wed Dec 03, 2008 11:41 am
zaphod (Site Admin)
Joined: 28 Jan 2008   Posts: 75

Moderator?

diabolic.bg wrote:
    Ha-ha. This IP is the address of my moderator.

What do you mean by that?
BTW, I want you to know that all range blocks so far have been installed due to bona fide (means: real, known, for sure) 'bot attacks on my site from said IPs.
They look like this when they fail to get past my CAPTCHA (they all fail so far)...

Time of connexion per pages (Beta) :
00-00-04 - /forum/
00-00-04 - /forum/index.php
00-00-21 - /forum/profile.php?mode=register
00-00-00 - /forum/profile.php?mode=register&sid=d67bf8fc1ff84b6fb91de22ef4aaac8f
00-00-03 - /forum/profile.php?mode=register&agreed=true
00-00-28 - /forum/profile.php?mode=register&agreed=true
00-00-06 - /forum/login.php
00-00-02 - /forum/login.php
00-00-04 - /forum/login.php?redirect=
00-00-12 - /forum/
00-00-17 - /forum/viewforum.php?f=8
00-00-16 - /forum/login.php
00-00-03 - /forum/login.php
00-00-09 - /forum/login.php?redirect=
00-00-30 - /forum/
00-00-01 - /forum/login.php?redirect=posting.php&mode=newtopic&f=8
00-00-08 - /forum/viewforum.php?f=10
00-00-04 - /forum/login.php
00-00-03 - /forum/login.php
00-00-15 - /forum/login.php?redirect=
00-00-13 - /forum/
00-00-14 - /forum/viewforum.php?f=10&sid=d67bf8fc1ff84b6fb91de22ef4aaac8f
00-12-59 - /forum/login.php

Please note the failure of their OCR to get a proper read on my CAPTCHA, but the pig-headedness of the script believing that it had done well. (Part of the evil of my CAPTCHA is that the contrast makes the OCR system assume an easy read.)
Anyway, when I see a FAIL like that I check the IP address against http://www.senderbase.org , http://trustedsource.org and http://www.botsvsbrowsers.com . If the block is 1. Known bad, or 2. Not registered to an ISP (as in users for your site), or is 3. Not a known spider, it goes on the list.
Zap

Wed Dec 03, 2008 5:43 pm