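/**
 * Screen a POST request for the spambot signatures Bad Behavior knows.
 *
 * Order of checks: blackhole lists, MovableType range check, trackback
 * screening, broken-spambot form-field names, then the timestamp/IP
 * cookie screen. The first check that fires decides the outcome.
 *
 * @param array $settings Bad Behavior settings; 'log_table' is read here
 * @param array $package  the request as assembled by Bad Behavior
 *                        (headers_mixed, request_entity, ip, user_agent)
 * @return string|false   an 8-hex-digit response code, whatever
 *                        bb2_trackback() returns for trackbacks, or false
 *                        to let the request through
 */
function bb2_post($settings, $package) {
    // Check blackhole lists for known spam/malicious activity
    require_once BB2_CORE . "/blackhole.inc.php";
    bb2_test($settings, $package, bb2_blackhole($package));

    // Missing headers are read as empty strings instead of raising notices.
    $headers = isset($package['headers_mixed']) ? $package['headers_mixed'] : array();
    $ua = isset($headers['User-Agent']) ? $headers['User-Agent'] : '';

    // MovableType needs specialized screening: a genuine client always
    // requests this exact byte range.
    if (stripos($ua, "MovableType") !== FALSE) {
        $range = isset($headers['Range']) ? $headers['Range'] : '';
        if (strcmp($range, "bytes=0-99999")) {
            return "7d12528e";
        }
    }

    // Trackbacks need special screening
    $request_entity = isset($package['request_entity']) ? $package['request_entity'] : array();
    if (isset($request_entity['title']) && isset($request_entity['url']) && isset($request_entity['blog_name'])) {
        require_once BB2_CORE . "/trackback.inc.php";
        return bb2_trackback($package);
    }

    // Catch a few completely broken spambots: they leak JavaScript into the
    // names of the form fields they submit.
    if (is_array($request_entity)) {
        foreach (array_keys($request_entity) as $key) {
            if (strpos((string) $key, "\tdocument.write") !== FALSE) {
                return "dfd9b1ad";
            }
        }
    }

    // Screen by cookie/JavaScript form add. Both carry "<timestamp> <ip>";
    // the newer timestamp wins and its IP is the one used below. The
    // timestamp is cast to int because both values are attacker-supplied
    // and a non-numeric string would otherwise blow up the arithmetic.
    $candidates = array();
    if (isset($_COOKIE[BB2_COOKIE])) {
        $candidates[] = explode(" ", $_COOKIE[BB2_COOKIE]);
    }
    if (isset($_POST[BB2_COOKIE])) {
        $candidates[] = explode(" ", $_POST[BB2_COOKIE]);
    }
    $screener = null;
    $screener_ip = '';
    foreach ($candidates as $candidate) {
        $stamp = (int) $candidate[0];
        if ($screener === null || $stamp > $screener) {
            $screener = $stamp;
            $screener_ip = isset($candidate[1]) ? $candidate[1] : '';
        }
    }

    if ($screener > 0) {
        // Posting too fast? 5 sec
        // FIXME: even 5 sec is too intrusive
        // if ($screener + 5 > time())
        //     return "408d7e72";

        // Posting too slow? 48 hr
        if ($screener + 172800 < time()) {
            return "b40c8ddc";
        }

        // Screen by IP address — disabled upstream ("FIXME: This is b0rked,
        // but why?"). One reason was that the old code read $screener[1],
        // i.e. a character of the timestamp string, instead of the IP;
        // $screener_ip above is the actual second field.
        // if (ip2long($package['ip']) && ip2long($screener_ip)
        //     && abs(ip2long($screener_ip) - ip2long($package['ip'])) > 256)
        //     return "c1fa729b";

        // Screen for user agent changes: the same client (by current or
        // cookie IP) connected within the last 5 minutes with a different
        // user agent. The IP, cookie IP and user agent are all
        // client-controlled, so they are escaped before being embedded.
        // NOTE(review): bb2_db_query() in this file rewrites any query that
        // contains 'DATE_SUB' into a log purge, so this SELECT may never run
        // as written against this port's database layer — confirm.
        $q = bb2_db_query("SELECT `ip` FROM " . $settings['log_table']
            . " WHERE (`ip` = '" . bb2_db_escape($package['ip'])
            . "' OR `ip` = '" . bb2_db_escape($screener_ip)
            . "') AND `user_agent` != '" . bb2_db_escape($package['user_agent'])
            . "' AND `date` > DATE_SUB('" . bb2_db_date() . "', INTERVAL 5 MINUTE)");
        // Damnit, too many ways for this to fail :(
        if ($q !== FALSE && $q != NULL && bb2_db_num_rows($q) > 0) {
            return "799165c2";
        }
    }

    return false;
}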
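/**
 * Screen a request against Bad Behavior's user-agent, referer and URL
 * blacklists, then against the local ban table.
 *
 * @param array $settings Bad Behavior settings; 'ban_table' is read here
 * @param array $package  the request as assembled by Bad Behavior
 * @return string|false   a response code ("17f4e8c8" blacklisted user agent,
 *                        "174e8c9" blacklisted referer, "96c0bd29" blacklisted
 *                        URL, "96c0bd30" banned IP) or FALSE to let the
 *                        request through
 */
function bb2_blacklist($settings, $package) {
    // Blacklisted user agents
    // These user agent strings occur at the beginning of the line.
    $bb2_spambots_0 = array("8484 Boston Project", "adwords", "autoemailspider", "blogsearchbot-martin", "BrowserEmulator/", "CherryPicker", "core-project/", "Diamond", "Digger", "ecollector", "EmailCollector", "Email Siphon", "EmailSiphon", "Forum Poster", "grub crawler", "HttpProxy", "Internet Explorer", "ISC Systems iRc", "Jakarta Commons", "Java 1.", "Java/1.", "libwww-perl", "LWP", "lwp", "Microsoft Internet Explorer/", "Microsoft URL", "Missigua", "MJ12bot/v1.0.8", "Morfeus", "Movable Type", "Mozilla/0", "Mozilla/1", "Mozilla/2", "Mozilla/3", "Mozilla/4.0(", "Mozilla/4.0+(compatible;+", "Mozilla/4.0 (Hydra)", "MSIE", "MVAClient", "Nessus", "NutchCVS", "Nutscrape/", "OmniExplorer", "Opera/9.64(", "PMAFind", "psycheclone", "PussyCat ", "PycURL", "Python-urllib", "revolt", "sqlmap/", "Super Happy Fun ", "TrackBack/", "user", "User Agent: ", "User-Agent: ", "w3af", "WebSite-X Suite", "Winnie Poh", "Wordpress", "\"");

    // These user agent strings occur anywhere within the line.
    $bb2_spambots = array("\r", "<sc", "; Widows ", "a href=", "Bad Behavior Test", "compatible ; MSIE", "compatible-", "DTS Agent", "Email Extractor", "Firebird/", "Gecko/2525", "grub-client", "hanzoweb", "Havij", "Indy Library", "Ming Mong", "MSIE 7.0; Windows NT 5.2", "Murzillo compatible", ".NET CLR 1)", ".NET CLR1", "Netsparker", "Nikto/", "Perman Surfer", "POE-Component-Client", "Teh Forest Lobster", "Turing Machine", "Ubuntu/9.25", "unspecified.mail", "User-agent: ", "WebaltBot", "WISEbot", "WISEnutbot", "Win95", "Win98", "WinME", "Win 9x 4.90", "Windows 3", "Windows 95", "Windows 98", "Windows NT 4", "Windows NT;", "Windows NT 5.0;)", "Windows NT 5.1;)", "Windows XP 5", "WordPress/4.01", "Xedant Human Emulator", "ZmEu", "\\\\)", "Bot Banned");

    // These are regular expression matches.
    $bb2_spambots_regex = array("/^[A-Z]{10}\$/", "/[bcdfghjklmnpqrstvwxz ]{8,}/", "/MSIE [2345]/");

    // Blacklisted URL strings
    // These strings are considered case-insensitive.
    $bb2_spambots_url = array("0x31303235343830303536", "../", "..\\", "%60information_schema%60", "+%2F*%21", "+and+%", "+and+1%", "+and+if", "%27--", "%27--", "%27 --", "%27%23", "%27 %23", "benchmark%28", "insert+into+", "r3dm0v3", "select+1+from", "union+all+select", "union+select", "waitfor+delay+", "w00tw00t");

    $bb2_spambot_refer = array("gamesthelife.tr.gg");

    // Do not edit below this line.
    // Missing fields become empty strings; the previous @-suppressed reads
    // also hid every other notice raised on those lines.
    $ua = isset($package['headers_mixed']['User-Agent']) ? $package['headers_mixed']['User-Agent'] : '';
    $uri = isset($package['request_uri']) ? $package['request_uri'] : '';
    // NOTE(review): this reads $package['Referer'], not
    // $package['headers_mixed']['Referer'] as the User-Agent lookup does —
    // confirm which key the caller actually populates.
    $refer = isset($package['Referer']) ? $package['Referer'] : '';

    foreach ($bb2_spambots_0 as $spambot) {
        if (strpos($ua, $spambot) === 0) {
            return "17f4e8c8";
        }
    }

    // custom check for known refers
    // Compared strictly: the old "!= FALSE" test missed a match at offset 0.
    // NOTE(review): this code is 7 hex digits where every other code is 8 —
    // confirm it is the intended value.
    foreach ($bb2_spambot_refer as $spambot) {
        if (strpos($refer, $spambot) !== FALSE) {
            return "174e8c9";
        }
    }

    foreach ($bb2_spambots as $spambot) {
        if (strpos($ua, $spambot) !== FALSE) {
            return "17f4e8c8";
        }
    }

    foreach ($bb2_spambots_regex as $spambot) {
        if (preg_match($spambot, $ua)) {
            return "17f4e8c8";
        }
    }

    foreach ($bb2_spambots_url as $spambot) {
        if (stripos($uri, $spambot) !== FALSE) {
            return "96c0bd29";
        }
    }

    // do our DB check here: is the client's address in the ban table?
    $sql = "SELECT * FROM " . $settings['ban_table'] . " WHERE ip = INET_ATON('" . bb2_db_escape($package['ip']) . "')";
    $result = bb2_db_query($sql);
    // bb2_db_query() in this file hands back FALSE on failure and when no
    // rows matched, so only count rows when there is an actual result.
    if ($result !== FALSE && bb2_db_num_rows($result) > 0) {
        return "96c0bd30";
    }

    return FALSE;
}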
/**
 * Run a query and return the results, if any.
 *
 * This port translates the MySQL-only statements Bad Behavior issues:
 * anything mentioning DATE_SUB is replaced by a purge of old
 * log_badbehavior rows, and OPTIMIZE TABLE / @@session.wait_timeout
 * statements are acknowledged without ever reaching the database.
 * NOTE(review): the purge subtracts seconds from bb2_db_date(), i.e. it
 * expects a unix timestamp, while bb2_post() embeds the same value inside
 * DATE_SUB('...') as a date string — confirm which one this port returns.
 *
 * Should return FALSE if an error occurred.
 * Bad Behavior will use the return value here in other callbacks.
 *
 * @param string $query
 * @return bool|mixed FALSE on failure or when a SELECT matched nothing,
 *                    the affected-rows test for non-result statements,
 *                    otherwise whatever bb2_db_rows() returns
 */
function bb2_db_query($query) {
    $database = database();

    // First fix the horrors caused by bb's support of only mysql
    // ok they are right its my horror :P
    if (strpos($query, 'DATE_SUB') !== false) {
        $query = 'DELETE FROM {db_prefix}log_badbehavior WHERE date < ' . (bb2_db_date() - 7 * 86400);
    } else {
        // Statements that are answered as a no-op success.
        foreach (array('OPTIMIZE TABLE', '@@session.wait_timeout') as $passthrough) {
            if (strpos($query, $passthrough) !== false) {
                return true;
            }
        }
    }

    // Run the query, return success, failure or the actual results
    $result = $database->query('', $query, array());
    if (!$result) {
        return false;
    }
    if ($result === true) {
        return bb2_db_affected_rows() !== 0;
    }
    if (bb2_db_num_rows($result) === 0) {
        return false;
    }

    return bb2_db_rows($result);
}