/**
 * Records a denied request in the log table, provided logging is enabled.
 *
 * @param array  $settings     Bad Behavior settings; only 'logging' is read here.
 * @param array  $package      Request package, passed through to bb2_insert().
 * @param string $key          Response code of the denial (the log row's key).
 * @param mixed  $previous_key Not used by this variant; kept for call-site compatibility.
 * @return void
 */
function bb2_log_denial($settings, $package, $key, $previous_key = false)
{
    // The administrator can switch logging off entirely.
    if (!$settings['logging']) {
        return;
    }
    $insert_sql = bb2_insert($settings, $package, $key);
    bb2_db_query($insert_sql);
}
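/**
 * Looks the client address up in Project Honey Pot's http:BL DNS blacklist.
 *
 * The access key is prepended to the reversed IPv4 address to build the query
 * name. The answer's four octets are read as: [0] 127 marker, [1] age compared
 * against 'httpbl_maxage', [2] score compared against 'httpbl_threat', and
 * [3] a type value whose low three bits mark a threat and whose value 0 marks
 * a search engine (interpretation follows the setting names used here).
 *
 * @param array $settings Reads 'httpbl_key', 'httpbl_threat', 'httpbl_maxage'.
 * @param array $package  Request package; only 'ip' is used.
 * @return string|int|false '2b021b1f' for a listed threat within the configured
 *                          thresholds, 1 for a search engine, false when not
 *                          listed, not configured, or not an IPv4 address.
 */
function bb2_httpbl($settings, $package)
{
    // Can't use IPv6 addresses yet (is_ipv6() is a project helper).
    if (!isset($package['ip']) || is_ipv6($package['ip'])) {
        return false;
    }
    // Without an access key there is nothing to query.
    if (empty($settings['httpbl_key'])) {
        return false;
    }
    // Only a syntactically valid dotted quad can be reversed into a query name;
    // anything else would produce a meaningless DNS lookup.
    if (filter_var($package['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }

    // Workaround for "MySQL server has gone away": the DNS lookup below can
    // take long enough for an idle connection to be dropped.
    bb2_db_query("SET @@session.wait_timeout = 90");

    $reversed = implode('.', array_reverse(explode('.', $package['ip'])));
    $answers = gethostbynamel($settings['httpbl_key'] . ".{$reversed}.dnsbl.httpbl.org.");
    if (empty($answers)) {
        return false;
    }

    $octets = explode('.', $answers[0]);
    if (count($octets) !== 4) {
        return false;
    }
    $marker = (int) $octets[0];
    $age = (int) $octets[1];
    $threat = (int) $octets[2];
    $type = (int) $octets[3];

    // Check if threat: valid answer, any of the low three type bits set, and the
    // score/age inside the administrator's thresholds.
    if ($marker === 127 && ($type & 7) && $threat >= (int) $settings['httpbl_threat'] && $age <= (int) $settings['httpbl_maxage']) {
        return '2b021b1f';
    }
    // Check if search engine
    if ($type === 0) {
        return 1;
    }
    return false;
}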
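/**
 * Screens a POST request for signs of automated (spam) submission.
 *
 * @param array $settings Reads 'log_table'; also passed to bb2_test().
 * @param array $package  Request package: 'ip', 'user_agent', 'headers_mixed'
 *                        (User-Agent, Range) and 'request_entity'.
 * @return string|false An eight-character response code when the request is
 *                      rejected, otherwise false.
 */
function bb2_post($settings, $package)
{
    // Check blackhole lists for known spam/malicious activity
    require_once BB2_CORE . "/blackhole.inc.php";
    bb2_test($settings, $package, bb2_blackhole($package));

    // MovableType needs specialized screening
    $user_agent_header = isset($package['headers_mixed']['User-Agent']) ? $package['headers_mixed']['User-Agent'] : '';
    if (stripos($user_agent_header, "MovableType") !== false) {
        $range = isset($package['headers_mixed']['Range']) ? $package['headers_mixed']['Range'] : '';
        if (strcmp($range, "bytes=0-99999")) {
            return "7d12528e";
        }
    }

    // Trackbacks need special screening
    $request_entity = (isset($package['request_entity']) && is_array($package['request_entity'])) ? $package['request_entity'] : array();
    if (isset($request_entity['title']) && isset($request_entity['url']) && isset($request_entity['blog_name'])) {
        require_once BB2_CORE . "/trackback.inc.php";
        return bb2_trackback($package);
    }

    // Catch a few completely broken spambots: they leak script source into
    // the submitted field names.
    foreach (array_keys($request_entity) as $field_name) {
        if (strpos((string) $field_name, "\tdocument.write") !== false) {
            return "dfd9b1ad";
        }
    }

    // Screen by cookie/JavaScript form add. Each value is "<timestamp> <ip>";
    // both the cookie and the POST field are client-supplied.
    $screener1 = isset($_COOKIE[BB2_COOKIE]) ? explode(" ", $_COOKIE[BB2_COOKIE]) : array();
    $screener2 = isset($_POST[BB2_COOKIE]) ? explode(" ", $_POST[BB2_COOKIE]) : array();
    $time1 = isset($screener1[0]) ? (int) $screener1[0] : 0;
    $time2 = isset($screener2[0]) ? (int) $screener2[0] : 0;
    // Take the more recent record and remember which source it came from, so the
    // IP field is read from the same record. (The original indexed the scalar
    // result of max(), which yields a digit of the timestamp rather than the IP.)
    if ($time1 >= $time2) {
        $screener_time = $time1;
        $screener_ip = isset($screener1[1]) ? $screener1[1] : '';
    } else {
        $screener_time = $time2;
        $screener_ip = isset($screener2[1]) ? $screener2[1] : '';
    }

    if ($screener_time > 0) {
        // Posting too fast? 5 sec
        // FIXME: even 5 sec is too intrusive
        // if ($screener_time + 5 > time())
        //     return "408d7e72";

        // Posting too slow? 48 hr
        if ($screener_time + 172800 < time()) {
            return "b40c8ddc";
        }

        // Screen by IP address
        // FIXME: disabled; an ip2long() distance is not a meaningful "same network" test.
        // if (ip2long($package['ip']) && ip2long($screener_ip) && abs(ip2long($screener_ip) - ip2long($package['ip'])) > 256)
        //     return "c1fa729b";

        // Screen for user agent changes: the same client (by address or by the
        // address recorded in the screener) connected within the last five
        // minutes with a different user agent. Every interpolated value is
        // client-supplied, so each is escaped before it enters the query.
        $q = bb2_db_query(
            "SELECT `ip` FROM " . $settings['log_table']
            . " WHERE (`ip` = '" . bb2_db_escape($package['ip']) . "' OR `ip` = '" . bb2_db_escape($screener_ip) . "')"
            . " AND `user_agent` != '" . bb2_db_escape($package['user_agent']) . "'"
            . " AND `date` > DATE_SUB('" . bb2_db_date() . "', INTERVAL 5 MINUTE)"
        );
        // Damnit, too many ways for this to fail :( -- the query helper may hand
        // back false, null, or an empty result set.
        if ($q !== false && $q != null && bb2_db_num_rows($q) > 0) {
            return "799165c2";
        }
    }
    return false;
}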
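/**
 * Prunes log rows older than seven days and, occasionally, stalls the request.
 *
 * @param array $settings Reads 'log_table'.
 * @param array $package  Unused by this variant; kept for call-site compatibility.
 * @return void
 */
function bb2_housekeeping($settings, $package)
{
    // FIXME Yes, the interval's hard coded (again) for now.
    // bb2_db_date() is used elsewhere in this file as a date string inside
    // DATE_SUB('...'), so the cut-off is computed in SQL; subtracting seconds
    // from that string (as this variant previously did) does not yield a date.
    $query = "DELETE FROM `" . $settings['log_table'] . "` WHERE `date` < DATE_SUB('" . bb2_db_date() . "', INTERVAL 7 DAY)";
    bb2_db_query($query);

    // Waste a bunch more of the spammer's time, sometimes.
    if (rand(1, 1000) === 1) {
        sleep(10);
    }
}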
/**
 * Prunes log rows older than seven days and, occasionally, optimises the table.
 *
 * @param array $settings Reads 'log_table'.
 * @param array $package  Unused by this variant; kept for call-site compatibility.
 * @return void
 */
function bb2_housekeeping($settings, $package)
{
    // FIXME Yes, the interval's hard coded (again) for now.
    $table = "`" . $settings['log_table'] . "`";
    bb2_db_query("DELETE FROM " . $table . " WHERE `date` < DATE_SUB('" . bb2_db_date() . "', INTERVAL 7 DAY)");

    // Waste a bunch more of the spammer's time, sometimes: roughly one request
    // in 25 also pays for an OPTIMIZE TABLE.
    if (rand(1, 25) === 1) {
        bb2_db_query("OPTIMIZE TABLE " . $table);
    }
}
/**
 * Handles a request that passed every screen: notifies an optional host
 * callback and decides whether to log the request.
 *
 * @param array $settings Reads 'verbose' and 'logging'.
 * @param array $package  Request package; 'user_agent' decides forced logging.
 * @return void
 */
function bb2_approved($settings, $package)
{
    // Dirk wanted this: a host-defined hook on approved requests.
    if (is_callable('bb2_approved_callback')) {
        bb2_approved_callback($settings, $package);
    }

    // Decide what to log on approved requests: everything when verbose logging
    // is on, and always a request with a blank user agent. Parenthesised to make
    // the && / || precedence explicit.
    $should_log = ($settings['verbose'] && $settings['logging']) || empty($package['user_agent']);
    if ($should_log) {
        bb2_db_query(bb2_insert($settings, $package, "00000000"));
    }
}
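/**
 * Rejects requests whose user agent, referer or URL matches a known-bad
 * pattern, or whose address is present in the ban table.
 *
 * @param array $settings Reads 'ban_table'.
 * @param array $package  Request package: 'headers_mixed' (User-Agent),
 *                        'request_uri', 'Referer', 'ip'.
 * @return string|false An eight-character response code when rejected, else false.
 */
function bb2_blacklist($settings, $package)
{
    // Blacklisted user agents
    // These user agent strings occur at the beginning of the line.
    $bb2_spambots_0 = ["8484 Boston Project", "adwords", "autoemailspider", "blogsearchbot-martin", "BrowserEmulator/", "CherryPicker", "core-project/", "Diamond", "Digger", "ecollector", "EmailCollector", "Email Siphon", "EmailSiphon", "Forum Poster", "grub crawler", "HttpProxy", "Internet Explorer", "ISC Systems iRc", "Jakarta Commons", "Java 1.", "Java/1.", "libwww-perl", "LWP", "lwp", "Microsoft Internet Explorer/", "Microsoft URL", "Missigua", "MJ12bot/v1.0.8", "Morfeus", "Movable Type", "Mozilla/0", "Mozilla/1", "Mozilla/2", "Mozilla/3", "Mozilla/4.0(", "Mozilla/4.0+(compatible;+", "Mozilla/4.0 (Hydra)", "MSIE", "MVAClient", "Nessus", "NutchCVS", "Nutscrape/", "OmniExplorer", "Opera/9.64(", "PMAFind", "psycheclone", "PussyCat ", "PycURL", "Python-urllib", "revolt", "sqlmap/", "Super Happy Fun ", "TrackBack/", "user", "User Agent: ", "User-Agent: ", "w3af", "WebSite-X Suite", "Winnie Poh", "Wordpress", "\""];
    // These user agent strings occur anywhere within the line.
    $bb2_spambots = ["\r", "<sc", "; Widows ", "a href=", "Bad Behavior Test", "compatible ; MSIE", "compatible-", "DTS Agent", "Email Extractor", "Firebird/", "Gecko/2525", "grub-client", "hanzoweb", "Havij", "Indy Library", "Ming Mong", "MSIE 7.0; Windows NT 5.2", "Murzillo compatible", ".NET CLR 1)", ".NET CLR1", "Netsparker", "Nikto/", "Perman Surfer", "POE-Component-Client", "Teh Forest Lobster", "Turing Machine", "Ubuntu/9.25", "unspecified.mail", "User-agent: ", "WebaltBot", "WISEbot", "WISEnutbot", "Win95", "Win98", "WinME", "Win 9x 4.90", "Windows 3", "Windows 95", "Windows 98", "Windows NT 4", "Windows NT;", "Windows NT 5.0;)", "Windows NT 5.1;)", "Windows XP 5", "WordPress/4.01", "Xedant Human Emulator", "ZmEu", "\\\\)", "Bot Banned"];
    // These are regular expression matches.
    $bb2_spambots_regex = ["/^[A-Z]{10}\$/", "/[bcdfghjklmnpqrstvwxz ]{8,}/", "/MSIE [2345]/"];
    // Blacklisted URL strings
    // These strings are considered case-insensitive.
    $bb2_spambots_url = ["0x31303235343830303536", "../", "..\\", "%60information_schema%60", "+%2F*%21", "+and+%", "+and+1%", "+and+if", "%27--", "%27--", "%27 --", "%27%23", "%27 %23", "benchmark%28", "insert+into+", "r3dm0v3", "select+1+from", "union+all+select", "union+select", "waitfor+delay+", "w00tw00t"];
    $bb2_spambot_refer = ["gamesthelife.tr.gg"];

    // Do not edit below this line.
    // Missing fields default to '' instead of being read under @-suppression, so
    // a request without the header is still screened (and never passes null on).
    $ua = isset($package['headers_mixed']['User-Agent']) ? $package['headers_mixed']['User-Agent'] : '';
    $uri = isset($package['request_uri']) ? $package['request_uri'] : '';
    // NOTE(review): the referer is read from the top-level key 'Referer' while
    // the user agent comes from 'headers_mixed'; confirm which key the package
    // builder actually populates.
    $refer = isset($package['Referer']) ? $package['Referer'] : '';

    foreach ($bb2_spambots_0 as $spambot) {
        if (strpos($ua, $spambot) === 0) {
            return "17f4e8c8";
        }
    }
    // custom check for known refers
    // Compared with !== : the previous loose "!= FALSE" discarded a match at
    // offset 0, i.e. a referer that starts with the listed host.
    foreach ($bb2_spambot_refer as $spambot) {
        if (strpos($refer, $spambot) !== false) {
            return "174e8c9";
        }
    }
    foreach ($bb2_spambots as $spambot) {
        if (strpos($ua, $spambot) !== false) {
            return "17f4e8c8";
        }
    }
    foreach ($bb2_spambots_regex as $spambot) {
        if (preg_match($spambot, $ua)) {
            return "17f4e8c8";
        }
    }
    foreach ($bb2_spambots_url as $spambot) {
        if (stripos($uri, $spambot) !== false) {
            return "96c0bd29";
        }
    }

    // do our DB check here; the address is escaped before it enters the query
    $ip = $package['ip'];
    $sql = "SELECT * FROM " . $settings['ban_table'] . " WHERE ip = INET_ATON('" . bb2_db_escape($ip) . "')";
    $result = bb2_db_query($sql);
    // A failed query (false) must not be handed to the row counter.
    if ($result !== false && bb2_db_num_rows($result) > 0) {
        return "96c0bd30";
    }
    return false;
}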
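/**
 * Screens a POST request for signs of automated (spam) submission.
 * Variant without settings: only header, trackback, field-name and
 * screener-timestamp checks are performed.
 *
 * @param array $package Request package: 'headers_mixed' (User-Agent, Range)
 *                       and 'request_entity'.
 * @return string|false An eight-character response code when rejected, else false.
 */
function bb2_post($package)
{
    // MovableType needs specialized screening
    $user_agent_header = isset($package['headers_mixed']['User-Agent']) ? $package['headers_mixed']['User-Agent'] : '';
    if (stripos($user_agent_header, "MovableType") !== false) {
        $range = isset($package['headers_mixed']['Range']) ? $package['headers_mixed']['Range'] : '';
        if (strcmp($range, "bytes=0-99999")) {
            return "7d12528e";
        }
    }

    // Trackbacks need special screening
    $request_entity = (isset($package['request_entity']) && is_array($package['request_entity'])) ? $package['request_entity'] : array();
    if (isset($request_entity['title']) && isset($request_entity['url']) && isset($request_entity['blog_name'])) {
        require_once BB2_CORE . "/trackback.inc.php";
        return bb2_trackback($package);
    }

    // Catch a few broken spambots
    if (isset($request_entity[' document.write(Math.round ('])) {
        return "dfd9b1ad";
    }

    // Screen by cookie/JavaScript form add. Each value is "<timestamp> <ip>";
    // both the cookie and the POST field are client-supplied. The previous
    // code read $screener[0] (undefined) where $screener1[0] was meant.
    $screener1 = isset($_COOKIE[BB2_COOKIE]) ? explode(" ", $_COOKIE[BB2_COOKIE]) : array();
    $screener2 = isset($_POST[BB2_COOKIE]) ? explode(" ", $_POST[BB2_COOKIE]) : array();
    $time1 = isset($screener1[0]) ? (int) $screener1[0] : 0;
    $time2 = isset($screener2[0]) ? (int) $screener2[0] : 0;
    $screener_time = max($time1, $time2);

    if ($screener_time > 0) {
        // Posting too fast? 5 sec
        // FIXME: even 5 sec is too intrusive
        // if ($screener_time + 5 > time())
        //     return "408d7e72";

        // Posting too slow? 48 hr
        if ($screener_time + 172800 < time()) {
            return "b40c8ddc";
        }
    }

    // The IP-distance and user-agent-change screens that followed here were
    // unreachable (an unconditional return preceded them, and the user-agent
    // query referenced a $settings variable this function never receives).
    // They are omitted until the function is given the settings it needs; the
    // $settings-taking variant of bb2_post() carries the working versions.
    return false;
}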
/**
 * Creates the log table unless the host has defined BB2_NO_CREATE.
 *
 * @return void
 */
function bb2_install()
{
    $settings = bb2_read_settings();
    // BB2_NO_CREATE opts out of automatic table creation.
    if (defined('BB2_NO_CREATE')) {
        return;
    }
    $ddl = bb2_table_structure($settings['log_table']);
    bb2_db_query($ddl);
}
/**
 * Creates the log table on first run and records that it was installed.
 *
 * @return void
 */
function bb2_install()
{
    $settings = bb2_read_settings();
    // Already installed: nothing to do.
    if ($settings['is_installed']) {
        return;
    }
    bb2_db_query(bb2_table_structure($settings['log_table']));
    $settings['is_installed'] = true;
    bb2_write_settings($settings);
}
/**
 * Display Statistics (default off)
 * Enabling this option will return a string to add a blurb to your site footer
 * advertising Bad Behavior's presence and the number of recently blocked requests.
 *
 * This option is not available or has no effect when logging is not in use.
 *
 * @param bool $force Produce the blurb even when 'display_stats' is off.
 * @return string|null The formatted blurb, or null when disabled or when the
 *                     count query failed.
 */
function bb2_insert_stats($force = false)
{
    global $txt;

    $settings = bb2_read_settings();
    if (!$force && !$settings['display_stats']) {
        return;
    }

    // Get the blocked count ... cache this as well (15 minutes).
    // NOTE(review): the query has no date filter; the "last 7 days" window in
    // the language string depends on how often the log table is pruned.
    $bb2_blocked = cache_get_data('bb2_blocked', 900);
    if ($bb2_blocked === null) {
        $bb2_blocked = bb2_db_query('SELECT COUNT(*) FROM {db_prefix}log_badbehavior WHERE `valid` NOT LIKE \'00000000\'');
        cache_put_data('bb2_blocked', $bb2_blocked, 900);
    }
    if ($bb2_blocked === false) {
        return;
    }
    return sprintf($txt['badbehavior_blocked'], $bb2_blocked[0]['COUNT(*)']);
}
/**
 * Prints the "Bad Behavior has blocked N access attempts" blurb and, when a
 * screening result was stashed in $bb2_result, an HTML comment reporting it.
 *
 * @param bool $force Print the blurb even when 'display_stats' is off.
 * @return void
 */
function bb2_insert_stats($force = false)
{
    global $bb2_result;

    $settings = bb2_read_settings();
    if ($force || $settings['display_stats']) {
        $blocked = bb2_db_query("SELECT COUNT(*) FROM " . $settings['log_table'] . " WHERE `key` NOT LIKE '00000000'");
        if ($blocked !== false) {
            printf('<p><a href="http://bad-behavior.ioerror.us/">%1$s</a> %2$s <strong>%3$s</strong> %4$s</p>', __('Bad Behavior'), __('has blocked'), $blocked[0]["COUNT(*)"], __('access attempts in the last 7 days.'));
        }
    }

    // A stashed result is reported as a "would have been blocked" comment;
    // empty() never raises a notice, so no @-suppression is needed here.
    if (!empty($bb2_result)) {
        printf("\n<!-- Bad Behavior result was %s! This request would have been blocked. -->\n", $bb2_result);
        unset($bb2_result);
    }
}
/**
 * Records a denied request in the log table (this variant always logs).
 *
 * @param array  $settings     Bad Behavior settings, passed through to bb2_insert().
 * @param array  $package      Request package, passed through to bb2_insert().
 * @param string $key          Response code of the denial (the log row's key).
 * @param mixed  $previous_key Not used by this variant; kept for call-site compatibility.
 * @return void
 */
function bb2_log_denial($settings, $package, $key, $previous_key = false)
{
    $insert_sql = bb2_insert($settings, $package, $key);
    bb2_db_query($insert_sql);
}
/**
 * Creates the log table unconditionally (this variant has no install flag).
 *
 * @return void
 */
function bb2_install()
{
    $settings = bb2_read_settings();
    $ddl = bb2_table_structure($settings['log_table']);
    bb2_db_query($ddl);
}
/**
 * Publishes the blocked-request count to the framework hive as 'bb2_stats'.
 *
 * @param bool $force Publish even when 'display_stats' is off.
 * @return void
 */
function bb2_insert_stats($force = false)
{
    global $bb_settings, $f3;

    if (!$force && !$bb_settings['display_stats']) {
        return;
    }
    $blocked = bb2_db_query("SELECT COUNT(*) FROM " . $bb_settings['log_table'] . " WHERE `key` NOT LIKE '00000000'");
    // A failed query leaves the hive untouched.
    if ($blocked === false) {
        return;
    }
    $f3->set('bb2_stats', $blocked[0]["COUNT(*)"]);
}
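/**
 * Returns the "Bad Behavior has blocked N access attempts" blurb, memoised
 * per request once it has been built.
 *
 * @param bool $force Build the blurb even when 'display_stats' is off.
 * @return string|null '' when disabled, the blurb when available, or null when
 *                     the count query failed (not memoised, so retried on the
 *                     next call).
 */
function bb2_insert_stats($force = false)
{
    static $retval = null;

    $settings = bb2_read_settings();
    if (!$force && !$settings['display_stats']) {
        return ''; // not cached
    }
    if ($retval !== null) {
        return $retval;
    }

    $blocked = bb2_db_query("SELECT COUNT(*) AS blocked FROM " . $settings['log_table'] . " WHERE `key` NOT LIKE '00000000'");
    // Only fetch rows from a successful query; the previous code fetched first
    // and checked afterwards, handing false to bb2_db_rows() on failure.
    if ($blocked !== false) {
        $row = bb2_db_rows($blocked);
        $retval = sprintf('<p><a href="http://www.bad-behavior.ioerror.us/">%1$s</a> %2$s <strong>%3$s</strong> %4$s</p>', 'Bad Behavior', 'has blocked', $row['blocked'], 'access attempts in the last 7 days.');
    }
    return $retval;
}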
/**
 * Prints the "Bad Behavior has blocked N access attempts" blurb.
 *
 * @param bool $force Print the blurb even when 'display_stats' is off.
 * @return void
 */
function bb2_insert_stats($force = false)
{
    $settings = bb2_read_settings();
    if (!$force && !$settings['display_stats']) {
        return;
    }
    $blocked = bb2_db_query("SELECT COUNT(*) FROM " . $settings['log_table'] . " WHERE `key` NOT LIKE '00000000'");
    if ($blocked === false) {
        return;
    }
    printf('<p><a href="http://www.bad-behavior.ioerror.us/">%1$s</a> %2$s <strong>%3$s</strong> %4$s</p>', __('Bad Behavior'), __('has blocked'), $blocked[0]["COUNT(*)"], __('access attempts in the last 7 days.'));
}
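/**
 * Renders the "Bad Behavior Log" page in the WordPress Tools menu.
 *
 * Reads the filter parameters from $_GET (paged, key, blocked, permitted, ip,
 * user_agent, request_method), queries the log table and prints a paginated
 * table of requests. Every logged value printed here originated from a client
 * request (or from reverse DNS), so each is HTML-escaped at output.
 *
 * @return void
 */
function bb2_manage()
{
    global $wpdb;

    $request_uri = isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : '';
    if (!$request_uri) {
        $request_uri = $_SERVER['SCRIPT_NAME'];
    } # IIS

    $settings = bb2_read_settings();
    $rows_per_page = 100;
    $where = "";

    // Get query variables desired by the user with input validation.
    // (int) rather than 0 + $x: a non-numeric string is a TypeError in PHP 8,
    // and a negative page would produce a negative LIMIT offset.
    $paged = isset($_GET['paged']) ? (int) $_GET['paged'] : 0;
    if ($paged < 1) {
        $paged = 1;
    }

    // Equality filters: query parameter => column. Values are bound through
    // $wpdb->prepare() so they can only ever be compared, never parsed as SQL.
    $equality_filters = array(
        'key' => 'key',
        'ip' => 'ip',
        'user_agent' => 'user_agent',
        'request_method' => 'request_method',
    );
    foreach ($equality_filters as $param => $column) {
        if (!empty($_GET[$param]) && is_string($_GET[$param])) {
            $where .= $wpdb->prepare("AND `{$column}` = %s ", $_GET[$param]);
        }
    }
    if (!empty($_GET['blocked'])) {
        $where .= "AND `key` != '00000000' ";
    } elseif (!empty($_GET['permitted'])) {
        $where .= "AND `key` = '00000000' ";
    }

    // Query the DB based on variables selected. The table name is quoted once
    // here; the previous total-count query was missing its closing backtick.
    $table = "`" . $settings['log_table'] . "`";
    $r = bb2_db_query("SELECT COUNT(id) FROM " . $table);
    $results = bb2_db_rows($r);
    $totalcount = $results ? (int) $results[0]["COUNT(id)"] : 0;
    $r = bb2_db_query("SELECT COUNT(id) FROM " . $table . " WHERE 1=1 " . $where);
    $results = bb2_db_rows($r);
    $count = $results ? (int) $results[0]["COUNT(id)"] : 0;
    // Page count uses the same page size as the LIMIT below (was hard-coded 100).
    $pages = (int) ceil($count / $rows_per_page);
    $r = bb2_db_query("SELECT * FROM " . $table . " WHERE 1=1 " . $where . "ORDER BY `date` DESC LIMIT " . (($paged - 1) * $rows_per_page) . "," . $rows_per_page);
    $results = bb2_db_rows($r);

    // Display rows to the user
    ?>
<div class="wrap">
<?php echo bb2_donate_button(admin_url("tools.php?page=bb2_manage")); ?>
<h2><?php _e("Bad Behavior Log"); ?></h2>
<form method="post" action="<?php echo admin_url("tools.php?page=bb2_manage"); ?>">
<p>For more information please visit the <a href="http://bad-behavior.ioerror.us/">Bad Behavior</a> homepage.</p>
<p>See also: <a href="<?php echo admin_url("options-general.php?page=bb2_options"); ?>">Settings</a> | <a href="<?php echo admin_url("options-general.php?page=bb2_whitelist"); ?>">Whitelist</a></p>
<div class="tablenav">
<?php
    $page_links = paginate_links(array('base' => add_query_arg("paged", "%#%"), 'format' => '', 'total' => $pages, 'current' => $paged));
    if ($page_links) {
        echo "<div class=\"tablenav-pages\">{$page_links}</div>\n";
    }
?>
<div class="alignleft">
<?php
    if ($count < $totalcount) {
        echo "Displaying <strong>" . $count . "</strong> of <strong>" . $totalcount . "</strong> records filtered by:<br/>\n";
        // Active filter => [label, query args removed by its "X" link].
        $filter_labels = array(
            'key' => array('Status', array("paged", "key")),
            'blocked' => array('Blocked', array("paged", "blocked", "permitted")),
            'permitted' => array('Permitted', array("paged", "blocked", "permitted")),
            'ip' => array('IP', array("paged", "ip")),
            'user_agent' => array('User Agent', array("paged", "user_agent")),
            'request_method' => array('GET/POST', array("paged", "request_method")),
        );
        foreach ($filter_labels as $param => $spec) {
            if (!empty($_GET[$param])) {
                echo $spec[0] . " [<a href=\"" . esc_url(remove_query_arg($spec[1], $request_uri)) . "\">X</a>] ";
            }
        }
    } else {
        echo "Displaying all <strong>" . $totalcount . "</strong> records<br/>\n";
    }
    if (empty($_GET['key']) && empty($_GET['blocked'])) {
        echo "<a href=\"" . esc_url(add_query_arg(array("blocked" => "1", "permitted" => "0", "paged" => false), $request_uri)) . "\">Show Blocked</a>\n";
    }
    if (empty($_GET['key']) && empty($_GET['permitted'])) {
        echo "<a href=\"" . esc_url(add_query_arg(array("permitted" => "1", "blocked" => "0", "paged" => false), $request_uri)) . "\">Show Permitted</a>\n";
    }
?>
</div>
</div>
<table class="widefat">
<thead>
<tr>
<th scope="col" class="check-column"><input type="checkbox" onclick="checkAll(document.getElementById('request-filter'));" /></th>
<th scope="col"><?php _e("IP/Date/Status"); ?></th>
<th scope="col"><?php _e("Headers"); ?></th>
<th scope="col"><?php _e("Entity"); ?></th>
</tr>
</thead>
<tbody>
<?php
    $alternate = 0;
    if ($results) {
        foreach ($results as $result) {
            $key = bb2_get_response($result["key"]);
            $row_id = (int) $result["id"];
            $alternate++;
            $row_class = ($alternate % 2) ? "" : " class=\"alternate\"";
            echo "<tr id=\"request-" . $row_id . "\"" . $row_class . " valign=\"top\">\n";
            echo "<th scope=\"row\" class=\"check-column\"><input type=\"checkbox\" name=\"submit[]\" value=\"" . $row_id . "\" /></th>\n";

            $httpbl = bb2_httpbl_lookup($result["ip"]);
            // The reverse-DNS name is controlled by whoever owns the address's
            // PTR record, so it is escaped like any other logged value.
            $host = @gethostbyaddr($result["ip"]);
            if (!strcmp($host, $result["ip"])) {
                $host = "";
            } else {
                $host = htmlspecialchars($host, ENT_QUOTES | ENT_SUBSTITUTE) . "<br/>\n";
            }
            $safe_ip = htmlspecialchars($result["ip"], ENT_QUOTES | ENT_SUBSTITUTE);
            $safe_date = htmlspecialchars($result["date"], ENT_QUOTES | ENT_SUBSTITUTE);
            // NOTE(review): $key["log"] and $httpbl come from project helpers and
            // are printed as they were before; confirm they never carry client data.
            echo "<td><a href=\"" . esc_url(add_query_arg("ip", $result["ip"], remove_query_arg("paged", $request_uri))) . "\">" . $safe_ip . "</a><br/>{$host}<br/>\n"
                . $safe_date . "<br/><br/><a href=\"" . esc_url(add_query_arg("key", $result["key"], remove_query_arg(array("paged", "blocked", "permitted"), $request_uri))) . "\">" . $key["log"] . "</a>\n";
            if ($httpbl) {
                echo "<br/><br/><a href=\"" . esc_url("http://www.projecthoneypot.org/ip_" . $result['ip']) . "\">http:BL</a>:<br/>{$httpbl}\n";
            }
            echo "</td>\n";

            // Headers are escaped first; the user-agent and request-method
            // links are then spliced in using the escaped form of each value,
            // so the page never receives raw header bytes.
            $headers = str_replace("\n", "<br/>\n", htmlspecialchars($result['http_headers'], ENT_QUOTES | ENT_SUBSTITUTE));
            $headers = bb2_manage_link_header_value($headers, $result['user_agent'], "user_agent", $request_uri);
            $headers = bb2_manage_link_header_value($headers, $result['request_method'], "request_method", $request_uri);
            echo "<td>{$headers}</td>\n";
            echo "<td>" . str_replace("\n", "<br/>\n", htmlspecialchars($result["request_entity"], ENT_QUOTES | ENT_SUBSTITUTE)) . "</td>\n";
            echo "</tr>\n";
        }
    }
?>
</tbody>
</table>
<div class="tablenav">
<?php
    $page_links = paginate_links(array('base' => add_query_arg("paged", "%#%"), 'format' => '', 'total' => $pages, 'current' => $paged));
    if ($page_links) {
        echo "<div class=\"tablenav-pages\">{$page_links}</div>\n";
    }
?>
<div class="alignleft">
</div>
</div>
</form>
</div>
<?php
}

/**
 * Turns the first occurrence of $value inside the already HTML-escaped
 * $headers into a link that filters the log on $param = $value.
 *
 * Both the needle and the link text use the same escaping as $headers
 * (ENT_QUOTES | ENT_SUBSTITUTE), so the splice can neither miss a value that
 * contains markup characters nor reintroduce it unescaped.
 *
 * @param string      $headers     Escaped header block with "<br/>\n" line breaks.
 * @param string|null $value       Raw logged value to link (may be empty).
 * @param string      $param       Query parameter the link sets.
 * @param string      $request_uri Current request URI the link is built from.
 * @return string The header block, with the link spliced in when found.
 */
function bb2_manage_link_header_value($headers, $value, $param, $request_uri)
{
    // An empty needle is never linked (and would have warned in strpos()).
    if ($value === null || $value === '') {
        return $headers;
    }
    $escaped_value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE);
    $pos = strpos($headers, $escaped_value);
    if ($pos === false) {
        return $headers;
    }
    $link = "<a href=\"" . esc_url(add_query_arg($param, rawurlencode($value), remove_query_arg("paged", $request_uri))) . "\">" . $escaped_value . "</a>";
    return substr_replace($headers, $link, $pos, strlen($escaped_value));
}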