/**
 * Record a denied request in the log, when logging is switched on.
 *
 * @param array  $settings     Bad Behavior settings; only 'logging' is read here
 * @param array  $package      request data, handed on to bb2_insert()
 * @param string $key          response key of the denial being logged
 * @param mixed  $previous_key accepted for call compatibility; not used here
 */
function bb2_log_denial($settings, $package, $key, $previous_key = false)
{
    $should_log = (bool) $settings['logging'];
    if ($should_log) {
        $insert_sql = bb2_insert($settings, $package, $key);
        bb2_db_query($insert_sql);
    }
}
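/**
 * Look the client address up in Project Honey Pot's http:BL DNS blacklist.
 *
 * The query name is "<key>.<reversed ip>.dnsbl.httpbl.org."; an answer of the
 * form 127.<days>.<threat>.<type> describes the address, no answer means it is
 * not listed. Only plain dotted-quad IPv4 addresses are looked up, so nothing
 * other than a validated address ever becomes part of the DNS label.
 *
 * @param array $settings reads 'httpbl_key', 'httpbl_threat', 'httpbl_maxage'
 * @param array $package  reads 'ip'
 * @return string|int|false '2b021b1f' when the address is listed as a threat at or
 *                          above the configured score and no older than the
 *                          configured age, 1 when listed as a search engine,
 *                          false otherwise (including when http:BL is not configured)
 */
function bb2_httpbl($settings, $package)
{
    $ip_addr = isset($package['ip']) ? (string) $package['ip'] : '';

    // Can't use IPv6 addresses yet
    if ($ip_addr === '' || is_ipv6($ip_addr)) {
        return false;
    }
    // Anything that is not a dotted-quad IPv4 address is not looked up at all
    if (filter_var($ip_addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    if (empty($settings['httpbl_key'])) {
        return false;
    }

    // Workaround for "MySQL server has gone away"
    bb2_db_query("SET @@session.wait_timeout = 90");

    $reversed = implode('.', array_reverse(explode('.', $ip_addr)));
    $result = gethostbynamel($settings['httpbl_key'] . ".{$reversed}.dnsbl.httpbl.org.");
    if (empty($result)) {
        return false;
    }

    $octets = explode('.', $result[0]);
    if (count($octets) !== 4) {
        return false;
    }
    list($marker, $days, $threat, $type) = array_map('intval', $octets);

    // Check if threat: any of the low three bits of the type octet set, threat
    // score at or above the configured minimum, listing not older than allowed
    if ($marker === 127
        && ($type & 7) !== 0
        && $threat >= (int) $settings['httpbl_threat']
        && $days <= (int) $settings['httpbl_maxage']) {
        return '2b021b1f';
    }
    // Check if search engine
    if ($type === 0) {
        return 1;
    }
    return false;
}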
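/**
 * Screen a POST request.
 *
 * Runs the blackhole-list test, then the MovableType, trackback, broken-spambot
 * and form-timing checks. The timing data ("<timestamp> <ip>") comes from the
 * Bad Behavior cookie or form field, i.e. from the client, so it is treated as
 * untrusted and escaped before it is concatenated into SQL.
 *
 * @param array $settings reads 'log_table' (bb2_test()/bb2_blackhole() read their own keys)
 * @param array $package  reads 'headers_mixed', 'request_entity', 'ip', 'user_agent'
 * @return string|false response key when the request is denied, false when it passes
 */
function bb2_post($settings, $package)
{
    // Check blackhole lists for known spam/malicious activity
    require_once BB2_CORE . "/blackhole.inc.php";
    bb2_test($settings, $package, bb2_blackhole($package));

    $headers = (isset($package['headers_mixed']) && is_array($package['headers_mixed'])) ? $package['headers_mixed'] : array();
    $user_agent = isset($headers['User-Agent']) ? (string) $headers['User-Agent'] : '';
    $range = isset($headers['Range']) ? (string) $headers['Range'] : '';

    // MovableType needs specialized screening
    if (stripos($user_agent, "MovableType") !== FALSE) {
        if (strcmp($range, "bytes=0-99999")) {
            return "7d12528e";
        }
    }

    // Trackbacks need special screening
    $request_entity = (isset($package['request_entity']) && is_array($package['request_entity'])) ? $package['request_entity'] : array();
    if (isset($request_entity['title']) && isset($request_entity['url']) && isset($request_entity['blog_name'])) {
        require_once BB2_CORE . "/trackback.inc.php";
        return bb2_trackback($package);
    }

    // Catch a few completely broken spambots: a form field *name* carrying script
    foreach (array_keys($request_entity) as $field) {
        if (strpos((string) $field, "\tdocument.write") !== FALSE) {
            return "dfd9b1ad";
        }
    }

    // Screen by cookie/JavaScript form add. Each source holds "<timestamp> <ip>";
    // the source with the most recent timestamp wins, and its own IP is kept
    // with it (the old code indexed the scalar timestamp, not the IP).
    $screener_time = 0;
    $screener_ip = '';
    $sources = array();
    if (isset($_COOKIE[BB2_COOKIE])) {
        $sources[] = explode(" ", (string) $_COOKIE[BB2_COOKIE]);
    }
    if (isset($_POST[BB2_COOKIE])) {
        $sources[] = explode(" ", (string) $_POST[BB2_COOKIE]);
    }
    foreach ($sources as $parts) {
        $timestamp = (int) $parts[0];
        if ($timestamp > $screener_time) {
            $screener_time = $timestamp;
            $screener_ip = isset($parts[1]) ? $parts[1] : '';
        }
    }

    if ($screener_time > 0) {
        // Posting too fast? 5 sec
        // FIXME: even 5 sec is too intrusive
        // if ($screener_time + 5 > time())
        //	return "408d7e72";
        // Posting too slow? 48 hr
        if ($screener_time + 172800 < time()) {
            return "b40c8ddc";
        }

        // Screen by IP address
        // FIXME: still disabled; when re-enabled it must compare against
        // $screener_ip, the address stored in the cookie.
        // if (ip2long($package['ip']) && ip2long($screener_ip) && abs(ip2long($screener_ip) - ip2long($package['ip'])) > 256)
        //	return "c1fa729b";

        // Screen for user agent changes: a request from either address within
        // the last 5 minutes that carried a different user agent. All three
        // values are client-controlled, so each one is escaped.
        $q = bb2_db_query(
            "SELECT `ip` FROM " . $settings['log_table']
            . " WHERE (`ip` = '" . bb2_db_escape($package['ip'])
            . "' OR `ip` = '" . bb2_db_escape($screener_ip)
            . "') AND `user_agent` != '" . bb2_db_escape($package['user_agent'])
            . "' AND `date` > DATE_SUB('" . bb2_db_date() . "', INTERVAL 5 MINUTE)"
        );
        // Damnit, too many ways for this to fail :(
        if ($q !== FALSE && $q != NULL && bb2_db_num_rows($q) > 0) {
            return "799165c2";
        }
    }
    return false;
}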
/**
 * Purge log rows older than one week and, now and then, stall the request.
 *
 * @param array $settings reads 'log_table'
 * @param array $package  not used here
 */
function bb2_housekeeping($settings, $package)
{
    // FIXME Yes, the interval's hard coded (again) for now.
    $one_week = 60 * 60 * 24 * 7;
    $cutoff = bb2_db_date() - $one_week;
    bb2_db_query("DELETE FROM `" . $settings['log_table'] . "` WHERE `date` < " . $cutoff);

    // Waste a bunch more of the spammer's time, sometimes (one request in a thousand).
    $stall = (rand(1, 1000) == 1);
    if ($stall) {
        sleep(10);
    }
}
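/**
 * Purge old log rows and occasionally optimize the log table.
 *
 * @param array $settings reads 'log_table'
 * @param array $package  not used here
 * @param int   $days     age in days beyond which rows are deleted (default 7,
 *                        the value that used to be hard coded)
 */
function bb2_housekeeping($settings, $package, $days = 7)
{
    // The interval is cast to int before it is placed in the statement.
    $days = (int) $days;
    $query = "DELETE FROM `" . $settings['log_table'] . "` WHERE `date` < DATE_SUB('" . bb2_db_date() . "', INTERVAL " . $days . " DAY)";
    bb2_db_query($query);

    // Waste a bunch more of the spammer's time, sometimes (one request in 25).
    if (rand(1, 25) == 1) {
        $query = "OPTIMIZE TABLE `" . $settings['log_table'] . "`";
        bb2_db_query($query);
    }
}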
/**
 * Handle a request that passed every screen.
 *
 * Calls the optional bb2_approved_callback() hook, then logs the request with
 * the "00000000" (approved) key when verbose logging is on, or when the request
 * carried no user agent at all.
 *
 * @param array $settings reads 'verbose', 'logging'
 * @param array $package  reads 'user_agent'; passed on to the callback and bb2_insert()
 */
function bb2_approved($settings, $package)
{
    // Dirk wanted this
    $has_hook = is_callable('bb2_approved_callback');
    if ($has_hook) {
        bb2_approved_callback($settings, $package);
    }

    // Decide what to log on approved requests. && binds tighter than ||,
    // so this is the grouping the original expression already had.
    $verbose_logging = ($settings['verbose'] && $settings['logging']);
    $blank_user_agent = empty($package['user_agent']);
    if ($verbose_logging || $blank_user_agent) {
        bb2_db_query(bb2_insert($settings, $package, "00000000"));
    }
}
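/**
 * Match the request against the static blacklists and the IP ban table.
 *
 * Order of checks: user agents that must appear at the start of the string,
 * referers, user agents that may appear anywhere, user-agent regexes,
 * case-insensitive URL fragments, then the ban table (the IP is escaped with
 * bb2_db_escape() before it is placed in the query).
 *
 * @param array $settings reads 'ban_table'
 * @param array $package  reads 'headers_mixed' (User-Agent), 'request_uri', 'Referer', 'ip'
 * @return string|false response key on a match, FALSE when nothing matched
 */
function bb2_blacklist($settings, $package)
{
    // Blacklisted user agents
    // These user agent strings occur at the beginning of the line.
    $bb2_spambots_0 = array("8484 Boston Project", "adwords", "autoemailspider", "blogsearchbot-martin", "BrowserEmulator/", "CherryPicker", "core-project/", "Diamond", "Digger", "ecollector", "EmailCollector", "Email Siphon", "EmailSiphon", "Forum Poster", "grub crawler", "HttpProxy", "Internet Explorer", "ISC Systems iRc", "Jakarta Commons", "Java 1.", "Java/1.", "libwww-perl", "LWP", "lwp", "Microsoft Internet Explorer/", "Microsoft URL", "Missigua", "MJ12bot/v1.0.8", "Morfeus", "Movable Type", "Mozilla/0", "Mozilla/1", "Mozilla/2", "Mozilla/3", "Mozilla/4.0(", "Mozilla/4.0+(compatible;+", "Mozilla/4.0 (Hydra)", "MSIE", "MVAClient", "Nessus", "NutchCVS", "Nutscrape/", "OmniExplorer", "Opera/9.64(", "PMAFind", "psycheclone", "PussyCat ", "PycURL", "Python-urllib", "revolt", "sqlmap/", "Super Happy Fun ", "TrackBack/", "user", "User Agent: ", "User-Agent: ", "w3af", "WebSite-X Suite", "Winnie Poh", "Wordpress", "\"");
    // These user agent strings occur anywhere within the line.
    $bb2_spambots = array("\r", "<sc", "; Widows ", "a href=", "Bad Behavior Test", "compatible ; MSIE", "compatible-", "DTS Agent", "Email Extractor", "Firebird/", "Gecko/2525", "grub-client", "hanzoweb", "Havij", "Indy Library", "Ming Mong", "MSIE 7.0;  Windows NT 5.2", "Murzillo compatible", ".NET CLR 1)", ".NET CLR1", "Netsparker", "Nikto/", "Perman Surfer", "POE-Component-Client", "Teh Forest Lobster", "Turing Machine", "Ubuntu/9.25", "unspecified.mail", "User-agent: ", "WebaltBot", "WISEbot", "WISEnutbot", "Win95", "Win98", "WinME", "Win 9x 4.90", "Windows 3", "Windows 95", "Windows 98", "Windows NT 4", "Windows NT;", "Windows NT 5.0;)", "Windows NT 5.1;)", "Windows XP 5", "WordPress/4.01", "Xedant Human Emulator", "ZmEu", "\\\\)", "Bot Banned");
    // These are regular expression matches.
    $bb2_spambots_regex = array("/^[A-Z]{10}\$/", "/[bcdfghjklmnpqrstvwxz ]{8,}/", "/MSIE [2345]/");
    // Blacklisted URL strings
    // These strings are considered case-insensitive.
    $bb2_spambots_url = array("0x31303235343830303536", "../", "..\\", "%60information_schema%60", "+%2F*%21", "+and+%", "+and+1%", "+and+if", "%27--", "%27--", "%27 --", "%27%23", "%27 %23", "benchmark%28", "insert+into+", "r3dm0v3", "select+1+from", "union+all+select", "union+select", "waitfor+delay+", "w00tw00t");
    $bb2_spambot_refer = array("gamesthelife.tr.gg");

    // Do not edit below this line.
    // Missing fields are read as '' instead of being silenced with @.
    $ua = isset($package['headers_mixed']['User-Agent']) ? (string) $package['headers_mixed']['User-Agent'] : '';
    $uri = isset($package['request_uri']) ? (string) $package['request_uri'] : '';
    $refer = isset($package['Referer']) ? (string) $package['Referer'] : '';

    foreach ($bb2_spambots_0 as $spambot) {
        if (strpos($ua, $spambot) === 0) {
            return "17f4e8c8";
        }
    }
    // custom check for known refers
    // (strict comparison: a match at offset 0 is still a match)
    foreach ($bb2_spambot_refer as $spambot) {
        if (strpos($refer, $spambot) !== FALSE) {
            return "174e8c9";
        }
    }
    foreach ($bb2_spambots as $spambot) {
        if (strpos($ua, $spambot) !== FALSE) {
            return "17f4e8c8";
        }
    }
    foreach ($bb2_spambots_regex as $spambot) {
        if (preg_match($spambot, $ua)) {
            return "17f4e8c8";
        }
    }
    foreach ($bb2_spambots_url as $spambot) {
        if (stripos($uri, $spambot) !== FALSE) {
            return "96c0bd29";
        }
    }

    // do our DB check here
    $ip = isset($package['ip']) ? (string) $package['ip'] : '';
    $sql = "SELECT * FROM " . $settings['ban_table'] . " WHERE ip = INET_ATON('" . bb2_db_escape($ip) . "')";
    $result = bb2_db_query($sql);
    if (bb2_db_num_rows($result) > 0) {
        return "96c0bd30";
    }
    return FALSE;
}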
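/**
 * Screen a POST request (older variant without the log-table lookup).
 *
 * Applies the MovableType, trackback, broken-spambot and form-timing checks.
 * The timing value ("<timestamp> <ip>") is read from the Bad Behavior cookie
 * or form field and is client-supplied.
 *
 * @param array $package reads 'headers_mixed', 'request_entity', 'ip'
 * @return string|false response key when the request is denied, false when it passes
 */
function bb2_post($package)
{
    $headers = (isset($package['headers_mixed']) && is_array($package['headers_mixed'])) ? $package['headers_mixed'] : array();
    $user_agent = isset($headers['User-Agent']) ? (string) $headers['User-Agent'] : '';
    $range = isset($headers['Range']) ? (string) $headers['Range'] : '';

    // MovableType needs specialized screening
    if (stripos($user_agent, "MovableType") !== FALSE) {
        if (strcmp($range, "bytes=0-99999")) {
            return "7d12528e";
        }
    }

    // Trackbacks need special screening
    $request_entity = (isset($package['request_entity']) && is_array($package['request_entity'])) ? $package['request_entity'] : array();
    if (isset($request_entity['title']) && isset($request_entity['url']) && isset($request_entity['blog_name'])) {
        require_once BB2_CORE . "/trackback.inc.php";
        return bb2_trackback($package);
    }

    // Catch a few broken spambots
    if (isset($request_entity['	document.write(Math.round ('])) {
        return "dfd9b1ad";
    }

    // Screen by cookie/JavaScript form add. Each source holds "<timestamp> <ip>";
    // the most recent timestamp wins. (The old code read $screener[0] from a
    // variable that was never assigned; the cookie value is $screener1.)
    $screener = 0;
    $sources = array();
    if (isset($_COOKIE[BB2_COOKIE])) {
        $sources[] = explode(" ", (string) $_COOKIE[BB2_COOKIE]);
    }
    if (isset($_POST[BB2_COOKIE])) {
        $sources[] = explode(" ", (string) $_POST[BB2_COOKIE]);
    }
    foreach ($sources as $parts) {
        $screener = max($screener, (int) $parts[0]);
    }

    if ($screener > 0) {
        // Posting too fast? 5 sec
        // FIXME: even 5 sec is too intrusive
        // if ($screener + 5 > time())
        //	return "408d7e72";
        // Posting too slow? 48 hr
        if ($screener + 172800 < time()) {
            return "b40c8ddc";
        }
    }

    // Screen by IP address
    // FIXME: This is b0rked, but why? (disabled; it compared the request IP
    // with the IP part of the cookie value, which the old code never extracted)
    // if ($ip && $ip_screener && abs($ip_screener - $ip) > 256)
    //	return "c1fa729b";
    //
    // The user-agent-change query that used to follow was unreachable (after an
    // unconditional return) and referenced $settings, which this function does
    // not receive; it has been dropped rather than left as dead code.
    return false;
}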
/**
 * Create the log table, unless BB2_NO_CREATE tells us not to.
 *
 * Reads the settings for the table name; emits nothing and returns nothing.
 */
function bb2_install()
{
    $settings = bb2_read_settings();
    $creation_disabled = defined('BB2_NO_CREATE');
    if ($creation_disabled) {
        return;
    }
    $ddl = bb2_table_structure($settings['log_table']);
    bb2_db_query($ddl);
}
/**
 * Create the log table on first use and remember that it exists.
 *
 * The 'is_installed' flag in the settings is the only guard; once the table
 * statement has run the flag is set and the settings are written back.
 */
function bb2_install()
{
    $settings = bb2_read_settings();
    if ($settings['is_installed']) {
        return;
    }
    bb2_db_query(bb2_table_structure($settings['log_table']));
    $settings['is_installed'] = true;
    bb2_write_settings($settings);
}
/**
 * Display Statistics (default off)
 * Enabling this option will return a string to add a blurb to your site footer
 * advertising Bad Behavior's presence and the number of recently blocked requests.
 *
 * This option is not available or has no effect when logging is not in use.
 *
 * The blocked count is cached for 900 seconds under the key 'bb2_blocked'.
 *
 * @param bool $force return the blurb even when 'display_stats' is off
 * @return string|null the formatted blurb, or null when stats are off or the count query failed
 */
function bb2_insert_stats($force = false)
{
    global $txt;

    $settings = bb2_read_settings();
    if (!$force && !$settings['display_stats']) {
        return;
    }

    // Get the blocked count for the last 7 days ... cache this as well
    $bb2_blocked = cache_get_data('bb2_blocked', 900);
    if ($bb2_blocked === null) {
        $bb2_blocked = bb2_db_query('SELECT COUNT(*) FROM {db_prefix}log_badbehavior WHERE `valid` NOT LIKE \'00000000\'');
        cache_put_data('bb2_blocked', $bb2_blocked, 900);
    }
    if ($bb2_blocked === false) {
        return;
    }
    return sprintf($txt['badbehavior_blocked'], $bb2_blocked[0]['COUNT(*)']);
}
/**
 * Print the "has blocked N access attempts" footer blurb and, in test mode,
 * an HTML comment with the result Bad Behavior would have returned.
 *
 * @param bool $force print the blurb even when 'display_stats' is off
 */
function bb2_insert_stats($force = false)
{
    global $bb2_result;

    $settings = bb2_read_settings();
    $show_stats = $force || $settings['display_stats'];
    if ($show_stats) {
        $blocked = bb2_db_query("SELECT COUNT(*) FROM " . $settings['log_table'] . " WHERE `key` NOT LIKE '00000000'");
        if ($blocked !== FALSE) {
            $template = '<p><a href="http://bad-behavior.ioerror.us/">%1$s</a> %2$s <strong>%3$s</strong> %4$s</p>';
            echo sprintf($template, __('Bad Behavior'), __('has blocked'), $blocked[0]["COUNT(*)"], __('access attempts in the last 7 days.'));
        }
    }

    // $bb2_result is only set when a request would have been blocked; report it once.
    if (!empty($bb2_result)) {
        echo sprintf("\n<!-- Bad Behavior result was %s! This request would have been blocked. -->\n", $bb2_result);
        unset($bb2_result);
    }
}
/**
 * Record a denied request in the log, unconditionally.
 *
 * @param array  $settings     passed on to bb2_insert()
 * @param array  $package      request data, passed on to bb2_insert()
 * @param string $key          response key of the denial
 * @param mixed  $previous_key accepted for call compatibility; not used
 */
function bb2_log_denial($settings, $package, $key, $previous_key = false)
{
    $insert_sql = bb2_insert($settings, $package, $key);
    bb2_db_query($insert_sql);
}
/**
 * Create the log table named in the settings.
 */
function bb2_install()
{
    $settings = bb2_read_settings();
    $ddl = bb2_table_structure($settings['log_table']);
    bb2_db_query($ddl);
}
/**
 * Publish the blocked-request count to the Fat-Free ($f3) hive as 'bb2_stats'.
 *
 * Nothing is set when stats are off or the count query fails.
 *
 * @param bool $force publish even when 'display_stats' is off
 */
function bb2_insert_stats($force = false)
{
    global $bb_settings, $f3;

    $show_stats = $force || $bb_settings['display_stats'];
    if (!$show_stats) {
        return;
    }
    $blocked = bb2_db_query("SELECT COUNT(*) FROM " . $bb_settings['log_table'] . " WHERE `key` NOT LIKE '00000000'");
    if ($blocked === FALSE) {
        return;
    }
    $f3->set('bb2_stats', $blocked[0]["COUNT(*)"]);
}
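/**
 * Build the "has blocked N access attempts" footer blurb.
 *
 * The rendered markup is memoised in a static for the rest of the request.
 *
 * @param bool $force build the blurb even when 'display_stats' is off
 * @return string|null the markup; '' when stats are off (not cached);
 *                     null when the count query failed
 */
function bb2_insert_stats($force = false)
{
    static $retval = null;

    $settings = bb2_read_settings();
    if (!$force && !$settings['display_stats']) {
        // not cached: a later call with $force can still build it
        return '';
    }
    if ($retval !== null) {
        return $retval;
    }

    $blocked = bb2_db_query("SELECT COUNT(*) AS blocked FROM " . $settings['log_table'] . " WHERE `key` NOT LIKE '00000000'");
    // Rows are fetched only from a successful query; the old code fetched first
    // and checked afterwards.
    if ($blocked !== FALSE) {
        $row = bb2_db_rows($blocked);
        // NOTE(review): elsewhere bb2_db_rows() returns a list of rows; confirm
        // that $row['blocked'] (rather than $row[0]['blocked']) is the right index here.
        $retval = sprintf('<p><a href="http://www.bad-behavior.ioerror.us/">%1$s</a> %2$s <strong>%3$s</strong> %4$s</p>', 'Bad Behavior', 'has blocked', $row['blocked'], 'access attempts in the last 7 days.');
    }
    return $retval;
}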
/**
 * Print the "has blocked N access attempts" footer blurb.
 *
 * Prints nothing when stats are off or the count query fails.
 *
 * @param bool $force print even when 'display_stats' is off
 */
function bb2_insert_stats($force = false)
{
    $settings = bb2_read_settings();
    $show_stats = $force || $settings['display_stats'];
    if (!$show_stats) {
        return;
    }
    $blocked = bb2_db_query("SELECT COUNT(*) FROM " . $settings['log_table'] . " WHERE `key` NOT LIKE '00000000'");
    if ($blocked === FALSE) {
        return;
    }
    $template = '<p><a href="http://www.bad-behavior.ioerror.us/">%1$s</a> %2$s <strong>%3$s</strong> %4$s</p>';
    echo sprintf($template, __('Bad Behavior'), __('has blocked'), $blocked[0]["COUNT(*)"], __('access attempts in the last 7 days.'));
}
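/**
 * Render the "Bad Behavior Log" page in the WordPress admin.
 *
 * Optional filters arrive in the query string (paged, key, blocked, permitted,
 * ip, user_agent, request_method). Each one is escaped with esc_sql() before it
 * is concatenated into the WHERE clause, and every logged value is HTML-escaped
 * before it is printed: the log rows hold request data sent by the clients that
 * were screened, and the reverse-DNS name is published by whoever controls the
 * address's reverse zone.
 *
 * Prints the page directly; returns nothing.
 */
function bb2_manage()
{
    $request_uri = isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : '';
    if (!$request_uri) {
        $request_uri = $_SERVER['SCRIPT_NAME'];    # IIS
    }

    $settings = bb2_read_settings();
    $rows_per_page = 100;

    // Get query variables desired by the user with input validation.
    // Each filter is read once as a string; '' means "not supplied".
    $filter = array();
    foreach (array('key', 'blocked', 'permitted', 'ip', 'user_agent', 'request_method') as $name) {
        $filter[$name] = isset($_GET[$name]) ? (string) $_GET[$name] : '';
    }
    // The page number is cast (0 + "abc" is rejected by PHP 8) and clamped so
    // the LIMIT offset below can never go negative.
    $paged = isset($_GET['paged']) ? (int) $_GET['paged'] : 0;
    if ($paged < 1) {
        $paged = 1;
    }

    $where = "";
    if ($filter['key']) {
        $where .= "AND `key` = '" . esc_sql($filter['key']) . "' ";
    }
    if ($filter['blocked']) {
        $where .= "AND `key` != '00000000' ";
    } elseif ($filter['permitted']) {
        $where .= "AND `key` = '00000000' ";
    }
    if ($filter['ip']) {
        $where .= "AND `ip` = '" . esc_sql($filter['ip']) . "' ";
    }
    if ($filter['user_agent']) {
        $where .= "AND `user_agent` = '" . esc_sql($filter['user_agent']) . "' ";
    }
    if ($filter['request_method']) {
        $where .= "AND `request_method` = '" . esc_sql($filter['request_method']) . "' ";
    }

    // Query the DB based on variables selected
    $log_table = "`" . $settings['log_table'] . "`";
    // (the unfiltered count used to lack the closing backtick)
    $r = bb2_db_query("SELECT COUNT(id) FROM " . $log_table);
    $results = bb2_db_rows($r);
    $totalcount = $results[0]["COUNT(id)"];
    $r = bb2_db_query("SELECT COUNT(id) FROM " . $log_table . " WHERE 1=1 " . $where);
    $results = bb2_db_rows($r);
    $count = $results[0]["COUNT(id)"];
    $pages = ceil($count / $rows_per_page);
    $offset = ($paged - 1) * $rows_per_page;
    $r = bb2_db_query("SELECT * FROM " . $log_table . " WHERE 1=1 " . $where . "ORDER BY `date` DESC LIMIT " . $offset . "," . $rows_per_page);
    $results = bb2_db_rows($r);

    // Display rows to the user
    ?>
<div class="wrap">
<?php echo bb2_donate_button(admin_url("tools.php?page=bb2_manage")); ?>
<h2><?php _e("Bad Behavior Log"); ?></h2>
<form method="post" action="<?php echo admin_url("tools.php?page=bb2_manage"); ?>">
	<p>For more information please visit the <a href="http://bad-behavior.ioerror.us/">Bad Behavior</a> homepage.</p>
	<p>See also: <a href="<?php echo admin_url("options-general.php?page=bb2_options"); ?>">Settings</a> | <a href="<?php echo admin_url("options-general.php?page=bb2_whitelist"); ?>">Whitelist</a></p>
<div class="tablenav">
<?php
    $page_links = paginate_links(array('base' => add_query_arg("paged", "%#%"), 'format' => '', 'total' => $pages, 'current' => $paged));
    if ($page_links) {
        echo "<div class=\"tablenav-pages\">{$page_links}</div>\n";
    }
?>
<div class="alignleft">
<?php
    if ($count < $totalcount) {
        ?>
Displaying <strong><?php echo (int) $count; ?></strong> of <strong><?php echo (int) $totalcount; ?></strong> records filtered by:<br/>
<?php
        // Each active filter gets an "[X]" link that drops it from the URL.
        $remove_links = array(
            'key' => array("Status", array("paged", "key")),
            'blocked' => array("Blocked", array("paged", "blocked", "permitted")),
            'permitted' => array("Permitted", array("paged", "blocked", "permitted")),
            'ip' => array("IP", array("paged", "ip")),
            'user_agent' => array("User Agent", array("paged", "user_agent")),
            'request_method' => array("GET/POST", array("paged", "request_method")),
        );
        foreach ($remove_links as $name => $spec) {
            if ($filter[$name]) {
                echo $spec[0] . " [<a href=\"" . esc_url(remove_query_arg($spec[1], $request_uri)) . "\">X</a>] ";
            }
        }
    } else {
        ?>
Displaying all <strong><?php echo (int) $totalcount; ?></strong> records<br/>
<?php
    }
    if (!$filter['key'] && !$filter['blocked']) {
        ?>
<a href="<?php echo esc_url(add_query_arg(array("blocked" => "1", "permitted" => "0", "paged" => false), $request_uri)); ?>">Show Blocked</a> <?php
    }
    if (!$filter['key'] && !$filter['permitted']) {
        ?>
<a href="<?php echo esc_url(add_query_arg(array("permitted" => "1", "blocked" => "0", "paged" => false), $request_uri)); ?>">Show Permitted</a> <?php
    }
?>
</div>
</div>

<table class="widefat">
	<thead>
	<tr>
	<th scope="col" class="check-column"><input type="checkbox" onclick="checkAll(document.getElementById('request-filter'));" /></th>
	<th scope="col"><?php _e("IP/Date/Status"); ?></th>
	<th scope="col"><?php _e("Headers"); ?></th>
	<th scope="col"><?php _e("Entity"); ?></th>
	</tr>
	</thead>
	<tbody>
<?php
    $alternate = 0;
    if ($results) {
        foreach ($results as $result) {
            $key = bb2_get_response($result["key"]);
            $row_id = (int) $result["id"];
            $ip = (string) $result["ip"];
            $alternate++;
            $row_class = ($alternate % 2) ? "" : " class=\"alternate\"";
            echo "<tr id=\"request-" . $row_id . "\"" . $row_class . " valign=\"top\">\n";
            echo "<th scope=\"row\" class=\"check-column\"><input type=\"checkbox\" name=\"submit[]\" value=\"" . $row_id . "\" /></th>\n";

            $httpbl = bb2_httpbl_lookup($ip);

            // Reverse DNS only for a well-formed address (no @ needed), and the
            // returned name is escaped like any other untrusted value.
            $host = "";
            if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
                $ptr = gethostbyaddr($ip);
                if ($ptr !== false && $ptr !== $ip) {
                    $host = esc_html($ptr) . "<br/>\n";
                }
            }

            echo "<td><a href=\"" . esc_url(add_query_arg("ip", $ip, remove_query_arg("paged", $request_uri))) . "\">" . esc_html($ip) . "</a><br/>{$host}<br/>\n" . esc_html($result["date"]) . "<br/><br/><a href=\"" . esc_url(add_query_arg("key", $result["key"], remove_query_arg(array("paged", "blocked", "permitted"), $request_uri))) . "\">" . esc_html($key["log"]) . "</a>\n";
            if ($httpbl) {
                // NOTE(review): $httpbl is printed as returned by bb2_httpbl_lookup();
                // confirm that function yields markup-safe text.
                echo "<br/><br/><a href=\"" . esc_url("http://www.projecthoneypot.org/ip_" . $ip) . "\">http:BL</a>:<br/>{$httpbl}\n";
            }
            echo "</td>\n";

            $headers = str_replace("\n", "<br/>\n", htmlspecialchars($result['http_headers']));
            // Turn the user agent and request method inside the escaped header
            // dump into filter links. The escaped form is searched for, so values
            // containing special characters are found and the link text stays
            // escaped; an empty value is skipped (strpos with an empty needle
            // matches at offset 0 on PHP 8).
            foreach (array('user_agent', 'request_method') as $field) {
                $raw = isset($result[$field]) ? (string) $result[$field] : '';
                if ($raw === '') {
                    continue;
                }
                $escaped = htmlspecialchars($raw);
                $pos = strpos($headers, $escaped);
                if ($pos !== FALSE) {
                    $link = "<a href=\"" . esc_url(add_query_arg($field, rawurlencode($raw), remove_query_arg("paged", $request_uri))) . "\">" . $escaped . "</a>";
                    $headers = substr_replace($headers, $link, $pos, strlen($escaped));
                }
            }
            echo "<td>{$headers}</td>\n";
            echo "<td>" . str_replace("\n", "<br/>\n", htmlspecialchars($result["request_entity"])) . "</td>\n";
            echo "</tr>\n";
        }
    }
?>
	</tbody>
</table>
<div class="tablenav">
<?php
    $page_links = paginate_links(array('base' => add_query_arg("paged", "%#%"), 'format' => '', 'total' => $pages, 'current' => $paged));
    if ($page_links) {
        echo "<div class=\"tablenav-pages\">{$page_links}</div>\n";
    }
?>
<div class="alignleft">
</div>
</div>
</form>
</div>
<?php
}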