vb.org Archive
Page 1 of 4 1 23 Last »
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Modification Requests/Questions (Unpaid) (https://vborg.vbsupport.ru/forumdisplay.php?f=112)
-   -   Zb Block - Stop Spam & 'bots @ Server (https://vborg.vbsupport.ru/showthread.php?t=254331)

adwade 11-27-2010 06:09 PM
Zb Block - Stop Spam & 'bots @ Server
 
I tripped across ZB BLOCK (a GPL V2 PHP Protection Script) this week by accident and have been pretty impressed at what all it does, completely for FREE. Anyway, for those unaware I just wanted to share the information so they could beef-up their own website's security against all the various nasty's out there.

ZB BLOCK
Don't let the robots in the door!
A GPL V2 PHP Protection Script for your site.

This php security script is designed to detect certain behaviors detrimental to websites, or known bad addresses attempting to access your site. It then will send the bad robot (usually) or hacker an authentic 403 FORBIDDEN page with a description of what the problem was. If the attacker persists, then they will be served up a permanently reccurring 503 OVERLOAD message with a 24 hour timeout.

What ZB Block is Excellent at:
  • Saves money by reducing hacker bandwith usage! (by 2,500% on this site's index page alone!)
  • Strengthing your site against defacement.
  • Preventing PHP script exploitation.
  • Ending Remote File Include (RFI) exploits.
  • Protecting against directory traversal attacks.
  • Stopping MySQL database injection and tampering.
  • Removing access from known bad addresses and domain names.
  • Blocking access from top level domains, like .cn (China) and .kp (North Korea).
What ZB Block is Good at:
  • Avoiding website scraping/content theft.
  • Deterring bad user agents.
  • Halting referrer spam.
  • Impeding some Cross Site Scripting (XSS) attacks.
What ZB Block will not do:
  • Protect non-PHP pages.
  • Stop access to non-exploitable resource files like .gif, .jpg, or .swf .
ZB Block is also fast, not only does ZB Block check for over 100,000,000 bad IPs/Hostnames and many thousands of bots, but standard execution times are around 1/10th of a second on an aged PIII 930, which is unnoticeable to the web surfer. This anti-exploit / anti-'sploit / anti-hacking / anti-injection script should find many uses around the web as it's good at detecting, and stopping exploitation probes from many of the worst known skript kiddie tools.
Moderator(s), MOVE this thread to wherever you think it will do the most good for fellow vB Adminstrators.

adwade 11-27-2010 06:12 PM
In just a couple of days, ZB BLOCK has denied over 1,000 bad-bot behaviors on my website. Below is a sampling of my logs as a result of having it installed...

Code:
#: 14 @: Wed, 24 Nov 2010 00:39:55 -0500
Host: ks310145.kimsufi.com
IP: 188.165.200.113
Score: 1
Why blocked: kimsufi, forum spambots. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)


#: 17 @: Wed, 24 Nov 2010 00:42:16 -0500
Host: ec2-174-129-146-20.compute-1.amazonaws.com
IP: 174.129.146.20
Score: 1
Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories. Checked for bypass.
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)


#: 23 @: Wed, 24 Nov 2010 00:54:54 -0500
Host: 221.194.132.229
IP: 221.194.132.229
Score: 1
Why blocked: No registrations, or logins, from hosts listed as hostile on http://www.stopforumspam.com/ (remote). . .
Query: do=register
User Agent: Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)


#: 28 @: Wed, 24 Nov 2010 01:42:22 -0500
Host: 61.135.167.74
IP: 61.135.167.74
Score: 1
Why blocked: Your computer is infected with Trojan Downloader tencenttraveler . Go to http://www.safer-networking.org and get Spybot Search & Destroy, clean your machine, then come back.
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;TencentTraveler)


#: 35 @: Wed, 24 Nov 2010 02:08:52 -0500
Host: 212-95-58-200.local
IP: 212.95.58.200
Score: 1
Why blocked: Ecatel/internetserviceteam.com/netdirekt e.K./NetDirect/jmhservices.com notorious forum spammers. .
Query: tag=tandem
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]


#: 47 @: Wed, 24 Nov 2010 02:30:43 -0500
Host: crawl5.dotnetdotcom.org
IP: 208.115.111.246
Score: 4
Why blocked: Dotbot - Paid Service SEO Service (Keyword Spamming Aides). SEOMOZ keyword scraper. Bad search spider. Ignores robots.txt. Offers an explosive .zip to those who try to use their services. Dotbot - Paid Service SEO Service (Keyword Spamming Aides).
Query: ?
User Agent: Mozilla/5.0 (compatible; DotBot/1.1; http://www.dotnetdotcom.org/, crawler@dotnetdotcom.org)


#: 55 @: Wed, 24 Nov 2010 02:40:40 -0500
Host: ip-212-117-169-11.server.lu
IP: 212.117.169.11
Score: 1
Why blocked: Forum spamming bot, real announces as "AOL". .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1; SV1; .NET CLR 1.1.4322)


#: 104 @: Wed, 24 Nov 2010 05:27:45 -0500
Host: serwer.exforum.pl
IP: 188.40.49.199
Score: 1
Why blocked: Referer code injection thru referer logging attempt, ++ after php, should be ? or +. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)


#: 113 @: Wed, 24 Nov 2010 05:45:36 -0500
Host: 178.73.204.111
IP: 178.73.204.111
Score: 1
Why blocked: Windows 95 is unusable. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)


: 122 @: Wed, 24 Nov 2010 07:05:02 -0500
Host: fiberlink-37-136.mioveni.rdsnet.ro
IP: 79.116.136.37
Score: 1
Why blocked: Bothost and/or Server Farm. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)


#: 183 @: Wed, 24 Nov 2010 11:51:53 -0500
Host: 213.186.120.196.utel.net.ua
IP: 213.186.120.196
Score: 1
Why blocked: RBN.
Query: do=markread&markreadhash=guest
User Agent: Mozilla/5.0 (compatible; SiteBot/0.1; +http://www.sitebot.org/robot/)


#: 263 @: Wed, 24 Nov 2010 15:09:09 -0500
Host: 195.162.68.27
IP: 195.162.68.27
Score: 1
Why blocked: Your computer is infected with spyware/mail.ru_agent . Go to http://www.safer-networking.org and get Spybot Search & Destroy, clean your machine, then come back. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.3 (build 01218); .NET CLR 1.1.4322)


#: 323 @: Wed, 24 Nov 2010 21:29:54 -0500
Host: 131.51.150.178.triolan.net
IP: 178.150.51.131
Score: 1
Why blocked: RFI attack/SQL injection (nested percents, level 1). . .
Query: f=25%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2BResult:%2B%2525E7%2525E0%2525F0%2525E5%2525E3%2525E8%2525F1%2525F2%2525F0%2525E8%2525F0%2525EE%2525E2%2525E0%2525EB%2525E8%2525F1%2525FC%2B%252528%2525E2%2525EA%2525EB%2525FE%2525F7%2525E5%2525ED%2B%2525F0%2525E5%2525E6%2525E8%2525EC%2B%2525F2%2525EE%2525EB%2525FC%2525EA%2525EE%2B%2525F0%2525E5%2525E3%2525E8%2525F1%2525F2%2525F0%2525E0%2525F6%2525E8%2525E8%252529%253b
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.0 Beta 1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)


#: 350 @: Wed, 24 Nov 2010 23:15:08 -0500
Host: dsl212-235-107-31.bb.netvision.net.il
IP: 212.235.107.31
Score: 2
Why blocked: ISP with a filthy reputation. netvision.net.il (filthy reputation ISP). .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; APC; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50215; InfoPath.1)


#: 574 @: Thu, 25 Nov 2010 16:21:39 -0500
Host: 179.200-62-69.ftth.dyn.surewest.net
IP: 69.62.200.179
Score: 1
Why blocked: Windows 95 is unusable. .
Query: dest=aHR0cDovL3ZpenJ0c2VydmVyLzo0MDgwL25vbmF1dGgvZGVueS5waHA/ZGVzdD1hSFIwY0RvdkwzWnBlbkowYzJWeWRtVnlMem8wTURnd0wyNXZibUYxZEdndlpHVnVlUzV3YUhBL1pHVnpkRDFoU0ZJd1kwUnZka3d6WkROa2VUVjVXbGRPTVdKWFNteGlibEo1WVZkU2JHTnVUWFZpTTBwdVRESmFkbU51Vm5SamVUbDZZVWM1TTJSSGFIbGFWMFpyVEc1Q2IyTkVPVEJRVkdONlRVRTlQU1pKUkQxTlZGRm5UbWM5UFNaRVFrdzkmSUQ9TVRRZ05nPT0mREJMPQ==&ID=MTQgNg==&DBL=
User Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)


#: 587 @: Thu, 25 Nov 2010 16:37:01 -0500
Host: 91-40-134-95.pool.ukrtel.net
IP: 95.134.40.91
Score: 4
Why blocked: Robot Probe. ukrtel, forum spambots. Filthy Russian Netblock. HTTP_REFERER pollution of serverlogs with spam ad word porn, we don't link from there.
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Deepnet Explorer 1.5.0; .NET CLR 1.0.3705)

#: 736 @: Fri, 26 Nov 2010 07:19:41 -0500
Host: 88.81.88.18
IP: 88.81.88.18
Score: 1
Why blocked: Referer code injection thru referer logging attempt, ++ after php, should be ? or +. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)

#: 863 @: Fri, 26 Nov 2010 13:20:06 -0500
Host: dynamic-adsl-62-10-64-128.clienti.tiscali.it
IP: 62.10.64.128
Score: 1
Why blocked: tiscali, constant source of forum spam attempts.
Query: t=1122
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)

#: 1026 @: Sat, 27 Nov 2010 04:57:09 -0500
Host: comyoucom.net
IP: 109.169.41.22
Score: 7
Why blocked: g Rapidswitch, dangerous network. POST cloaking attempt POST-17. POST print attempt POST-19. POST RFI attempt POST-28. POST username forcing attempt POST-29. POST execution wedge via bbcode POST-31.0. POST execution wedge via bbcode POST-32.
Query:
User Agent: Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

biggazillakilla 12-15-2010 03:34 PM
I just stumbled across this while looking at the stopforumspam.com website. Yes, it looks interesting.

adwade 12-15-2010 05:12 PM
It's a TREMENDOUS add-on for any PHP based application, vBulletin included. :D Since adding it to our forums in NOV, our Bandwidth usage has dropped due to fewer spambots being able to crawl the website any longer.(see log entries in above post)

On some days, unsavory spiders had pushed our BW usage up over 1gB/day, whereas normal (for us) was around 200-300mB/day. We were faced with having to double our costs :eek: (i.e. by going to a larger hosting plan) when ZB BLOCK helped us to curtail a lot of wasted bandwidth 'some' robots were chewing up for no good reason at all. :mad:

Visit http://www.spambotsecurity.com/ for more info. :up: Highly Recommended!

OldSchoolDSL 12-16-2010 04:45 AM
This was worth reading and applying. Installed.

Lets hope this does not block out valid bots though, such as Google or valid members.

This basically will prevent anyone not welcome onto your community.

adwade 12-16-2010 09:19 AM
1 Attachment(s)
Quote:
Originally Posted by OldSchoolDSL (Post 2134651)
Lets hope this does not block out valid bots though, such as Google or valid members.
There are plenty of 'well-behaved' bots, crawling my site all the time. Meanwhile, as you mentioned it's preventing many unsavory 'bots access from our community.

BirdOPrey5 12-16-2010 08:21 PM
So are you guys adding the 1 line of php code to your vBulletin files or to your major templates? (forumhome, forumdisplay, showthread)? Or is there a better place?

adwade 12-17-2010 01:10 AM
Well, per this thread ZB Hook (needed) only global.php? it's only needed in the global.php file from what I gathered.

However since I understand oh-so-little of all this -and- I'm a bit paranoid, I also added the single line of code to my index.php; login.php and register.php files as well.(overkill? probably:o)

My train of thought behind doing so was, what if someone access the register.php file directly from off-site? I wasn't sure global.php was called in that instance so I figured, better safe than sorry.

I'm sure someone more intelligent than me in how vBulletin's internals actually run could say for sure...but until then. ;)

BirdOPrey5 12-17-2010 01:23 AM
Well global.php is definitely called by register.php and login.php, and every .php file basically besides functions (which themselves are called by global to begin with) so I'd imagine just adding to global is enough...

However it might be easy to forget to re-edit global.php on an upgrade so I'm wondering if it isn't better to put this line in a plugin on a hook in global.php instead so you don't need to worry about upgrades...

onehost 12-17-2010 01:37 AM
sounds pretty awesome.

I knew those china spiders were up to no good....

to be honest, I do not know a lot about spiders, but I do most
do not appear useful, and i normally see 5+ trying to register
at any given time on my forum...rather then some spiders
trying to help your forum/content grow, they would rather hurt you.


All times are GMT. The time now is 07:00 PM.
Page 1 of 4 1 23 Last »
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01334 seconds
  • Memory Usage 1,781KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete