#1
11-27-2010, 06:09 PM
adwade (Join Date: Aug 2006; Location: SouthEast, TN; Posts: 323)

Zb Block - Stop Spam & 'bots @ Server

I tripped across ZB BLOCK (a GPL V2 PHP Protection Script) this week by accident and have been pretty impressed at what all it does, completely for FREE. Anyway, for those unaware I just wanted to share the information so they could beef-up their own website's security against all the various nasties out there.

ZB BLOCK
Don't let the robots in the door!
A GPL V2 PHP Protection Script for your site.

This php security script is designed to detect certain behaviors detrimental to websites, or known bad addresses attempting to access your site. It then will send the bad robot (usually) or hacker an authentic 403 FORBIDDEN page with a description of what the problem was. If the attacker persists, then they will be served up a permanently recurring 503 OVERLOAD message with a 24 hour timeout.

What ZB Block is Excellent at:
  • Saves money by reducing hacker bandwidth usage! (by 2,500% on this site's index page alone!)
  • Strengthening your site against defacement.
  • Preventing PHP script exploitation.
  • Ending Remote File Include (RFI) exploits.
  • Protecting against directory traversal attacks.
  • Stopping MySQL database injection and tampering.
  • Removing access from known bad addresses and domain names.
  • Blocking access from top level domains, like .cn (China) and .kp (North Korea).
What ZB Block is Good at:
  • Avoiding website scraping/content theft.
  • Deterring bad user agents.
  • Halting referrer spam.
  • Impeding some Cross Site Scripting (XSS) attacks.
What ZB Block will not do:
  • Protect non-PHP pages.
  • Stop access to non-exploitable resource files like .gif, .jpg, or .swf .
ZB Block is also fast: not only does it check for over 100,000,000 bad IPs/Hostnames and many thousands of bots, but standard execution times are around 1/10th of a second on an aged PIII 930, which is unnoticeable to the web surfer. This anti-exploit / anti-'sploit / anti-hacking / anti-injection script should find many uses around the web as it's good at detecting and stopping exploitation probes from many of the worst known skript kiddie tools.
Moderator(s), MOVE this thread to wherever you think it will do the most good for fellow vB Administrators.
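The behaviour the description above outlines (a request that trips a rule gets a 403 with the reason, a client that keeps tripping rules gets a 503 for 24 hours) is easy to model, and the model makes the trade-offs visible. The following is an added example in Python; it is not part of this post and not ZB Block's own PHP. The rule set, the three-strike threshold, the blocked TLDs (the two the description names), the user-agent markers (assumed, taken from "Why blocked" reasons in the log excerpt later in this thread) and the sample requests are all assumptions made for illustration; ZB Block's real signature lists and scoring are far larger.

```python
"""Added example: a small model of the screen-then-ban behaviour the post
describes (403 with a reason, then 503 for 24 hours for repeat offenders).
Not ZB Block's code; rule names, thresholds and user-agent markers are
assumptions chosen for illustration."""
import re
import time
from dataclasses import dataclass, field
from urllib.parse import unquote

BAN_SECONDS = 24 * 3600          # the 24-hour timeout the description mentions
BAN_AFTER_STRIKES = 3            # assumed: 403s a client may collect before the 503 ban
BLOCKED_TLDS = {"cn", "kp"}      # the two examples the description gives
# assumed markers, taken from "Why blocked" reasons in the log excerpt in this thread
BAD_UA_MARKERS = ("windows 95", "tencenttraveler", "dotbot")
NESTED_PERCENT = re.compile(r"%25[0-9a-fA-F]{2}")   # an encoded '%' in front of a hex pair
SQLI = re.compile(r"\bunion\b.*\bselect\b|/\*.*\*/|'\s*or\s*'?\d")


@dataclass
class Verdict:
    status: int          # 200 = let through, 403 = blocked with reason, 503 = banned
    reason: str = ""


def inspect_query(raw_query):
    """Return a reason string if the query string looks hostile, else ''."""
    if NESTED_PERCENT.search(raw_query):
        return "nested percent encoding"       # browsers never double-encode
    decoded = unquote(raw_query, encoding="latin-1").lower()
    if "../" in decoded or "..\\" in decoded:
        return "directory traversal"
    if re.search(r"=(?:https?|ftp)://", decoded):
        return "remote file include attempt"   # a parameter whose value is a URL
    if SQLI.search(decoded):
        return "SQL injection pattern"
    if "<script" in decoded:
        return "cross-site scripting pattern"
    return ""


def classify(host, query, user_agent):
    """Order matters: cheap host/agent checks first, query inspection last."""
    tld = host.rsplit(".", 1)[-1].lower() if "." in host else ""
    if tld in BLOCKED_TLDS:
        return "blocked top-level domain ." + tld
    ua = user_agent.lower()
    for marker in BAD_UA_MARKERS:
        if marker in ua:
            return "bad user agent (%s)" % marker
    return inspect_query(query)


@dataclass
class Screener:
    strikes: dict = field(default_factory=dict)       # ip -> number of 403s so far
    banned_until: dict = field(default_factory=dict)  # ip -> epoch seconds

    def screen(self, ip, host, query, user_agent, now=None):
        now = time.time() if now is None else now
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return Verdict(503, "banned, retry in %d s" % (until - now))
            del self.banned_until[ip]       # timeout elapsed: forgive
            self.strikes.pop(ip, None)
        reason = classify(host, query, user_agent)
        if not reason:
            return Verdict(200)
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] >= BAN_AFTER_STRIKES:
            self.banned_until[ip] = now + BAN_SECONDS
            return Verdict(503, reason + " (repeat offender, 24 h timeout)")
        return Verdict(403, reason)


if __name__ == "__main__":
    # constructed sample traffic, loosely shaped like the log entries in this thread
    s = Screener()
    for ip, host, query, ua in [
        ("10.0.0.1", "dsl.isp.example", "t=1122", "Mozilla/5.0 (Windows NT 6.1)"),
        ("10.0.0.2", "host.example.cn", "", "Mozilla/5.0"),
        ("10.0.0.3", "crawl.example", "f=..%2F..%2Fetc%2Fpasswd", "Mozilla/5.0"),
        ("10.0.0.4", "bot.example", "page=http://evil.example/shell.txt", "DotBot/1.1"),
    ]:
        v = s.screen(ip, host, query, ua)
        print(ip, v.status, v.reason)
```

Two things worth noticing in the model. First, the host- and TLD-based rules are where legitimate visitors get caught: refusing a whole TLD, a hosting provider or an ISP (as several reasons in the log excerpt do) trades reach for less spam, and the nested-percent rule will also trip on an honest search for a literal percent sign followed by two hex digits, so every 403 should carry its reason, exactly as the script's log does, so that such cases can be found later. Second, the strike table is keyed by client IP, which is only meaningful if the script sees the real client address; behind a reverse proxy it would see the proxy and ban everyone at once.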
#2
11-27-2010, 06:12 PM
adwade (Join Date: Aug 2006; Location: SouthEast, TN; Posts: 323)

In just a couple of days, ZB BLOCK has denied over 1,000 bad-bot behaviors on my website. Below is a sampling of my logs as a result of having it installed...

Code:
#: 14 @: Wed, 24 Nov 2010 00:39:55 -0500
Host: ks310145.kimsufi.com
IP: 188.165.200.113
Score: 1
Why blocked: kimsufi, forum spambots. . 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)


#: 17 @: Wed, 24 Nov 2010 00:42:16 -0500
Host: ec2-174-129-146-20.compute-1.amazonaws.com
IP: 174.129.146.20
Score: 1
Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories. Checked for bypass. 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)


#: 23 @: Wed, 24 Nov 2010 00:54:54 -0500
Host: 221.194.132.229
IP: 221.194.132.229
Score: 1
Why blocked: No registrations, or logins, from hosts listed as hostile on http://www.stopforumspam.com/ (remote). . . 
Query: do=register
User Agent: Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)


#: 28 @: Wed, 24 Nov 2010 01:42:22 -0500
Host: 61.135.167.74
IP: 61.135.167.74
Score: 1
Why blocked: Your computer is infected with Trojan Downloader tencenttraveler . Go to http://www.safer-networking.org and get Spybot Search & Destroy, clean your machine, then come back. 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;TencentTraveler)


#: 35 @: Wed, 24 Nov 2010 02:08:52 -0500
Host: 212-95-58-200.local
IP: 212.95.58.200
Score: 1
Why blocked: Ecatel/internetserviceteam.com/netdirekt e.K./NetDirect/jmhservices.com notorious forum spammers. . 
Query: tag=tandem
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]


#: 47 @: Wed, 24 Nov 2010 02:30:43 -0500
Host: crawl5.dotnetdotcom.org
IP: 208.115.111.246
Score: 4
Why blocked: Dotbot - Paid Service SEO Service (Keyword Spamming Aides). SEOMOZ keyword scraper. Bad search spider. Ignores robots.txt. Offers an explosive .zip to those who try to use their services. Dotbot - Paid Service SEO Service (Keyword Spamming Aides). 
Query: ?
User Agent: Mozilla/5.0 (compatible; DotBot/1.1; http://www.dotnetdotcom.org/, crawler@dotnetdotcom.org)


#: 55 @: Wed, 24 Nov 2010 02:40:40 -0500
Host: ip-212-117-169-11.server.lu
IP: 212.117.169.11
Score: 1
Why blocked: Forum spamming bot, real announces as "AOL". . 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1; SV1; .NET CLR 1.1.4322)


#: 104 @: Wed, 24 Nov 2010 05:27:45 -0500
Host: serwer.exforum.pl
IP: 188.40.49.199
Score: 1
Why blocked: Referer code injection thru referer logging attempt, ++ after php, should be ? or +. . 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)


#: 113 @: Wed, 24 Nov 2010 05:45:36 -0500
Host: 178.73.204.111
IP: 178.73.204.111
Score: 1
Why blocked: Windows 95 is unusable. . 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)


#: 122 @: Wed, 24 Nov 2010 07:05:02 -0500
Host: fiberlink-37-136.mioveni.rdsnet.ro
IP: 79.116.136.37
Score: 1
Why blocked: Bothost and/or Server Farm. . 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)


#: 183 @: Wed, 24 Nov 2010 11:51:53 -0500
Host: 213.186.120.196.utel.net.ua
IP: 213.186.120.196
Score: 1
Why blocked: RBN. 
Query: do=markread&markreadhash=guest
User Agent: Mozilla/5.0 (compatible; SiteBot/0.1; +http://www.sitebot.org/robot/)


#: 263 @: Wed, 24 Nov 2010 15:09:09 -0500
Host: 195.162.68.27
IP: 195.162.68.27
Score: 1
Why blocked: Your computer is infected with spyware/mail.ru_agent . Go to http://www.safer-networking.org and get Spybot Search & Destroy, clean your machine, then come back. . 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.3 (build 01218); .NET CLR 1.1.4322)


#: 323 @: Wed, 24 Nov 2010 21:29:54 -0500
Host: 131.51.150.178.triolan.net
IP: 178.150.51.131
Score: 1
Why blocked: RFI attack/SQL injection (nested percents, level 1). . . 
Query: f=25%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2BResult:%2B%2525E7%2525E0%2525F0%2525E5%2525E3%2525E8%2525F1%2525F2%2525F0%2525E8%2525F0%2525EE%2525E2%2525E0%2525EB%2525E8%2525F1%2525FC%2B%252528%2525E2%2525EA%2525EB%2525FE%2525F7%2525E5%2525ED%2B%2525F0%2525E5%2525E6%2525E8%2525EC%2B%2525F2%2525EE%2525EB%2525FC%2525EA%2525EE%2B%2525F0%2525E5%2525E3%2525E8%2525F1%2525F2%2525F0%2525E0%2525F6%2525E8%2525E8%252529%253b
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.0 Beta 1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)


#: 350 @: Wed, 24 Nov 2010 23:15:08 -0500
Host: dsl212-235-107-31.bb.netvision.net.il
IP: 212.235.107.31
Score: 2
Why blocked: ISP with a filthy reputation. netvision.net.il (filthy reputation ISP). . 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; APC; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50215; InfoPath.1)


#: 574 @: Thu, 25 Nov 2010 16:21:39 -0500
Host: 179.200-62-69.ftth.dyn.surewest.net
IP: 69.62.200.179
Score: 1
Why blocked: Windows 95 is unusable. . 
Query: dest=aHR0cDovL3ZpenJ0c2VydmVyLzo0MDgwL25vbmF1dGgvZGVueS5waHA/ZGVzdD1hSFIwY0RvdkwzWnBlbkowYzJWeWRtVnlMem8wTURnd0wyNXZibUYxZEdndlpHVnVlUzV3YUhBL1pHVnpkRDFoU0ZJd1kwUnZka3d6WkROa2VUVjVXbGRPTVdKWFNteGlibEo1WVZkU2JHTnVUWFZpTTBwdVRESmFkbU51Vm5SamVUbDZZVWM1TTJSSGFIbGFWMFpyVEc1Q2IyTkVPVEJRVkdONlRVRTlQU1pKUkQxTlZGRm5UbWM5UFNaRVFrdzkmSUQ9TVRRZ05nPT0mREJMPQ==&ID=MTQgNg==&DBL=
User Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)


#: 587 @: Thu, 25 Nov 2010 16:37:01 -0500
Host: 91-40-134-95.pool.ukrtel.net
IP: 95.134.40.91
Score: 4
Why blocked: Robot Probe. ukrtel, forum spambots. Filthy Russian Netblock. HTTP_REFERER pollution of serverlogs with spam ad word porn, we don't link from there. 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Deepnet Explorer 1.5.0; .NET CLR 1.0.3705)

#: 736 @: Fri, 26 Nov 2010 07:19:41 -0500
Host: 88.81.88.18
IP: 88.81.88.18
Score: 1
Why blocked: Referer code injection thru referer logging attempt, ++ after php, should be ? or +. . 
Query: 
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)

#: 863 @: Fri, 26 Nov 2010 13:20:06 -0500
Host: dynamic-adsl-62-10-64-128.clienti.tiscali.it
IP: 62.10.64.128
Score: 1
Why blocked: tiscali, constant source of forum spam attempts. 
Query: t=1122
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)

#: 1026 @: Sat, 27 Nov 2010 04:57:09 -0500
Host: comyoucom.net
IP: 109.169.41.22
Score: 7
Why blocked: g Rapidswitch, dangerous network. POST cloaking attempt POST-17. POST print attempt POST-19. POST RFI attempt POST-28. POST username forcing attempt POST-29. POST execution wedge via bbcode POST-31.0. POST execution wedge via bbcode POST-32. 
Query: 
User Agent: Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
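The log format above is regular enough to parse, and two of the queries in it reward decoding: entry #323 is three layers of percent-encoding over Windows-1251 text, and entry #574 carries a base64 `dest` parameter. The following is an added example in Python, not part of the post and not ZB Block's code; it embeds three entries copied verbatim from the excerpt above (#323, #574 and #1026) as its only input, and the field names it derives (`why_blocked`, `user_agent`, ...) are its own.

```python
"""Added example: parse the ZB Block log excerpt above and decode the two
obfuscated queries in it.  Not part of the post and not ZB Block's code;
the three log entries are copied from the excerpt, everything else is new."""
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes, urlsplit

SAMPLE_LOG = """\
#: 323 @: Wed, 24 Nov 2010 21:29:54 -0500
Host: 131.51.150.178.triolan.net
IP: 178.150.51.131
Score: 1
Why blocked: RFI attack/SQL injection (nested percents, level 1). . .
Query: f=25%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2BResult:%2B%2525E7%2525E0%2525F0%2525E5%2525E3%2525E8%2525F1%2525F2%2525F0%2525E8%2525F0%2525EE%2525E2%2525E0%2525EB%2525E8%2525F1%2525FC%2B%252528%2525E2%2525EA%2525EB%2525FE%2525F7%2525E5%2525ED%2B%2525F0%2525E5%2525E6%2525E8%2525EC%2B%2525F2%2525EE%2525EB%2525FC%2525EA%2525EE%2B%2525F0%2525E5%2525E3%2525E8%2525F1%2525F2%2525F0%2525E0%2525F6%2525E8%2525E8%252529%253b
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.0 Beta 1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

#: 574 @: Thu, 25 Nov 2010 16:21:39 -0500
Host: 179.200-62-69.ftth.dyn.surewest.net
IP: 69.62.200.179
Score: 1
Why blocked: Windows 95 is unusable. .
Query: dest=aHR0cDovL3ZpenJ0c2VydmVyLzo0MDgwL25vbmF1dGgvZGVueS5waHA/ZGVzdD1hSFIwY0RvdkwzWnBlbkowYzJWeWRtVnlMem8wTURnd0wyNXZibUYxZEdndlpHVnVlUzV3YUhBL1pHVnpkRDFoU0ZJd1kwUnZka3d6WkROa2VUVjVXbGRPTVdKWFNteGlibEo1WVZkU2JHTnVUWFZpTTBwdVRESmFkbU51Vm5SamVUbDZZVWM1TTJSSGFIbGFWMFpyVEc1Q2IyTkVPVEJRVkdONlRVRTlQU1pKUkQxTlZGRm5UbWM5UFNaRVFrdzkmSUQ9TVRRZ05nPT0mREJMPQ==&ID=MTQgNg==&DBL=
User Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)

#: 1026 @: Sat, 27 Nov 2010 04:57:09 -0500
Host: comyoucom.net
IP: 109.169.41.22
Score: 7
Why blocked: g Rapidswitch, dangerous network. POST cloaking attempt POST-17. POST print attempt POST-19. POST RFI attempt POST-28. POST username forcing attempt POST-29. POST execution wedge via bbcode POST-31.0. POST execution wedge via bbcode POST-32.
Query:
User Agent: Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
"""

ENTRY_RE = re.compile(r"^#: (?P<num>\d+) @: (?P<when>.+)$")


def parse_log(text):
    """One dict per entry; keys are the lower-cased field names (why_blocked, user_agent, ...)."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            current = {"num": int(m["num"]), "when": m["when"]}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip().lower().replace(" ", "_"), value.strip()
            if key == "why_blocked":
                value = value.rstrip(" .")      # ZB Block pads the reason with ". ."
            elif key == "score":
                value = int(value)
            current[key] = value
    return entries


def peel_percent_layers(query, max_layers=5):
    """Undo stacked percent-encoding on raw bytes (non-UTF-8 payloads survive).
    Returns (decoded_bytes, layers_removed)."""
    data, layers = query.encode("latin-1"), 0
    while layers < max_layers:
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, layers = decoded, layers + 1
    return data, layers


def decode_spam_status(query):
    """#323: the payload is Windows-1251 text under three layers of encoding."""
    data, layers = peel_percent_layers(query)
    return data.replace(b"+", b" ").decode("cp1251"), layers


def raw_params(query):
    """Split a query string without decoding it, so base64 '+' and '=' survive."""
    return dict(part.partition("=")[::2] for part in query.split("&") if part)


def decode_base64_param(value):
    return base64.b64decode(value, validate=True).decode("ascii")


def unwrap_redirect_chain(query, max_depth=8):
    """#574: follow a base64 'dest' parameter as deep as it decodes; outermost first."""
    urls, params = [], raw_params(query)
    while params.get("dest") and len(urls) < max_depth:
        try:
            url = decode_base64_param(params["dest"])
        except (binascii.Error, UnicodeDecodeError):
            break
        urls.append(url)
        params = raw_params(urlsplit(url).query)
    return urls


def entries_with_query(entries):
    return [e["num"] for e in entries if e.get("query")]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(len(entries), "entries; with a query string:", entries_with_query(entries))
    text, layers = decode_spam_status(entries[0]["query"])
    print("#323 after", layers, "layers:", text)
    for depth, url in enumerate(unwrap_redirect_chain(entries[1]["query"]), 1):
        print("#574 level", depth, ":", url[:70] + "...")
    print("#574 ID =", decode_base64_param("MTQgNg=="))
```

What the decoding shows: the #323 query, once the three layers are peeled and read as Windows-1251, ends in the Russian text "Result: зарегистрировались (включен режим только регистрации);" ("Result: registered (registration-only mode enabled);"), a status string a forum-spam tool leaked into the URL, which is why the single-encoded pluses and double-encoded Cyrillic looked like "nested percents" to the script. The #574 `dest` parameter decodes to a URL on a host named vizrtserver whose own `dest` parameter is that same URL again, one level shorter, with `ID=MTQgNg==` decoding to "14 6": a redirect loop on the visitor's side that spilled into this site's query string, so the block reason ("Windows 95 is unusable") and the payload are unrelated. Decoding before judging is the habit to take from the log.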
#3
12-15-2010, 03:34 PM
biggazillakilla (Join Date: Mar 2004; Posts: 46)

I just stumbled across this while looking at the stopforumspam.com website. Yes, it looks interesting.
#4
12-15-2010, 05:12 PM
adwade (Join Date: Aug 2006; Location: SouthEast, TN; Posts: 323)

It's a TREMENDOUS add-on for any PHP based application, vBulletin included. Since adding it to our forums in NOV, our Bandwidth usage has dropped due to fewer spambots being able to crawl the website any longer. (See log entries in the above post.)

On some days, unsavory spiders had pushed our BW usage up over 1 GB/day, whereas normal (for us) was around 200-300 MB/day. We were faced with having to double our costs (i.e. by going to a larger hosting plan) when ZB BLOCK helped us to curtail a lot of wasted bandwidth 'some' robots were chewing up for no good reason at all.

Visit http://www.spambotsecurity.com/ for more info. Highly Recommended!

#5
12-16-2010, 04:45 AM
OldSchoolDSL (Join Date: Oct 2010; Posts: 1,196)

This was worth reading and applying. Installed.

Let's hope this does not block out valid bots though, such as Google or valid members.

This basically will keep anyone not welcome out of your community.

#6
12-16-2010, 09:19 AM
adwade (Join Date: Aug 2006; Location: SouthEast, TN; Posts: 323)

Quote (Originally Posted by OldSchoolDSL):
Let's hope this does not block out valid bots though, such as Google or valid members.

There are plenty of 'well-behaved' bots crawling my site all the time. Meanwhile, as you mentioned, it's preventing many unsavory 'bots from accessing our community.

[Attached image: Picture 109.jpg]
#7
12-16-2010, 08:21 PM
BirdOPrey5, Senior Member (Join Date: Jun 2008; Location: New York; Posts: 10,610)

So are you guys adding the 1 line of php code to your vBulletin files or to your major templates? (forumhome, forumdisplay, showthread)? Or is there a better place?
#8
12-17-2010, 01:10 AM
adwade (Join Date: Aug 2006; Location: SouthEast, TN; Posts: 323)

Well, per this thread, "ZB Hook (needed) only global.php?", it's only needed in the global.php file from what I gathered.

However, since I understand oh-so-little of all this and I'm a bit paranoid, I also added the single line of code to my index.php, login.php and register.php files as well. (Overkill? Probably.)

My train of thought behind doing so was: what if someone accesses the register.php file directly from off-site? I wasn't sure global.php was called in that instance, so I figured better safe than sorry.

I'm sure someone more intelligent than me in how vBulletin's internals actually run could say for sure...but until then.
#9
12-17-2010, 01:23 AM
BirdOPrey5, Senior Member (Join Date: Jun 2008; Location: New York; Posts: 10,610)

Well, global.php is definitely called by register.php and login.php, and basically every .php file besides functions (which themselves are called by global to begin with), so I'd imagine just adding to global is enough...

However it might be easy to forget to re-edit global.php on an upgrade so I'm wondering if it isn't better to put this line in a plugin on a hook in global.php instead so you don't need to worry about upgrades...
#10
12-17-2010, 01:37 AM
onehost (Join Date: Jul 2006; Posts: 378)

Sounds pretty awesome.

I knew those China spiders were up to no good....

To be honest, I do not know a lot about spiders, but most do not appear useful, and I normally see 5+ trying to register at any given time on my forum. Rather than some spiders trying to help your forum/content grow, they would rather hurt you.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.