The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Zb Block - Stop Spam & 'bots @ Server
I tripped across ZB BLOCK (a GPL V2 PHP Protection Script) this week by accident and have been pretty impressed at what all it does, completely for FREE. Anyway, for those unaware I just wanted to share the information so they could beef-up their own website's security against all the various nasties out there.
ZB BLOCK: Don't let the robots in the door! A GPL V2 PHP Protection Script for your site. This php security script is designed to detect certain behaviors detrimental to websites, or known bad addresses attempting to access your site. It then will send the bad robot (usually) or hacker an authentic 403 FORBIDDEN page with a description of what the problem was. If the attacker persists, then they will be served up a permanently recurring 503 OVERLOAD message with a 24 hour timeout.
What ZB Block is Excellent at:
Moderator(s), MOVE this thread to wherever you think it will do the most good for fellow vB Administrators.
#2
In just a couple of days, ZB BLOCK has denied over 1,000 bad-bot behaviors on my website. Below is a sampling of my logs as a result of having it installed...
Code:
#: 14 @: Wed, 24 Nov 2010 00:39:55 -0500
Host: ks310145.kimsufi.com
IP: 188.165.200.113
Score: 1
Why blocked: kimsufi, forum spambots. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)

#: 17 @: Wed, 24 Nov 2010 00:42:16 -0500
Host: ec2-174-129-146-20.compute-1.amazonaws.com
IP: 174.129.146.20
Score: 1
Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories. Checked for bypass.
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

#: 23 @: Wed, 24 Nov 2010 00:54:54 -0500
Host: 221.194.132.229
IP: 221.194.132.229
Score: 1
Why blocked: No registrations, or logins, from hosts listed as hostile on http://www.stopforumspam.com/ (remote). . .
Query: do=register
User Agent: Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)

#: 28 @: Wed, 24 Nov 2010 01:42:22 -0500
Host: 61.135.167.74
IP: 61.135.167.74
Score: 1
Why blocked: Your computer is infected with Trojan Downloader tencenttraveler . Go to http://www.safer-networking.org and get Spybot Search & Destroy, clean your machine, then come back.
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;TencentTraveler)

#: 35 @: Wed, 24 Nov 2010 02:08:52 -0500
Host: 212-95-58-200.local
IP: 212.95.58.200
Score: 1
Why blocked: Ecatel/internetserviceteam.com/netdirekt e.K./NetDirect/jmhservices.com notorious forum spammers. .
Query: tag=tandem
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]

#: 47 @: Wed, 24 Nov 2010 02:30:43 -0500
Host: crawl5.dotnetdotcom.org
IP: 208.115.111.246
Score: 4
Why blocked: Dotbot - Paid Service SEO Service (Keyword Spamming Aides). SEOMOZ keyword scraper. Bad search spider. Ignores robots.txt. Offers an explosive .zip to those who try to use their services. Dotbot - Paid Service SEO Service (Keyword Spamming Aides).
Query: ?
User Agent: Mozilla/5.0 (compatible; DotBot/1.1; http://www.dotnetdotcom.org/, crawler@dotnetdotcom.org)

#: 55 @: Wed, 24 Nov 2010 02:40:40 -0500
Host: ip-212-117-169-11.server.lu
IP: 212.117.169.11
Score: 1
Why blocked: Forum spamming bot, real announces as "AOL". .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

#: 104 @: Wed, 24 Nov 2010 05:27:45 -0500
Host: serwer.exforum.pl
IP: 188.40.49.199
Score: 1
Why blocked: Referer code injection thru referer logging attempt, ++ after php, should be ? or +. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)

#: 113 @: Wed, 24 Nov 2010 05:45:36 -0500
Host: 178.73.204.111
IP: 178.73.204.111
Score: 1
Why blocked: Windows 95 is unusable. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)

#: 122 @: Wed, 24 Nov 2010 07:05:02 -0500
Host: fiberlink-37-136.mioveni.rdsnet.ro
IP: 79.116.136.37
Score: 1
Why blocked: Bothost and/or Server Farm. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)

#: 183 @: Wed, 24 Nov 2010 11:51:53 -0500
Host: 213.186.120.196.utel.net.ua
IP: 213.186.120.196
Score: 1
Why blocked: RBN.
Query: do=markread&markreadhash=guest
User Agent: Mozilla/5.0 (compatible; SiteBot/0.1; +http://www.sitebot.org/robot/)

#: 263 @: Wed, 24 Nov 2010 15:09:09 -0500
Host: 195.162.68.27
IP: 195.162.68.27
Score: 1
Why blocked: Your computer is infected with spyware/mail.ru_agent . Go to http://www.safer-networking.org and get Spybot Search & Destroy, clean your machine, then come back. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.3 (build 01218); .NET CLR 1.1.4322)

#: 323 @: Wed, 24 Nov 2010 21:29:54 -0500
Host: 131.51.150.178.triolan.net
IP: 178.150.51.131
Score: 1
Why blocked: RFI attack/SQL injection (nested percents, level 1). . .
Query: f=25%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2BResult:%2B%2525E7%2525E0%2525F0%2525E5%2525E3%2525E8%2525F1%2525F2%2525F0%2525E8%2525F0%2525EE%2525E2%2525E0%2525EB%2525E8%2525F1%2525FC%2B%252528%2525E2%2525EA%2525EB%2525FE%2525F7%2525E5%2525ED%2B%2525F0%2525E5%2525E6%2525E8%2525EC%2B%2525F2%2525EE%2525EB%2525FC%2525EA%2525EE%2B%2525F0%2525E5%2525E3%2525E8%2525F1%2525F2%2525F0%2525E0%2525F6%2525E8%2525E8%252529%253b
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.0 Beta 1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

#: 350 @: Wed, 24 Nov 2010 23:15:08 -0500
Host: dsl212-235-107-31.bb.netvision.net.il
IP: 212.235.107.31
Score: 2
Why blocked: ISP with a filthy reputation. netvision.net.il (filthy reputation ISP). .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; APC; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50215; InfoPath.1)

#: 574 @: Thu, 25 Nov 2010 16:21:39 -0500
Host: 179.200-62-69.ftth.dyn.surewest.net
IP: 69.62.200.179
Score: 1
Why blocked: Windows 95 is unusable. .
Query: dest=aHR0cDovL3ZpenJ0c2VydmVyLzo0MDgwL25vbmF1dGgvZGVueS5waHA/ZGVzdD1hSFIwY0RvdkwzWnBlbkowYzJWeWRtVnlMem8wTURnd0wyNXZibUYxZEdndlpHVnVlUzV3YUhBL1pHVnpkRDFoU0ZJd1kwUnZka3d6WkROa2VUVjVXbGRPTVdKWFNteGlibEo1WVZkU2JHTnVUWFZpTTBwdVRESmFkbU51Vm5SamVUbDZZVWM1TTJSSGFIbGFWMFpyVEc1Q2IyTkVPVEJRVkdONlRVRTlQU1pKUkQxTlZGRm5UbWM5UFNaRVFrdzkmSUQ9TVRRZ05nPT0mREJMPQ==&ID=MTQgNg==&DBL=
User Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)

#: 587 @: Thu, 25 Nov 2010 16:37:01 -0500
Host: 91-40-134-95.pool.ukrtel.net
IP: 95.134.40.91
Score: 4
Why blocked: Robot Probe. ukrtel, forum spambots. Filthy Russian Netblock. HTTP_REFERER pollution of serverlogs with spam ad word porn, we don't link from there.
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Deepnet Explorer 1.5.0; .NET CLR 1.0.3705)

#: 736 @: Fri, 26 Nov 2010 07:19:41 -0500
Host: 88.81.88.18
IP: 88.81.88.18
Score: 1
Why blocked: Referer code injection thru referer logging attempt, ++ after php, should be ? or +. .
Query:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)

#: 863 @: Fri, 26 Nov 2010 13:20:06 -0500
Host: dynamic-adsl-62-10-64-128.clienti.tiscali.it
IP: 62.10.64.128
Score: 1
Why blocked: tiscali, constant source of forum spam attempts.
Query: t=1122
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)

#: 1026 @: Sat, 27 Nov 2010 04:57:09 -0500
Host: comyoucom.net
IP: 109.169.41.22
Score: 7
Why blocked: g Rapidswitch, dangerous network. POST cloaking attempt POST-17. POST print attempt POST-19. POST RFI attempt POST-28. POST username forcing attempt POST-29. POST execution wedge via bbcode POST-31.0. POST execution wedge via bbcode POST-32.
Query:
User Agent: Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
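An added example, not part of the original posts and not ZB Block's own code: a small Python parser for log entries in the field layout shown in post #2, which tallies blocks per IP and flags queries that are still percent-encoded after more than one decoding round, as in the "nested percents" entry. The sample entries, the function names and the `min_depth` threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample (placeholder hosts/IPs), in the excerpt's field order.
SAMPLE_LOG = """\
#: 1 @: Wed, 24 Nov 2010 00:39:55 -0500 Host: bot1.example.net IP: 192.0.2.10 Score: 1 Why blocked: forum spambots. . Query: User Agent: Mozilla/4.0 (compatible; MSIE 6.0)
#: 2 @: Wed, 24 Nov 2010 21:29:54 -0500 Host: 198.51.100.7 IP: 198.51.100.7 Score: 1 Why blocked: RFI attack/SQL injection (nested percents, level 1). . . Query: f=25%2B%252528test%252529 User Agent: Mozilla/4.0 (compatible)
#: 3 @: Thu, 25 Nov 2010 16:37:01 -0500
Host: bot1.example.net
IP: 192.0.2.10
Score: 4
Why blocked: Robot Probe. forum spambots.
Query: do=register
User Agent: Mozilla/4.0 (compatible; MSIE 6.0)
"""

# Whitespace between fields may be spaces or newlines, so both layouts parse.
ENTRY = re.compile(
    r"#:\s*(?P<num>\d+)\s+@:\s*(?P<time>.+?)\s+Host:\s*(?P<host>\S+)"
    r"\s+IP:\s*(?P<ip>\S+)\s+Score:\s*(?P<score>\d+)"
    r"\s+Why blocked:\s*(?P<why>.*?)\s+Query:\s*(?P<query>.*?)"
    r"\s*User Agent:\s*(?P<ua>.*?)(?=\s*#:\s*\d+\s+@:|\s*\Z)", re.S)

def percent_depth(value, limit=5):
    """Number of URL-decoding rounds that still change the value."""
    depth = 0
    while depth < limit and unquote(value) != value:
        value, depth = unquote(value), depth + 1
    return depth

def parse(log_text):
    entries = [m.groupdict() for m in ENTRY.finditer(log_text)]
    for e in entries:
        e["num"], e["score"] = int(e["num"]), int(e["score"])
        e["depth"] = percent_depth(e["query"])
    return entries

def triage(log_text, min_depth=2):
    """Summarise blocks per IP and flag entries worth a manual look."""
    entries = parse(log_text)
    return {
        "total": len(entries),
        "per_ip": Counter(e["ip"] for e in entries),
        "high_score": [e["num"] for e in entries if e["score"] > 1],
        "nested_encoding": [e["num"] for e in entries if e["depth"] >= min_depth],
    }

print(triage(SAMPLE_LOG))
```
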
#3
I just stumbled across this while looking at the stopforumspam.com website. Yes, it looks interesting.
#4
It's a TREMENDOUS add-on for any PHP based application, vBulletin included. Since adding it to our forums in NOV, our Bandwidth usage has dropped due to fewer spambots being able to crawl the website any longer. (See log entries in above post.)
On some days, unsavory spiders had pushed our BW usage up over 1gB/day, whereas normal (for us) was around 200-300mB/day. We were faced with having to double our costs (i.e. by going to a larger hosting plan) when ZB BLOCK helped us to curtail a lot of wasted bandwidth 'some' robots were chewing up for no good reason at all. Visit http://www.spambotsecurity.com/ for more info. :up: Highly Recommended!
#5
This was worth reading and applying. Installed.
Let's hope this does not block out valid bots though, such as Google or valid members. This basically will prevent anyone not welcome onto your community.
#6
There are plenty of 'well-behaved' bots, crawling my site all the time. Meanwhile, as you mentioned it's preventing many unsavory 'bots access from our community.
#7
So are you guys adding the 1 line of php code to your vBulletin files or to your major templates? (forumhome, forumdisplay, showthread)? Or is there a better place?
#8
Well, per this thread, "ZB Hook (needed) only global.php?", it's only needed in the global.php file from what I gathered.
However since I understand oh-so-little of all this -and- I'm a bit paranoid, I also added the single line of code to my index.php, login.php and register.php files as well. (Overkill? Probably.) My train of thought behind doing so was, what if someone accesses the register.php file directly from off-site? I wasn't sure global.php was called in that instance so I figured, better safe than sorry. I'm sure someone more intelligent than me in how vBulletin's internals actually run could say for sure...but until then.
#9
Well global.php is definitely called by register.php and login.php, and every .php file basically besides functions (which themselves are called by global to begin with) so I'd imagine just adding to global is enough...
However it might be easy to forget to re-edit global.php on an upgrade so I'm wondering if it isn't better to put this line in a plugin on a hook in global.php instead so you don't need to worry about upgrades...
#10
Sounds pretty awesome.
I knew those China spiders were up to no good.... To be honest, I do not know a lot about spiders, but I do most do not appear useful, and I normally see 5+ trying to register at any given time on my forum... Rather than some spiders trying to help your forum/content grow, they would rather hurt you.