[geeklog-devel] New addition to the demo site - zbblock

Michael Brusletten ironmax at spacequad.com
Thu Sep 22 22:15:28 EDT 2011 

Tom,

All should be fixed in regards to what you mentioned below now.

I did notice one user make a post about the ZBBLOCK that they could not
enter the site from their home computer, but had no problem from other
systems outside their home.  Unfortunately, I cannot help this user unless
they are willing to provide the requested information to help me track down
why they were blocked.  It could be something so simple, that I could make
an adjustment to my script.  Perhaps I could turn on direct email to a
special email account I could setup, so that they could click and I get this
information with a message from them.

Here are just a few log entries I've pasted here, so you can see examples of
what it blocks.  The first entry is the test url to verify it works.

#: 1 @: Thu, 22 Sep 2011 08:27:39 -0400 Running: 0.4.9_Final
Host: node1.spacequad.com
IP: 192.168.0.254
Score: 1
Violation count: 0
Why blocked: QUERY Test Trigger to test function.
Query: test=xtestx
Referer:
User Agent: Mozilla/5.0 (Windows NT 5.0; rv:5.0.1) Gecko/20100101
Firefox/5.0.1
Reconstructed URL: http:// demo.geeklog.net /index.php?test=xtestx

#: 2 @: Thu, 22 Sep 2011 08:30:13 -0400 Running: 0.4.9_Final
Host: ec2-50-16-26-215.compute-1.amazonaws.com
IP: 50.16.26.215
Score: 1
Violation count: 1
Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword
spamming SEO bots, and other unsavories. Checked for bypass -
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
GTB6.4)
Reconstructed URL: http:// demo.geeklog.net /index.php

#: 3 @: Thu, 22 Sep 2011 08:33:56 -0400 Running: 0.4.9_Final
Host: alexandria84.etcserver.com
IP: 174.123.137.18
Score: 1
Violation count: 1
Why blocked: Scrapebot, SEO scum.
Query: method=newtopic&forum=1
Referer: http://demo.geeklog.net/
User Agent: Mozilla/4.0 (vBSEO; http://www.vbseo.com)
Reconstructed URL: http:// demo.geeklog.net
/forum/createtopic.php?method=newtopic&forum=1

#: 4 @: Thu, 22 Sep 2011 08:44:57 -0400 Running: 0.4.9_Final
Host: sentriless-lantern.volia.net
IP: 93.72.18.22
Score: 3
Violation count: 1 INSTA-BANNED
Why blocked: Robot Probe. INSTA-BAN. Bot UA. RBN. You have been instantly
banned due to extremely hazardous behavior!
Query: method=newtopic&forum=1
Referer:
http://demo.geeklog.net/forum/createtopic.php?method=newtopic&forum=1
User Agent: Mozilla/0.91 Beta (Windows)
Reconstructed URL: http:// demo.geeklog.net
/forum/createtopic.php?method=newtopic&forum=1

#: 5 @: Thu, 22 Sep 2011 08:54:03 -0400 Running: 0.4.9_Final
Host: chols252.krypt.com
IP: 98.126.47.234
Score: 2
Violation count: 1
Why blocked: RFI attack/SQL injection (some browser plugins like
Linkification for Firefox may cause this). Execution Attempt.
Query:
method=newtopic&forum=1+Result:+captcha+recognized;+choosen+values+in+select
+field+-+%22blah%22;+success+-+posted+to+first+encountered+partition+%22inde
x.php?forum=1%22;+BB-code+not+working;
Referer: http://www.discountonline-uggboots.com]
User Agent: Mozilla/4.76 [en] (Windows NT 5.0; U)
Reconstructed URL: http:// demo.geeklog.net
/forum/createtopic.php?method=newtopic&forum=1+Result:+captcha+recognized;+c
hoosen+values+in+select+field+-+%22blah%22;+success+-+posted+to+first+encoun
tered+partition+%22index.php?forum=1%22;+BB-code+not+working;

#: 6 @: Thu, 22 Sep 2011 08:54:12 -0400 Running: 0.4.9_Final
Host: chols252.krypt.com
IP: 98.126.47.234
Score: 2
Violation count: 2
Why blocked: RFI attack/SQL injection (some browser plugins like
Linkification for Firefox may cause this). Execution Attempt.
Query:
method=newtopic&forum=1+Result:+captcha+recognized;+choosen+values+in+select
+field+-+%22blah%22;+success+-+posted+to+first+encountered+partition+%22inde
x.php?forum=1%22;+BB-code+not+working;
Referer:
http://demo.geeklog.net/forum/createtopic.php?method=newtopic&forum=1+result:+captcha+recognized;+choosen+values+in+select+field+-+%22blah%22;+success+-+posted+to+first+encountered+partition+%22index.php?forum=1%22;+bb-code+not+working;
User Agent: Mozilla/4.76 [en] (Windows NT 5.0; U)
Reconstructed URL: http:// demo.geeklog.net
/forum/createtopic.php?method=newtopic&forum=1+Result:+captcha+recognized;+c
hoosen+values+in+select+field+-+%22blah%22;+success+-+posted+to+first+encoun
tered+partition+%22index.php?forum=1%22;+BB-code+not+working;

#: 7 @: Thu, 22 Sep 2011 09:02:23 -0400 Running: 0.4.9_Final
Host: 70-40-95-178.pool.ukrtel.net
IP: 178.95.40.70
Score: 1
Violation count: 1
Why blocked: ukrtel, forum spambots.
Query: method=newtopic&forum=1
Referer:
http://demo.geeklog.net/forum/createtopic.php?method=newtopic&forum=1
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.6
(build 01425))
Reconstructed URL: http:// demo.geeklog.net
/forum/createtopic.php?method=newtopic&forum=1

#: 8 @: Thu, 22 Sep 2011 09:02:31 -0400 Running: 0.4.9_Final
Host: 70-40-95-178.pool.ukrtel.net
IP: 178.95.40.70
Score: 1
Violation count: 2
Why blocked: ukrtel, forum spambots.
Query:
Referer:
http://demo.geeklog.net/forum/createtopic.php?method=newtopic&forum=1
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.6
(build 01425))
Reconstructed URL: http:// demo.geeklog.net /index.php

Hopefully with some tweaking, I can forgo the perminant ban after the 3
strike rule and just provide the user with the actual error page everytime,
instead a few words that they've been banned.

Michael


> ------------------------------
>
> Message: 2
> Date: Thu, 22 Sep 2011 14:09:44 -0400
> From: "Tom" <websitemaster at cogeco.net>
> Subject: Re: [geeklog-devel] New addition to the demo site - zbblock
> To: "'Geeklog Development'" <geeklog-devel at lists.geeklog.net>
> Message-ID: <00e301cc7952$ce5492b0$6afdb810$@cogeco.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Hey Michael,
>
>
>
> I just noticed on the demo site that the "Welcome to Geeklog"  story
> contains links to the old forum plugins website. Could you update it to
> http://code.google.com/p/geeklog/ when you get a chance?
>
>
>
> The Captcha plugin also has been taken over by Ben of Geeklog.fr
>
>
>
> In regards to your email, I haven't heard of ZB Block before, I will have
to
> read up on it.
>
>
>
> Thanks
>
>
>
> Tom
>
>
>
> From: geeklog-devel-bounces at lists.geeklog.net
> [mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Michael
> Brusletten
> Sent: September-22-11 12:35 PM
> To: geeklog-devel at lists.geeklog.net
> Subject: [geeklog-devel] New addition to the demo site - zbblock
>
>
>
> To All:
>
>
>
> I have added ZBBLOCK <http://www.spambotsecurity.com/zbblock.php>  to the
> Geeklog Demo Site because I thought it was time to finally stop the
> onslaught of really bad behavior that should not be let into the site in
the
> first place.  What this script does is the following:
>
>
>
> This php security script is designed to detect certain behaviors
detrimental
> to websites, or known bad addresses attempting to access your site. It
then
> will send the bad robot (usually) or hacker an authentic 403 FORBIDDEN
page
> with a description of what the problem was. If the attacker persists, then
> they will be served up a permanently reccurring 503 OVERLOAD message with
a
> 24 hour timeout.
>
> If you are looking for a script to help with protection of a
Counter-Strike
> Gaming server, this is not the zBlock program you are looking for. You can
> find them at  <http://zblock.mgamez.eu/> http://zblock.mgamez.eu/ ,
however,
> many of the same sites could also benefit from what this site has to
offer.
> The name is purely coincidental (I have been using the moniker Zaphod
> Breeblebrox for 25 years), and their version number is V. 4.4 a
> post-release. While ZB Block (double Bs and a space) is still in beta
> development.
>
>
> What ZB Block is Excellent at:
>
>
> * Saves money by reducing hacker bandwith usage! (by 2,500% on this
> site's index page alone!)
> * Strengthing your site against defacement.
> * Preventing PHP script exploitation.
> * Ending Remote File Include (RFI) exploits.
> * Protecting against directory traversal attacks.
> * Stopping MySQL database injection and tampering.
> * Removing access from known bad addresses and domain names.
> * Blocking access from top level domains, like .cn (China) and .kp
> (North Korea).
>
>
> What ZB Block is Good at:
>
>
> * Avoiding website scraping/content theft.
> * Deterring bad user agents.
> * Halting referrer spam.
> * Impeding some Cross Site Scripting (XSS) attacks.
>
>
> What ZB Block will not do:
>
>
> * Protect non-PHP pages.
> * Stop access to non-exploitable resource files like .gif, .jpg, or
> .swf .
>
> ZB Block is also fast, not only does ZB Block check for over 100,000,000
bad
> IPs/Hostnames and many thousands of bots, but standard execution times are
> around 1/10th of a second on an aged PIII 930, which is unnoticable to the
> web surfer. This anti-exploit / anti-'sploit / anti-hacking /
anti-injection
> script should find many uses around the web as it's good at detecting, and
> stopping exploitation probes from many of the worst known skript kiddie
> tools.
>
>
>
>
> Why ZB Block is BETTER than .htaccess methods...
>
>
> 1. Under certiain tasks, it is FASTER than htaccess due to only polling
> the server for data once per execution. An example of this is domain
> blocking.
> 2. It will run on webservers that do not support the full gamut of
> .htaccess commands (And there are quite a few).
> 3. It allows for intelligent detection of problem clients without
> previous knowledge of their address.
> 4. It can sniff query strings to find attack sequences from all IPs,
> while allowing legitimate requests to go through.
> 5. Through proper signature use, it can automatically remove some
> blocks that have met a condition. (such as registration of domain)
> 6. It can ban whole whole ranges of IPs written in classic decimal
> quadot notation. You can put your own custom ones in the signatures like
> 193.189.126.5 through 193.189.127.252 . (.htaccess gets a big FAIL! on
> dealing with IPs as it uses tricky to maintain CIDR ranges that only work
in
> a most signifigant bit (MSB) method, sometimes requiring multiple entries
> for oddball ranges. 'Did I really include all the IPs? Did I accidentally
go
> to far?')
> 7. Some hosts don't like custom 403s, so they don't allow you to use
> your own .htaccess driven 403. ZB Block doesn't care if the .htaccess is
> emplaced.
> 8. It logs banned accesses for later review in plain, easy to read
> english, with a description as to why said session was blocked.
> 9. It's simple and easy to use, and requires no authorization beyond
> the ability to upload files to your php equipped web-server.
> 10. Most importantly, it slows down evil robot machines to a crawl
> (sometimes) and helps alleviate (we hope) your fellow hosts/webmasters
from
> some of the unwanted traffic!
> 11. For more information, see http://www.spambotsecurity.com/zbblock.php
>
> To download the script, goto their site
> http://www.spambotsecurity.com/zbblock.php and check it out.
>
>
>
> I have added a message to the 404 Error page that will be shown to those
> that have issues to copy and paste the message they get in a forum post on
> the geeklog site for help.  However, it is my belief that there will be
> little to no problems with normal operations other that a dramatic
decrease
> in spammer/hacker traffic.
>
>
>
> Michael
>
>

More information about the geeklog-devel mailing list