ZB Block Spambot Security

Discussion in 'General Support' started by david62311, Oct 5, 2015.

  1. david62311

    david62311 Well-Known Member

    Joined:
    Aug 29, 2013
    Messages:
    2,107
    Likes Received:
    235
    The bots are in repeat mode, not realizing they need to give up. They are attempting SQL injections on my site. ZB Block is blocking them and recording it in the killed log where I can see them. This has been going on since last month. I got two attempts last month where ZB Block has been protecting. The records show their user-agent was Opera/9. Just last evening and the morning before they really went after my WeBid site. This time I had a .htaccess block up for Opera/9, so all they saw was a 403 page. My logs from yesterday show 21 attempts. The user-agents they were rotating were Opera/9 and Mozilla/4. I've warned people to block out Mozilla/4. I can't show you the blocks or the logs because they are too dangerous out in public, but I can suggest, if you've got a list going in your .htaccess file, to block out the Mozilla/4 and Opera/9 user-agents. The 21 attempts to inject my WeBid site last evening were all done within a minute, and their user-agent rotated 4 different times. It started with Firefox/3, then Mozilla/4, then Opera/9, and then back to Mozilla/4.

    Add this in the middle if you've got one already. If you add it to the end, then remove the very last OR and add an OR to the one you just bumped up.
    Code:
    RewriteCond %{HTTP_USER_AGENT} Firefox/3\. [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Mozilla/4 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Opera/9 [NC,OR]
    I will just share my blocks with you. You can add this to your .htaccess file. The browser blocks are for very old browsers that should not be used today. You can remove them if you are not comfortable blocking super old browsers. You can remove anything you don't like here when you add it to your .htaccess file. Just make sure there is no OR on the last one.
    Code:
    # BLOCK USER AGENTS
    # Every RewriteCond pattern is an unanchored regex tested against the
    # User-Agent header; NC makes it case-insensitive and OR chains it with
    # the next condition, so the RewriteRule fires when any one pattern matches.
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} beast [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} curl [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} echo [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} grab [NC,OR]
    # Old browser versions; the escaped dot pins the major version number.
    RewriteCond %{HTTP_USER_AGENT} Firefox/2\. [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Firefox/3\. [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Firefox/4\. [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Firefox/5\. [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Firefox/6\. [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Firefox/8\. [NC,OR]
    # Caution: a bare prefix also matches every later version that begins with
    # the same digits (Firefox/1 matches Firefox/115, Chrome/1 matches
    # Chrome/120), so these lines block current browsers, not only old ones.
    RewriteCond %{HTTP_USER_AGENT} Firefox/1 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Firefox/2 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Firefox/31 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Firefox/34 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Chrome/1 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Chrome/2 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Chrome/9\. [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Chrome/3 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Chrome/40 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Mozilla/1 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Mozilla/3 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Mozilla/4 [NC,OR]
    # A backslash-escaped space matches a literal space inside the token.
    RewriteCond %{HTTP_USER_AGENT} OS\ X\ 10_7_5 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} OS\ X\ 10_8_4 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} OS\ X\ 10_8_5 [NC,OR]
    # Scanners, crawlers and toolbars. Plain words such as Fast, Info, Media,
    # Project, Research, Survey, test and robots match any User-Agent that
    # happens to contain them, legitimate or not.
    RewriteCond %{HTTP_USER_AGENT} AskTbPTV [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Baiduspider [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} DotBot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Fast [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Iceweasel [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Info [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Java [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Jorgee [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Konqueror [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Media [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Morfeus [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} NerdyBot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Netcraft [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} nmap [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} PeoplePal [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Presto/2 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Project [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Research [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} spbot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Survey [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} test [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Trident/5 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} YandexBot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} console [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} dictionary [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} inspect [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} invoker [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} jsp [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} nutch [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} probethenet [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} robots [NC,OR]
    # Last condition in the chain: no OR flag here.
    RewriteCond %{HTTP_USER_AGENT} Opera\ 7 [NC]
    # When a condition matched, every request except robots.txt gets 403 Forbidden ([F]).
    RewriteRule !^robots\.txt$ - [F]
    By the way, I am not the only WeBid user to get attacks like this. There are others; I've seen their ZB kill logs. Add ZB Block and protect you Ras!
     
    Last edited: Oct 6, 2016
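An added example, not code from the post above: the RewriteCond patterns from the .htaccess block, replayed in Python the way Apache evaluates them (unanchored, case-insensitive regex against the User-Agent), so you can check what a given list blocks before deploying it. The pattern list copies the poster's full block and appends Opera/9 from the shorter snippet; the sample User-Agents are constructed for this example, not taken from anyone's logs; and the robots.txt handling assumes a root-level .htaccess, where the per-directory path for /robots.txt is plain `robots.txt`.

```python
import re

# Patterns copied from the post's RewriteCond lines, in the same order, with
# Opera/9 from the first snippet appended. Apache treats each as an unanchored
# regex; the NC flag makes it case-insensitive.
UA_PATTERNS = [
    r"beast", r"curl", r"echo", r"grab",
    r"Firefox/2\.", r"Firefox/3\.", r"Firefox/4\.", r"Firefox/5\.",
    r"Firefox/6\.", r"Firefox/8\.", r"Firefox/1", r"Firefox/2",
    r"Firefox/31", r"Firefox/34",
    r"Chrome/1", r"Chrome/2", r"Chrome/9\.", r"Chrome/3", r"Chrome/40",
    r"Mozilla/1", r"Mozilla/3", r"Mozilla/4",
    r"OS\ X\ 10_7_5", r"OS\ X\ 10_8_4", r"OS\ X\ 10_8_5",
    r"AskTbPTV", r"Baiduspider", r"DotBot", r"Fast", r"Iceweasel", r"Info",
    r"Java", r"Jorgee", r"Konqueror", r"Media", r"Morfeus", r"NerdyBot",
    r"Netcraft", r"nmap", r"PeoplePal", r"Presto/2", r"Project", r"Research",
    r"spbot", r"Survey", r"test", r"Trident/5", r"YandexBot", r"console",
    r"dictionary", r"inspect", r"invoker", r"jsp", r"nutch", r"probethenet",
    r"robots", r"Opera\ 7",
    r"Opera/9",  # from the post's first, shorter snippet
]
_COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in UA_PATTERNS]


def matching_patterns(user_agent):
    """Return every RewriteCond pattern that would match this User-Agent."""
    return [p for p, rx in _COMPILED if rx.search(user_agent)]


def decide(user_agent, request_path):
    """Mimic the post's RewriteRule: 403 when any pattern matches, except for
    robots.txt. Assumes a root-level .htaccess, so the per-directory path
    tested by the rule for /robots.txt is simply 'robots.txt'."""
    if request_path.lstrip("/") == "robots.txt":
        return 200
    return 403 if matching_patterns(user_agent) else 200


# Constructed sample User-Agents (assumed, not copied from any log).
SAMPLE_UAS = {
    "bot rotating Mozilla/4": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "bot rotating Opera/9": "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18",
    "curl": "curl/8.4.0",
    "current Chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "current Firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
                       "Gecko/20100101 Firefox/115.0",
    "Googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def audit(samples=SAMPLE_UAS):
    """Map each sample name to the patterns that block it ([] means allowed)."""
    return {name: matching_patterns(ua) for name, ua in samples.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name:24s} {'403' if hits else '200'}  {hits}")
```

Running the audit shows the bot User-Agents and curl being caught as intended, Googlebot passing, and the bare prefixes `Chrome/1` and `Firefox/1` catching current Chrome and Firefox as well, which is the side effect to weigh before copying the list wholesale.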
  2. Gary Harvey

    Gary Harvey New Member

    Joined:
    May 9, 2016
    Messages:
    7
    Likes Received:
    0
    FYI, I installed ZB-Block and it worked great for about a week, and then one day I tried to log into the Admin and it blocked me. I contacted the hosting company and they found that ZB-Block was blocking everything on the site. I removed ZB-Block and tried to re-install WeBid, and it still would not work. I had to completely reset my hosting account before I could do anything again. I now do not trust ZB-Block.
     
  3. david62311

    david62311 Well-Known Member

    Joined:
    Aug 29, 2013
    Messages:
    2,107
    Likes Received:
    235
    Sorry to hear that. I had no problem with it; it has saved me several times and I know it has my back. It's only on my front-end. It should have shown a record of why it blocked you in the zbblock/vault/killed_log.txt file. Take a look there and see if you can figure it out. Maybe it Insta-Banned you. I know it did to me because I was experimenting with the Tor browser. This is recent activity on my site where someone tried to use a Tor browser on it. Notice the Host shows tor. This is just an example, and I am guessing something in there INSTA-BANNED you. If you did get INSTA-BANNED then you will have to figure out why, and I will try to help out below on what to do.
    Code:
    #: 790 @: Thu, 20 Oct 2016 20:12:16 -0400 Running: 0.4.10a3 / 76
    Host: tor.idolf.dk
    IP: 80.240.139.111
    Score: 1
    Violation count: 1 INSTA-BANNED
    Why blocked: TOR Not Allowed. INSTA-BAN. You have been instantly banned due to extremely hazardous behavior!
    Query:
    Referer:
    User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.90 Safari/537.36
    Reconstructed URL: http:// MYSITE.com /
    I found this IP that got INSTA-BANNED in these files. If your IP is in these files, then remove it from them.
    zbblock/vault/ipddb.csv
    zbblock/vault/ippbdb.csv
    zbblock/vault/ippbdb.txt

    Amazingly, I didn't see it in this file:
    zbblock/vault/bannedips.csv

    If you got banned, then there is a place to whitelist your IP. I wish I had more time to answer this and find the location where you whitelist your IP so it doesn't get banned. I've seen it before. I will look for the spot and let you know later today where it is.
     
    Last edited: Oct 21, 2016
  4. david62311

    david62311 Well-Known Member

    Joined:
    Aug 29, 2013
    Messages:
    2,107
    Likes Received:
    235
    I've looked up some stuff after looking at my ZB Block files thoroughly. There is no active file in the ZB Block script for adding your IP to a whitelist. You have to create an ipwldb.csv file for it, as explained below, which I got from about midway down the page at this link: http://tehnoblog.org/wordpress-security-pro-tips-zb-block-installation-tutorial/

    What I've already mentioned in my post above, it also mentions on that page. Look for where it starts like this and you will find some answers:
    ZB BLOCK: I HAVE BEEN BANNED !?

    Don’t panic. When ZB Block is first installed, most users simply use the default installation, and admins typically visit specific website URLs that trigger protection wires, such as cron tasks (manual/auto), ajax requests and so on. First, you need to remove yourself from the blocked list: go to the zbblock/vault subdirectory and remove your IP address from these files:

    • ipddb.csv
    • ippbdb.csv
    • ippbdb.txt
    Create a new file called:

    • ipwldb.csv
    and enter your IP address into the whitelist and save. This will prevent your IP from being banned next time (in most cases at least*), but keep in mind that your IP may change over time if your ISP assigns dynamic IPs instead of static ones. Additionally, you may consider changing some configuration constants explained above.

    * Remember when we first mentioned the white list file? Well, it turns out that this list is not exactly a white list, but more of a grey list in nature. This means that your IP address will have some immunity from ZB Block, but it will still be checked against some harmful-signature rules, and it will be banned if you trigger them.

    You should definitely inspect the killed_log.txt content, locate your IP address and see the exact reason and matched detection rule code in the Why? section. This will essentially tell you the exact reason why the ban happened in the first place (ajax, cron job URL or something else…), and the next thing for you would be to decide how you will approach the solution, either by creating a custom signature/bypass rule or by changing some .ini config options, if possible.
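An added example, not ZB Block's own code and not from the post or the tutorial it quotes: a small parser for killed_log.txt in the record layout shown in the earlier post (a `#:` header line followed by `Key: value` lines), so you can pull out every record for your own IP, read the "Why blocked" reason, and see whether it was an INSTA-BAN before you go editing the vault files. It also shows a line filter for removing an address from the vault lists. Assumptions: the record layout is exactly as in the posted sample; the first sample record copies the post's, the other two are constructed with a documentation address (203.0.113.7) and invented "Why blocked" text that is not a real ZB Block signature; and the vault-file lines are constructed, since the post does not show that file's column layout.

```python
import re

# Constructed sample killed_log.txt. Record #790 is the one shown in the post;
# #791 and #792 are made up for this example (documentation address, invented
# "Why blocked" text) to show an admin tripping rules twice without an INSTA-BAN.
SAMPLE_KILLED_LOG = """\
#: 790 @: Thu, 20 Oct 2016 20:12:16 -0400 Running: 0.4.10a3 / 76
Host: tor.idolf.dk
IP: 80.240.139.111
Score: 1
Violation count: 1 INSTA-BANNED
Why blocked: TOR Not Allowed. INSTA-BAN. You have been instantly banned due to extremely hazardous behavior!
Query:
Referer:
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.90 Safari/537.36
Reconstructed URL: http:// MYSITE.com /

#: 791 @: Fri, 21 Oct 2016 08:03:11 -0400 Running: 0.4.10a3 / 76
Host: admin-workstation.example
IP: 203.0.113.7
Score: 1
Violation count: 1
Why blocked: (constructed sample) manual cron URL tripped a rule
Query: action=cron
Referer:
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Reconstructed URL: http:// MYSITE.com /cron.php?action=cron

#: 792 @: Fri, 21 Oct 2016 08:05:42 -0400 Running: 0.4.10a3 / 76
Host: admin-workstation.example
IP: 203.0.113.7
Score: 1
Violation count: 2
Why blocked: (constructed sample) admin ajax request tripped a rule
Query: ajax=1
Referer:
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Reconstructed URL: http:// MYSITE.com /admin/index.php?ajax=1
"""


def parse_killed_log(text):
    """Split killed_log.txt into one dict per record, keyed by field name.
    Assumes every record opens with a '#:' header and the rest are 'Key: value'."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("#:"):
            if current is not None:
                entries.append(current)
            current = {"header": line}
            continue
        if current is None or not line.strip():
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current is not None:
        entries.append(current)
    return entries


def entries_for_ip(entries, ip):
    """Every record whose IP field equals the given address."""
    return [e for e in entries if e.get("IP") == ip]


def ban_reasons(entries, ip):
    """The 'Why blocked' text of each record for this IP, oldest first."""
    return [e.get("Why blocked", "") for e in entries_for_ip(entries, ip)]


def is_insta_banned(entries, ip):
    """True when any record for this IP carries the INSTA-BANNED marker."""
    return any("INSTA-BANNED" in e.get("Violation count", "")
               for e in entries_for_ip(entries, ip))


def strip_ip(lines, ip):
    """Drop every line that carries exactly this IP (for ipddb.csv and friends).
    Assumes one address per line; the lookarounds keep 203.0.113.70 intact
    when removing 203.0.113.7."""
    rx = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [ln for ln in lines if not rx.search(ln)]


# Constructed vault-file lines; the real column layout is not shown in the post.
SAMPLE_VAULT_LINES = [
    "203.0.113.7,2016-10-21",
    "203.0.113.70,2016-10-20",
    "198.51.100.5,2016-10-19",
]

if __name__ == "__main__":
    records = parse_killed_log(SAMPLE_KILLED_LOG)
    for ip in ("80.240.139.111", "203.0.113.7"):
        print(ip, "INSTA-BANNED" if is_insta_banned(records, ip) else "scored",
              ban_reasons(records, ip))
    print(strip_ip(SAMPLE_VAULT_LINES, "203.0.113.7"))
```

Run it against your real killed_log.txt by reading the file into `parse_killed_log`; the reasons it prints for your address are what decide whether you need a bypass rule, an .ini change, or just the whitelist entry.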
     
  5. david62311

    david62311 Well-Known Member

    Joined:
    Aug 29, 2013
    Messages:
    2,107
    Likes Received:
    235
    The link I initially put to download ZB Block is inactive now. The new link to get ZB Block is: https://zb-block.net/zbf/showthread.php?t=28

    I knew my ZB Block automatically banned any user using a TorBrowser.

    I just started to use a certain service. When I went to both of my sites while that certain service was turned on, ZB Block detected the VPN service and blocked it. This was the page I saw when I visited both of my sites:

    [Attachment: ZB Block - VPN Detection.png]
    I've got nothing against people using a VPN service, with all of the ISPs out there spying on them and what they are doing, but having ZB Block pick it up and give the user an option to contact you is good!

    By the way, it seems blocking IP addresses is kind of useless in today's coding world. I was debating about mentioning it because when a Google search is done, people on the outside can read it. VPN services are not a secret. Security coding is getting more and more complicated every day. There is no set-and-forget option for security that's going to keep bad things out. You have to keep up with updating security almost all of the time. Merely a suggestion.

    ZB Block has been good security for me. It could use some updating though. Maybe the version in the link I shared has updated security signatures.
     
