IssViews Forum

Views and News on The State of Digital Security
Post subject: Re: ZB Block and Release Info
PostPosted: Thu Jul 22, 2010 11:36 am
Site Admin
Signature Update #61

Quote:
In this release:

1. Signature fix for vBulletin... IMPERATIVE THAT vB USERS UPDATE. (kudos to apleschu)
2. One signature removal.
3. One Robot Probe identifier added.
4. One network removed due to cleaning up their act.
5. 211 Cloud Computing Environments blocked. (These are notorious bot and scraper hosts. Only one of the beta blocks was removed.)
6. One referer block adjusted.
7. 8 more POST bot detections.


Download ZB Block Signature Update #61


Post subject: Re: ZB Block and Release Info
PostPosted: Sat Aug 14, 2010 10:19 am
Site Admin
Signature Update #62

Quote:
In this issue:

1. If you have been getting a nesting attack kill while admining your site, this is now fixed, if you are whitelisted. The nesting attack is not that critical of a detection, since in the nest there are always other violations, and the skiddies have pretty much abandoned it as a method.
2. A block of detections for an IIS hack that has now been patched for 3+ months has finally been removed.
3. 2 new Directory Traversal attacks have been added to detections. These use a triple-dot-slash ".../" or "...\" that I have never seen in ANY URL before. So if your script balks due to them, what the heck are 3 dots and a slash for? (It's so damn alien that when typing them out, I only put 2 dots down... TWICE.)
4. "mama cyber" MaMa CaSpEr's next door neighbor is now persona non grata.
5. 36 new scrape/'sploit bot UAs banned.

And oh yeah...

6. Since this was such a good problem solving update, I broke the rules and slipstreamed them into the main script release, and incremental update files. But you don't need to tell a soul.


Download ZB Block Signature Update #62


Post subject: Re: ZB Block and Release Info
PostPosted: Sun Aug 22, 2010 1:22 am
Site Admin
Signature Update #63

Quote:
In this issue:

1. 6 new (and somewhat questionable) query execution and rfi blocks.
2. VanOppen.biz network banned (was scraping me, hard, and has a history of it.)
3. 3 New POST execution attempt detections.
4. ".../" becomes "..../", a slightly larger, but still a subset of, a well-researched attack pattern.
5. A post detection that needed a whitelist bypass. Uses a very easy to add bit of code. Find it at line 1112.
6. Split one rule for an Austrian ISP that recently bought 1024 addresses from the Ruskies.
7. "= [ p h p ]" (remove spaces) banned in any POST (bbcode php execution segment, no board should allow these).
8. "= [ \" and "\ ]" (remove spaces) banned in any POST (bbcode backslash escaping anti-spam measure).


Download ZB Block Signature Update #63


Post subject: Re: ZB Block and Release Info
PostPosted: Wed Aug 25, 2010 12:28 am
Site Admin
ZB Block 0.4.8 "Cougar" Released.

Quote:
This would normally not be a good reason for a new version, but it has far reaching implications.

Most of you, meaning those running 0.4.7, will be able to use the incremental update, and even at that, all that will be needed is an overwrite with the new signatures.inc and zbblock.php, and dropping a fresh bannedips.csv in your /zbblock/vault/. Your zbblock.ini and other files will not need changing.

From the changelog:

Bugfix: Now compresses spaces and other garbage characters to avoid obfuscation of command detections.

The fix is through the use of 6 new variables in the script and in the signatures. These variables are: $querydecsws, $fromhostsws, $lcuseragentsws, $lcrequesturisws, $rawpostsws, and $lcpostsws. They are exactly the same as their non-"sws" counterparts, except that these strip all whitespace and non-normal ASCII out.

Why do this? Because in PHP "echo('something');" is equivalent to "echo ('something');", or even "echo ( 'something' );"! The old system, if it was looking for "echo(", would have only triggered on the first instance. Now, thanks to the new "sws" variables, this gross oversight has been remedied. "sws", by the way, means "Strip WhiteSpace".

Sorry about this, hope everyone gets updated OK.

Will be paying special attention to my board for help requests.


Download ZB Block 0.4.8 "Cougar"

Signature Update #64

Quote:
This release is commensurate with the update to 0.4.8 "Cougar". You must update the main script to use this signature.


Download ZB Block Signature Update #64


Top
 Profile  
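To illustrate the mechanism the 0.4.8 release note describes, here is an added Python sketch (not ZB Block's own PHP code) of a signature check run against both the plain and the whitespace-stripped "sws" views of the decoded query string and POST body; the signature list and the sample requests are constructed for this illustration.

```python
from urllib.parse import unquote_plus

# Constructed signature list for this illustration (not ZB Block's real
# signatures.inc): each pattern is looked for in the "sws" views.
SWS_SIGNATURES = ("echo(", "eval(", "base64_decode(", "..../")


def strip_ws(text: str) -> str:
    """Build the 'sws' view: drop all whitespace and anything outside
    printable ASCII 0x21-0x7E (NUL bytes, tabs, zero-width spaces...)."""
    return "".join(ch for ch in text if 0x21 <= ord(ch) <= 0x7E)


def request_views(raw_query: str, raw_post: str) -> dict:
    """Decoded, lowercased request fields as plain and 'sws' views.
    Names follow the variables mentioned in the release note."""
    querydec = unquote_plus(raw_query).lower()
    lcpost = unquote_plus(raw_post).lower()
    return {
        "querydec": querydec,
        "querydecsws": strip_ws(querydec),
        "lcpost": lcpost,
        "lcpostsws": strip_ws(lcpost),
    }


def match_signatures(views: dict, use_sws: bool) -> list:
    """Return 'view:signature' hits. use_sws=False mimics the pre-0.4.8
    behaviour (plain views only); True checks the stripped views."""
    hits = []
    for name, text in views.items():
        if name.endswith("sws") != use_sws:
            continue
        for sig in SWS_SIGNATURES:
            if sig in text:
                hits.append(f"{name}:{sig}")
    return hits


def check_request(raw_query: str, raw_post: str = "", use_sws: bool = True) -> list:
    return match_signatures(request_views(raw_query, raw_post), use_sws)


if __name__ == "__main__":
    # Constructed inputs: the three spellings from the post plus NUL and
    # zero-width-space padding; only the first is caught without "sws".
    for q in ("cmd=echo('x');", "cmd=echo+('x');", "cmd=echo+(+'x'+);",
              "cmd=echo%00('x');", "cmd=ec\u200bho('x');"):
        print(repr(q), "old:", check_request(q, use_sws=False),
              "sws:", check_request(q))
```

Because token boundaries vanish in the stripped view, keep "sws" signatures specific, and pair them with a whitelist for trusted admins as the post above notes, or legitimate text that happens to compress into a pattern will be killed too.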