Download ZB Block

MAIN SCRIPT 0.3.1b 04/07/09

• ZB Block .zip
• ZB Block .tar.gz

*You need this file to install the script.

• changelog

SIGNATURE UPDATE #0037a 06/21/09
Compatible with 0.3.0b+

• Signatures.inc .zip
• Signatures.inc .tar.gz

*You should update to the latest signatures.inc as soon as your install is working.

Optional Custom Signature Plug-ins

• China and North Korea Blocks .zip
• China and North Korea Blocks .tar.gz

*These files are optional blocks that are too potent for some users. (For instance: Blocking whole countries.)

Site Menu

• Home
• ZB Block
• PHP Poison Pill X-treme
• C.A.S.P.E.R.
• Backscatter
  C.A.P.T.C.H.A.
• P2P Blocklist
• About Us
• Forum
• Blog

Security Advice

• Forum and Blog
  Operation Safety
• More Server Protections
• Anti-Virus
• Firewall
• Anti-Spyware
• Maintenance
• Info on Security Advice

Bookmarking and
Social Networking

• Link To Us
• Links Page
• Twitter, Digg, Stumble and More.
  

Please donate to the projects
this site supports.

Contributors:
Mrwilson	$10.00

ZB BLOCK

Don't let the robots in the door!
A GPL V2 PHP Protection Script for your site.

Known Worms/Probes Defeated by ZB Block: FeeLCoMz Probe Santy A.K.A. NeverEverNoSanity WebWorm PHPInclude Perl.PhpInclude.Worm Linux/Lupper.worm

ZB Block adds resistance to remote injection of these shell scripts: Ajax Shell Backdoor php Shell C99 Shell / C100 Shell Crystal Shell October73 Shell DxShell R57 Shell Safe0ver Shell RWWW A.K.A. Reverse WWW Tunnel Backdoor PHP/IrcBot

ZB Block helps protect these php web applications: Joomla, Mambo, phpBB2, phpBB3, Invision Power Board (IPB), punBB, Simple Machines Forum (SMF), Drupal, blog cms, MODx, PHP-Nuke, WordPress, and many more!

This php security script is designed to detect certain behaviors detrimental to websites, or known bad addresses attempting to access your site. It then will send the bad robot (usually) or hacker an authentic 403 FORBIDDEN with a description of what the problem was.

What ZB Block is Excellent at:

• Strengthing your site against defacement.
• Preventing PHP script exploitation.
• Ending Remote File Include (RFI) exploits.
• Protecting against directory traversal attacks.
• Stopping MySQL database injection and tampering.
• Removing access from known bad addresses and domain names.
• Blocking access from top level domains, like .cn (China) and .kp (North Korea).

What ZB Block is Good at:

• Avoiding website scraping/content theft.
• Deterring bad user agents.
• Halting referrer spam.
• Impeding some Cross Site Scripting (XSS) attacks.

What ZB Block will not do:

• Protect non-PHP pages.
• Stop access to non-exploitable resource files like .gif, .jpg, or .swf .

ZB Block is also fast, not only does ZB Block check for over 100 million bad IPs/Hostnames and many thousands of bots, but standard execution times are around 1/10th of a second on an aged PIII 930, which is unnoticable to the web surfer. This anti-exploit / anti-'sploit / anti-hacking / anti-injection script should find many uses around the web as it's good at detecting, and stopping exploitation probes from many of the worst known skript kiddie tools.

 

Why ZB Block is BETTER than .htaccess methods...

1. Under certiain tasks, it is FASTER than htaccess due to only polling the server for data once per execution. An example of this is domain blocking.
2. It will run on webservers that do not support the full gamut of .htaccess commands (And there are quite a few).
3. It allows for intelligent detection of problem clients without previous knowledge of their address.
4. It can sniff query strings to find attack sequences from all IPs, while allowing legitimate requests to go through.
5. Through proper signature use, it can automatically remove some blocks that have met a condition. (such as registration of domain)
6. It can ban whole whole ranges of IPs written in classic decimal quadot notation. You can put your own custom ones in the signatures like 193.189.126.5 through 193.189.127.252 . (.htaccess gets a big FAIL! on dealing with IPs as it uses tricky to maintain CIDR ranges that only work in a most signifigant bit (MSB) method, sometimes requiring multiple entries for oddball ranges. 'Did I really include all the IPs? Did I accidentally go to far?')
7. Some hosts don't like custom 403s, so they don't allow you to use your own .htaccess. ZB Block doesn't care if the .htaccess is emplaced.
8. It logs banned accesses for later review in plain, easy to read english, with a description as to why said session was blocked.
9. It's simple and easy to use, and requires no authorization beyond the ability to upload files to your php equipped web-server.
10. Most importantly, it slows down evil robot machines to a crawl (sometimes) and helps alleviate (we hope) your fellow hosts/webmasters from some of the unwanted traffic!

Theory of operation...

This is generally how ZB Block works...

1. Capture the execution of the page, as close as possible to the beginning of it, definitely before MySQL operations.
2. Poll all connection details: QUERY, POST, IP, Hostname, Referer, and User Agent. Treat all polled data as hostile and do not attempt to load as distinct variables.
3. Check for problems in the polled data through the standard signature file.
4. Check again through the custom signature file.
5. If no problems are found return execution to the main part of the page and add 0 bytes to connection. Elsewise...
6. Log connection details to killed_log.txt (Can be very important if you suspect accidental "catches", or wish to inspect the "catch" for more ways to detect the problem).
7. Handle attack by dumping the connection to a "You Are Banned / 403 Forbidden" page.
8. Do not return execution to the original file and send DIE command to the php interpereter.

At no time does ZB Block actually perform processing with the data in the connection, nor does it try to correct it. It simply scans the information for known problems. It also does not use MySQL or any other Server Query Language, as that in itself could open up your site to an attack (We don't want some of this data even getting NEAR your database).

• At no time should ZB Block effect any hostile actions towards the connecting client, so it is safe for the most serious business website.
• At no time should ZB Block affect the output of data to a non-hostile connection, thus, it is safe for the most complex websites.

Caveat: ZB Block IS a GPL V.2 script, so responsibilities for problems are the user's, not the authors. In otherwords, I, or the team, in part or total take no responsibility for loss, damage, or harm, whether real or imagined, if you use this script. That said, we code it very carefully to avoid errors, so we think you can use it with confidence. (This site is currently using it, and protected by it.)

This script is © Copyright 2008,2009, under the LGPL License Version 2 by Mike H. . This means if you modify it, you still must give me credit, and leave the copyright notices intact, but of course it is free to use forever!

P.S. Nothing is gained without a LITTLE work, so read the documentation in the .zip . And remember, your pages must be .php for this to work. :)

CURRENT WALL OF SHAME
These are sessions that have run afoul of ZB BLOCK

This month, also below
02/09 & 03/09 04/09 05/09 06/09