02 Feb 2007 - 13 May 2022
The Web's premier link spam killer.
Over the past day or so I’ve seen close to 1,000 brute force login attempts at my own WordPress sites originating from botnets. Other sites are being hit even harder.
After analyzing the data I have, I’ve determined that there are two separate and distinct attackers, and Bad Behavior is successfully blocking 100% of attempts from both of them.
Bad Behavior 2.2.14 has been released. This is a maintenance release and is recommended for all users.
Changes
The following changes have been made since 2.2.13:
- An additional exploit scanner has been identified and blocked.
- A small change has been made to accommodate a change made by Firefox to its User-Agent format, to ensure that Firefox 25 (which doesn’t yet exist) is not improperly blocked.
Download
Notes
Just as a reminder, if you use CloudFlare on your site, you must enable the Reverse Proxy option in Bad Behavior’s settings, or many of your visitors and search engines will be blocked.
Work on Bad Behavior 3.0 is making progress; I have some very basic pre-alpha code and a test framework and I hope to have it cleaned up enough to attempt to begin using in the next few days. If you would like to see this work progress more quickly, or you just want to say thank you, consider making a donation today.
I had to temporarily block all user registrations on the bug tracker for a short while due, ironically, to spam registrations.
Registration has been reopened for now, and I’m manually dealing with the spammers.
This very bad experience has motivated me to do more about web spammers.
In this case, the bug tracker is Redmine, a web application developed in Ruby on Rails.
My first thought in such a case would have been to throw Bad Behavior at the web app and let it handle the problem. Unfortunately, Bad Behavior is written in PHP, making this impossible. By this point there must be any number of Ruby/Rails apps out there which are now suffering from the spam problems that we all went through and mostly got under control years ago.
It’s therefore my intention, as part of the Bad Behavior 3.0 rewrite, to create a Ruby gem which can be used to help secure such web applications. It may not be a simultaneous release, but something has to be done, and soon.
P.S. It’s also come to my attention that Redmine hasn’t been emailing me when someone enters a new ticket into the system. This should also be fixed. I’ve also taken the time to look at every ticket currently in the system. All bugs and support requests have been responded to, and all features looked at.
It’s come to my attention that Google has once again managed to get FeedBurner blacklisted at Project Honey Pot.
Those of you using Bad Behavior’s Project Honey Pot support will see that requests from FeedBurner are blocked because the IP address is on the http:BL blacklist.
This is caused by an architectural problem at Google, and will require Google to resolve the issue for the problem to go away permanently. The issue is that, in the case of FeedBurner, Google uses IP addresses which are shared by third parties using Google App Engine, some of which are spammers. The spammers quickly get Google’s IP address blacklisted all over the Internet, and suddenly FeedBurner stops working.
If you are impacted by this issue, you can whitelist the affected IP addresses or the FeedBurner user agent string, or disable Project Honey Pot. Be aware that doing any of these will increase the amount of spam you receive. You should also complain to Google, since this isn’t the first time this has happened, and they seem to have done absolutely nothing about it.
Bad Behavior 2.2.13 has been released. This is a maintenance release and is recommended for all users.
Changes
The following changes have been made since 2.2.12:
Requests from the Baidu search engine now go through screening similar to Google and other major search engines. This will help to prevent illegitimate access from clients which falsely claim to be the Baidu search engine. A logic error which prevented these checks from ever running has been fixed.
Download
Notes
Just as a reminder, if you use CloudFlare on your site, you must enable the Reverse Proxy option in Bad Behavior’s settings, or many of your visitors and search engines will be blocked.
Work on Bad Behavior 3.0 is finally making progress; I have some very basic almost-functional pre-alpha code and I hope to have it cleaned up enough to attempt to begin using in the next few weeks. Since this is usually the slow season for me, I hope to have some extra time to work on it over the holiday season. If you would like to see this work progress more quickly, or you just want to say thank you, consider making a donation today.
Bad Behavior 2.2.12 has been released. This is a maintenance release and is recommended for all users.
Changes
The following changes have been made since 2.2.11:
- Search engine screening by IP address is now more lenient; a failure to match a known IP address range no longer blocks the bot outright. This change is in response to a major search engine which is adding large numbers of IP address ranges faster than they can be tracked and added to Bad Behavior. Requests which don’t match a known IP address range still go through normal screening, while requests which match will be passed immediately.
- Search engine IP address screening is bypassed when the request originates from an IPv6 address, pending the addition of IPv6 subnet matching code.
- Requests from the Baidu search engine now go through screening similar to Google and other major search engines. This will help to prevent illegitimate access from clients which falsely claim to be the Baidu search engine.
- Some URL blacklist strings have been removed due to the possibility of their matching legitimate user input (e.g. in a site search phrase).
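The lenient search-engine IP screening described in the first two items above, written out as an added illustration (this is not Bad Behavior’s own code). The bot names and CIDR ranges are constructed placeholders, and the `$lenient` flag is assumed here only to contrast the new fall-through behaviour with the old outright block:

```php
<?php
// Added illustration of the 2.2.12 search-engine IP screening policy.
// Not Bad Behavior's own code; ranges below are constructed placeholders.

const SCREEN_PASS   = 'pass';    // known range matched: skip further screening
const SCREEN_NORMAL = 'screen';  // fall through to the normal checks
const SCREEN_BLOCK  = 'block';   // the pre-2.2.12 outcome on a range mismatch

// Claimed search-engine User-Agent substring => known IPv4 ranges (constructed).
$knownRanges = [
    'Googlebot'   => ['192.0.2.0/24'],
    'Baiduspider' => ['198.51.100.0/25', '203.0.113.64/26'],
];

// True when the dotted-quad $ip falls inside the IPv4 $cidr block.
function ipv4InCidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

function screenSearchEngine(string $userAgent, string $ip, array $knownRanges, bool $lenient = true): string {
    foreach ($knownRanges as $botName => $ranges) {
        // Only requests claiming to be a tracked search engine are IP-screened.
        if (strpos($userAgent, $botName) === false) {
            continue;
        }
        // IPv6: no subnet matching yet, so IP screening is bypassed entirely
        // and the request goes through the normal checks instead.
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
            return SCREEN_NORMAL;
        }
        foreach ($ranges as $cidr) {
            if (ipv4InCidr($ip, $cidr)) {
                return SCREEN_PASS;  // address in a known range: pass immediately
            }
        }
        // Unknown address claiming to be this bot: lenient mode screens it
        // normally rather than blocking on the range mismatch alone.
        return $lenient ? SCREEN_NORMAL : SCREEN_BLOCK;
    }
    return SCREEN_NORMAL;  // not claiming to be a search engine at all
}

// Constructed sample requests.
echo screenSearchEngine('Mozilla/5.0 (compatible; Baiduspider/2.0)', '198.51.100.7', $knownRanges), "\n";        // pass
echo screenSearchEngine('Mozilla/5.0 (compatible; Baiduspider/2.0)', '203.0.113.200', $knownRanges), "\n";       // screen
echo screenSearchEngine('Mozilla/5.0 (compatible; Baiduspider/2.0)', '203.0.113.200', $knownRanges, false), "\n"; // block
echo screenSearchEngine('Mozilla/5.0 (compatible; Googlebot/2.1)', '2001:db8::1', $knownRanges), "\n";           // screen
```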
Download
Notes
Just as a reminder, if you use CloudFlare on your site, you must enable the Reverse Proxy option in Bad Behavior’s settings, or many of your visitors and search engines will be blocked.
Work on Bad Behavior 3.0 is finally making progress; I have some very basic almost-functional pre-alpha code and I hope to have it cleaned up enough to attempt to begin using in the next few weeks. Since this is usually the slow season for me, I hope to have some extra time to work on it over the holiday season. If you would like to see this work progress more quickly, or you just want to say thank you, consider making a donation today.
Oops! If you attempted to download Bad Behavior 2.2.11 before right now, when the announcement was posted to this site, you received a copy with a syntax error, which generated a PHP fatal error.
I’ve replaced the download with a corrected version. If you are experiencing this issue, you can remove and reinstall Bad Behavior, or edit line 94 of bad-behavior/blacklist.inc.php and add a , (comma) after the second " (quotation mark) so that the beginning of the line reads "Nikto",.
As I’ve noted previously, I’m in the midst of moving away from WordPress subversion and toward git (and github) which will let me put in place processes to prevent this sort of brown paper bag problem again. Please accept my apologies for the inconvenience this may have caused you.
Bad Behavior 2.2.11 and 2.0.49 have been released. These are maintenance releases and are recommended for all users.
NOTE: Support for the 2.0 series is very limited and will end June 30, 2013. Plan to migrate to the 2.2 series as soon as possible.
Changes
The following changes to 2.2 have been made since version 2.2.10:
- Google AdSense has changed their crawler’s User-Agent string to a string that matches a user agent blacklist entry. This would prevent the delivery of targeted ads to a page, and result in generic ads being displayed. The blacklist entry was temporarily removed pending communication with Google.
- A PHP warning would be generated if any whitelist had blank lines in it. Blank lines are now stripped out of whitelist entries.
The following changes to 2.0 have been made since version 2.0.48:
Google AdSense has changed their crawler’s User-Agent string to a string that matches a user agent blacklist entry. This would prevent the delivery of targeted ads to a page, and result in generic ads being displayed. The blacklist entry was temporarily removed pending communication with Google.
Download
Bad Behavior 2.2.10 has been released. This is a maintenance release and is recommended for all users.
Changes
The following changes have been made since version 2.2.9:
Code added in the previous release to support detection of malicious attacks contained an unfortunate typo causing PHP warnings to appear. This has been fixed.
Download
Bad Behavior 2.2.9 has been released. This is a maintenance release and is recommended for all users.
Changes
The following changes have been made since version 2.2.8:
- Several patterns associated with malicious activity such as SQL injection and vulnerability scanning have been identified and blocked.
- WordPress: A code change regarding display of the whitelist in the administrative page was reverted due to unforeseen issues.
Download
Notes
While reviewing the site for the recent disaster recovery, I noted that some ports of Bad Behavior had not been updated in a very long time and do not use the new 2.2 code base, and that some appear to have been abandoned. These have been noted on the list of ports as “legacy” and “abandoned” respectively. If you are a port maintainer, or you think you may want to be, please check the list for your platform.
I also noted that some current ports were released under the GPL version 2 only. Since Bad Behavior 2.2 uses the LGPL version 3 (or any later version) the license is not compatible with GPLv2 only connectors. I’ll be contacting port maintainers individually about these to attempt to resolve these issues, but if you are one and you are aware of this, please update your license to GPLv3 or later, or LGPLv2.1 or later.
Finally, thank you to all of you who provided kind words, offers of technical assistance and of course donations during this very stressful disaster recovery. If you haven’t contributed lately, or at all, please help me keep Bad Behavior going by donating today.
© Bad Behavior / Bad Behaviour