
Commit 02abb70

committed
Extras module update.
1 parent 0e807b4 commit 02abb70


2 files changed

+33
-7
lines changed


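--- a/modules/module_extras.php
+++ b/modules/module_extras.php
@@ -8,7 +8,7 @@
 * License: GNU/GPLv2
 * @see LICENSE.txt
 *
-* This file: Optional security extras module (last modified: 2025.08.29).
+* This file: Optional security extras module (last modified: 2025.09.03).
 *
 * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
 */
@@ -449,6 +449,30 @@
 if ($Trigger(preg_match('~(?:^|[/?])wallet\.dat(?:$|[/?])~', $LCNrURI), 'Probing for exposed Bitcoin wallets')) {
 $CIDRAM['Reporter']->report([15], ['Caught probing for exposed Bitcoin wallets.'], $CIDRAM['BlockInfo']['IPAddr']);
 } // 2025.08.29
+
+/** Malware spam redirection attempt. */
+if ($Trigger(preg_match('~(?:^|[/?])(?:__media__/js|netsoltrademark\.php)(?:$|[/?])~', $LCNrURI), 'Malware spam redirection attempt detected')) {
+$CIDRAM['Reporter']->report([10, 20], ['Malware spam redirection attempt detected.'], $CIDRAM['BlockInfo']['IPAddr']);
+} // 2025.09.03
+
+/** Probing for exposed etc/passwd file. */
+if ($Trigger(preg_match('~(?:^|[/?])etc(?:/|%2f)passwd(?:$|[/?])~', $LCNrURI), 'Probing for exposed etc/passwd file')) {
+$CIDRAM['Reporter']->report([15], ['Caught probing for exposed etc/passwd file.'], $CIDRAM['BlockInfo']['IPAddr']);
+} // 2025.09.03
+
+/** Probing for exposed etc/hosts file. */
+if ($Trigger(preg_match('~(?:^|[/?])etc(?:/|%2f)hosts(?:$|[/?])~', $LCNrURI), 'Probing for exposed etc/hosts file')) {
+$CIDRAM['Reporter']->report([15], ['Caught probing for exposed etc/hosts file.'], $CIDRAM['BlockInfo']['IPAddr']);
+} // 2025.09.03
+
+/** Probing for exposed etc/shadow file. */
+if ($Trigger(preg_match('~(?:^|[/?])etc(?:/|%2f)shadow(?:$|[/?])~', $LCNrURI), 'Probing for exposed etc/shadow file')) {
+$CIDRAM['Reporter']->report([15], ['Caught probing for exposed etc/shadow file.'], $CIDRAM['BlockInfo']['IPAddr']);
+} // 2025.09.03
+
+if ($Trigger(preg_match('~\?1+1&&|\)%7d%7d%2f~', $LCNrURI), 'SQLi attack')) {
+$CIDRAM['Reporter']->report([15, 16], ['SQL injection attack detected.'], $CIDRAM['BlockInfo']['IPAddr']);
+} // 2025.09.03
 }
 
 /**
@@ -559,8 +583,12 @@
 $Trigger(strpos($CIDRAM['BlockInfo']['Query'], ',0x') !== false, 'Bad query'); // 2017.02.25
 $Trigger(strpos($CIDRAM['BlockInfo']['Query'], ',\'\',') !== false, 'Bad query'); // 2017.02.25
 
-$Trigger(preg_match('/(?<![a-z])id=.*(?:benchmark\\(|id[xy]=|sleep\\()/', $QueryNoSpace), 'Query SQLi'); // 2017.03.01 mod 2023.11.10
-$Trigger(preg_match('~(?:from|union|where).*select|then.*else|(?:o[nr]|where).*isnull|(?:inner|left|outer|right)join~', $QueryNoSpace), 'Query SQLi'); // 2017.03.01 mod 2023.08.30
+if ($Trigger(preg_match(
+'~(?<![a-z])id=.*(?:benchmark\\(|id[xy]=|sleep\\()|(?:from|union|where).*select|then.*else|(?:o[nr]|where).*isnull|(?:inner|left|outer|right)join~',
+$QueryNoSpace
+), 'SQLi attack')) {
+$CIDRAM['Reporter']->report([15, 16], ['SQL injection attack detected.'], $CIDRAM['BlockInfo']['IPAddr']);
+} // 2017.03.01 mod 2025.09.03
 
 $Trigger(preg_match('/cpis_.*i0seclab@intermal\.com/', $QueryNoSpace), 'Hack attempt'); // 2018.02.20
 $Trigger(preg_match('/^(?:3x=3x|of=1&a=1)/i', $CIDRAM['BlockInfo']['Query']), 'Hack attempt'); // 2023.07.13 mod 2023.09.02
@@ -679,8 +707,6 @@
 $CIDRAM['Reporter']->report([15, 21], ['Plesk hack attempt detected.'], $CIDRAM['BlockInfo']['IPAddr']);
 } elseif (strpos($CIDRAM['BlockInfo']['WhyReason'], 'Probe attempt') !== false) {
 $CIDRAM['Reporter']->report([19], ['Probe detected.'], $CIDRAM['BlockInfo']['IPAddr']);
-} elseif (strpos($CIDRAM['BlockInfo']['WhyReason'], 'Query SQLi') !== false) {
-$CIDRAM['Reporter']->report([16], ['SQL injection attempt detected.'], $CIDRAM['BlockInfo']['IPAddr']);
 } elseif (strpos($CIDRAM['BlockInfo']['WhyReason'], 'Query command injection') !== false) {
 $CIDRAM['Reporter']->report([15], ['Query command injection attempt detected.'], $CIDRAM['BlockInfo']['IPAddr']);
 } elseif (strpos($CIDRAM['BlockInfo']['WhyReason'], 'Query global variable hack') !== false) {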
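Review bot: In the last block added by the second hunk, the pattern `'~\?1+1&&|\)%7d%7d%2f~'` leaves `+` unescaped, so it acts as a quantifier and the first alternative matches `?` followed by two or more `1` characters and `&&` rather than the literal text `?1+1&&`. If the literal is what the signature is meant to catch, it should read `\?1\+1&&`; whether an encoded form of the plus sign also needs covering depends on how `$LCNrURI` is normalised, which is not visible here. As written the rule misses the literal request while blocking and reporting, under categories 15 and 16, any URI that happens to contain a run of `1`s before `&&`. This is also the only new block without a `/** … */` description; a line such as `/** SQLi probes seen in the request URI. */` would match its neighbours. The enclosing block opens before the hunk's first line, so the surrounding condition under which these triggers run is not visible.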

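--- a/modules/modules.dat
+++ b/modules/modules.dat
@@ -239,7 +239,7 @@ module_cookies.php:
 module_extras.php:
 Name: "Optional security extras module"
 False Positive Risk: "Medium"
-Version: "2025.240.0"
+Version: "2025.245.0"
 Dependencies:
 PHP: "^5.4|^7|^8"
 CIDRAM Core: "^1.13.1|^2.0.1"
@@ -254,7 +254,7 @@ module_extras.php:
 - "module_extras.php"
 - "module_extras.yaml"
 Checksum:
-- "57e050eaed53c9585604dd54890717db5c2ad77767b602f2f7f855ce9b56072c:51036"
+- "20f0da70bbf42da044b2ca702b8a9a3164f1288b6410c1fe53821e9df480a078:52497"
 - "7b891d1fa4b1c52c410220bc758e8cb7064bd6040430fb149a5b60e9ae2e0838:890"
 Used with: "modules"
 Reannotate: "modules.dat"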
