Modules update.

Maikuolan · Maikuolan · commit 41a295e5727a · 2025-07-28T22:17:57.000+08:00
diff --git a/modules/module_badhosts.php b/modules/module_badhosts.php
@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Bad hosts blocker module (last modified: 2025.02.13).
+ * This file: Bad hosts blocker module (last modified: 2025.07.27).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -63,15 +63,9 @@
     $UA = str_replace('\\', '/', strtolower(urldecode($CIDRAM['BlockInfo']['UA'])));
     $UANoSpace = preg_replace('/\s/', '', $UA);
 
-    $Trigger(preg_match(
-        '/\$(?:globals|_(?:cookie|env|files|get|post|request|server|session))/',
-        $HN
-    ), 'Banned hostname'); // 2017.01.21 mod 2022.11.23
+    $Trigger(preg_match('/\$(?:globals|_(?:cookie|env|files|get|post|request|server|session))/', $HN), 'Banned hostname'); // 2017.01.21 mod 2022.11.23
 
-    $Trigger(preg_match(
-        '/(?:<(\?|body|i?frame|object|script)|(body|i?frame|object|script)>)/',
-        $HN
-    ), 'Hostname script injection'); // 2017.01.21
+    $Trigger(preg_match('/(?:<(\?|body|i?frame|object|script)|(body|i?frame|object|script)>)/', $HN), 'Hostname script injection'); // 2017.01.21
 
     $Trigger(preg_match('~captch|dbcapi\.me~', $HN), 'CAPTCHA cracker host'); // 2017.01.21
 
@@ -97,71 +91,18 @@
     $Trigger(preg_match('~exatt\.net$|unpef\.org$~', $HN), 'Pornobot/Pornhost'); // 2017.02.16
 
     $Trigger(preg_match(
-        '~^(?:damage|moon|test)\.|anahaqq|core\.youtu\.me|hosted-(?:by|in)|n' .
-        'o-(?:data|(?:reverse-)?r?dns)|qeas|spletnahisa|therewill\.be|unassi' .
-        'gned|work\.from|yhost\.name~',
+        '~^(?:damage|moon|test)\.|anahaqq|core\.youtu\.me|fuc' . 'kyou|hoste' .
+        'd-(?:by|in)|no-(?:data|(?:reverse-)?r?dns)|qeas|spletnahisa|therewi' .
+        'll\.be|unassigned|work\.from|yhost\.name~',
         $HN
-    ), 'Questionable Host'); // 2017.01.30 mod 2020.11.09
+    ), 'Questionable Host'); // 2017.01.30 mod 2025.07.27
 
     $Trigger(preg_match('~anchorfree|hotspotsheild|esonicspider\.com$~', $HN), 'Hostile/esonicspider'); // 2018.09.15
 
-    $Trigger(preg_match(
-        '~megacom\.biz$|ideastack\.com$|dotnetdotcom\.org$|controlyourself\.online~',
-        $HN
-    ), 'Hostile/Unauthorised'); // 2017.02.14 mod 2021.06.28
-
     $Trigger(preg_match('~brandaffinity~', $HN), 'Hostile/SLAPP'); // 2018.09.15
 
     if (
-        // Caught attempting to brute-force WordPress logins (2020.11.09).
-        $Trigger(preg_match('~\.domainserver\.ne\.jp$~', $HN), 'Cloud/Webhosting') ||
-
-        // 2022.12.19 mod 2025.02.13
-        $Trigger(preg_match(
-            '~i(?:g|nsite)\.com\.br$|terra\.cl$|acetrophies\.co\.uk$|adsinmedia\.co\.' .
-            'in$|(?:webfusion|xcalibre)\.co\.uk$|(?:\.(?:appian|cloud|ctera|dyn|emc|f' .
-            'orce|fsfreeware|gnip|gridlayer|hosting|icims|panorama|parallels|quest|si' .
-            'teprotect|thegridlayer|voda|vultr|webzilla|workday)|10gen|12designer|3le' .
-            'afsystems|3tera|a(?:cademicedge|ccentrainc|conex|dvologix|gathon|ltornet' .
-            'works|mericanforeclosures|mitive|pp(?:irio|istry|jet|nexus|renda|spot|ze' .
-            'ro)|ptana|ramenet|riasystems|rjuna|rtofdefence|sterdata|syanka|uthenticn' .
-            'etworks|zati)|b(?:alticservers|eam4d|hivesoft|irtondemand|linklogic|lue(' .
-            '?:host|lock|wolf)|oomi|ucketexplorer|ungeeconnect)|c(?:a(?:dinor|msoluti' .
-            'onsinc|spio|ssatt|stiron)|l(?:arioanalytics|ickability|oud(?:42|9analyti' .
-            'cs|computingchina|control|era|foundry|kick|scale|status|switch|works)|us' .
-            'terseven)|o(?:ghead|hesiveft|ldlightsolutions|ncur|ntroltier)|tinets|ybe' .
-            'r-freaks)|d(?:ata(?:line|sisar|synaps)|ailyrazor|edicatedpanel|inaserver' .
-            '|irectlaw|ns-safe|oclanding|ropbox|ynamsoft)|e(?:last(?:ichosts|ra)|n(?:' .
-            'gineyard|omalism|stratus)|telos|ucalyptus|vapt|vionet)|fathomdb|flexisca' .
-            'le|followmeoffice|g(?:emstone|enerositycool|igaspaces|ogrid|othamdating|' .
-            'roupcross)|h(?:eroku|exagrid|olhost|ost(?:acy|cats|ing24)|ubspan|yperic)' .
-            '|i(?:buzytravel|modrive|nfo(?:bright|rmatica)|tricityhosting)|j(?:oyent|' .
-            'umpbox|unglebox|usthost)|k(?:2analytics|aavo|eynote|nowledgetree)|l(?:ay' .
-            'eredtech|inkneo|iveops|oadstorm|ogixml|ongjump|tdomains)|m(?:o(?:derro|j' .
-            'site|rphexchange|sso|zy)|idphase|idnight-monkey|turk|ulesoft)|n(?:asstar' .
-            '|e(?:ointeractiva|t(?:app|documents|suite|topia)|wrelic|wservers)|ionex|' .
-            'irvanix|ovatium|scaled)|o(?:co-inc|nelogin|npathtech|penqrm|psource)|p(?' .
-            ':ara(?:scal|tur)e|hatservers|hishmongers|iemontetv|inqidentity|ivotlink|' .
-            'luraprocessing)|q(?:layer|rimp|uanti(?:vo|x-uk))|r(?:ackspace(?:cloud)?|' .
-            'e(?:di2|ductivelabs|lia(?:blehosting|cloud)|sponsys)|ight(?:now|scale)|o' .
-            'llbase|omania-webhosting|path)|s(?:alesforce|avvis|ertifi|erver306|huili' .
-            'nchi|kytap|martservercontrol|naplogic|oasta|pringcm|tax|treetsmarts|tret' .
-            'choid|uccessmetrics|wifttrim|ymplified|yncplicity)|t(?:aleo|err[ae]mark|' .
-            'h(?:eprocessfactory|inkgos|oughtexpress)|rustsaas)|utilitystatus|v(?:aul' .
-            'tscape|ertica|mware|ordel)|web(?:faction|hosting\.uk|hostinghub|scalesol' .
-            'utions|sitewelcome)|xactlycorp|xlhost|xythos|z(?:embly|imory|manda|oho|u' .
-            'ora))\.com$|server4u\.cz$|(?:(?:\.|kunden)server|clanmoi|fastwebserver|o' .
-            'ptimal|server4you|your-server)\.de$|candycloud\.eu$|cyberresilience\.io$' .
-            '|server\.lu$|starnet\.md$|(?:\.(?:above|akpackaging|bhsrv|box|propagatio' .
-            'n|voxel)|1978th|collab|enkiconsulting|incrediserve|jkserv|recyber|reliab' .
-            'lesite|shared-server|techajans)\.net$|hitech-hosting\.nl$|(?:\.terracott' .
-            'a|beowulf|iboss|opennebula|xen)\.org$|mor\.ph$|(?:ogicom|vampire)\.pl$|(' .
-            '?:serverhub|rivreg|tkvprok|vpsnow|vympelstroy)\.ru$|g\.ho\.st$~',
-            $HN
-        ), 'Cloud/Webhosting') ||
-
-        // 2022.06.22
-        $Trigger(preg_match('~\.google(?:domains|usercontent)\.com$~', $HN), 'Google user content not permitted here')
+        $Trigger(preg_match('~\.google(?:domains|usercontent)\.com$~', $HN), 'Google user content not permitted here') // 2022.06.22
     ) {
         $CIDRAM['AddProfileEntry']('Webhosting');
     }
@@ -170,37 +111,13 @@
         $CIDRAM['AddProfileEntry']('VPNs here');
     } // 2023.08.12
 
-    $Trigger(preg_match(
-        '~(?:(?:criminalip|dimenoc|dumpyourbitch|hostenko|internetserviceteam|ipr' .
-        'edator|krypt|webandnetworksolutions|xcelmg)\.com|mbox\.kz|doctore\.sk|ho' .
-        'stnoc\.net|\.(?:host|spheral)\.ru)$|45ru\.net\.au|p(?:rohibitivestuff|wn)~',
-        $HN
-    ), 'Dangerous Host'); // 2022.06.24 mod 2022.12.19
-
     $Trigger(preg_match('~shadowserver\.org$~', $HN), 'Regular unauthorised proxy tunnel attempts'); // 2023.09.15
 
     $Trigger(preg_match(
         '~(?:iweb|privatedns)\.com$|iweb\.ca$|^(?:www\.)?iweb~',
         $HN
     ), 'Domain Snipers'); // 2017.02.15 mod 2021.06.28
 
-    $Trigger(preg_match('~(?<!ssg-corp\.)zetta\.net$|(?<!\.user\.)veloxzone\.com\.br$|12bot\.com$~', $HN), 'Server farm'); // 2022.12.19
-
-    $Trigger(preg_match(
-        '~(?:starlogic|temka)\.biz$|ethymos\.com\.br$|(?:amplilogic|astranig' .
-        'ht|borderfreehosting|creatoor|dl-hosting|hosting-ie|idknet|ipilum|k' .
-        'uzbass|prommorpg|uxxicom|vdswin|x-svr)\.com$|(?:ahost01|efdns|em-zw' .
-        'o|haebdler-treff|key(account|mars64)|mail\.adc|rootbash|securewebse' .
-        'rver|tagdance|traders-briefing|vilitas|w-4)\.de$|(?:hostrov|kemhost' .
-        '|netorn|power-web34|profithost|volia)\.net$|cssgroup\.lv|(?:nasza-k' .
-        'lasa|softel\.com)\.pl$|(?:corbina|cpms|datapoint|elsv-v|hc|itns|lim' .
-        't|majordomo|mtu-net|netorn|nigma|relan|spb|totalstat)\.ru|(?:(?:cos' .
-        'monova|sovam|utel)\.net|odessa|poltava|rbn\.com|volia)\.ua$|aceleo|' .
-        'dedibox|filmefashion|infobox|key(?:machine|server|web)|kyklo|laycat' .
-        '|oliro~',
-        $HN
-    ), 'RBN'); // 2017.02.06 mod 2021.06.28
-
     $Trigger(preg_match('~amazonaws\.com$~', $HN) && (
         !preg_match(
             '~alexa|postrank|twitt(?:urly|erfeed)|bitlybot|unwindfetchor|met' .
@@ -275,7 +192,7 @@
     ); // 2018.06.24
 
     /** Conjunctive reporting. */
-    if (preg_match('~Spoofed/Fake Hostname|Dangerous Host|Questionable Host|DNS error~i', $CIDRAM['BlockInfo']['WhyReason'])) {
+    if (preg_match('~Spoofed/Fake Hostname|Questionable Host|DNS error~i', $CIDRAM['BlockInfo']['WhyReason'])) {
         $CIDRAM['Reporter']->report([20], [], $CIDRAM['BlockInfo']['IPAddr']);
     }
     if (preg_match('~(?:VPN|Proxy) Host~i', $CIDRAM['BlockInfo']['WhyReason'])) {
diff --git a/modules/module_extras.php b/modules/module_extras.php
@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Optional security extras module (last modified: 2025.07.27).
+ * This file: Optional security extras module (last modified: 2025.07.28).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -145,9 +145,9 @@
         ), 'Probing for webshells/backdoors')) { // 2023.08.18 mod 2025.07.10
             $CIDRAM['Reporter']->report([15, 20, 21], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']);
         } elseif ($Trigger(preg_match(
-            '~(?:^|[/?])(?:css/dmtixucz/golden-access|fierzashell\.html?|perl.alfa|search/label/php-shells)(?:$|[/?])~',
+            '~(?:^|[/?])(?:brutalshell|css/dmtixucz/golden-access|fierzashell\.html?|perl.alfa|search/label/php-shells)(?:$|[/?])~',
             $LCNrURI
-        ), 'Probing for webshells/backdoors')) { // 2025.05.12 mod 2025.05.20
+        ), 'Probing for webshells/backdoors')) { // 2025.05.12 mod 2025.07.28
             $CIDRAM['Reporter']->report([15, 20, 21], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']);
         } elseif ($Trigger(preg_match(
             '~(?:^|[/?])(?:\.well-known(?:new\d*|old\d*)|[1-9cefimnptuwx]{27}\.jsp|alfa_data/alfacgiapi|alfa-?rexhp\d\.p|(?:send-)?ses\.sh)(?:$|[/?])~',
@@ -195,6 +195,14 @@
             $CIDRAM['Reporter']->report([15, 16, 21], ['Caught probing for ' . $Exploit . ' vulnerability.'], $CIDRAM['BlockInfo']['IPAddr']);
         }
 
+        /** Probing for compromised WordPress installations. */
+        if ($Trigger(preg_match(
+            '~/wp-content/plugins/(?:aryabot|cakil|cekidot|dummyyummy|helloapx|ioptimization|masterx|owfsmac|prenota|pwnd|ubh|upspy|uwogh-segs|vwcleanerplugin|wp(?:-d(?:[ao]ftx?|b-ajax-made|iambar)|-freeform|-hps|eazvp)|xichang|xt|yyobang|zaen)/~',
+            $LCNrURI
+        ), 'Probing for compromised WordPress installations')) {
+            $CIDRAM['Reporter']->report([15, 21], ['Caught probing for compromised WordPress installations.'], $CIDRAM['BlockInfo']['IPAddr']);
+        } // 2025.07.28
+
         /** Probing for exposed Git data. */
         if ($Trigger(preg_match('~\.git(?:config)?(?:$|\W)~', $LCNrURI), 'Probing for exposed Git data')) {
             $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed Git data.'], $CIDRAM['BlockInfo']['IPAddr']);
diff --git a/modules/modules.dat b/modules/modules.dat
@@ -144,7 +144,7 @@ module_abuseipdb.php:
 module_badhosts.php:
  Name: "Bad hosts blocker module"
  False Positive Risk: "Medium"
- Version: "2025.43.0"
+ Version: "2025.208.0"
  Dependencies:
   PHP: "^5.4|^7|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -156,7 +156,7 @@ module_badhosts.php:
   To:
    - "module_badhosts.php"
   Checksum:
-   - "fc1c3be5f179f6feb7320d3de00d58cfb2b1e06c3d86208edf9b4028ee5d2c10:14662"
+   - "cba13c69d7f2b58e617bb85ab0c6d4295481e62081e0eac6457f8a443510bf3d:9295"
  Used with: "modules"
  Reannotate: "modules.dat"
 module_badtlds.php:
@@ -239,7 +239,7 @@ module_cookies.php:
 module_extras.php:
  Name: "Optional security extras module"
  False Positive Risk: "Medium"
- Version: "2025.207.0"
+ Version: "2025.208.0"
  Dependencies:
   PHP: "^5.4|^7|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -254,7 +254,7 @@ module_extras.php:
    - "module_extras.php"
    - "module_extras.yaml"
   Checksum:
-   - "3a90191df4328cc170636f18f08cbdc1db936a175f95e1015ed89fa241b6b1a2:38266"
+   - "f8d420e63f58f5d261e6daf95634abd600c64222127f2d33f37806428bf5990d:38879"
    - "7b891d1fa4b1c52c410220bc758e8cb7064bd6040430fb149a5b60e9ae2e0838:890"
  Used with: "modules"
  Reannotate: "modules.dat"
