Modules update.

Maikuolan · Maikuolan · commit 9053d77d34a6 · 2025-11-13T20:47:04.000+08:00
diff --git a/modules/module_botua.php b/modules/module_botua.php
@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Bot user agents module (last modified: 2025.11.06).
+ * This file: Bot user agents module (last modified: 2025.11.13).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -349,6 +349,7 @@
     } // 2023.11.17 mod 2025.11.06
 
     $Trigger(preg_match('~ct‑git‑scanner/~i', $CIDRAM['BlockInfo']['UA']), 'Unauthorised Git scanner'); // 2025.07.05
+    $Trigger(preg_match('~4\.066686748~', $UANoSpace), 'Hack UA (pretending to be Netscape)'); // 2025.11.13
 
     /** These signatures can set extended tracking options. */
     if (
diff --git a/modules/module_extras.php b/modules/module_extras.php
@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Optional security extras module (last modified: 2025.11.06).
+ * This file: Optional security extras module (last modified: 2025.11.13).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -102,7 +102,7 @@
         /** Probing for webshells/backdoors. */
         if (
             $Trigger(preg_match(
-                '~^/{3,}wp-|(?:^|[/?])(?:mt-xmlrpc\.cgi|shell\?cd|wp-includes/wlwmanifest\.xml)(?:$|[/?])|(?:^|[/?])(?:' .
+                '~^/{3,}wp-|(?:^|[/?])(?:mt-xmlrpc\.cgi|shell\?cd\+?|wp-includes/wlwmanifest\.xml)(?:$|[/?])|(?:^|[/?])(?:' .
                 '\+theme\+/(?:error|index)|' .
                 '\.bak/.*|' .
                 '\.w(?:ell-known(?:new\d*|old\d*)?|p-cli)/(?:.*(?:(?:a(?:bout|dmin|pap)|c(?:aches?|ihjbmjk|lasswithtostring|ong)|fi(?:erza|le)|l(?:itespeed|ofmebwd)|install|moon|shell|wp-login)[\da-z]*|/x)|go|radio|x)|' .
@@ -140,7 +140,7 @@
                 ')\.php[578]?(?:$|[/?])|' .
                 'funs\.php[578]?(?:$|[/?])~',
                 $LCNrURI
-            ), 'Probing for webshells/backdoors') || // 2023.08.18 mod 2025.08.29
+            ), 'Probing for webshells/backdoors') || // 2023.08.18 mod 2025.11.13
             $Trigger(preg_match('~(?:^|[/?])(?:brutalshell|css/dmtixucz/golden-access|fierzashell\.html?|perl.alfa|search/label/php-shells|wp-ksv1i\.ph)(?:$|[/?])~', $LCNrURI), 'Probing for webshells/backdoors') || // 2025.05.12 mod 2025.08.07
             $Trigger(preg_match('~(?:^|[/?])(?:moon\.php|ss\.php)\?(?:f_c|p)=~', $LCNrURI), 'Probing for webshells/backdoors') // 2025.08.07
         ) {
@@ -161,7 +161,8 @@
             $Trigger(preg_match('~(?:^|[/?])library/openflashchart/php-ofc-library/ofc_upload_image\.php[57]?(?:$|[/?])~', $LCNrURI), $Exploit = 'ZSL-2013-5126') || // 2025.07.10 mod 2025.08.07
             $Trigger(preg_match('~(?:^|[/?])includes/openflashchart/php-ofc-library/ofc_upload_image\.php[57]?(?:$|[/?])~', $LCNrURI), $Exploit = 'SA53428') || // 2025.07.10 mod 2025.08.07
             $Trigger(preg_match('~(?:^|[/?])dup-installer/main\.installer\.php[57]?(?:$|[/?])~', $LCNrURI), $Exploit = 'CVE-2022-2551') || // 2024.09.05 mod 2025.08.07
-            $Trigger(preg_match('~(?:^|[/?])Telerik\.Web\.UI\.WebResource\.axd(?:$|[/?])~i', $LCNrURI), $Exploit = 'CVE-2019-18935') // 2024.10.30 mod 2025.08.07
+            $Trigger(preg_match('~(?:^|[/?])Telerik\.Web\.UI\.WebResource\.axd(?:$|[/?])~i', $LCNrURI), $Exploit = 'CVE-2019-18935') || // 2024.10.30 mod 2025.08.07
+            $Trigger(preg_match('~(?:^|[/?])ipfs/bafkreicyqcbhpicbos7ev4mrxofwqx6hvvge7pahpta6xuspr44crai5by(?:$|[/?])~i', $LCNrURI), $Exploit = 'CVE-2016-10563') // 2025.11.13
         ) {
             $CIDRAM['Reporter']->report([15, 21], ['Caught probing for ' . $Exploit . ' vulnerability.'], $CIDRAM['BlockInfo']['IPAddr']);
         }
@@ -494,6 +495,11 @@
         if ($Trigger(preg_match('~(?:^|[/?])elmah\.axd(?:$|[/?])~', $LCNrURI), 'Probing for exposed ELMAH security file')) {
             $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed ELMAH security file.'], $CIDRAM['BlockInfo']['IPAddr']);
         } // 2025.09.22
+
+        /** Mozi botnet requests. */
+        if ($Trigger(preg_match('~/mozi.a[;+]~', $LCNrURI), 'Mozi botnet detected')) {
+            $CIDRAM['Reporter']->report([15, 20], ['Mozi botnet detected. Host is likely compromised.'], $CIDRAM['BlockInfo']['IPAddr']);
+        }
     }
 
     /**
@@ -629,7 +635,7 @@
         if (
             $Trigger(strpos($QueryNoSpace, '$_' . '[$' . '__') !== false, 'Shell upload attempt') || // 2017.03.01
             $Trigger(strpos($QueryNoSpace, '@$' . '_[' . ']=' . '@!' . '+_') !== false, 'Shell upload attempt') || // 2017.03.01
-            $Trigger(strpos($Query, 'rm ' . '-rf') !== false, 'Hack attempt') || // 2017.01.02
+            $Trigger(preg_match('~rm +-rf~', $Query), 'Hack attempt') || // 2017.01.02 mod 2025.11.13
             $Trigger(strpos($QueryNoSpace, ';c' . 'hmod7' . '77') !== false, 'Hack attempt') || // 2017.01.05
             $Trigger(substr($QueryNoSpace, 0, 2) === '()', 'Bash/Shellshock') || // 2017.01.05
             $Trigger(strpos($QueryNoSpace, '0x31303235343830303536') !== false, 'Probe attempt') || // 2017.02.25
diff --git a/modules/modules.dat b/modules/modules.dat
@@ -184,7 +184,7 @@ module_bgpview.php:
 module_botua.php:
  Name: "Bot user agents module"
  False Positive Risk: "Medium"
- Version: "2025.309.0"
+ Version: "2025.316.0"
  Dependencies:
   PHP: "^5.4|^7|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -196,7 +196,7 @@ module_botua.php:
   To:
    - "module_botua.php"
   Checksum:
-   - "2d264e4ec2f91c56b9289d79d92844ddd46df8b761a3d9b24d1e50c9ad9b6eb3:27651"
+   - "479f77971a55d0b08eddbfcf2209884c54caefc26a4f0da4eadf7817d646477b:27760"
  Used with: "modules"
  Reannotate: "modules.dat"
 module_cookies.php:
@@ -220,7 +220,7 @@ module_cookies.php:
 module_extras.php:
  Name: "Optional security extras module"
  False Positive Risk: "Medium"
- Version: "2025.309.0"
+ Version: "2025.316.0"
  Dependencies:
   PHP: "^5.4|^7|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -235,7 +235,7 @@ module_extras.php:
    - "module_extras.php"
    - "module_extras.yaml"
   Checksum:
-   - "9845128add9806bea517f63bf6a5df57f430be3c890e3f14385009fff47acd37:54008"
+   - "05bd465f1ac7f79ffb6269842d8af4107029374a57d62d9a1f6bcb3a38179cae:54471"
    - "7b891d1fa4b1c52c410220bc758e8cb7064bd6040430fb149a5b60e9ae2e0838:890"
  Used with: "modules"
  Reannotate: "modules.dat"

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`* License: GNU/GPLv2`
`9`	`9`	`* @see LICENSE.txt`
`10`	`10`	`*`
`11`		`- * This file: Bot user agents module (last modified: 2025.11.06).`
	`11`	`+ * This file: Bot user agents module (last modified: 2025.11.13).`
`12`	`12`	`*`
`13`	`13`	`* False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »`
`14`	`14`	`*/`
`@@ -349,6 +349,7 @@`
`349`	`349`	`} // 2023.11.17 mod 2025.11.06`
`350`	`350`
`351`	`351`	`$Trigger(preg_match('~ct‑git‑scanner/~i', $CIDRAM['BlockInfo']['UA']), 'Unauthorised Git scanner'); // 2025.07.05`
	`352`	`+ $Trigger(preg_match('~4\.066686748~', $UANoSpace), 'Hack UA (pretending to be Netscape)'); // 2025.11.13`
`352`	`353`
`353`	`354`	`/** These signatures can set extended tracking options. */`
`354`	`355`	`if (`