Extras module update.

Maikuolan · Maikuolan · commit f1cd41c50154 · 2025-03-03T21:43:40.000+08:00
diff --git a/modules/module_extras.php b/modules/module_extras.php
@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Optional security extras module (last modified: 2025.02.13).
+ * This file: Optional security extras module (last modified: 2025.03.03).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -57,8 +57,8 @@
             $Trigger(preg_match('~%5[cf]\.%5[cf]|%5[cf]{3,}|[\x00-\x1f\x7f]~', $LCNrURI), 'Bad request'); // 2017.01.13 mod 2024.02.08
         } // 2017.01.13 mod 2024.02.08
 
-        /** WordPress user enumeration (modified 2022.11.07). */
-        if ($Trigger(preg_match('~\?author=\d+~i', $LCNrURI), 'WordPress user enumeration not allowed')) {
+        /** WordPress user enumeration (modified 2025.03.03). */
+        if ($Trigger(preg_match('~\?author=\d+~', $LCNrURI), 'WordPress user enumeration not allowed')) {
             $Bypass(
                 strpos($LCNrURI, 'administrator/') !== false,
                 'Joomla image inserting tool bypass (WordPress user enumeration conflict)'
@@ -77,11 +77,11 @@
 
         /** Probing for unsecured backup files. */
         if ($Trigger(preg_match(
-            '~(?:/backup|(?:backup|docroot|htdocs|public_html|site|www)\.(?:gz|rar|tar(?:\.gz)?|zip)|d(?:atabase|b|ump)\.sql)(?:$|[/?])~',
+            '~(?:/backup|(?:archive|backup|docroot|htdocs|public_html|site|www)\.(?:gz|rar|tar(?:\.gz)?|zip)|d(?:atabase|b|ump)\.sql)(?:$|[/?])~',
             $LCNrURI
         ), 'Probing for unsecured backup files not allowed')) {
             $CIDRAM['Reporter']->report([15], ['Caught probing for unsecured backup files.'], $CIDRAM['BlockInfo']['IPAddr']);
-        } // 2023.08.13 mod 2023.08.21
+        } // 2023.08.13 mod 2025.03.03
 
         /** Probing for unsecured SQL dumps. */
         if ($Trigger(preg_match(
@@ -107,13 +107,13 @@
             '\.w(?:ell-known|p-cli)/.*(?:a(?:bout|dmin)[\da-z]*|fierza[\da-z]*|install[\da-z]*|moon[\da-z]*|shell[\da-z]*|wp-login[\da-z]*|x)|' .
             '\.?rxr(?:_[\da-z]+)?|' .
             '\d{3,5}[a-z]{3,5}|\d+-?backdoor|0byte|0[xz]|10+|1337|4price|85022df0ed31|991176|' .
-            'a(?:b1ux1ft|dmin-heade\d*|dminfuns|hhygskn|lexus|lfa(?:-rex|_data|a?cgiapi|ioxi|new)?\d*|njas|pismtp|xx)|' .
+            'a(?:b1ux1ft|dmin-heade\d*|hhygskn|lexus|lfa(?:-rex|_data|a?cgiapi|ioxi|new)?\d*|njas|pismtp|xx)|' .
             'b(?:0|3d2acc621a0|ak|ala|ibil_0day)|' .
-            'c(?:(?:9|10)\d+|adastro-2|asper[\da-z]+|d(?:.*tmp.*rm-rf|chmod.*\d{3,})|fom[-_]files|(?:gi-bin|ss)/(?:luci/;|moon|newgolden|radio|sgd|stok=/|uploader|well-known|wp-login)|jfuns|lasssmtps|olors/blue/uploader|ong|ontentloader1|ss/colors/coffee/index)|' .
-            'd(?:7|eadcode\d*|epotcv|isagraep|kiz|ummyyummy/wp-signup)|' .
-            'ee|' .
-            'f(?:ddqradz|ilefuns?)|' .
-            'g(?:el4y|etid3-core|h[0o]st|lab-rare|zismexv)|' .
+            'c(?:(?:9|10)\d+|adastro-2|asper[\da-z]+|d(?:.*tmp.*rm-rf|chmod.*\d{3,})|fom[-_]files|(?:gi-bin|ss)/(?:luci/;|moon|newgolden|radio|sgd|stok=/|uploader|well-known|wp-login)|lass(?:smtps|withtostring)|olors/blue/uploader|omfunctions|ong|ontentloader1|opypaths|ss/colors/coffee/index)|' .
+            'd(?:7|eadcode\d*|elpaths|epotcv|isagraep|kiz|oiconvs|ummyyummy/wp-signup)|' .
+            'e(?:e|pinyins)|' .
+            'f(?:ddqradz|ilefun)|' .
+            'g(?:dftps|el4y|etid3-core|h[0o]st|lab-rare|zismexv)|' .
             'h(?:[4a]x+[0o]r|6ss|anna1337|ehehe|sfpdcd|tmlawedtest)|' .
             'i(?:\d{3,}[a-z]{2,}|cesword|ndoxploit|optimize|oxi/alfa-ioxi|r7szrsouep|itsec|xr/(?:allez|wp-login))|' .
             'kvkjguw|' .
@@ -124,23 +124,24 @@
             'p(?:erl\.alfa|hp(?:1|_niu_\d+)|oison|riv8|wnd|zaiihfi)|' .
             'rendixd|' .
             's(?:ession91|h[3e]llx?\d*|hrift|idwso|ilic|kipper(?:shell)?|onarxleetxd|pammervip|rc/util/php/(?:eval(?:-stdin)?|kill))|' .
-            't(?:62|enda\.sh.*tenda\.sh|emplates/beez/index|hemes/(?:finley/min|pridmag/db|universal-news/www)|hreefox(?:_exploit/index)?|inymce/(?:langs/about|plugins/compat3x/css/index)|k_dencode_\d+|mp/vuln|opxoh/(?:drsx|wdr))|' .
+            't(?:62|enda\.sh.*tenda\.sh|emplates/beez/index|hemes/(?:finley/min|pridmag/db|universal-news/www)|ermps|homs|hreefox(?:_exploit/index)?|inymce/(?:langs/about|plugins/compat3x/css/index)|k_dencode_\d+|mp/vuln|opxoh/(?:drsx|wdr))|' .
             'u(?:bh/up|nisibfu|pfile(?:_\\(\d\\))?|ploader_by_cloud7_agath|tchiha(?:_uploader)?)|' .
             'v(?:endor/bin/loader|zlateam)|' .
-            'w(?:[0o]rm\d+|0rdpr3ssnew|alker-nva|ebshell-[a-z\d]+|idgets-nva|idwsisw|loymzuk)|' .
-            'wp[-_](?:2019|22|(?:admin(?:/images)?|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:dropdown|fgertreyersd|(?:images|widgets)/include|install|js/privacy-tools\.min|(?:random_compat/|requests/)?class(?:_api|-wp-page-[\da-z]{5,})|repeater|simple|text/about|themes/hello-element/footer|uploads/error_log|vuln|wp-login)|conflg|content/plugins/(?:backup-backup/includes/hro|cache/dropdown|contact-form-7/.+styles-rtl|contus-hd-flv-player/uploadvideo|(?:core-plugin/|wordpresscore/)?include|dzs-zoomsounds/savepng|fix/up|(?:view-more/)?ioxi|wp-file-manager/lib/php/connector\.minimal)|filemanager|setups|sigunq|sts|p)|' .
+            'w(?:[0o]rm\d+|0rdpr3ssnew|alker-nva|ebshell-[a-z\d]+|idgets-nva|idwsisw|loymzuk|orksec)|' .
+            'wp[-_](?:2019|22|(?:admin(?:/images)?|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:aaa|dropdown|fgertreyersd|(?:images|widgets)/include|includes/lint-branch|install|js/privacy-tools\.min|maint/(?:aaa|fie|lint-branch)|(?:random_compat/|requests/)?class(?:_api|-wp-page-[\da-z]{5,})|repeater|simple|text/about|themes/hello-element/footer|uploads/error_log|vuln|wp-login)|conflg|content/plugins/(?:backup-backup/includes/hro|cache/dropdown|contact-form-7/.+styles-rtl|contus-hd-flv-player/uploadvideo|(?:core-plugin/|wordpresscore/)?include|dzs-zoomsounds/savepng|fix/up|(?:view-more/)?ioxi|wp-file-manager/lib/php/connector\.minimal)|filemanager|setups|sigunq|sts|p)|' .
             'wp-(?:configs|l0gins?)|' .
             'ws[ou](?:yanz)?(?:[\d.]*|[\da-z]{4,})|wwdv|' .
             'x{3,}|xiaom|xichang/x|x+l(?:\d+|eet(?:mailer|-shell)?x?)|xm(?:lrpcs|lrpz|rlpc)|xw|' .
             'ya?nz|yyobang/mar|' .
             'zone_hackbar(?:_beutify_other)?|' .
             '(?:plugins|themes)/(?:ccx|ioptimization|yyobang)|' .
             '版iisspy|大马|一句话(?:木马|扫描脚本程序)?' .
-            ')\.php[57]?(?:$|[/?])~',
+            ')\.php[57]?(?:$|[/?])|' .
+            'funs\.php[57]?(?:$|[/?])~',
             $LCNrURI
         ), 'Probing for webshells/backdoors')) {
             $CIDRAM['Reporter']->report([15, 20, 21], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']);
-        } // 2023.08.18 mod 2025.02.13
+        } // 2023.08.18 mod 2025.03.03
 
         /** Probing for vulnerable plugins or webapps. */
         if (
@@ -184,14 +185,17 @@
         } // 2022.06.05
 
         /** Probing for vulnerable webapps. */
-        if ($Trigger(preg_match('~cgi-bin/(?:get_status|(?:web)?login)\.cgi(?:$|\?)|manager/text/list~i', $LCNrURI), 'Probing for vulnerable webapps')) {
+        if ($Trigger(preg_match('~cgi-bin/(?:get_status|(?:web)?login)\.cgi(?:$|\?)|manager/text/list~', $LCNrURI), 'Probing for vulnerable webapps')) {
             $CIDRAM['Reporter']->report([15, 21], ['Caught probing for vulnerable webapps.'], $CIDRAM['BlockInfo']['IPAddr']);
-        } // 2022.06.05 mod 2023.09.15
+        } // 2022.06.05 mod 2025.03.03
 
         /** Probing for sendgrid env file. */
-        if ($Trigger(preg_match('~/sendgrid\.env(?:$|[/?])~i', $LCNrURI), 'Probing for sendgrid env file')) {
+        if ($Trigger(preg_match('~/sendgrid\.env(?:$|[/?])~', $LCNrURI), 'Probing for sendgrid env file')) {
             $CIDRAM['Reporter']->report([15, 21], ['Caught probing for sendgrid env file.'], $CIDRAM['BlockInfo']['IPAddr']);
-        } // 2024.05.02
+        } // 2024.05.02 mod 2025.03.03
+
+        /** Attempts by broken bot to incorrectly access ReCaptcha files (treating reference to remote resource as local). */
+        $Trigger(preg_match('~/www\.google\.com/recaptcha/api\.js(?:$|[/?])~', $LCNrURI), 'Bad request'); // 2025.03.03
     }
 
     /**
diff --git a/modules/modules.dat b/modules/modules.dat
@@ -239,7 +239,7 @@ module_cookies.php:
 module_extras.php:
  Name: "Optional security extras module"
  False Positive Risk: "Medium"
- Version: "2025.43.0"
+ Version: "2025.61.0"
  Dependencies:
   PHP: "^5.4|^7|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -254,7 +254,7 @@ module_extras.php:
    - "module_extras.php"
    - "module_extras.yaml"
   Checksum:
-   - "c9111df6d0aff6f93bccfb9b25bfdfc3e468c0b8afc22d480df3f4963f1e0950:29013"
+   - "f8d1678868951f39e255c24af7952f30543f8f3bd97b4e315e3d893e16aa5b7d:29450"
    - "7b891d1fa4b1c52c410220bc758e8cb7064bd6040430fb149a5b60e9ae2e0838:890"
  Used with: "modules"
  Reannotate: "modules.dat"
