dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1191

Posted: Fri Dec 03, 2010 7:36 am

One of my client's users got blocked per:
Quote:
Reason: Abuse-Harvest
String Match: CC
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)


How did this happen? I don't see any such "string match" for "CC", and in my harvester menu there is no "CC" either. What's up with this one?

Cheers

Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic

Posted: Fri Dec 03, 2010 11:37 am

So there is nothing in your 'string blocker' settings relating to blocking *CC* ?

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Fri Dec 03, 2010 1:01 pm

The string blocker menu is blank. There was only one entry in the harvester menu that "may" apply -> CCbot but I doubt that as only CC showed in the blocker message.

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Fri Dec 03, 2010 5:03 pm

Now here is another one from a user trying to register, I have NO idea where this "CC" thing is coming from.

Quote:
Created By: NukeSentinel(tm) 2.6.03
Date & Time: 2010-12-03 15:00:14 CST GMT -0600
Blocked IP: 76.250.69.247
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: CC
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)


The only "Reason: Abuse-Harvest" is in the Harvester Blocker configuration, nowhere else.

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Fri Dec 03, 2010 5:09 pm

Three entries in the log per this IP being blocked:
Quote:
76.250.69.247 - - [03/Dec/2010:15:00:14 -0600] "GET / HTTP/1.1" 200 1030 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"

76.250.69.247 - - [03/Dec/2010:15:00:16 -0600] "GET /abuse/logo.png HTTP/1.1" 200 3707 "http://www.gardenersgumbo.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"

76.250.69.247 - - [03/Dec/2010:15:00:17 -0600] "GET /favicon.ico HTTP/1.1" 200 20390 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"


Any ideas??? This is getting a bit annoying to my client to say the least.

Thanks

Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic

Posted: Fri Dec 03, 2010 5:40 pm

I have forced the referring string on a test site to what you have shown here (apart from the IP) and it isn't tripping anything on a default install, so I'm at a loss for the moment. I also double checked string blocker and harvest blocker were active.
Sorry I cannot be more help at the moment.

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Fri Dec 03, 2010 6:22 pm

Since the two registrants have "gmail" addresses and there was some issue with gmail a while back, this may be related. I removed "gmail" from the "limits" in the user-config and we'll see what happens.

unicornio
Involved

Joined: Aug 13, 2009
Posts: 432

Posted: Sat Dec 04, 2010 5:14 am

Hi dad7732

nukesentinel.php (Test this file in order to test if you get any issues.)

Sorry, but I cannot post the complete file here. I guess there is a mod which doesn't allow so many characters.


Last edited by unicornio on Sat Dec 04, 2010 9:27 am; edited 3 times in total

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Sat Dec 04, 2010 7:29 am

Doesn't appear to be complete.

unicornio
Involved

Joined: Aug 13, 2009
Posts: 432

Posted: Sat Dec 04, 2010 9:30 am

here you have
Only registered users can see links on this board!
Get registered or login to the forums!

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Sat Dec 04, 2010 10:16 am

I can run it on a test domain, what is it supposed to do that the distro file doesn't?

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Sat Dec 04, 2010 10:24 am

I see the file is quite a bit larger than the distro and produces a blank page besides. Is this file supposed to "replace" the distro file in /admin/modules/nukesentinel.php ? Doesn't look ANYthing like the original.

Palbin
Site Admin

Joined: Mar 30, 2006
Posts: 2456
Location: Pittsburgh, Pennsylvania

Posted: Sat Dec 04, 2010 10:34 am

unicornio, You have this bit of code floating under the get_ip() function.

Code:

  if(isset($nsnst_const['client_ip']) && !stristr($nsnst_const['client_ip'], "none") && !stristr($nsnst_const['client_ip'], "unknown") AND !is_reserved($nsnst_const['client_ip'])) {
    return $nsnst_const['client_ip'];
  } elseif(isset($nsnst_const['forward_ip']) && !stristr($nsnst_const['forward_ip'], "none") && !stristr($nsnst_const['forward_ip'], "unknown") AND !is_reserved($nsnst_const['forward_ip'])) {
    return $nsnst_const['forward_ip'];
  } elseif(isset($nsnst_const['remote_addr']) && !stristr($nsnst_const['remote_addr'], "none") && !stristr($nsnst_const['remote_addr'], "unknown") AND !is_reserved($nsnst_const['remote_addr'])) {
    return $nsnst_const['remote_addr'];
  } else {
    return "none";
  }


It should not be there.

unicornio
Involved

Joined: Aug 13, 2009
Posts: 432

Posted: Sat Dec 04, 2010 5:08 pm

Where should it be then, Palbin? Thanks for taking a look at the file.


Quote:
dad7732 produces a blank page besides


I don't get any blank page.

Well, I tried to get rid of deprecated lines and I modified it a bit to get a better result with NukeSentinel, because sometimes Sentinel blocks IPs it shouldn't block, but I guess Palbin saw something that shouldn't be there. Let me see where I have to put the code Palbin mentioned.

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Sun Dec 05, 2010 4:03 pm

Still getting the error/block with other users - same string: CC and same UA and reason: Abuse-Harvest

Band-aid for now is to remove all harvesters from the DB and see what happens.

I have a feeling this is related to blocking an Agent string, where is that info saved in the DB?

Cheers

PHrEEkie
Subject Matter Expert

Joined: Feb 23, 2004
Posts: 358

Posted: Sun Dec 05, 2010 5:34 pm

Hi dad -

The only way for a visitor to trip the Harvester blocking action is by their user agent, so you are spot on there. The user agent is stored in the field `user_agent` within the {prefix}_nsnst_tracked_ips table, but that table is only populated if you have IP Tracking enabled in Sentinel Administration.

You could rip the string search logic out of sentinel.php and write a small standalone script that would easily tell you what about those user agents it's trapping.

Remember that the IP Tracking configuration in Sentinel Admin has a "number of days" feature, so if that's set to something low, your previous tracked user agents are disappearing from that table every day.

- Keith
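
A sketch of the standalone check suggested in the post above, as an added example (not code from sentinel.php or from anyone in this thread). It assumes the harvester blocker treats each list entry as a case-insensitive substring of the user agent; the function name and the sample list are constructed, "CC" is a hypothetical entry included only to show what such a hit looks like, and the user agent is the one from the block report earlier in the thread.

```php
<?php
// Added diagnostic example, not NukeSentinel code. Assumption: the harvester
// blocker treats every list entry as a case-insensitive substring of the UA.

// Returns one row per matching list entry, with the user-agent token
// (the text between ';', '(' and ')' separators) in which the match was found.
function explain_harvester_hits(string $userAgent, string $rawList): array
{
    $hits = [];
    // Split on any line ending so a list saved with \r\n or \n behaves the same.
    foreach (preg_split('/\r\n|\r|\n/', $rawList) as $lineNo => $entry) {
        $needle = trim($entry);
        if ($needle === '') {
            continue; // a blank line must never be used as a search string
        }
        $pos = stripos($userAgent, $needle);
        if ($pos === false) {
            continue;
        }
        // Widen the match to the surrounding token so the cause is readable.
        $start = $pos;
        while ($start > 0 && strpos(';()', $userAgent[$start - 1]) === false) {
            $start--;
        }
        $end = $pos + strlen($needle);
        while ($end < strlen($userAgent) && strpos(';()', $userAgent[$end]) === false) {
            $end++;
        }
        $hits[] = [
            'line'  => $lineNo + 1,
            'entry' => $needle,
            'token' => trim(substr($userAgent, $start, $end - $start)),
            'short' => strlen($needle) < 4, // short entries hit unrelated tokens
        ];
    }
    return $hits;
}

// User agent copied from the block report in this thread.
$ua = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; '
    . 'GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; '
    . '.NET CLR 3.5.30729; .NET CLR 3.0.30729)';
// Constructed list: "CCbot" is the entry named in the thread, "CC" is hypothetical.
$list = "CCbot\r\n\r\nCC\r\nBaiduspider";

foreach (explain_harvester_hits($ua, $list) as $hit) {
    printf("line %d: '%s' matched inside token '%s'%s\n", $hit['line'], $hit['entry'],
        $hit['token'], $hit['short'] ? ' (short entry)' : '');
}
```

Replace `$list` with the harvester list as it is actually stored on the affected site to see which entry, if any, hits inside `SLCC1`.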

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Sun Dec 05, 2010 6:18 pm

Getting way out of hand for whatever reason, the latest being:

Code:
Created By: NukeSentinel(tm) 2.6.03
Date & Time: 2010-12-05 17:25:09 CST GMT -0600
Blocked IP: 209.40.209.167
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: CC
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1;
.NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
.NET4.0C; .NET CLR 1.1.4322; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)


"abuse-harvest" is set to email admin only, no default page OR blocker.

The IP does not show up in tracked_ip or blocked_ip and it's always a "String Match: CC" but there is no such string CC that I can find.

PHrEEkie
Subject Matter Expert

Joined: Feb 23, 2004
Posts: 358

Posted: Sun Dec 05, 2010 6:25 pm

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1;

- Keith

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Sun Dec 05, 2010 6:26 pm

Yes, but there is no CC or SLCC1 in the blocked agent DB. Unless I'm looking in the wrong place(s).

PHrEEkie
Subject Matter Expert

Joined: Feb 23, 2004
Posts: 358

Posted: Sun Dec 05, 2010 7:23 pm

I just did a search of my tracked ip table, and found 159 user agents with SLCC in the string; none of which were blocked or triggered any sort of event.

- Keith

PHrEEkie
Subject Matter Expert

Joined: Feb 23, 2004
Posts: 358

Posted: Sun Dec 05, 2010 10:52 pm

dad,

Toss your /includes/sentinel.php file into a .zip and email it to me, please.

ezcom DOT keith AT REMOVEgmail DOT com

I'll compare it to some different versions I have laying around that are known to work.

- Keith

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Sun Dec 05, 2010 11:14 pm

Just grab the one in the RN 2.4.0.1 distro, that is the one I use on a dozen or so sites .. unchanged.

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Mon Dec 06, 2010 9:22 am

Thinking cap firmly in place ....

You know, the more expert at support we get the more we seem to bypass the obvious and simplest of fixes. This may be the case here after I configured ALL of the blockers except Clike and Union to email admin only, no default page or blocking IP.

This morning, the same user emailed me with the same problem, blocked!!

After twitching the thinking cap, I suggested to remove cookies and clear cache. Awaiting a reply as of this writing.

dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1191

Posted: Tue Dec 07, 2010 6:56 am

I have the blocker "Harvester" set to "email admin" only. So why am I getting this email:
Code:
Created By: NukeSentinel(tm) 2.6.03
Date & Time: 2010-12-07 03:32:01 CST GMT -0600
Blocked IP: 220.181.108.182
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: Baiduspider


Says the IP is blocked. And "Baiduspider" is NOT in the Harvester menu .. nothing is .. the menu is blank by my choice while experimenting. Blocked_IP is also blank.

Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic

Posted: Tue Dec 07, 2010 8:25 am

Just to clarify; I presume that because your Harvester menu is empty, the table is also? ( _nsnst_harvesters )