Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.5.x
Author Message
paradice
New Member
New Member



Joined: Aug 06, 2004
Posts: 9

PostPosted: Mon Jan 01, 2007 11:22 pm Reply with quote

Sentinel is banning the following user-agent string:

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)

as a Microsoft URL Control bot but I don't see any sign of it.

Any suggestions?
 
View user's profile Send private message
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Tue Jan 02, 2007 5:52 am Reply with quote

You might want to see this:
[ Only registered users can see links on this board! Get registered or login! ]

And this (useful site):
[ Only registered users can see links on this board! Get registered or login! ]

Somewhere in the User Agent field is the string "microsoft.url" so I am wondering if we're not getting the full User Agent shown?

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
View user's profile Send private message Visit poster's website
Doulos
Life Cycles Becoming CPU Cycles



Joined: Jun 06, 2005
Posts: 732

PostPosted: Sun Jul 01, 2007 8:37 pm Reply with quote

I don't really know what I am looking at on those two websites. I have recently begun getting similar messages about (40 all from one user):
Quote:
Reason: Abuse-Harvest
String Match: microsoft url control
--------------------
User Agent: Microsoft URL Control - 6.00.8862
Query String: mysite.com/index.php
Get String: mysite.com/index.php
Post String: mysite.com/index.php
Forwarded For: none
Client IP: none
Remote Address: 6x.1xx.2xx.1xx
Remote Port: 60086
Request Method: GET
Also this one:
Quote:
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: webster
--------------------
User Agent: Mozilla/4.7 (compatible; OffByOne; Windows 2000) Webster Pro V3.4
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Get String: [ Only registered users can see links on this board! Get registered or login! ]
Post String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 2xx.1xx.6x.8x
Remote Port: 4821
Request Method: GET


Questions:
1. Are these dangerous and should I be permanently blocking them.
2. Any idea what they are trying to do? Can you tell from this? I tried looking at the log but my log for the past 30 days is 120 Mb. I gave up after 10 minutes of crimson editor trying to load it.
 
View user's profile Send private message
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

PostPosted: Mon Jul 02, 2007 3:56 am Reply with quote

Have you done a lookup for the IP?
 
View user's profile Send private message Send e-mail
Doulos







PostPosted: Mon Jul 02, 2007 2:29 pm Reply with quote

The first case is a legitimate registered user who claims he is just clicking our link in his shortcuts (IE). Clearing cookies, temporary internet files, and typing the url in manually allowed him to access our site normally. Now he is getting blocked again. I told him to try using Firefox, not to import IE favorites and place our site as his homepage and see it that works.

In the second case, Korea. Hmm, thought I had them blocked.
 
Guardian2003







PostPosted: Mon Jul 02, 2007 2:53 pm Reply with quote

For your first case, he is the only one getting blocked by clicking on his bookmarks which leads me to think there MAY more to this than meets the eye. Is he a regular contributor to the site?
In the case of Korea, if you use Sentinel to look up the IP is it listed? It might be one of those oddballs that isnt in the latest IP2Country list.
 
Doulos







PostPosted: Mon Jul 02, 2007 3:57 pm Reply with quote

1. He is a long time member, but hasn't contributed in the past few months. He began getting blocked as soon as he came back. I myself am wondering if he is trying to use a script to copy the website, or some such activity.

2. I used dnsstuff.com, didn't think to check NS. I will.
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm) v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©