Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1242

Posted: Fri Dec 03, 2010 7:36 am

One of my client's users got blocked per:
Quote:
Reason: Abuse-Harvest
String Match: CC
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)


How did this happen? I don't see any such "string match" for "CC", and in my harvester menu there is no "CC" either. What's up with this one?

Cheers
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

Posted: Fri Dec 03, 2010 11:37 am

So there is nothing in your 'string blocker' settings relating to blocking *CC* ?
 
dad7732
Posted: Fri Dec 03, 2010 1:01 pm

The string blocker menu is blank. There was only one entry in the harvester menu that "may" apply -> CCbot but I doubt that as only CC showed in the blocker message.
 
dad7732
Posted: Fri Dec 03, 2010 5:03 pm

Now here is another one from a user trying to register, I have NO idea where this "CC" thing is coming from.

Quote:
Created By: NukeSentinel(tm) 2.6.03
Date & Time: 2010-12-03 15:00:14 CST GMT -0600
Blocked IP: 76.250.69.247
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: CC
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)


The only "Reason: Abuse-Harvest" is in the Harvester Blocker configuration, nowhere else.
 
dad7732
Posted: Fri Dec 03, 2010 5:09 pm

Three entries in the log per this IP being blocked:
Quote:
76.250.69.247 - - [03/Dec/2010:15:00:14 -0600] "GET / HTTP/1.1" 200 1030 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"

76.250.69.247 - - [03/Dec/2010:15:00:16 -0600] "GET /abuse/logo.png HTTP/1.1" 200 3707 "http://www.gardenersgumbo.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"

76.250.69.247 - - [03/Dec/2010:15:00:17 -0600] "GET /favicon.ico HTTP/1.1" 200 20390 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)"


Any ideas??? This is getting a bit annoying to my client to say the least.

Thanks
 
Guardian2003
Posted: Fri Dec 03, 2010 5:40 pm

I have forced the referring string on a test site to what you have shown here (apart from the IP) and it isn't tripping anything on a default install, so I'm at a loss for the moment. I also double checked string blocker and harvest blocker were active.
Sorry I cannot be more help at the moment.
 
dad7732
Posted: Fri Dec 03, 2010 6:22 pm

Since the two registrants have "gmail" addresses and there was some issue with gmail a while back, this may be related. I removed "gmail" from the "limits" in the user-config and we'll see what happens.
 
hicuxunicorniobestbuildpc
Life Cycles Becoming CPU Cycles


Joined: Aug 13, 2009
Posts: 967
Location: Netherland

Posted: Sat Dec 04, 2010 5:14 am

Hi dad7732

nukesentinel.php (Test this file in order to test if you get any issues.)

Sorry, but I cannot post the complete file here. I guess there is a mod which doesn't allow so many characters.


Last edited by hicuxunicorniobestbuildpc on Sat Dec 04, 2010 9:27 am; edited 3 times in total 
dad7732
Posted: Sat Dec 04, 2010 7:29 am

Doesn't appear to be complete.
 
hicuxunicorniobestbuildpc
Posted: Sat Dec 04, 2010 9:30 am

here you have
[link hidden from unregistered users]
 
dad7732
Posted: Sat Dec 04, 2010 10:16 am

I can run it on a test domain, what is it supposed to do that the distro file doesn't?
 
dad7732
Posted: Sat Dec 04, 2010 10:24 am

I see the file is quite a bit larger than the distro and produces a blank page besides. Is this file supposed to "replace" the distro file in /admin/modules/nukesentinel.php ? Doesn't look ANYthing like the original.
 
Palbin
Site Admin


Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

Posted: Sat Dec 04, 2010 10:34 am

unicornio, You have this bit of code floating under the get_ip() function.

Code:


  if(isset($nsnst_const['client_ip']) && !stristr($nsnst_const['client_ip'], "none") && !stristr($nsnst_const['client_ip'], "unknown") AND !is_reserved($nsnst_const['client_ip'])) {
    return $nsnst_const['client_ip'];
  } elseif(isset($nsnst_const['forward_ip']) && !stristr($nsnst_const['forward_ip'], "none") && !stristr($nsnst_const['forward_ip'], "unknown") AND !is_reserved($nsnst_const['forward_ip'])) {
    return $nsnst_const['forward_ip'];
  } elseif(isset($nsnst_const['remote_addr']) && !stristr($nsnst_const['remote_addr'], "none") && !stristr($nsnst_const['remote_addr'], "unknown") AND !is_reserved($nsnst_const['remote_addr'])) {
    return $nsnst_const['remote_addr'];
  } else {
    return "none";
  }


It should not be there.

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. 
hicuxunicorniobestbuildpc
Posted: Sat Dec 04, 2010 5:08 pm

Where should it be then, Palbin? Thanks for taking a look at the file.


Quote:
dad7732 produces a blank page besides


I don't get any blank page. Shocked

Well, I tried to get rid of deprecated lines and I modified it a bit to get a better result with NukeSentinel, because sometimes Sentinel blocks IPs it shouldn't block, but I guess Palbin saw something that shouldn't be there. Let me see where I have to put the code Palbin mentioned.
 
dad7732
Posted: Sun Dec 05, 2010 4:03 pm

Still getting the error/block with other users - same string: CC and same UA and reason: Abuse-Harvest

Band-aid for now is to remove all harvesters from the DB and see what happens.

I have a feeling this is related to blocking an Agent string, where is that info saved in the DB?

Cheers
 
PHrEEkie
Subject Matter Expert


Joined: Feb 23, 2004
Posts: 358

Posted: Sun Dec 05, 2010 5:34 pm

Hi dad -

The only way for a visitor to trip the Harvester blocking action is by their user agent, so you are spot on there. The user agent is stored in the field `user_agent` within the {prefix}_nsnst_tracked_ips table, but that table is only populated if you have IP Tracking enabled in Sentinel Administration.

You could rip the string search logic out of sentinel.php and write a small standalone script that would easily tell you what about those user agents it's trapping.

Remember that the IP Tracking configuration in Sentinel Admin has a "number of days" feature, so if that's set to something low, your previous tracked user agents are disappearing from that table every day.

- Keith

_________________
PHP - Breaking your legacy scripts one build at a time. 
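The standalone check PHrEEkie suggests above, as an added example that is not part of the thread and not NukeSentinel's own code. It assumes the harvester check is a case-insensitive substring match; `find_harvester_matches` and the bare `CC` list entry are hypothetical, while the user agents are the ones from the block reports in this thread.

```php
<?php
// Added diagnostic sketch, not NukeSentinel code. Assumption: the harvester
// check is a case-insensitive substring test of each list entry against the UA.

/** Return every list entry found in $ua, with its offset and surrounding text. */
function find_harvester_matches(string $ua, array $entries): array
{
    $hits = [];
    foreach ($entries as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue; // a blank entry must never be treated as a match
        }
        $pos = stripos($ua, $entry);
        if ($pos !== false) {
            $start = max(0, $pos - 8);
            $hits[] = [
                'entry'   => $entry,
                'offset'  => $pos,
                'context' => substr($ua, $start, strlen($entry) + 16),
            ];
        }
    }
    return $hits;
}

// Constructed list: "CCbot" and "Baiduspider" appear in the thread; the bare
// "CC" entry is hypothetical, added to show what a two-letter entry would do.
$entries = ['CCbot', 'Baiduspider', 'CC'];

// User agents copied from the block reports in the thread.
$agents = [
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)',
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET CLR 1.1.4322; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)',
];

foreach ($agents as $ua) {
    $hits = find_harvester_matches($ua, $entries);
    echo substr($ua, 0, 60), "...\n";
    if (!$hits) {
        echo "  no entry matches\n";
    }
    foreach ($hits as $h) {
        printf("  entry '%s' at offset %d: ...%s...\n", $h['entry'], $h['offset'], $h['context']);
    }
}
```

Replacing `$entries` with the strings actually stored for the harvester blocker shows which stored entry, if any, is the one hitting `SLCC1`.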
dad7732
Posted: Sun Dec 05, 2010 6:18 pm

Getting way out of hand for whatever reason, the latest being:

Code:
Created By: NukeSentinel(tm) 2.6.03

Date & Time: 2010-12-05 17:25:09 CST GMT -0600
Blocked IP: 209.40.209.167
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: CC
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1;
.NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
.NET4.0C; .NET CLR 1.1.4322; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)


"abuse-harvest" is set to email admin only, no default page OR blocker.

The IP does not show up in tracked_ip or blocked_ip and it's always a "String Match: CC" but there is no such string CC that I can find.
 
PHrEEkie
Posted: Sun Dec 05, 2010 6:25 pm

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1;

- Keith
 
dad7732
Posted: Sun Dec 05, 2010 6:26 pm

Yes, but there is no CC or SLCC1 in the blocked agent DB. Unless I'm looking in the wrong place(s).
 
PHrEEkie
Posted: Sun Dec 05, 2010 7:23 pm

I just did a search of my tracked ip table, and found 159 user agents with SLCC in the string; none of which were blocked or triggered any sort of event.

- Keith
 
PHrEEkie
Posted: Sun Dec 05, 2010 10:52 pm

dad,

Toss your /includes/sentinel.php file into a .zip and email it to me, please.

ezcom DOT keith AT REMOVEgmail DOT com

I'll compare it to some different versions I have laying around that are known to work.

- Keith
 
dad7732
Posted: Sun Dec 05, 2010 11:14 pm

Just grab the one in the RN 2.4.0.1 distro, that is the one I use on a dozen or so sites .. unchanged.
 
dad7732
Posted: Mon Dec 06, 2010 9:22 am

Thinking cap firmly in place ....

You know, the more expert at support we get the more we seem to bypass the obvious and simplest of fixes. This may be the case here after I configured ALL of the blockers except Clike and Union to email admin only, no default page or blocking IP.

This morning, the same user emailed me with the same problem, blocked!!

After twitching the thinking cap, I suggested to remove cookies and clear cache. Awaiting a reply as of this writing.

Rolling Eyes
 
dad7732
Posted: Tue Dec 07, 2010 6:56 am

I have the blocker "Harvester" set to "email admin" only. So why am I getting this email:
Code:
Created By: NukeSentinel(tm) 2.6.03

Date & Time: 2010-12-07 03:32:01 CST GMT -0600
Blocked IP: 220.181.108.182
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: Baiduspider


Says the IP is blocked. And "Baiduspider" is NOT in the Harvester menu .. nothing is .. the menu is blank by my choice while experimenting. Blocked_IP is also blank.
 
Guardian2003
Posted: Tue Dec 07, 2010 8:25 am

Just to clarify; I presume that because your Harvester menu is empty, the table is also? ( _nsnst_harvesters )
 
All times are GMT - 6 Hours
 