Ravens PHP Scripts: Forums
 

 

foxyfemfem
New Member


Joined: Dec 07, 2003
Posts: 22
Location: USA

PostPosted: Sun May 30, 2004 4:56 am Reply with quote

Hello,

Not only did Sentinel block an IP for no reason, the thought of me using the popups to crash someone's computer who didn't deserve it really hurt. I know if I'm hurt from the thought of crashing someone's computer I can only imagine how the person felt; therefore, I decided to remove Sentinel from my website. It's not fair to people to get banned and then tortured for nothing.

The person who was banned was not hacking my site; actually they were browsing my forum's user groups.

This is the message I received from Sentinel. *Notice* the query string used: that's not a hack, that's one of my usergroups.

Date & Time: 2004-05-29 21:32:34
Blocked IP: 193.218.115.6
User ID: Anonymous (1)
Reason: Abuse - AGENT
--------------------
User Agent: Szukacz/1.5 (robot; Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login!)
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 193.218.115.6
Remote Port: 1556
Request Method: GET
--------------------
Who-Is for IP 193.218.115.6




 
foxyfemfem
PostPosted: Sun May 30, 2004 6:33 am Reply with quote

Okay, I was told at NC that this was only a bot that I tortured and I could turn the popup of death off via admin cp. <exhale>.. a big relief. The thought of me torturing innocent people pierces my heart. I like the feature but it's not fair to innocent bystanders (surfers) to crash their computer. I know I would hate to have something like that done to me because of a search I did at their website. Oh yeah, now that I brought up the word "search" here's a question.... On my forums we discuss a lot of things like marriages, etc. Sometimes people use the word "union" or "commitment" when they discuss marriages. If someone does a search on my forum using the keyword "union" will they get banned?
 
foxyfemfem
PostPosted: Sun May 30, 2004 6:56 am Reply with quote

Okay, another question... The script didn't write the banned IP to my .htaccess file. I know I have it configured right as in the path to the file. Am I supposed to chmod my .htaccess to 666 or 777?
 
Nukeum66
Life Cycles Becoming CPU Cycles


Joined: Jul 30, 2003
Posts: 551
Location: Neurotic, State, USA

PostPosted: Sun May 30, 2004 7:21 am Reply with quote

This is from the README FILE:

(CHMOD 666) Be sure your .htaccess file has at least one blank line at the end of it.

_________________
Scott Johnson MIS Ubuntu/Linux 11.10 
GanjaUK
Life Cycles Becoming CPU Cycles


Joined: Feb 14, 2004
Posts: 633
Location: England

PostPosted: Sun May 30, 2004 7:25 am Reply with quote

The path to your htaccess is probably just: .htaccess

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Sun May 30, 2004 7:52 am Reply with quote

foxyfemfem wrote:
Okay, I was told at NC that this was only a bot that I tortured and I could turn the popup of death off via admin cp. <exhale>.. a big relief. The thought of me torturing innocent people pierces my heart. I like the feature but it's not fair to innocent bystanders (surfers) to crash their computer. I know I would hate to have something like that done to me because of a search I did at their website. Oh yeah, now that I brought up the word "search" here's a question.... On my forums we discuss a lot of things like marriages, etc. Sometimes people use the word "union" or "commitment" when they discuss marriages. If someone does a search on my forum using the keyword "union" will they get banned?

Of course they won't get banned. That "trap", just as in the other security applications out there, looks for specific patterns in the HTTP protocol responses, not the functionality of the CMS itself. The best thing to do is just test it on your own site. It's simple enough to unban using phpMyAdmin. Then, if you discover false positives, let us know and we will see if we can fix them. BTW, v1.1 will be released shortly and it gives you much more control over each type of hack attempt as to how Sentinel(tm) responds.
 
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Sun May 30, 2004 12:09 pm Reply with quote

On the banned IP, you notice it lists Abuse - AGENT as the reason. You can edit the Harvester list to as few or as many as you want blocked.

The default list comes from a site that lists known bad bots and web rippers. Some of the listed rippers are email harvesters, some are graphics harvesters and some are page harvesters.

We left the default list the way it was to cover as many as possible without creating a list that would slow your site to a crawl.

I hope this helps you to understand why that IP was banned and how to adapt the list to suit your needs. Removing from the list is as simple as deleting one of the strings listed, and adding to the list is just as simple as adding a new line with a string in it.

_________________
Bob Marion
Codito Ergo Sum
Captain_Computer
Hangin' Around


Joined: May 30, 2004
Posts: 46

PostPosted: Mon May 31, 2004 9:45 am Reply with quote

Sentinel is banning IPs from all around the globe because the User-Agent is:

Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT)

Using Proxomitron I set the same User-Agent and it banned me also. The keyword that Sentinel is looking at is 'Powermarks'. By changing the spelling of Powermarks by taking away letters from the end of the word, Sentinel will ban everything from Powermarks down to Powerma but won't ban 'Powerm'.

The puzzling part is that in the Harvest ban list there isn't anything close to Powermarks that I can find. I've got about 20 IPs that have been banned for that reason.

_________________
Captain Computer Said It !!!! 
BobMarion
PostPosted: Mon May 31, 2004 9:56 am Reply with quote

I'm checking into this. Not sure why it's doing that since Powermarks isn't in the harvest list.
 
Captain_Computer
PostPosted: Mon May 31, 2004 10:12 am Reply with quote

Here are a few of the query strings.
Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login!

Looking through the logs I've also got these banned User-Agents.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Cox High Speed Internet Customer)

Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; ONDOWN3.2; Q312461; Cox High Speed Internet Customer)
 
BobMarion
PostPosted: Mon May 31, 2004 10:22 am Reply with quote

Go to Sentinel(tm) Configuration and look through the Harvest List and remove the line "rma". It took a minor code change for me to find what it was matching to but that is the one. I'll remove it from the next release's installer.
 
Captain_Computer
PostPosted: Mon May 31, 2004 10:29 am Reply with quote

Thanks a lot. I removed it and will let you know how it goes.
 
Captain_Computer
PostPosted: Tue Jun 01, 2004 6:52 am Reply with quote

Removing "rma" solved the problem. Thanks again for your great support and a great product.
 
BobMarion
PostPosted: Tue Jun 01, 2004 10:23 am Reply with quote

Captain, if you're getting Cox Internet Customers banned, look for "custo" in the harvest list and remove it. Chat had this issue as well, so the first harvest list had a couple of strings that need to be removed. I can post a SQL query that will reset the list to a list with these two and a couple of others I can't remember removed.
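
The false positives in this thread come from short Harvest List strings landing inside ordinary words of a User-Agent. The following is an added example, not NukeSentinel code and not from any poster: it audits a list against known-benign user agents, assuming case-insensitive substring matching; every list entry other than "rma" and "custo" is constructed, and the length threshold is hypothetical.

```python
# Added example, not NukeSentinel code.
# Assumption: each Harvest List line is matched as a case-insensitive
# substring of the User-Agent header, which fits the behaviour in the thread.

# Constructed list: only "rma" and "custo" are taken from the thread.
HARVEST_LIST = ["emailsiphon", "webripper", "rma", "custo"]

# User agents the thread reports as wrongly banned.
BENIGN_AGENTS = [
    "Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; "
    "Cox High Speed Internet Customer)",
]

MIN_SAFE_LENGTH = 6  # hypothetical review threshold, not a Sentinel setting


def word_at(text, pos):
    """Return the alphanumeric word of `text` that contains index `pos`."""
    start = end = pos
    while start > 0 and text[start - 1].isalnum():
        start -= 1
    while end < len(text) and text[end].isalnum():
        end += 1
    return text[start:end]


def matching_entries(user_agent, entries):
    """List (entry, word it landed in) for every entry found in the agent."""
    lowered = user_agent.lower()
    hits = []
    for entry in entries:
        needle = entry.strip().lower()
        pos = lowered.find(needle) if needle else -1  # skip blank lines
        if pos != -1:
            hits.append((entry, word_at(user_agent, pos)))
    return hits


def audit(entries, benign_agents):
    """Map each entry that hits a benign agent to the words it matched."""
    report = {}
    for agent in benign_agents:
        for entry, word in matching_entries(agent, entries):
            report.setdefault(entry, []).append(word)
    return report


def short_entries(entries, min_len=MIN_SAFE_LENGTH):
    """Entries short enough to occur inside ordinary words."""
    return [e for e in entries if len(e.strip()) < min_len]
```

Running `audit` over user agents taken from normal traffic before a list goes live shows which entry is responsible for each false positive, which is the lookup that needed a code change in the thread.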
 
All times are GMT - 6 Hours
 