Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x
mburp
New Member


Joined: Jan 23, 2006
Posts: 9

Posted: Thu Apr 02, 2009 1:24 pm

I have a local user who has complained several times of being blocked from my Sentinel 2.6.01 protected Raven Nuke 2.3.01 site for admin abuse. He has sent me a copy of the block page text - it's mine - but his IP never gets added to the blocked list.

Any advice on where to begin to track down the problem would be greatly appreciated. He works for an ISP and is trying to contact the site from his work computer - I've wondered if it's his employer's network, but I'm in over my head.

I've asked him repeatedly to try clearing his browser cache - he's using Firefox 3.0.8.

Sign me confused

or just mburp
Michael Burp

_________________
Let's go for coffee!
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

Posted: Thu Apr 02, 2009 2:29 pm

What is he doing when he gets blocked?
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Thu Apr 02, 2009 2:34 pm

Look at IP tracking.
 
mburp
Posted: Thu Apr 02, 2009 3:57 pm

"What is he doing when he gets blocked?"

The last time it happened he clicked on a link to the home page in an e-mail I sent him after again clearing all blocked IPs and double checking that the lists in .htaccess and the database were indeed empty.

"Look at IP tracking."

His IP doesn't show up in tracked IPs in NukeSentinel - which I suppose is possible, if he's being treated as blocked without being allowed on a site page first.

I checked the server access log:

First he came in from a Google search:

Code:
216.135.89.138 - - [02/Apr/2009:09:41:04 -0600] "GET / HTTP/1.0" 200 1994 "http://www.google.com/search?q=nabc+brewing&btnG=Search&hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aunofficial&sa=2" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"

216.135.89.138 - - [02/Apr/2009:09:41:05 -0600] "GET / HTTP/1.0" 200 1930 "http://www.google.com/search?q=nabc+brewing&btnG=Search&hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aunofficial&sa=2" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"
216.135.89.138 - - [02/Apr/2009:09:41:05 -0600] "GET /abuse/logo.png HTTP/1.0" 200 4137 "http://www.newalbanian.com/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"
216.135.89.138 - - [02/Apr/2009:09:41:05 -0600] "GET /favicon.ico HTTP/1.0" 200 1325 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"


Two hours later from another Google search:

Code:
216.135.89.138 - - [02/Apr/2009:12:09:18 -0600] "GET / HTTP/1.0" 200 1930 "http://www.google.com/search?q=new+albanian+brewing+company&ie=utf-8&oe=utf-8&aq=t&rls=com.ubuntu:en-US:unofficial&client=firefox-a" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"

216.135.89.138 - - [02/Apr/2009:12:09:20 -0600] "GET / HTTP/1.0" 200 1930 "http://www.google.com/search?q=new+albanian+brewing+company&ie=utf-8&oe=utf-8&aq=t&rls=com.ubuntu:en-US:unofficial&client=firefox-a" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"


Then from the e-mail:

Code:
216.135.89.138 - - [02/Apr/2009:14:01:15 -0600] "GET / HTTP/1.0" 200 1930 "http://mail.xxx.xxx.net/zimbra/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"


That's everything from the access log.
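
A way to read an excerpt like the one in the post above, as an added example that is not part of the original thread or of NukeSentinel. It groups combined-format log lines by client IP and reports the byte size served for `/`, requests for files under `/abuse/` (assumed here to be where the customized block page keeps its images), and browser requests logged as HTTP/1.0, which often indicates a proxy between browser and server. The sample lines are constructed, with a documentation IP address and shortened referers.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the format of the lines quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
BLOCK_ASSET_PREFIX = "/abuse/"  # assumption: block-page images live here

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            yield rec

def summarize(lines):
    """Per client IP: sizes served for "/", block-asset hits, HTTP/1.0 count."""
    out = defaultdict(lambda: {"root_sizes": [], "block_assets": [], "http10": 0})
    for r in parse(lines):
        s = out[r["ip"]]
        if r["path"] == "/":
            s["root_sizes"].append((r["ts"], r["status"], r["size"]))
        if r["path"].startswith(BLOCK_ASSET_PREFIX):
            s["block_assets"].append((r["ts"], r["path"], r["referer"]))
        # Heuristic: a browser logged as HTTP/1.0 often sits behind a proxy.
        if r["proto"] == "HTTP/1.0" and r["agent"].startswith("Mozilla/"):
            s["http10"] += 1
    return dict(out)

# Constructed sample modelled on the excerpt (documentation IP, short referers).
UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Firefox/3.0.8"
IP = "192.0.2.10 - -"
SAMPLE = [
    f'{IP} [02/Apr/2009:09:41:04 -0600] "GET / HTTP/1.0" 200 1994 "http://search.example/?q=x" "{UA}"',
    f'{IP} [02/Apr/2009:09:41:05 -0600] "GET / HTTP/1.0" 200 1930 "http://search.example/?q=x" "{UA}"',
    f'{IP} [02/Apr/2009:09:41:05 -0600] "GET /abuse/logo.png HTTP/1.0" 200 4137 "http://site.example/" "{UA}"',
    f'{IP} [02/Apr/2009:09:41:05 -0600] "GET /favicon.ico HTTP/1.0" 200 1325 "-" "{UA}"',
    f'{IP} [02/Apr/2009:14:01:15 -0600] "GET / HTTP/1.0" 200 1930 "http://mail.example/" "{UA}"',
]

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s)
```

Because a block page can be returned with status 200, the status column alone does not show a block; the response size for `/` and any block-asset requests are the fields to compare against a normal page load.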
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Thu Apr 02, 2009 7:24 pm

What is the actual message of the block?

mburp
Posted: Thu Apr 02, 2009 8:03 pm

"You have attempted to improperly access the admin area of this site."

Which, of course, there's no record of him trying to do. I had a similar exchange last year with a user from Szeged about a Hungarian language site I maintain on another server. Admin abuse then too. Nothing suspicious in the access log. He was an IT professional accessing from his workplace as well - perhaps coincidentally, but there may have been something in common, accessing from a network, using a Linux machine, who knows.
 
evaders99
Posted: Thu Apr 02, 2009 11:11 pm

He's never attempted to access your admin page.. and you've never given him a link to them (in the email)? Are you using any addons? Any mods that may have an admin section?
 
mburp
Posted: Fri Apr 03, 2009 12:18 am

evaders99 wrote:
He's never attempted to access your admin page.. and you've never given him a link to them (in the email)? Are you using any addons? Any mods that may have an admin section?


I have no knowledge of him ever attempting to access this site's admin pages.

I have never given him a link to the admin pages.

That doesn't really seem relevant to me. This is what I do know:

I had another report of a similar problem on this site from another user - a trusted employee of the company the site was built for - a week or so ago. At that point I cleared the block list and checked to make sure there were no blocked IPs remaining in either the .htaccess file or the database. I also set blocks to last 24 hours - so innocent users accidentally blocked in this way would not have to wait too long before regaining access to the site.

According to the server's access log the user who e-mailed me today about being blocked from the site had followed a Google link to the home page at 9:41 server time and again at 12:09 (see above). The user then e-mailed me saying he could not access the site and had received a block notice.

I checked the blocked IP list - his IP wasn't on it. I cleared the blocked IP list - again checking the .htaccess file and database to make sure there were no blocked IPs remaining.

I sent the user an e-mail containing a link to the site's front page asking him to attempt to visit the site from that link and to inform me - if he was blocked again - what form of block it was.

The server log shows he attempted to visit the site at 2:01 p.m. - following a link from a web-mail account. He sent me an e-mail saying he had been blocked again and included text copied from a block page I had customized for the site stating he had attempted to improperly access the admin pages.

I checked the blocked IP list again and it was still empty.

It seems clear to me he is telling the truth. This is the second user to report this same difficulty in the several years I have been building sites with Nuke and NukeSentinel.

In addition to Nuke modules with admin sections accessible through Nuke admin, there are other scripts running independently of nuke in adjacent sub-directories that have admin sections, however the access log shows no record of any of them being accessed from this user's IP address.

The only thing I can see is that on the first attempt - at 9:41 - the server log shows a call for abuse/logo.png. In the two later visits it does not, so I wonder if it can be a caching problem. But as I said above, I'm in over my head here.
 
evaders99
Posted: Fri Apr 03, 2009 12:43 am

Some code is triggering the block page. I'm trying to figure out what. That is basically irrelevant of the whole "not in the blocked IP list"

I cannot seem to duplicate it. Assuming newalbanian.com is your site, I go through that Google search with no bans or anything
 
mburp
Posted: Fri Apr 03, 2009 1:20 am

newalbanian.com is the site.

This reminds me of a few years ago when my anti-virus program first added the function that allowed it to check pages that came up during Google searches so it could tell you whether the links were safe or not before you clicked on them. It seemed that got me blocked on a couple of Sentinel protected sites, until either the anti-virus code changed or Sentinel code caught up with the new development. Unfortunately, this guy's using Ubuntu Linux, so I have no idea what new program functions might be involved here.

I could put you in touch with this visitor, if you think that might help.
 
All times are GMT - 6 Hours
 