Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel(tm)
dar63
Hangin' Around



Joined: May 14, 2004
Posts: 28
Location: Plymouth UK

Posted: Fri Jun 11, 2004 7:41 pm

I had a user who was blocked just posting in the forum.

sentinel version 1.2

User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; (R1 1.3))
Query String: phpnuke-uk.net/modules.php?name=Forums&file=posting&sid=05ad72b1aa8a89e87ed2b932d8870b8e
Forwarded For: none
Client IP: none
Remote Address: 213.202.141.75
Remote Port: 10687
Request Method: POST

Presumably this is to do with post in posting??

Very strange, can this be avoided?
 
stephen2417
Worker



Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH

Posted: Fri Jun 11, 2004 8:48 pm

Couldn't tell you why, but here's some more info.. [ Only registered users can see links on this board! Get registered or login! ]
 
SmackDaddy
Involved



Joined: Jun 02, 2004
Posts: 268
Location: Englewood, OH

Posted: Fri Jun 11, 2004 9:40 pm

I had something similar happen to *ME* yesterday although I didn't end up banned, I was hit with unlimited pop-ups!!!! I had posted on my forums, and when I hit backspace, in the address bar, I saw a link which was formatted similar to the one above..... but was something like: "http://www.mydomain.com/modules.php?name=Forums&file=posting" (it didn't have a SID in it tho)

And I thought "awww crap, I am banned, but for what?!?!?!"

Once I stopped all the pop-ups, I went directly to my .htaccess file to delete my IP, but it wasn't there. I opened my browser and funnily enough, I wasn't banned. I tried to get it to do it again, but I couldn't......was definitely weird..... :?
 
sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

Posted: Sat Jun 12, 2004 9:36 am

dar63
What reason was given?
Reason: Abuse -
That will help because then we'll know what filter was reacting.

dar63







Posted: Sat Jun 12, 2004 11:51 am

Date & Time: 2004-06-11 20:21:46
Blocked IP: 213.202.141.75
User ID: sounds (738)
Reason: Abuse - SCRIPT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; (R1 1.3))
Query String: phpnuke-uk.net/modules.php?name=Forums&file=posting&sid=05ad72b1aa8a89e87ed2b932d8870b8e
Forwarded For: none
Client IP: none
Remote Address: 213.202.141.75
Remote Port: 10687
Request Method: POST
 
sixonetonoffun







Posted: Sat Jun 12, 2004 12:31 pm

I don't see anything wrong with the url at all so I'd have to say there was something in the actual post that triggered the response.

It was most likely a script or style tag in the post. If you get a lot of raw HTML postings like that, it would probably be best to set the script detections to Block and Email only, not ban.

There is room for improvements in the script filter and I'm sure it will evolve as time and testing goes on.
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Sat Jun 12, 2004 12:33 pm

If you copy and paste that string into your browser, does it trip an alarm? Or is it that user? If it's that user, does your user name have parentheses in it like his does?
 
sixonetonoffun







Posted: Sat Jun 12, 2004 12:45 pm

Good catch. I just created that user and I can't even log on with that name without triggering an alert! I completely missed the username!
 
Raven







Posted: Sat Jun 12, 2004 12:52 pm

I got looking at the code and was quickly reminded that all _GET and _POST vars are looked at :)
 
dar63







Posted: Sat Jun 12, 2004 3:07 pm

Right, firstly the post he was trying to post was just a simple thank you, no code.

Secondly, can I take it that the username, which is just sounds, nothing else, is to blame?

The (738) is his userid
 
Raven







Posted: Sat Jun 12, 2004 3:14 pm

Try what I recommended and see if a name without the () gets blocked.
 
dar63







Posted: Sat Jun 12, 2004 3:16 pm

Raven wrote:
Try what I recommended and see if a name without the () gets blocked.


As posted above, his username is just sounds, nothing else.
 
Raven







Posted: Sat Jun 12, 2004 3:18 pm

Fine. Do YOU get blocked when YOU try it?
 
dar63







Posted: Sat Jun 12, 2004 3:21 pm

Raven wrote:
Fine. Do YOU get blocked when YOU try it?


Nope, no probs when I copy/paste the string.
 
Raven







Posted: Sat Jun 12, 2004 3:22 pm

Then that kind of leads me to suspect something else, like maybe the agent
 
dar63







Posted: Sat Jun 12, 2004 3:25 pm

It's definitely a little strange :shock:

Bar this little prob, top work by bob, yourself and the rest. :D

Keep it up. :)
 
sixonetonoffun







Posted: Sat Jun 12, 2004 3:31 pm

Sorry dar63, for some reason I took the username with uid and tried it as username. Honestly, even with all the information you have so patiently provided, I can't duplicate the error with a user named sounds posting here at all. I, in my rush to think we resolved the issue, took the username as sounds (738), which of course gave an alert right away.

I still have to think there was something in the actual post or title that set off the alert. If you come up with any more clues let us know please, this one's driving me nutso! Oh yeah, it's too late for that, I already was.
 
dar63







Posted: Sat Jun 12, 2004 3:37 pm

No worries sixonetonoffun

I rarely post questions on support sites, just thought it may've turned out to be a known issue.

Thanks once again anyway. :)
 
SmackDaddy







Posted: Tue Jun 15, 2004 11:24 pm

SmackDaddy wrote:
I had something similar happen to *ME* yesterday although I didn't end up banned, I was hit with unlimited pop-ups!!!! I had posted on my forums, and when I hit backspace, in the address bar, I saw a link which was formatted similar to the one above..... but was something like: "http://www.mydomain.com/modules.php?name=Forums&file=posting" (it didn't have a SID in it tho)

And I thought "awww crap, I am banned, but for what?!?!?!"

Once I stopped all the pop-ups, I went directly to my .htaccess file to delete my IP, but it wasn't there. I opened my browser and funnily enough, I wasn't banned. I tried to get it to do it again, but I couldn't......was definitely weird..... :?


An update on this........since it happened again tonight, but I was reading a different thread on my forums.....

I was reading this thread:
[ Only registered users can see links on this board! Get registered or login! ] (it's in my moderator's forum so you won't be able to read it)

But anyway, when I closed out the window (BTW, I surf with multiple windows open -- I use a browser tool called Netcaptor which allows for tabbed browsing).....so anyway, I closed out that window/tab, and when I did, I got pop-ups GALORE out of the blue and seemingly for no reason at all! I was able to get the URL that was in the pop-up windows seeing as my PC at work is a slow P.O.S.....

The URLs in the pop-ups were all the same:
[ Only registered users can see links on this board! Get registered or login! ]

It doesn't make sense, however, this never happened before the installation of Sentinel.....and the unlimited pop-ups are indicative of the PC Killer.....and now, I do not have any spyware, malware or trojans on my system as it's scanned daily in my corporate environment, nor is my PC infected with a virus.

I'm at a loss as I cannot consistently reproduce this issue.
 
Raven







Posted: Wed Jun 16, 2004 5:05 am

Can you reproduce this 100% of the time with that url?
 
SmackDaddy







Posted: Wed Jun 16, 2004 5:21 am

Raven wrote:
Can you reproduce this 100% of the time with that url?


SmackDaddy wrote:
I'm at a loss as I cannot consistently reproduce this issue.
 
dar63







Posted: Thu Jun 24, 2004 4:08 pm

Another innocent user blocked, on 2 occasions.

Quote:
Date & Time: 2004-06-24 15:58:01
Blocked IP: 213.116.42.136
User ID: secureoffice
Reason: Abuse - AGENT
--------------------
User Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Query String: phpnukies.org/index.php
Forwarded For: none
Client IP: none
Remote Address: 213.116.42.136
Remote Port: 2214
Request Method: OPTIONS


Any ideas fellas?
 
Raven







Posted: Thu Jun 24, 2004 4:24 pm

[ Only registered users can see links on this board! Get registered or login! ]
 
dar63







Posted: Thu Jun 24, 2004 4:30 pm

Thank you kind sir. :)
 
drmike
Worker



Joined: Jul 15, 2004
Posts: 108
Location: Charlotte, NC

Posted: Thu Jul 15, 2004 1:37 pm

ok, I'm a bit lost here on this one. I'm researching why a user of mine keeps getting blocked for having the string:

Microsoft Data Access Internet Publishing Provider Protocol Discovery

the link you sent dar63 to is for the word customer. Um, I'm missing something here. Care to clue me in?

-drmike
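
Added example (not part of any post above and not NukeSentinel's own code): a small triage script for the block-report format quoted in this thread. It separates the username from the uid suffix that caused the confusion over "sounds (738)", and indicates which part of the request to inspect for each report. The function names and the "odd character" check are assumptions made for illustration; the sample data is abridged from the two reports dar63 posted.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Abridged copies of the two block reports quoted in the thread.
REPORTS = """\
Date & Time: 2004-06-11 20:21:46
Blocked IP: 213.202.141.75
User ID: sounds (738)
Reason: Abuse - SCRIPT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; (R1 1.3))
Query String: phpnuke-uk.net/modules.php?name=Forums&file=posting&sid=05ad72b1aa8a89e87ed2b932d8870b8e
Request Method: POST
Date & Time: 2004-06-24 15:58:01
Blocked IP: 213.116.42.136
User ID: secureoffice
Reason: Abuse - AGENT
--------------------
User Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Query String: phpnukies.org/index.php
Request Method: OPTIONS
"""

def parse_reports(text):
    """Split concatenated reports into dicts keyed by field label."""
    reports = []
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if key == "Date & Time":
            reports.append({})  # every report starts with this field
        if sep and reports:     # the dashed separator row has no ": "
            reports[-1][key] = value.strip()
    return reports

def split_user(user_id):
    """'sounds (738)' -> ('sounds', 738): the uid suffix is not part of the name."""
    m = re.fullmatch(r"(.*?)\s*\((\d+)\)", user_id)
    return (m.group(1), int(m.group(2))) if m else (user_id, None)

def triage(r):
    """Say where the triggering value most likely sat (assumed heuristic)."""
    if r["Reason"].endswith("AGENT"):
        return "User-Agent header: " + r["User Agent"]
    query = urlsplit("//" + r["Query String"]).query
    odd = [k for k, v in parse_qsl(query) if re.search(r"[<>()'\"]", v)]
    if odd:
        return "query parameters: " + ", ".join(odd)
    post = r["Request Method"] == "POST"
    return "POST body (not recorded in the report)" if post else "unknown"
```

For the first report the URL parameters are clean, so the script points at the POST body, which the report does not record; for the second it points at the User-Agent header sent with the OPTIONS request.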
 
All times are GMT - 6 Hours
 