Dawg
RavenNuke(tm) Development Team

Joined: Nov 07, 2003
Posts: 889

PostPosted: Fri Jun 04, 2004 3:04 am

Greetings Raven and all,
I installed Sentinel last night. This morning I went to upload some new pictures to my site BOOM....I got the FULL effect. It does work!

I have the report it generated and info on exactly what I was doing when it kicked in....I assume you would be interested in seeing it.

Where would you like the details sent to?

Dawg
stephen2417
Worker

Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH

PostPosted: Fri Jun 04, 2004 3:07 am

You may just post the info here.. Leaving the site name and other personal info out..
Dawg
RavenNuke(tm) Development Team

Joined: Nov 07, 2003
Posts: 889

PostPosted: Fri Jun 04, 2004 3:45 am

I have had 3 so far...It seems every time I touch "Gallery" to do "Admin" type functions it fires off....

Here is 1....

Date & Time: 2004-06-04 01:44:40
Blocked IP:
User ID: ME (98)
Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String:
Forwarded For: none
Client IP: none
Remote Address:
Remote Port: 1780
Request Method: GET

#2........

Date & Time: 2004-06-04 01:54:33
Blocked IP:
User ID: ME (98)
Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String:
Forwarded For: none
Client IP: none
Remote Address:
Remote Port: 1222
Request Method: GET

#3
Date & Time: 2004-06-04 02:10:40
Blocked IP:
User ID: ME (98)
Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String:
Forwarded For: none
Client IP: none
Remote Address:
Remote Port: 1985
Request Method: GET

#4....
Date & Time: 2004-06-04 02:10:55
Blocked IP:
User ID: ME (98)
Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String:
Forwarded For: none
Client IP: none
Remote Address:
Remote Port: 2038
Request Method: GET

There are the 4 so far. Like I said, it seems to fire off anytime I use the admin functions in Gallery.

I am using ver 1.1 BTW.
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Fri Jun 04, 2004 5:02 am

It's the &cmd value that is setting it off. We'll have to look into it. Thanks!
redville
New Member

Joined: Jan 22, 2004
Posts: 9

PostPosted: Fri Jun 04, 2004 6:55 am

After seeing this I checked gallery also and got banned when I tried to rebuild the thumbnails.

I had Sentinel 1.10 installed and then saw 1.20 was out, so I installed it and got banned again.

I had not tried the ban function, but I see what it does now. It's great, even though as some have warned it did not crash my computer. I shut off my pop up blocker and was able to hit Alt&Ctrl&Delete and close it out, of course I was expecting it.

Can you tell me which function would control this so I can disable it for now, since I don't want a member to get accidentally banned.

Thanks
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Fri Jun 04, 2004 7:02 am

Rather than turn it completely off, which could leave you vulnerable, try this first. Find this code on or about line 109 in includes/sentinel.php
Code:
  if (eregi("http\:\/\/", $name) OR eregi("cmd",$querystring) OR eregi("exec",$querystring) OR eregi("concat",$querystring)) {
and modify it to
Code:
  if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR eregi("exec",$querystring) OR eregi("concat",$querystring)) {
redville
New Member

Joined: Jan 22, 2004
Posts: 9

PostPosted: Fri Jun 04, 2004 7:04 am

Figured it out, it's the string query that is setting it off.

I shut it off and was able to admin gallery.
redville
New Member

Joined: Jan 22, 2004
Posts: 9

PostPosted: Fri Jun 04, 2004 7:18 am

Of course this is what is causing it in the sentinel.php "OR eregi("cmd",$querystring)" because I removed it, enabled the query string again, and was able to admin the gallery without being banned.

Is it possible to rewrite it so admins or approved members can use the gallery functions but anyone else it would set off the ban?

Thanks
redville
New Member

Joined: Jan 22, 2004
Posts: 9

PostPosted: Fri Jun 04, 2004 7:19 am

Sorry Raven, you must have been posting while I was.

Thanks
redville
New Member

Joined: Jan 22, 2004
Posts: 9

PostPosted: Fri Jun 04, 2004 7:25 am

That fix did it, I didn't get banned for rebuilding the thumbs this time.
Dawg
RavenNuke(tm) Development Team

Joined: Nov 07, 2003
Posts: 889

PostPosted: Fri Jun 04, 2004 7:25 pm

Raven,
Will this work for anyone with "Photo" access or just an admin?

I give Photo Galleries to my registered members (I run a Sport Fishing Site), and the members that use this feature have control over their own gallery. Will this work, or will they be banned?

Dawg
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Fri Jun 04, 2004 7:28 pm

It should work for any uri request_string containing &cmd
NovemberRain
New Member

Joined: Jul 12, 2003
Posts: 8
Location: Istanbul

PostPosted: Sat Jun 05, 2004 1:12 pm

Code:
Date & Time: 2004-06-05 19:14:44
Blocked IP: ********
User ID: executer (992)
Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String:
Forwarded For: *******
Client IP: none
Remote Address: *********
Remote Port: 26215
Request Method: GET
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2499

PostPosted: Sat Jun 05, 2004 4:29 pm

It's the username: exec is a substring of executer.
You'll have to decide either to remove the exec code or set the filter to email only for now.
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2499

PostPosted: Sat Jun 05, 2004 5:34 pm

Building on what Raven did with cmd above, NovemberRain, try this; it's working ok for me but I only tested it briefly.
Around line 112 in includes/sentinel.php
change this line
Code:
  if (eregi("http\:\/\/", $name) OR eregi("cmd",$querystring) OR eregi("exec",$querystring) OR eregi("concat",$querystring)) {
To this:
Code:
  if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring)) {
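To make the substring behaviour concrete, here is an added Python model of the line-109 check and of the two edits posted above (Raven's "&cmd" exception and six's "execu" exception). It is not Sentinel's own PHP, and the sample query strings and their parameter names are constructed for illustration.

```python
import re

def _has(pattern: str, text: str) -> bool:
    """Case-insensitive substring match, standing in for PHP's eregi()."""
    return re.search(pattern, text, re.IGNORECASE) is not None

def abuse_other_fires(name: str, querystring: str, variant: str = "original") -> bool:
    """Model of the 'Abuse - OTHER' check from includes/sentinel.php.

    variant="original": the shipped line, any cmd/exec/concat substring bans.
    variant="raven":    'cmd' is skipped when it occurs as the '&cmd' parameter.
    variant="six":      additionally 'exec' is skipped when it sits inside 'execu'.
    """
    cmd_hit = _has("cmd", querystring)
    exec_hit = _has("exec", querystring)
    if variant in ("raven", "six"):
        cmd_hit = cmd_hit and not _has("&cmd", querystring)
    if variant == "six":
        # PHP's AND binds tighter than OR, so the posted line reads (exec AND NOT execu).
        exec_hit = exec_hit and not _has("execu", querystring)
    return _has("http://", name) or cmd_hit or exec_hit or _has("concat", querystring)

# Constructed query strings (hypothetical parameter names) shaped like the reports in this thread.
SAMPLES = {
    "gallery_admin": "name=gallery&set_albumName=album01&cmd=rebuild",   # Gallery admin action
    "user_executer": "name=Your_Account&op=userinfo&username=executer",  # user 'executer'
    "user_cmdmrr": "name=Your_Account&op=userinfo&username=cmdmrr",      # user 'cmdmrr'
    "plain_news": "name=News&file=article&sid=12",                       # ordinary page view
}

def banned_by(variant: str) -> dict:
    """For each sample, True means that rule variant would ban this legitimate request."""
    return {label: abuse_other_fires("", qs, variant) for label, qs in SAMPLES.items()}

if __name__ == "__main__":
    for v in ("original", "raven", "six"):
        print(v, banned_by(v))
```

Note that the exceptions are plain substring tests too: any request whose query string contains "&cmd" skips the cmd check whatever the parameter's value, which is the trade-off Raven describes (fewer false bans on Gallery, narrower filter).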
ballymuntrev
Hangin' Around

Joined: Mar 22, 2004
Posts: 49

PostPosted: Sat Jun 05, 2004 5:45 pm

I got this one today...

Code:
X-Mailer: Sentinel(tm)
Date: Sat, 05 Jun 2004 18:02:03 +0100

Date & Time: 2004-06-05 18:02:03
Blocked IP: 81.0.234.209
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: Python-urllib/1.15
Query String:
Forwarded For: none
Client IP: none
Remote Address: 81.0.234.209
Remote Port: 56335
Request Method: GET
--------------------
Who-Is for IP
81.0.234.209

Is that the same as what others said above? Or was it really a hack/exploit attempt?

Ta,

Trev.
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2499

PostPosted: Sat Jun 05, 2004 5:59 pm

Trev,
That was a legit attack.
ballymuntrev
Hangin' Around

Joined: Mar 22, 2004
Posts: 49

PostPosted: Sat Jun 05, 2004 6:00 pm

Thanks six
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2499

PostPosted: Sat Jun 05, 2004 6:05 pm

Grr, and your attacker, while stupid enough to leave indexing on, encoded his variable names lol!!!!!
twelves
Regular

Joined: Aug 22, 2003
Posts: 84

PostPosted: Sun Jun 06, 2004 11:29 am

A valid user got this:

Reason: Abuse - SCRIPT

Query String: www.blah.com/modules.php?name=Web_Links&l_op=viewlinkdetails&lid=96&ttitle=Cube-Tec_(formerly_Spectral_Design)
Forwarded For: none
Client IP: none
Remote Address: 213.217.**.*
Remote Port: 56473
Request Method: GET
sixonetonoffun
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2499

PostPosted: Sun Jun 06, 2004 11:46 am

Yep, that's the () in the title. This has been reported; we're looking into options to qualify the filter, but there are so many potential misuses it's hard to create something that is going to still catch all the evil yet allow the good ones through while maintaining an acceptable level of performance.

It's best to just not allow them.
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Sun Jun 06, 2004 12:56 pm

I agree with Six. You could also just set the setting to E-Mail only and that way you can look at each occurrence and respond accordingly. I'd just avoid the () in my titles
NovemberRain
New Member

Joined: Jul 12, 2003
Posts: 8
Location: Istanbul

PostPosted: Tue Jun 15, 2004 9:54 am

Code:
Date & Time: 2004-06-15 13:57:31
Blocked IP: **.***.****
User ID: Joe_Sadriabi (102)
Reason: Abuse - SCRIPT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String:
Forwarded For: xxxxx
Client IP: none
Remote Address: xxxxxx
Remote Port: 41499
Request Method: POST
--------------------
Who-Is for IP
xxxxxxxxx

Code:
Date & Time: 2004-06-15 14:12:10
Blocked IP: xxxxxxxxx
User ID: Joe_Sadriabi (102)
Reason: Abuse - SCRIPT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String:
Forwarded For: xxxxxxxxxxx
Client IP: none
Remote Address: xxxxxxxxxx
Remote Port: 50165
Request Method: POST
--------------------
Who-Is for IP
xxxxxx

Code:
Date & Time: 2004-06-15 14:13:05
Blocked IP: xxxxxxxx
User ID: Joe_Sadriabi (102)
Reason: Abuse - SCRIPT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String:
Forwarded For: xxxxxxx
Client IP: none
Remote Address: xxxxxxxx
Remote Port: 57845
Request Method: POST
--------------------
Who-Is for IP
xxxxxxxxx
NovemberRain
New Member

Joined: Jul 12, 2003
Posts: 8
Location: Istanbul

PostPosted: Tue Jun 15, 2004 3:01 pm

Code:
Date & Time: 2004-06-15 23:40:15
Blocked IP: xxxxxxxx
User ID: cmdmrr (4368)
Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Query String:
Forwarded For: none
Client IP: none
Remote Address: xxxxxxxxxxx
Remote Port: 1408
Request Method: GET
--------------------
Who-Is for IP
xxxxxxx
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue Jun 15, 2004 3:11 pm

This last one is answered in this very thread on this very page, up above.
All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2002-2011 by Raven
