How to track cause of false admin abuse block

New Member Joined: Jan 23, 2006 Posts: 9

I have a local user who has complained several times of being blocked from my Sentinel 2.6.01 protected Raven Nuke 2.3.01 site for admin abuse. He has sent me a copy of the block page text - its mine - but his IP never gets added to the blocked list.

Any advice on where to begin to track down the problem would be greatly appreciated. He works for an ISP and is trying to contact the site from his work computer - I've wondered if its his employer's network, but I'm in over my head.

I've asked him repeatedly to try clearing his browser cache - he's using FireFox 3.0.8.

Sign me confused

or just mburp
Michael Burp

Posted: Thu Apr 02, 2009 2:29 pm

What is he doing when he gets blocked?

Posted: Thu Apr 02, 2009 2:34 pm

Look at IP tracking.

Posted: Thu Apr 02, 2009 3:57 pm

"What is he doing when he gets blocked?"

The last time it happened he clicked on a link to the home page in an e-mail I sent him after again clearing all blocked IPs and double checking that the lists in .htaccess and the database were indeed empty.

"Look at IP tracking."

His IP doesn't show up in tracked IPs in NukeSentinel - which I suppose is possible, if he's being treated as blocked without being allowed on a site page first.

I checked the server access log:

First he came in from a Google search:

Code:

216.135.89.138 - - [02/Apr/2009:09:41:04 -0600] "GET / HTTP/1.0" 200 1994 "http://www.google.com/search?q=nabc+brewing&btnG=Search&hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aunofficial&sa=2" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"


216.135.89.138 - - [02/Apr/2009:09:41:05 -0600] "GET / HTTP/1.0" 200 1930 "http://www.google.com/search?q=nabc+brewing&btnG=Search&hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aunofficial&sa=2" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"


216.135.89.138 - - [02/Apr/2009:09:41:05 -0600] "GET /abuse/logo.png HTTP/1.0" 200 4137 "http://www.newalbanian.com/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"


216.135.89.138 - - [02/Apr/2009:09:41:05 -0600] "GET /favicon.ico HTTP/1.0" 200 1325 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"

Two hours later from another Google search:

Code:

216.135.89.138 - - [02/Apr/2009:12:09:18 -0600] "GET / HTTP/1.0" 200 1930 "http://www.google.com/search?q=new+albanian+brewing+company&ie=utf-8&oe=utf-8&aq=t&rls=com.ubuntu:en-US:unofficial&client=firefox-a" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"


216.135.89.138 - - [02/Apr/2009:12:09:20 -0600] "GET / HTTP/1.0" 200 1930 "http://www.google.com/search?q=new+albanian+brewing+company&ie=utf-8&oe=utf-8&aq=t&rls=com.ubuntu:en-US:unofficial&client=firefox-a" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"

Then from the e-mail:

Code:

216.135.89.138 - - [02/Apr/2009:14:01:15 -0600] "GET / HTTP/1.0" 200 1930 "http://mail.xxx.xxx.net/zimbra/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8"

That's everything from the access log.

Posted: Thu Apr 02, 2009 7:24 pm

What is the actual message of the block?

Posted: Thu Apr 02, 2009 8:03 pm

"You have attempted to improperly access the admin area of this site."

Which, of course, there's no record of him trying to do. I had a similar exchange last year with a user from Szeged about a Hungarian language site I maintain on another server. Admin abuse then too. Nothing suspicious in the access log. He was an IT professional accessing from his workplace as well - perhaps coincidentally, but there may have been something in common, accessing from a network, using a linux machine, who knows.

Posted: Thu Apr 02, 2009 11:11 pm

He's never attempted to access your admin page.. and you've never given him a link to them (in the email)? Are you using any addons? Any mods that may have an admin section?

Posted: Fri Apr 03, 2009 12:18 am

evaders99 wrote:

He's never attempted to access your admin page.. and you've never given him a link to them (in the email)? Are you using any addons? Any mods that may have an admin section?

I have no knowledge of him ever attempting to access this site's admin pages.

I have never given him a link to the admin pages.

That doesn't really seem relevant to me. This is what I do know:

I had another report of a similar problem on this site from another user - a trusted employee of the company the site was built for - a week or so ago. At that point I cleared the block list and checked to make sure there were no blocked IPs remaining in either the .htaccess file or the database. I also set blocks to last 24 hours - so innocent users accidentally blocked in this way would not have to wait too long before regaining access to the site.

According to the server's access log the user who e-mailed me today about being blocked from the site had followed a Google link to the home page at 9:41 server time and again at 12:09 (see above). The user then e-mailed me saying he could not access the site and had received a block notice.

I checked the blocked IP list - his IP wasn't on it. I cleared the blocked IP list - again checking the .htaccess file and database to make sure there were no blocked IPs remaining.

I sent the user an e-mail containing a link to the site's front page asking him to attempt to visit the site from that link and to inform me - if he was blocked again - what form of block it was.

The server log shows he attempted to visit the site at 2:01 p.m. - following a link from a web-mail account. He sent me an e-mail saying he had been blocked again and included text copied from a block page I had customized for the site stating he had attempted to improperly access the admin pages.

I checked the blocked IP list again and it was still empty.

It seems clear to me he is telling the truth. This is the second user to report this same difficulty in the several years I have been building sites with Nuke and NukeSentinel.

In addition to Nuke modules with admin sections accessible through Nuke admin, there are other scripts running independently of nuke in adjacent sub-directories that have admin sections, however the access log shows no record of any of them being accessed from this user's IP address.

The only thing I can see is that on the first attempt - at 9:41 - the server log shows a call for abuse/logo.png. In the two later visits it does not, so I wonder if it can be a caching problem. But as I said above, I'm in over my head here.

Posted: Fri Apr 03, 2009 12:43 am

Some code is triggering the block page. I'm trying to figure out what. That is basically irrelevant of the whole "not in the blocked IP list"

I cannot seem to duplicate it. Assuming newalbanian.com is your site, I go through that Google search with no bans or anything

Posted: Fri Apr 03, 2009 1:20 am

newalbanian.com is the site.

This reminds me of a few years ago when my anti-virus program first added the function that allowed it to check pages that came up during Google searches so it could tell you whether the links were safe or not before you clicked on them. It seemed that got me blocked on a couple of Sentinel protected sites, until either the anti-virus code changed or Sentinel code caught up with the new development. Unfortunately, this guy's using Ubuntu linux, so I have no idea what new program functions might be involved here.

I could put you in touch with this visitor, if you think that might help.