dar63 Hangin' Around
Joined: May 14, 2004 Posts: 28 Location: Plymouth UK
Posted: Fri Jun 11, 2004 7:41 pm
I had a user who was blocked just posting in the forum.
sentinel version 1.2
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; (R1 1.3))
Query String: phpnuke-uk.net/modules.php?name=Forums&file=posting&sid=05ad72b1aa8a89e87ed2b932d8870b8e
Forwarded For: none
Client IP: none
Remote Address: 213.202.141.75
Remote Port: 10687
Request Method: POST
Presumably this is to do with "post" in "posting"?
Very strange, can this be avoided?
stephen2417 Worker
Joined: Jan 18, 2004 Posts: 244 Location: Bristolville, OH
Posted: Fri Jun 11, 2004 8:48 pm
Couldn't tell you why, but here's some more info..
SmackDaddy Involved
Joined: Jun 02, 2004 Posts: 268 Location: Englewood, OH
Posted: Fri Jun 11, 2004 9:40 pm
I had something similar happen to *ME* yesterday, although I didn't end up banned; I was hit with unlimited pop-ups!!!! I had posted on my forums, and when I hit backspace, in the address bar I saw a link which was formatted similar to the one above..... but was something like: "http://www.mydomain.com/modules.php?name=Forums&file=posting" (it didn't have a SID in it though)
And I thought "awww crap, I am banned, but for what?!?!?!"
Once I stopped all the pop-ups, I went directly to my .htaccess file to delete my IP, but it wasn't there. I opened my browser and, funnily enough, I wasn't banned. I tried to get it to do it again, but I couldn't......was definitely weird.....
sixonetonoffun Spouse Contemplates Divorce
Joined: Jan 02, 2003 Posts: 2363
Posted: Sat Jun 12, 2004 9:36 am
dar63
What reason was given?
Reason: Abuse -
That will help because then we'll know what filter was reacting.
dar63 Hangin' Around
Joined: May 14, 2004 Posts: 28 Location: Plymouth UK
Posted: Sat Jun 12, 2004 11:51 am
Date & Time: 2004-06-11 20:21:46
Blocked IP: 213.202.141.75
User ID: sounds (738)
Reason: Abuse - SCRIPT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; (R1 1.3))
Query String: phpnuke-uk.net/modules.php?name=Forums&file=posting&sid=05ad72b1aa8a89e87ed2b932d8870b8e
Forwarded For: none
Client IP: none
Remote Address: 213.202.141.75
Remote Port: 10687
Request Method: POST
sixonetonoffun Spouse Contemplates Divorce
Joined: Jan 02, 2003 Posts: 2363
Posted: Sat Jun 12, 2004 12:31 pm
I don't see anything wrong with the URL at all, so I'd have to say there was something in the actual post that triggered the response.
It was most likely a script or style tag in the post. If you get a lot of raw HTML postings like that, it would probably be best to set the script detections to Block and Email only, not Ban.
There is room for improvement in the script filter, and I'm sure it will evolve as time and testing go on.
Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 15315 Location: Kansas
Posted: Sat Jun 12, 2004 12:33 pm
If you copy and paste that string into your browser, does it trip an alarm? Or is it that user? If it's that user, does your user name have parentheses in it like his does?
sixonetonoffun Spouse Contemplates Divorce
Joined: Jan 02, 2003 Posts: 2363
Posted: Sat Jun 12, 2004 12:45 pm
Good catch! I just created that user and I can't even log on with that name without triggering an alert! I completely missed the username!
Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 15315 Location: Kansas
Posted: Sat Jun 12, 2004 12:52 pm
I got looking at the code and was quickly reminded that all _GET and _POST vars are looked at.
dar63 Hangin' Around
Joined: May 14, 2004 Posts: 28 Location: Plymouth UK
Posted: Sat Jun 12, 2004 3:07 pm
Right, firstly, the post he was trying to post was just a simple thank you, no code.
Secondly, can I take it that the username, which is just sounds, nothing else, is to blame?
The (738) is his user ID.
Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 15315 Location: Kansas
Posted: Sat Jun 12, 2004 3:14 pm
Try what I recommended and see if a name without the () gets blocked.
dar63 Hangin' Around
Joined: May 14, 2004 Posts: 28 Location: Plymouth UK
Posted: Sat Jun 12, 2004 3:16 pm
Raven wrote:
    Try what I recommended and see if a name without the () gets blocked.
As posted above, his username is just sounds, nothing else.
Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 15315 Location: Kansas
Posted: Sat Jun 12, 2004 3:18 pm
Fine. Do YOU get blocked when YOU try it?
dar63 Hangin' Around
Joined: May 14, 2004 Posts: 28 Location: Plymouth UK
Posted: Sat Jun 12, 2004 3:21 pm
Raven wrote:
    Fine. Do YOU get blocked when YOU try it?
Nope, no probs when I copy/paste the string.
Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 15315 Location: Kansas
Posted: Sat Jun 12, 2004 3:22 pm
Then that kind of leads me to suspect something else, like maybe the agent.
dar63 Hangin' Around
Joined: May 14, 2004 Posts: 28 Location: Plymouth UK
Posted: Sat Jun 12, 2004 3:25 pm
It's definitely a little strange.
Bar this little prob, top work by Bob, yourself and the rest.
Keep it up.
sixonetonoffun Spouse Contemplates Divorce
Joined: Jan 02, 2003 Posts: 2363
Posted: Sat Jun 12, 2004 3:31 pm
Sorry dar63, for some reason I took the username with uid and tried it as a username. Honestly, even with all the information you have so patiently provided, I can't duplicate the error with a user named sounds posting here at all. In my rush to think we had resolved the issue I took the username as sounds (738), which of course gave an alert right away.
I still have to think there was something in the actual post or title that set off the alert. If you come up with any more clues, let us know please; this one's driving me nutso! Oh yeah, it's too late for that, I already was.
dar63 Hangin' Around
Joined: May 14, 2004 Posts: 28 Location: Plymouth UK
Posted: Sat Jun 12, 2004 3:37 pm
No worries sixonetonoffun.
I rarely post questions on support sites; I just thought it may've turned out to be a known issue.
Thanks once again anyway.
SmackDaddy Involved
Joined: Jun 02, 2004 Posts: 268 Location: Englewood, OH
Posted: Tue Jun 15, 2004 11:24 pm
SmackDaddy wrote:
    I had something similar happen to *ME* yesterday, although I didn't end up banned; I was hit with unlimited pop-ups!!!! I had posted on my forums, and when I hit backspace, in the address bar I saw a link which was formatted similar to the one above..... but was something like: "http://www.mydomain.com/modules.php?name=Forums&file=posting" (it didn't have a SID in it though)
    And I thought "awww crap, I am banned, but for what?!?!?!"
    Once I stopped all the pop-ups, I went directly to my .htaccess file to delete my IP, but it wasn't there. I opened my browser and, funnily enough, I wasn't banned. I tried to get it to do it again, but I couldn't......was definitely weird.....
An update on this........since it happened again tonight, but I was reading a different thread on my forums.....
I was reading this thread:
(it's in my moderator's forum so you won't be able to read it)
But anyway, when I closed out the window (BTW, I surf with multiple windows open -- I use a browser tool called Netcaptor which allows for tabbed browsing).....so anyway, I closed out that window/tab, and when I did, I got pop-ups GALORE out of the blue and seemingly for no reason at all! I was able to get the URL that was in the pop-up windows, seeing as my PC at work is a slow P.O.S.....
The URLs in the pop-ups were all the same:
It doesn't make sense; however, this never happened before the installation of Sentinel.....and the unlimited pop-ups are indicative of the PC Killer.....and now, I do not have any spyware, malware or trojans on my system as it's scanned daily in my corporate environment, nor is my PC infected with a virus.
I'm at a loss as I cannot consistently reproduce this issue.
Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 15315 Location: Kansas
Posted: Wed Jun 16, 2004 5:05 am
Can you reproduce this 100% of the time with that URL?
SmackDaddy Involved
Joined: Jun 02, 2004 Posts: 268 Location: Englewood, OH
Posted: Wed Jun 16, 2004 5:21 am
Raven wrote:
    Can you reproduce this 100% of the time with that URL?
SmackDaddy wrote:
    I'm at a loss as I cannot consistently reproduce this issue.
dar63 Hangin' Around
Joined: May 14, 2004 Posts: 28 Location: Plymouth UK
Posted: Thu Jun 24, 2004 4:08 pm
Another innocent user blocked, on 2 occasions.
Quote:
    Date & Time: 2004-06-24 15:58:01
    Blocked IP: 213.116.42.136
    User ID: secureoffice
    Reason: Abuse - AGENT
    --------------------
    User Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
    Query String: phpnukies.org/index.php
    Forwarded For: none
    Client IP: none
    Remote Address: 213.116.42.136
    Remote Port: 2214
    Request Method: OPTIONS
Any ideas fellas?
Raven Site Admin/Owner
Joined: Aug 27, 2002 Posts: 15315 Location: Kansas
Posted: Thu Jun 24, 2004 4:24 pm
dar63 Hangin' Around
Joined: May 14, 2004 Posts: 28 Location: Plymouth UK
Posted: Thu Jun 24, 2004 4:30 pm
Thank you kind sir.
drmike Worker
Joined: Jul 15, 2004 Posts: 108 Location: Charlotte, NC
Posted: Thu Jul 15, 2004 1:37 pm
OK, I'm a bit lost here on this one. I'm researching why a user of mine keeps getting blocked for having the string:
Microsoft Data Access Internet Publishing Provider Protocol Discovery
The link you sent dar63 to is for the word "customer". Um, I'm missing something here. Care to clue me in?
-drmike
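An added example, not part of this thread and not NukeSentinel's code: a small Python model of the two filters the thread runs into, the SCRIPT check that walks every _GET and _POST value (Raven's "all _GET and _POST vars are looked at") and the AGENT check that blocked the OPTIONS request carrying the "Microsoft Data Access Internet Publishing Provider Protocol Discovery" User-Agent (dar63's and drmike's posts). That User-Agent is what Microsoft's Web Folders/WebDAV client (MSDAIPP) sends in an OPTIONS request to discover whether a server supports WebDAV, so it appears when a user opens the site from Office or "Open as Web Folder", not from a browser. The regexes, the action names, the Request layout and every sample request below are assumptions made for the illustration; Sentinel's real patterns are not reproduced. The model also shows why sixonetonoffun's reproduction misfired: "sounds (738)" in the log is the username plus uid, and typed as a username it has the shape of a function call.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example for this thread; it is not NukeSentinel's code. The request
# layout, the regexes, the action names and the sample requests are all
# assumptions made for the illustration. Only the log field names, the
# "sounds (738)" user line and the OPTIONS User-Agent come from the thread.

# Per-filter action. The thread's advice for noisy filters is "Block and Email
# only, not Ban"; these keys and values are assumed, not Sentinel's real config.
ACTIONS: Dict[str, str] = {"SCRIPT": "block_email", "AGENT": "ban"}

# Assumed SCRIPT heuristic: an HTML tag opener, or an identifier followed by an
# opening parenthesis (the shape of a call such as alert( ). The second
# alternative is what makes "sounds (738)" look like script.
SCRIPT_RE = re.compile(r"<\s*/?\s*[a-z]|\b[a-z_]\w*\s*\(", re.IGNORECASE)

# Assumed AGENT denylist (case-insensitive substring match). The entry is the
# User-Agent from the blocked OPTIONS request in the thread.
AGENT_DENY: Tuple[str, ...] = ("Microsoft Data Access Internet Publishing Provider",)


@dataclass
class Request:
    method: str
    user_agent: str
    get: Dict[str, str] = field(default_factory=dict)
    post: Dict[str, str] = field(default_factory=dict)


def scan(req: Request) -> Optional[Tuple[str, str, str]]:
    """Return (reason, offending field, action) for the first filter that fires,
    or None. Every _GET and _POST value is inspected, not just the URL, so a
    bad value in a hidden form field still trips SCRIPT."""
    ua = req.user_agent.lower()
    for needle in AGENT_DENY:
        if needle.lower() in ua:
            return ("Abuse - AGENT", "User-Agent", ACTIONS["AGENT"])
    for source, params in (("GET", req.get), ("POST", req.post)):
        for name, value in params.items():
            if SCRIPT_RE.search(value):
                return ("Abuse - SCRIPT", f"{source}[{name}]", ACTIONS["SCRIPT"])
    return None


# Constructed sample requests (not captured traffic).
MSIE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; (R1 1.3))"
FORUM_GET = {"name": "Forums", "file": "posting", "sid": "05ad72b1aa8a89e87ed2b932d8870b8e"}

# 1. The user "sounds" posting a plain thank-you: nothing should fire.
THANK_YOU = Request("POST", MSIE_UA, get=FORUM_GET,
                    post={"username": "sounds", "subject": "Thanks",
                          "message": "Just a simple thank you."})

# 2. The mistaken reproduction: the log's "sounds (738)" is username plus uid,
#    but typed as a username it matches the call shape and trips SCRIPT.
MISTAKEN_REPRO = Request("POST", MSIE_UA, get=FORUM_GET,
                         post={"username": "sounds (738)", "message": "test"})

# 3. A real script payload in a POST field, for comparison.
SCRIPT_POST = Request("POST", MSIE_UA, get=FORUM_GET,
                      post={"username": "sounds",
                            "message": "<script>alert(document.cookie)</script>"})

# 4. The WebDAV discovery probe that hit the AGENT filter.
WEBDAV_PROBE = Request("OPTIONS",
                       "Microsoft Data Access Internet Publishing Provider Protocol Discovery")


def explain(req: Request) -> str:
    """Render the verdict in the same shape as the thread's block log."""
    hit = scan(req)
    if hit is None:
        return f"Allowed: {req.method} (agent {req.user_agent!r})"
    reason, where, action = hit
    return f"Reason: {reason}\nMatched: {where}\nAction: {action}\nRequest Method: {req.method}"


if __name__ == "__main__":
    for r in (THANK_YOU, MISTAKEN_REPRO, SCRIPT_POST, WEBDAV_PROBE):
        print(explain(r))
        print("-" * 20)
```

Two things worth checking against your own install follow from the model. The SCRIPT heuristic above is deliberately coarse and will also fire on ordinary text such as "a < b" or "thanks (again)", which is exactly why the thread recommends Block and Email for it rather than Ban: a block is a nuisance, a ban on a shared or dynamic IP locks out everyone behind it. The AGENT hit on the OPTIONS probe is a legitimate client asking a capability question, so banning that IP punishes a user who never sent a hostile request; answering OPTIONS with 405 or letting the AGENT filter block without banning keeps the probe out without losing the user.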