| Author |
Message |
john_mar
New Member
Joined: Nov 14, 2005
Posts: 15
|
 Posted:
Sat Jan 14, 2006 3:57 pm |
|
Hi just started running a Nuke7.8 + 3.1 patch and last week installed Sentinel 2.4.2. (must do that pl3 patch) as was using the old Protector system before.
2 AOL users have now complained they are being blocked.
Assuming its the "Proxy block" thats stopping them.
Only thing is, I have the "Block Proxies" setting in Sentinel Admin set to off !
So a bit confused! Searched various forums but not found similiar issue posted 9though could have missed soemthing)
Any ideas??
john_mar |
| |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Wed Jan 18, 2006 6:14 am |
|
|
|
|
|
john_mar
|
| Posted:
Wed Jan 18, 2006 5:28 pm |
|
Errr, thanks Raven... think you are telling me I haven't used an upto date patch...
...and looking at the files....I now have this really horrible sinking feeling I have somehow applied the 3.1 patch for Nuke7.5 over the top of Nuke7.8... 
need to investigate properly 2moro evening as must get to bed ... an early start in the morning
Oh goodness... wot a nightmare. |
| |
|
|
|
|
john_mar
|
| Posted:
Sat Jan 21, 2006 6:38 pm |
|
Well. I've just spent last two long nights on this 
Have downloaded and reinstalled patch3.1
...then reinstalled Sentinel 2.4.2 over the top
...and put the 2.4.2pl3 patch on that.
And removed all traces of Protector (which I'd been using before Sentinel) by stepping backwards through the install.
Commented out the rouge mainfile.php code as per link in Ravens posting above. (code is still in the 7.8 - 3.1 patch)
And after all that.................... I still have users with problems.
*Some* users when, it appears, when they download files. This could be to do with that code that needs commenting out in mainfile.php. Haven't had this prob since I commented out the code... but might just be coincidence.
But AOL users particular problem. It seems all AOL users are getting blocked. (somthing to do with Proxies??)
They get a Sentinel Black screen "Blocked" message saying that
"You have attempted an unknown attack on this site." and they are blocked. Interestingly, these blocks are not registered in the "Blocked IP" logs within Sentinel.
Am really at a loss, any more pointers....
JohnMar |
| |
|
|
|
|
Raven
|
| Posted:
Sun Jan 22, 2006 1:31 am |
|
Go through each of the Blockers in NukeSentinel(tm) admin. Are there any blockers that are activated where the Default Page is set to Default and/or the Activate is set to Default? |
| |
|
|
|
|
john_mar
|
| Posted:
Sun Jan 22, 2006 12:44 pm |
|
Hi Raven - thanks for reply.
Just checked them all. All the Blockers are set to:
Activate = Email, Block and Default.
Default Page = (the matching blocker mode eg Admin for Admin blocker etc) |
| |
|
|
|
|
Raven
|
| Posted:
Sun Jan 22, 2006 2:51 pm |
|
Can you post one of the emails but mask out your real path info? |
| |
|
|
|
|
john_mar
|
| Posted:
Sun Jan 22, 2006 3:21 pm |
|
Thanks for looking at this Raven
Just in case I haven't been clear, I think I have two distinct problems (thou may be linked)
Problem 1. Some users are getting blocked when they click on specific links - I haven't kept every single notification email - but which I think are all related. See the email below for an example.
(Note some bots are also triggering blocks too - a google bot hit the site 230 times yetserday then triggered a similiar error report to below)
Problem 2. Several (three) AOL users are reporting they are getting blocked all the time! They get the black screen but this generates NO emial report - or are they IP tracked. I wouldn't know about it only they are emailing me. After all the updates I performed (see last posts), I have one AOL retesting for me and they are still get blocked. Even have a screen shot!
Here is the email generated by problem 1. above
Code:
-----Original Message-----
From: webmaster@*****.org [mailto:webmaster@***.org]
Sent: 19 January 2006 16:07
To: webmaster@***.org
Subject: Blocked abuse from 82.7.97.33
Date & Time: 2006-01-19 17:06:45 CET GMT +0100
Blocked IP: 82.7.97.33
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ntlworld v2.0; .NET CLR 1.0.3705)
Query String: www.***.org/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=49&ttitle=Antenatal_Class_Booking_Form_(Word)
Get String: www.***.org/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=49&ttitle=Antenatal_Class_Booking_Form_(Word)
Post String: www.***.org/modules.php
Forwarded For: 82.7.97.33
Client IP: none
Remote Address: 62.252.64.33
Remote Port: 15503
Request Method: GET
|
|
| |
|
|
|
|
Raven
|
| Posted:
Sun Jan 22, 2006 4:15 pm |
|
That's what I suspected 
It's the () in the titles. This is well documente in the forums here. Use phpMyAdmin and change all () to [] or whatever, but 86 the (). Also, on your script blocker, just set it to email the admin. That's all you really need. |
| |
|
|
|
|
john_mar
|
| Posted:
Sun Jan 22, 2006 4:33 pm |
|
Thanks for that. Wasn't aware of the () issue  sorry. must surf the forums more generally rather than searching for key words which I think might throw up an answer. But when you don't know what your looking for 
Will do all your suggestions - many thanks 
So will setting the email admin rather than email, block and default solve the AOL visitors problems? Can I ask why - so I can try to understand a little bit more.
johnmar |
| |
|
|
|
|
Raven
|
| Posted:
Sun Jan 22, 2006 4:39 pm |
|
I'm not sure that the 2 are related. Let's peel the onion one skin at a time By email only whoever was receiving a script blocker screen will no longer see that. But, you as admin will get notifications and can determine if it was a script hack attempt or something that you need to fix or just disregard. |
| |
|
|
|
|
john_mar
|
| Posted:
Sun Jan 22, 2006 4:45 pm |
|
Raven - thats cool.
On the AOL users. Just got my (very non-technical but v/friendly) AOL user to try again with two links
Code:
Sue
Time for me to ask for another (yet another) test please...
www.***.org
and try this is above doesn't work
http://www.***.org/modules.php?name=News&file=article&sid=78
|
And she's just replied to say the first gets blocked but the second link
worked! Yes - worked!!!!!
Have just asked her to reload/refresh her screen on the main URL in case there is a cache problem or something. |
| |
|
|
|
|
john_mar
|
| Posted:
Sun Jan 22, 2006 5:27 pm |
|
Well.
When my AOL users clicks on www.***.org It shows a Sentinel "Blocked" screen.
Refresh gets same problem.
But when she clicks on http://www.***.org/index.php - it works fine!
and these links I emailed her worked too!
http://www.***.org/index.php
http://www.***.org/modules.php?name=Downloads
http://www.***.org/modules.php?name=Stories_Archive&sa=show_all
http://www.***.org/modules.php?name=News
So, there you go. I'd like to know why this is. But I don't think I'm going to fret too much more over this.
And have taken the brackets out of all my download titles (which was nearly 20 of them - I had (PDF) or (Word) in every document title.
Raven - thank-you on behalf of the specific UK Childrens Charity this website is for. Solving this was a big deal. They (I as volunteer for the charity ) am rolling out a new pre-registration system (forms and stuff) via the website in 2 days time for their upcoming charity event which gets them most of their donated money. So solving these blocking problem before 100's of people start hitting the site on Weds was really quite important. i might sleep tonight.
many thanks my friend 
johnmar |
| |
|
|
|
|
Raven
|
| Posted:
Sun Jan 22, 2006 11:31 pm |
|
| Quote: | | And she's just replied to say the first gets blocked but the second link |
I need to see the email. Thanks! |
| |
|
|
|
|
john_mar
|
| Posted:
Sun Jan 29, 2006 4:49 pm |
|
Hi Raven
Sorry, been away from town with work stuff
Anyways. Still have problem with AOL users accessing my site as posted above.
If they type www.****.org into their browser - it gets a default blocked message.
But if they type in the full URL http://www.***.org/index.php .... it works ok. And all other pages on the site then works for the AOL visitor.
Here is cut from my raw access logs which shows an AOL user
(1) trying www.***.org, which gives the
(2) second line abuse message.
(3) Then they try the full URL wityh index.php and they get the site ok
[the IP address changes are to do with AOL proxy IP addressing I guess]
Code:
195.93.21.66 - - [29/Jan/2006:21:40:44 +0100] "GET / HTTP/1.0" 200 761 "-" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1)"
195.93.21.38 - - [29/Jan/2006:21:40:45 +0100] "GET /abuse/logo.png HTTP/1.0" 200 3707 "http://www.******.org/" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1)"
195.93.21.72 - - [29/Jan/2006:21:41:01 +0100] "GET /index.php HTTP/1.0" 200 8918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1)"
|
Looking at the first line above that generates the abuse message, there is nothing after the "GET". I don't undertand what 200 761 means - stretching my IT knowledge here!
As a workaround...I've hacked the /abuse/default.tpl file and added a message to the blocked warning message telling AOL users to try the full link, and that seems to be working. |
| |
|
|
|
|
Raven
|
| Posted:
Sun Jan 29, 2006 6:10 pm |
|
200 means the document was found and 761 is the number of bytes.
I need to see the EMAIL, no the log. |
| |
|
|
|
|
john_mar
|
| Posted:
Mon Jan 30, 2006 3:32 pm |
|
Raven
have sent you a PM with the email.
Johnmar |
| |
|
|
|
|
Raven
|
| Posted:
Mon Jan 30, 2006 6:50 pm |
|
Something isn't jiving. In that email you sent me, it mentions this line:
If you are an AOL user - please try this link to access the site
That line of code is not in the current NukeSentinel(tm) release. Did you upgrade from an older release? I'm wondering if you have some leftover code somewhere or if your FTP is working correctly to overwrite files?
Please delete the Abuse folder completely.
Delete includes/nuksentinel.php and includes/sentinel.php (if it exists).
Delete language/nukesentinel folder and sentinel folder if it exists.
Delete admin/nukesentinel folder and sentinel folder if it exists.
Delete admin/modules/nukesentinel.php and admin/modules/sentinel.php if it exists.
Then reftp the NukeSentinel(tm) v2.4.2. |
| |
|
|
|
|
lilc420
New Member
Joined: Feb 02, 2007
Posts: 24
|
| Posted:
Thu Mar 01, 2007 5:19 pm |
|
I am having the same issue with AOL users.
PS...
| john_mar wrote: | | As a workaround...I've hacked the /abuse/default.tpl file and added a message to the blocked warning message telling AOL users to try the full link, and that seems to be working. |
|
| |
|
|
|
|
lilc420
|
| Posted:
Thu Mar 01, 2007 7:34 pm |
|
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
