An Old Problem; An Appeal for Help

New Member Joined: Jun 09, 2005 Posts: 12

Firstly, hello to all — and thanks to everyone that takes the time to read this post.

To begin with, I should state that I am using what will seem fairly strange and antiquated collection of scripts, and my website is somewhat of a mechanical behemoth of parts.

I am using Nuke Sentinel 2.1.3 with IPB-Nuke, which is a modified version of PHP-Nuke designed to work with Invisionboard forums. Most of the scripts in use are fairly old now, but with a fix here and there I manage to keep things running.

Some time ago I came to these parts requesting help on one lingering problem that I could not figure out how to fix. That tale is chronicled Only registered users can see links on this board! Get registered or login!.

Basically my forum features a small arcade modification, that Sentinel generally doesn't interfere with, unless one clicks a certain type of link designed to show a member's "arcade profile".

Quote:

forums/index.php?act=Arcade&module=report&user=475

When this happens, an error page appears that reads thus:

Quote:

Warning: blocked(includes/counter.php): failed to open stream: No such file or directory in /<<details removed by admin>>/includes/sentinel.php on line 867

Warning: blocked(includes/counter.php): failed to open stream: No such file or directory in /<<details removed by admin>>/includes/sentinel.php on line 867

Warning: blocked(): Failed opening 'includes/counter.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /<<details removed by admin>>/includes/sentinel.php on line 867

Warning: fopen(abuse/abuse_default.tpl): failed to open stream: No such file or directory in /<<details removed by admin>>/includes/sentinel.php on line 848

Warning: filesize(): Stat failed for abuse/abuse_default.tpl (errno=2 - No such file or directory) in /<<details removed by admin>>/includes/sentinel.php on line 849

Warning: fread(): supplied argument is not a valid stream resource in /<<details removed by admin>>/includes/sentinel.php on line 849

Warning: fclose(): supplied argument is not a valid stream resource in /<<details removed by admin>>/includes/sentinel.php on line 850

This problem really is quite minor. I worked on fixing it after receiving the reply in that thread over a year ago, but couldn't figure it out and eventually gave up. Now, over a year later, I have dedicated myself to trawling through the multitude of random bugs that have cropped up throughout my site and sysematically working to fix them all.

Today, I happened across this bug and set to work to try and fix it, but my attempts lead to only failure after failure. Edits were made and discarded as I struggled to wrap my mind around the problem to no avail. A search eventually turned up my thread here, and the suggestion made to discuss the issue with the IPB-Nuke creators, but unfortunately the IPB-Nuke project has since faded away from existence, and no support is to be found.

Furthermore when I sought out the arcade modification website, all support for versions of the script as old as mine was ended long ago.

It seems, from all the conglomerate pieces of my website, the only part that I might actually be able to get support for is found here.

And so here I am.

I know that it's a longshot, not helped by the fact that I am using a completely unsupported CMS platform, as well as a fairly random arcade modification. But if anyone could venture a guess or two as to where and how I might be able to work towards fixing this problem, I would be eternally grateful.

Posted: Tue Mar 06, 2007 12:13 am

Have you tried running this without Sentinel? With such an odd collection of software, I'm not sure how much protection Sentinel would provide you anyway. Try removing Sentinel (or I should say running without it) and see if it works. Then if that works add Sentinel back in and focus on line 869 and counter.php. First make sure the file is there, then try to work back to why it's being blocked by adding in echoes.

Posted: Tue Mar 06, 2007 12:31 am

Sentinel has actually been a great help to the operation of my site, thanks in part to some minor modifications documented by the (now vanished) IPB-Nuke team to allow it to work.

In any case, when removing the "includes/sentinel.php" file (which, I assume, essentially stops Sentinel from working), the page loads fine. When simply disabling the various protection methods within the Nuke menu, the error persists.

I have tried commenting out the offending lines from the "includes/sentinel.php" file which removes the errors from the page, but still includes the "NukeSentinel™ 2.1.3 by: NukeScripts.net" footer in the bottom right.

The file "counter.php" definitely exists in the includes folder, and is actually called on pretty much every other page on my site as well, without any Sentinel-related errors. Furthermore, the "abuse/abuse_default.tpl" file referenced in the later error lines is also present.

Really, this is my last ditch effort to fix it, and I understand that it might simply be too much of a random request to be realised — but there's no harm in trying.

Thanks for your reply. Smile

registered · Posted: Tue Mar 06, 2007 1:38 am

Let me see if I get the directory structure right

Code:




public_html/forums/index.php


public_html/includes/sentinel.php


public_html/includes/counter.php

Is that correct? There may be a path error when forums/index.php includes includes/sentinel.php -> and that tries to include includes/counter.php

The up-to-date Patched files try to eliminate this error by creating an INCLUDE_PATH that references the proper path structure. However, it only defines

Code:




Three levels deep:


define('INCLUDE_PATH', '../../../');





Two levels deep:


define('INCLUDE_PATH', '../../');





Current depth:


define('INCLUDE_PATH', './');

You'd have to write some code to add a one-level deep functionality and figure out when it is called.

Posted: Tue Mar 06, 2007 2:00 am

Evaders, you seem to be correct in that the paths may be contributing somewhat to this problem. I'm about to eat my dinner so as a quick test I created "includes" and "abuse" folders within the "forums" directory, and included in them the files that my original errors were referencing.

With those files in place, I no longer receive the white page and my originally posted errors, but the default Sentinel "block" page which tells me:

Quote:

You have been blocked from entering this site.

You have attempted to bypass the Filter System on this site.

All of the following information has been gathered to assist the webmaster should this need to be report to local or federal officers.

Obviously this doesn't fix the problem, but it does indicate that the URL calling the function is somehow responsible for tripping one of Sentinel's filters, though I have no idea why, how, or what to do to circumvent these measures.

Also, how would I go about creating a similar INCLUDE_PATH work-around for my version, as I imagine simply having duplicates of those folders probably isn't ideal.

Thanks again for the replies, I've spent all day trying to stare down this code and succeeded only in giving myself a headache.

Smile

registered · Posted: Tue Mar 06, 2007 5:45 am

Interloper, I have removed your full path from your post above. You do NOT want to post that in the future. We only need the relative Nuke path.

Posted: Tue Mar 06, 2007 4:51 pm

montego wrote:

Interloper, I have removed your full path from your post above. You do NOT want to post that in the future. We only need the relative Nuke path.

Ah, thanks for that. Embarassed

After some continuing poking and prodding I've discovered that disabling the Filters blocker allows me to access the link fine, so obviously something in the way the link itself is structured is setting of Sentinel's settings.

I've tracked it down to this area in the code, which I figure I should be able to edit somehow for nuke to ignore the specific string I'm having troubles with, without removing the Filters blocker protection altogether.

Code:

  // Check for Forum attack


  // Copyright 2004(c) GanjaUK & ChatServ


  if (!stristr($querystring,'&file=nickpage') AND stristr($querystring,'&user=') AND ($name==Private_Messages || $name==Forums || $name==Members_List)) {


    block_ip($ip, $banuser, $bantime, $blocker_row);


  }

Any information on how I might be able to edit that code to allow access to the problematic URL without removing the protection completely would be great, since I clearly don't know what I'm doing.

Now, I'm going to prod it some more. Razz

Edit: After searching the forums some more, I came up with this edit to the above posted code:

Code:

  // Check for Forum attack


  // Copyright 2004(c) GanjaUK & ChatServ


  if (!stristr($querystring,'&user') AND stristr($querystring,'&module') AND ($name==Private_Messages || $name==Forums || $name==Members_List)) {


    block_ip($ip, $banuser, $bantime, $blocker_row);


  }

However, since I don't really know what I'm doing, any comments as to whether this can be considered a satisfactory fix or not would still be appreciated.

In any case, thanks again for everyone's help. I've learnt a lot. Very Happy

Posted: Tue Mar 06, 2007 6:43 pm

The problem (or one problem) is that you really have to understand the nature of the attack in order to know if the change is effective without exposing you to risks. If you break the code down what you've done is switch from looking for &nickpage to looking for &module ... as strings within the $querystring. However, what the nature of the attack using &nickpage was is unknown to me.

I can tell you that the &nickpage is in the latest and greatest version of NukeSentinel so it is the "official" string that's looked for (in conjunction with &user).

You might be able to combine searching for &nickpage with a NOT condition for "act=Arcade" since there might not be an attack that uses the Arcade (whatever that is). It might be simplest to just execute the current stristr's if you don't find a stristr that has Arcade in it, for instance. Again, since I don't know the nature of the exploit it's hard to say whether this would expose you to any risks.

Posted: Tue Mar 06, 2007 6:57 pm

Hmm, okay. I've played around with it a bit more and come up with the following:

Code:

  // Check for Forum attack


  // Copyright 2004(c) GanjaUK & ChatServ


  if (!stristr($querystring,'&file=nickpage') AND stristr ($querystring!='&act=Arcade') AND stristr($querystring,'&user=') AND ($name==Private_Messages || $name==Forums || $name==Members_List)) {


    block_ip($ip, $banuser, $bantime, $blocker_row);


  }

Which works in that, it doesn't block access to the page, but does produce the following error, which more than likely has to do with a syntax error on my part in the edits:

Code:

Warning: Wrong parameter count for stristr() in rootremoved/includes/sentinel.php on line 208

Any suggestions? Embarassed

Edit: Just to clarify, the "wrong parameter count" error appears at the top of all pages of my site, not just the problematic ones. Smile

Posted: Tue Mar 06, 2007 8:29 pm

missing a comma before the second stristr.

Posted: Tue Mar 06, 2007 8:48 pm

Where exactly should I put the comma. I first placed one after the second $querystring so that it matched the others, but received this error:

Code:

Parse error: syntax error, unexpected T_IS_NOT_EQUAL in rootremoved/includes/sentinel.php on line 208

And when I tried placing it directly before the second "stristr" I received the similar:

Code:

Parse error: syntax error, unexpected ',' in rootremoved/includes/sentinel.php on line 208

I know the answer is probably staring me in the face, but I can't figure it out. Embarassed

registered · Posted: Tue Mar 06, 2007 9:07 pm

The second stristr() should probably look like this:

stristr($querystring, '&act=Arcade')

I'm not sure what that != was doing in there...?

Posted: Tue Mar 06, 2007 9:11 pm

I don't know why that wouldn't work with the other comma in there. I don't like that space either but it shouldn't affect the code (the space after stristr). The way I'd probably do it, because I like to break things down, is

Code:

// Check for Forum attack


  // Copyright 2004(c) GanjaUK & ChatServ


  if (!stristr($querystring!='&act=Arcade')) {


       if (!stristr($querystring,'&file=nickpage') AND stristr($querystring,'&user=') 


AND ($name==Private_Messages || $name==Forums || $name==Members_List)) {


    block_ip($ip, $banuser, $bantime, $blocker_row); 


}

I can't get the indenting right in here but my intent would be to nest the entire second if inside the not "&act=arcade" test. You might need to count parentheses too, I use an editor to do it for me and any mistakes can result in either syntax or (probably worse) logical errors.

Posted: Tue Mar 06, 2007 9:29 pm

Gremmie wrote:

The second stristr() should probably look like this:

stristr($querystring, '&act=Arcade')

I'm not sure what that != was doing in there...?

I was going for "not equal to", because it made sense in my head to do it that way for whatever reason. In any case your code appears to have worked, Sentinel no longer blocks that arcade page with a minimum of code required to be edited.

fkelly:

I tried inserting your code (with minor fixes to the parenthesis as you mentioned) and it also worked to remove the block, but still returned the "Wrong parameter count for stristr()" error.

In any case, and seemingly against all odds, my problem seems largely to have been resolved, in that the page is no longer blocked without the filters blocker having to be disabled.

I am extremely appreciative for all the help I have been given here and the replies without complaint to my questions.

You all have my sincerest thanks.