User blocked

Posted: Fri Jun 11, 2004 7:41 pm

I had a user who was blocked just posting in the forum.

sentinel version 1.2

User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; (R1 1.3))
Query String: phpnuke-uk.net/modules.php?name=Forums&file=posting&sid=05ad72b1aa8a89e87ed2b932d8870b8e
Forwarded For: none
Client IP: none
Remote Address: 213.202.141.75
Remote Port: 10687
Request Method: POST

Presumably this is to do with post in posting??

Very strange, can this be avioded?

Posted: Fri Jun 11, 2004 8:48 pm

Couldnt tell you why but heres some more info..
http://whois.sc/213.202.141.75

Posted: Fri Jun 11, 2004 9:40 pm

I had something similar happen to *ME* yesterday although I didn't end up banned, I was hit with unlimited pop-ups!!!! I had posted on my forums, and when I hit backspace, in the address bar, I saw a link which was formatted similar to the one above..... but was something like: "http://www.mydomain.com/modules.php?name=Forums&file=posting" (it didn't have a SID in it tho)

And I thought "awww crap, I am banned, but for what?!?!?!"

Once I stopped all the pop-ups, I went directly to my .htaccess file to delete my IP, but it wasn't there. I opened my browser and funnily enough, I wasn't banned. I tried to get it to do it again, but I couldn't......was definitely wierd..... Confused

Posted: Sat Jun 12, 2004 9:36 am

dar63
What reason was given?
Reason: Abuse -
That will help because then we'll know what filter was reacting.

Posted: Sat Jun 12, 2004 11:51 am

Date & Time: 2004-06-11 20:21:46
Blocked IP: 213.202.141.75
User ID: sounds (738)
Reason: Abuse - SCRIPT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; (R1 1.3))
Query String: phpnuke-uk.net/modules.php?name=Forums&file=posting&sid=05ad72b1aa8a89e87ed2b932d8870b8e
Forwarded For: none
Client IP: none
Remote Address: 213.202.141.75
Remote Port: 10687
Request Method: POST

Posted: Sat Jun 12, 2004 12:31 pm

I don't see anything wrong with the url at all so I'd have to say there was something in the actual post that triggered the response.

It was most likely a script or style tag in the post if you get a lot of raw html postings like that it would probably be best to set the script detections to Block and Email only not ban.

There is room for improvements in the script filter and I'm sure it will evolve as time and testing goes on.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

If you copy and paste that string into your browser, does it trip an alarm? Or is it that user? If it's that user, does your user name have parentheses in it like his does?

Posted: Sat Jun 12, 2004 12:45 pm

Good catch I just created that user and I can't even log on with that name without triggering an alert! I completely missed the username!

Posted: Sat Jun 12, 2004 12:52 pm

I got looking at the code and was quickly reminded that all _GET and _POST vars are looked at Smile

Posted: Sat Jun 12, 2004 3:07 pm

Right, firstly the post he was trying to post was just a simple thank you, no code.

Secondly can I take the username which is just sounds, nothing else, is to blame?

The (738) is his userid

Posted: Sat Jun 12, 2004 3:14 pm

Try what I recommended and see if a name without the () gets blocked.

Posted: Sat Jun 12, 2004 3:16 pm

Raven wrote:

Try what I recommended and see if a name without the () gets blocked.

As posted above, his username is just sounds, nothing else.

Posted: Sat Jun 12, 2004 3:18 pm

Fine. Do YOU get blocked when YOU try it?

Posted: Sat Jun 12, 2004 3:21 pm

Raven wrote:

Fine. Do YOU get blocked when YOU try it?

Nope, no probs when I copy/paste the string.

Posted: Sat Jun 12, 2004 3:22 pm

Then that kind of leads me to suspect something else, like maybe the agent

Posted: Sat Jun 12, 2004 3:25 pm

It's definately a little strange Shocked

Bar this little prob, top work by bob, yourself and the rest. Very Happy

Keep it up. Smile

Posted: Sat Jun 12, 2004 3:31 pm

Sorry dar63 for some reason I took the username with uid and tried it as username. Honestly even with all the information you have so patiently provided I can't duplicate the error with a user named
sounds posting here at all. I in my rush to think we resolved the issue took the username as sounds (738) which of course gave an alert right away.

I still have to think there was something in the actual post or title that set off the alert. If you come up with any more clues let us know please this ones driving nutso! Oh yeah its too late for that I already was.

Posted: Sat Jun 12, 2004 3:37 pm

No worries sixonetonoffun

I rarely post questions on support sites just thought it may've turned out to be a known issue.

Thanks once again anyway. Smile

Posted: Tue Jun 15, 2004 11:24 pm

SmackDaddy wrote:

I had something similar happen to *ME* yesterday although I didn't end up banned, I was hit with unlimited pop-ups!!!! I had posted on my forums, and when I hit backspace, in the address bar, I saw a link which was formatted similar to the one above..... but was something like: "http://www.mydomain.com/modules.php?name=Forums&file=posting" (it didn't have a SID in it tho)

And I thought "awww crap, I am banned, but for what?!?!?!"

Once I stopped all the pop-ups, I went directly to my .htaccess file to delete my IP, but it wasn't there. I opened my browser and funnily enough, I wasn't banned. I tried to get it to do it again, but I couldn't......was definitely wierd..... Confused

And update on this........since it happened again tonight, but I was reading a different thread on my forums.....

I was reading this thread:

http://www.pctoolbin.com/modules.php?name=Forums&file=viewtopic&t=1678&highlight= (it's in my moderator's forum so you won't be able to read it)

But anyway, when I closed out the window (BTW, I surf with multiple windows open -- I use a browser tool called Netcaptor which allows for tabbed browsing).....so anyway, I closed out that window/tab, and when I did, I got pop-ups GALORE out of the blue and seemingly for no reason at all! I was able to get the URL that was in the pop-up windows seeing as my PC at work is a slow P.O.S.....

The URL in the pop-ups were all the same:

http://www.pctoolbin.com/modules.php?name=Forums&file=posting#11278

It doesn't make sense, however, this never happened before the installation of Sentinel.....and the unlimited pop-ups are indicative of the PC Killer.....and now, I do not have any spyware, malware or trojans on my system as it's scanned daily in my corporate environment, nor is my PC infected with a virus.

I'm at a loss as I cannot consistently reproduce this issue.

Posted: Wed Jun 16, 2004 5:05 am

Can you reproduce this 100% of the time with that url?

Posted: Wed Jun 16, 2004 5:21 am

Raven wrote:

Can you reproduce this 100% of the time with that url?

SmackDaddy wrote:

I'm at a loss as I cannot consistently reproduce this issue.

Posted: Thu Jun 24, 2004 4:08 pm

Another innocent user blocked, on 2 occasions.

Quote:

Date & Time: 2004-06-24 15:58:01
Blocked IP: 213.116.42.136
User ID: secureoffice
Reason: Abuse - AGENT
--------------------
User Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Query String: phpnukies.org/index.php
Forwarded For: none
Client IP: none
Remote Address: 213.116.42.136
Remote Port: 2214
Request Method: OPTIONS

Any ideas fellas?

Posted: Thu Jun 24, 2004 4:24 pm

http://www.ravenphpscripts.com/posts2043-highlight.html

Posted: Thu Jun 24, 2004 4:30 pm

Thank you kind sir. Smile

Posted: Thu Jul 15, 2004 1:37 pm

ok, I'm a bit lost here on this one. I'm researching why a user of mine keeps getting blocked for having the string:

Microsoft Data Access Internet Publishing Provider Protocol Discovery

the link you sent dar63 to is for the word customer. Um, I'm missing something here. Care to clue me in?

-drmike