Too many blocked IPs

New Member Joined: Jan 09, 2010 Posts: 6

In the last 7 days Sentinel seems to have gone crazy. I am running Platinum Nuke 7.6.b4 with Sentinel 2.6.0.1 and suddenly in the last few days it has tsrated blocking a LOT of my regular members simply as they switch pages from one downlod to another. What could be causing this?

Posted: Fri May 28, 2010 6:46 am

Seriously you can't ask for help and expect to get any without supplying the info sentinel gives you and/or your members. The filter blocking ect... it will usually say what request triggered the block and we can work the issue back from there.

Posted: Fri May 28, 2010 6:55 am

Side note its more important then ever to keep it active as my sites only been up since the 11th and its stopped 8 verified exploits.

Posted: Fri May 28, 2010 9:23 am

It keeps claiming script attacks when a user completes a download and then tries to go to a new download. Here's a sample:

User Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en)
AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7 Query String: name=Downloads GET String: name=Downloads POST String:
Remote Address: 122.106.149.23
Client IP: none
Forwarded For: none
Date Blocked: 2010-05-26 @ 13:17:18 MST GMT -0700 Block expires: Permanent

Another:

You have been blocked from entering this site.
You have attempted a Scripting attack on this site.
All of the following information has been gathered to assist the webmaster should this need to be reported to local or federal law enforcement.
If you think this is a mistake you can contact the site webmaster at bc(at)bcracingdesigns(dot)com.
Be SURE to include the following information in any email!
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.21022; .NET CLR 3.0.30729; OfficeLiveConnector.1.4; OfficeLivePatch.1.3; .NET CLR 3.5.30729; Creative AutoUpdate v1.40.01)
Query String: name=Downloads&d_op=viewdownloaddetails&cid=87&lid=402&ttitle=24_Jeff_Gordon_-_National_Guard_FaceBook
GET String: name=Downloads&d_op=viewdownloaddetails&cid=87&lid=402&ttitle=24_Jeff_Gordon_-_National_Guard_FaceBook
POST String:
Remote Address: 72.218.207.116
Client IP: none
Forwarded For: none
Date Blocked: 2010-05-25 @ 09:02:07 MST GMT -0700
Block expires: Permanent
________________________________________
PLEASE: bear in mind that even if you have done nothing wrong, you may be getting this page due to someone's misuse of the site in your ip range

I re-uploaded all my Sentinel files last night, and haven't gotten any new complaints yet today.

Posted: Fri May 28, 2010 9:44 am

Just a quick guess but is this only on files with dashes in the name? -name
Also in Sentinel if you look at the blocked IP menu there is a pop up with the name of the blocker thats been triggered.

Posted: Fri May 28, 2010 10:01 am

I'll check the files for dashes, that may very well be it. I have also noticed little things mesing up over time after a few hundred blocks where I may have to reupload the code for certain modules and this may be one of those cases - it seems to have cleared up at least partially since I reuploaded.

I'll talk to my other admins about removing the dashes...should we remove the underscores as well, or are those safe?

Posted: Fri May 28, 2010 7:29 pm

If I remember underscores should be ok.

Posted: Sat May 29, 2010 12:16 pm

It all seems to be that one download involving the number 33. We're going to completely remove it and do it over from scatch.