Utility to help explain AGENT traps by Sentinel™

Posted: Wed Jul 07, 2004 2:35 pm

Go to Sentinel™ Configuration, scroll down to harvest list. Find ''custo'' and remove it for the time being.

Posted: Wed Jul 07, 2004 2:38 pm

How do I delete this post?

New Member Joined: Oct 18, 2002 Posts: 21

Thanks, sharlein!

Regular Joined: Jun 08, 2004 Posts: 64

I got these three today.

Quote:

Blocked IP: 209.237.238.180
User ID: Anonymous (1)
Reason: Abuse - AGENT
--------------------
User Agent: ia_archiver

Quote:

Blocked IP: 200.64.54.223
User ID: Anonymous (1)
Reason: Abuse - AGENT
--------------------
User Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery

Quote:

Blocked IP: 212.200.53.61
User ID: Anonymous (1)
Reason: Abuse - AGENT
--------------------
User Agent: WebReaper [info@webreaper.net]

I ran them thru the Agent Inspector but all that says is what Harvester block in the list is blocking it. It does not necessarily tell us if it is OK to let these harvesters thru or not, so what do we do?

Posted: Fri Jul 16, 2004 12:23 pm

The 'disco' part has been well discussed on this forum. The recommendation is to delete the 'disco' from the Harvester list. It is totally up to you to allow or disallow the others. The programmers of Sentinal™ are the most trusted and respected that I know. I will go with their judgement and allow those to be banned. Steve

New Member Joined: Dec 03, 2004 Posts: 3

This is obviously a call of the abuse-other template, but I have no clue why this visitor was blocked:

----
You have been blocked from entering this site.

You have attempted an unknown attack on this site.

All of the following information has been gathered to assist the
webmaster should this need to be report to local or federal officers.

User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2)
Gecko/20040804 Netscape/7.2 (ax)
Remote Address: 69.43.20.28
Client IP: none
Forwarded For: none
Date Blocked: 2004-11-30 12:36:33
Block expires: Permanent
NukeSentinel™ 2.1.0 by: NukeScripts.net
-----

When the links are clicked directly, the visitor can see the pages. When called by a link from another site, some users get this message.

registered · Posted: Fri Dec 03, 2004 4:30 pm

9 times out of 10 it is hows the link is written on those other sites. One of the main things that get trapped is when another site links to your site with ( and ) in the link url which is considered a scripting hack attempt. Look at your blocked ip list and see what the query string was and email it to me at webmaster(at)nukescripts(dot)net . Then I can tell more about why the person was blocked. DO NOT try to post the query string here as you will most likely get blocked due to it.

Posted: Fri Dec 03, 2004 4:33 pm

Nothing was logged in the blocked IP table!
And also, the link didn't have anything special.

Thanks for answering this fast!

Posted: Sat Dec 04, 2004 4:04 pm

I checked the webserver log and found this cuty as a referer:

"XXXX:+++++++++++++++++++++++++++++"

when she enters the portal using the link on her other website.. Seems that some kind of program she uses tries to hide the referer and Sentinel does not like this?

Involved Joined: Dec 28, 2003 Posts: 276 Location: Israel

In the last 3 days I'm getting dozens of LWP attacks.
The exact agent name is: LWP::Simple/5.43 (with different versions number each time).

The attacks are coming from variuos IPs.
Your utility does not explain what this attack is all about.

Could any one shed some light on this please??

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

It's the Santy Worm http://www.ravenphpscripts.com/postt4113.html