azism
Worker
Joined: Feb 02, 2005
Posts: 145
Location: Tucson, AZ
Posted: Wed Oct 27, 2010 7:44 pm
I have a user that I can trust who received the following today (NOTE: I replaced the last octet with "xxx"):
Quote:
> You have been blocked from entering this site.
> You are using a possible Harvester on this site.
> All of the following information has been gathered to assist the webmaster should this need to be reported to local or federal law enforcement.
> If you think this is a mistake you can contact the site webmaster at admin(at)ti99ers(dot)org.
> Be SURE to include the following information in any email!
> User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB0.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)
> Remote Address: 173.171.235.xxx
> Client IP: none
> Forwarded For: none
> Date Blocked: 2009-04-17 @ 17:43:44 PDT GMT -0700
> Block expires: Permanent
The log shows the following:
Quote:
```
cpe-173-171-235-xxx.tampabay.res.rr.com - - [27/Oct/2010:17:24:08 -0700] "GET / HTTP/1.0" 200 1449 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)"
173.171.235.xxx - - [27/Oct/2010:17:24:08 -0700] "GET /abuse/logo.png HTTP/1.0" 200 3707 "http://www.ti99ers.org/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)"
cpe-173-171-235-xxx.tampabay.res.rr.com - - [27/Oct/2010:17:24:48 -0700] "GET /logon/ HTTP/1.0" 404 833 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)"
cpe-173-171-235-xxx.tampabay.res.rr.com - - [27/Oct/2010:17:24:48 -0700] "GET /logon/logo.gif HTTP/1.0" 404 833 "http://www.ti99ers.org/logon/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)"
cpe-173-171-235-xxx.tampabay.res.rr.com - - [27/Oct/2010:17:24:48 -0700] "GET /logon/404.gif HTTP/1.0" 404 833 "http://www.ti99ers.org/logon/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)"
cpe-173-171-235-xxx.tampabay.res.rr.com - - [27/Oct/2010:17:26:24 -0700] "GET /logon/logo.gif HTTP/1.0" 404 833 "http://www.ti99ers.org/logon/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)"
cpe-173-171-235-xxx.tampabay.res.rr.com - - [27/Oct/2010:17:26:35 -0700] "GET /logon/404.gif HTTP/1.0" 404 833 "http://www.ti99ers.org/logon/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)"
```
I have gone through the .htaccess files, the blocked IP lists, etc. and can't find his IP in any of them. Any idea what has happened here?
_________________
Webmaster
TI99ers On-Line User Group
http://www.ti99ers.org/
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Thu Oct 28, 2010 9:16 am
azism, this is really a Harvester block which is looking for the strings found under those settings within NukeSentinel. I am not able to find any of the core Harvester strings that would cause this to trip, so I wonder if you have added any? I would check those strings against the User Agent string shown.
azism
Posted: Fri Oct 29, 2010 11:03 am
Montego,
I guess it has been too long since I looked at the fields/files that control this information. For the life of me, I just don't remember where to look.
Could you please (pretty please) jog my memory? Things have been running so well, I haven't had to think of anything on my system in many months. For that I am grateful.
azism
Posted: Fri Oct 29, 2010 11:47 am
Montego,
Okay, I did find it, right after posting the previous message of course. I find nothing that I see listed in the "User Agent" part of the blocking message. The items listed in the Harvester section are as follows:
Quote:
```
@yahoo.com
alexibot
alligator
anonymiz
asterias
backdoorbot
black hole
blackwidow
blowfish
botalot
builtbottough
bullseye
bunnyslippers
catch
cegbfeieh
charon
cheesebot
cherrypicker
chinaclaw
combine
copyrightcheck
cosmos
crescent
curl
dbrowse
disco
dittospyder
dlman
dnloadmage
download
dreampassport
dts agent
ecatch
eirgrabber
erocrawler
express webpictures
extractorpro
eyenetie
fantombrowser
fantomcrew browser
fileheap
filehound
flashget
foobot
franklin locator
freshdownload
fscrawler
gamespy_arcade
getbot
getright
getweb
go!zilla
go-ahead-got-it
grab
grafula
gsa-crawler
harvest
hloader
hmview
httplib
httpresume
httrack
humanlinks
igetter
image stripper
image sucker
industry program
indy library
infonavirobot
installshield digitalwizard
interget
iria
irvine
iupui research bot
jbh agent
jennybot
jetcar
jobo
joc
kapere
kenjin spider
keyword density
larbin
leechftp
leechget
lexibot
libweb/clshttp
libwww-perl
lightningdownload
lincoln state web browser
linkextractorpro
linkscan/8.1a.unix
linkwalker
lwp-trivial
lwp::simple
mac finder
mata hari
mediasearch
metaproducts
microsoft url control
midown tool
miixpc
missauga locate
missouri college browse
mister pix
moget
mozilla.*newt
mozilla/3.0 (compatible)
mozilla/3.mozilla/2.01
msie 4.0 (win95)
multiblocker browser
mydaemon
mygetright
nabot
navroad
nearsite
net vampire
netants
netmechanic
netpumper
netspider
newsearchengine
nicerspro
ninja
nitro downloader
npbot
octopus
offline explorer
offline navigator
openfind
pagegrabber
papa foto
pavuk
pbrowse
pcbrowser
peval
pompos/
program shareware
propowerbot
prowebwalker
psurf
puf
puxarapido
queryn metasearch
realdownload
reget
repomonkey
rsurf
rumours-agent
sakura
scan4mail
semanticdiscovery
sitesnagger
slysearch
spankbot
spanner
spiderzilla
sq webscanner
stamina
star downloader
steeler
steeler
strip
superbot
superhttp
surfbot
suzuran
swbot
szukacz
takeout
teleport
telesoft
test spider
the intraformant
thenomad
tighttwatbot
titan
tocrawl/urldispatcher
true_robot
tsurf
turing machine
turingos
urlblaze
urlgetfile
urly warning
utilmind
vci
voideye
web image collector
web sucker
webauto
webbandit
webcapture
webcollage
webcopier
webenhancer
webfetch
webgo
webleacher
webmasterworldforumbot
webql
webreaper
website extractor
website quester
webster
webstripper
webwhacker
wep search
wget
whizbang
widow
wildsoft surfer
www-collector-e
www.netwu.com
wwwoffle
xaldon
xenu
zeus
ziggy
zippy
```
I am assuming all the matches of text when looking if the user is harvesting is a complete match, not a partial match. Or am I completely missing something here?
montego
Posted: Sat Oct 30, 2010 10:43 am
It is a partial match. I ran these strings through a test against that user agent string and also could not find a hit. Now I am a bit puzzled as to what is going on. Not sure I'll have the time to look up the NukeSentinel code, but this doesn't appear to be working the way I thought it should.
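The partial-match test montego describes, as an added example that is not part of the thread and not NukeSentinel's own code: it treats each Harvester string as a case-insensitive substring of the User-Agent (my reading of "partial match", not a transcription of the real NukeSentinel source), runs it against the User-Agent from the block notice, and then scans access-log lines in the combined format quoted above. The pattern list is a hand-picked subset of the strings azism posted; the two extra log lines are constructed for the demo.

```python
"""Substring ("partial") matching of Harvester strings against User-Agent headers.

Added example, not NukeSentinel code. Matching rule assumed here: a Harvester string
trips if it appears anywhere in the User-Agent, case-insensitively.
"""
import re

# Subset of the Harvester strings quoted in the thread (selection is ours).
HARVESTER_STRINGS = [
    "curl", "wget", "httrack", "libwww-perl", "lwp-trivial", "download",
    "grab", "catch", "strip", "combine", "harvest", "offline explorer",
    "mozilla/3.0 (compatible)", "msie 4.0 (win95)", "indy library",
]

# The User-Agent shown in the block notice in the thread.
BLOCKED_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; "
              "GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; "
              ".NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; "
              "OfficeLiveConnector.1.5; OfficeLivePatch.1.3)")

# First line is from the thread's log excerpt; the other two are constructed.
SAMPLE_LOG = [
    'cpe-173-171-235-xxx.tampabay.res.rr.com - - [27/Oct/2010:17:24:08 -0700] '
    '"GET / HTTP/1.0" 200 1449 "-" "' + BLOCKED_UA + '"',
    '203.0.113.7 - - [27/Oct/2010:18:02:11 -0700] "GET /index.php HTTP/1.0" 200 1449 '
    '"-" "Wget/1.12 (linux-gnu)"',
    '198.51.100.9 - - [27/Oct/2010:18:05:40 -0700] "GET /files/manual.pdf HTTP/1.1" '
    '200 88120 "http://www.ti99ers.org/" "Mozilla/5.0 (X11; Linux x86_64) DownloadHelper/2.1"',
]

# In the combined log format the User-Agent is the last double-quoted field.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def harvester_hits(user_agent, patterns=HARVESTER_STRINGS):
    """Return every pattern that occurs as a case-insensitive substring of user_agent."""
    ua = user_agent.lower()
    return [p for p in patterns if p.lower() in ua]


def flagged_requests(log_lines, patterns=HARVESTER_STRINGS):
    """Return (client, hits) for each log line whose User-Agent trips at least one pattern."""
    flagged = []
    for line in log_lines:
        m = UA_FIELD.search(line)
        if not m:
            continue                      # not a combined-format line; skip it
        client = line.split(" ", 1)[0]    # remote host is the first field
        hits = harvester_hits(m.group(1), patterns)
        if hits:
            flagged.append((client, hits))
    return flagged


if __name__ == "__main__":
    print("block-notice UA hits:", harvester_hits(BLOCKED_UA))   # expected: []
    for client, hits in flagged_requests(SAMPLE_LOG):
        print(f"{client}: would trip on {hits}")
```

Run as written, the User-Agent from the block notice trips none of these strings, which matches montego's result, while the Wget line and the constructed browser-plus-download-helper line do. The second case is the trade-off with short substrings such as "download", "grab" or "strip": they also hit legitimate clients whose version string happens to contain them. Note too that if the match really is a plain substring, an entry like `mozilla.*newt` can only match a User-Agent that literally contains those characters, so it behaves differently from the regular expression it looks like.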
azism
Posted: Sat Oct 30, 2010 10:55 am
I was wondering if it wasn't a partial match type of situation. So in the meantime I have set the Harvester setting to just "Email Admin" and Write to .htaccess.
At least that way I will know who may be in reality triggering the alert and which may be a false positive.
BTW, what is the difference between "Email Admin" and "Forward"?
montego
Posted: Sat Oct 30, 2010 11:10 am
If you "Write to .htaccess", you will effectively block them from returning. Are you sure you want to do that?
Email Admin will send an email of the triggered event. Forward will actually take them to a different page you have set up from the base block template. Some have been known to forward to a "PC Killer" script for example.
azism
Posted: Sat Oct 30, 2010 11:49 am
I figure if I get notice of an event (via Email Admin) and a person is blocked, I can delete that IP if I think they are okay. However, I see what you are saying. If they come back, they will be blocked again. Hmmm... something to think about.
I guess maybe if I get an alert and I can't resolve the IP, then I can implement a block on them myself instead of having it done automatically. Okay, I have made the change. Thanks for the "food for thought."
azism
Posted: Sun Oct 31, 2010 5:59 pm
Things may have changed, but not for the better. The same user is now getting the following:
Quote:
> You have been blocked from entering this site.
> You have attempted an unknown attack on this site.
> All of the following information has been gathered to assist the webmaster should this need to be reported to local or federal law enforcement.
> If you think this is a mistake you can contact the site webmaster at admin(at)ti99ers(dot)org.
> Be SURE to include the following information in any email!
> User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)
> Remote Address: 173.171.235.206
> Client IP: none
> Forwarded For: none
> Date Blocked: 2010-10-30 @ 16:29:03 PDT GMT -0700
> Block expires: Permanent
He has tried using Firefox 3.6 and IE 8, makes no difference. I have added his IP range to the Protected IP Range and he should not be getting blocked, period, as I understand how it works.
I have spoken with the man and his setup is virtually the same as my setup. Plus I cannot find his IP in any .htaccess file or anyplace else that should be causing him to be blocked.
I am stumped on this one.
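One check worth running when a search of .htaccess for the full IP comes up empty, as in the post above, is to test which Apache access-control entries actually cover the address, since Apache's `Deny from` accepts partial addresses (leading octets matched on octet boundaries), CIDR blocks and dotted netmasks as well as full addresses. The script below is an added example, not from the thread or from NukeSentinel; the .htaccess text is constructed for the demo, the `entry_covers` rules follow the documented Apache 2.2 `Deny from` syntax, and hostname entries are deliberately not evaluated. The IP 173.171.235.206 is the one shown in the block notice.

```python
"""Report which 'Deny from' entries in an .htaccess cover a given IPv4 address.

Added example, not the site's file and not NukeSentinel code. Handles the Apache 2.2
address forms: full address, partial address (leading octets), CIDR, dotted netmask.
Hostname/domain entries and Allow/Deny Order evaluation are out of scope here.
"""
import ipaddress
import re

# Constructed sample .htaccess (not the real one from the thread).
SAMPLE_HTACCESS = """\
# constructed sample
Order allow,deny
Deny from 203.0.113.45
Deny from 173.171
Deny from 198.51.100.0/24 192.0.2.0/255.255.255.0
Deny from badhost.example
Allow from all
"""

# One 'Deny from' directive per line; several hosts may follow on the same line.
DENY_RE = re.compile(r"^\s*Deny\s+from\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def entry_covers(entry, ip):
    """True if a single 'Deny from' host entry matches the IPv4 address ip."""
    addr = ipaddress.IPv4Address(ip)
    if "/" in entry:
        # CIDR ("a.b.c.d/n") or dotted netmask ("a.b.c.d/255.255.255.0")
        return addr in ipaddress.IPv4Network(entry, strict=False)
    octets = entry.split(".")
    if not all(o.isdigit() for o in octets):
        return False                      # hostname or "all": not evaluated here
    if len(octets) == 4:
        return addr == ipaddress.IPv4Address(entry)
    # Partial address: Apache matches the leading octets as a prefix.
    return ip.split(".")[: len(octets)] == octets


def deny_entries_covering(htaccess_text, ip):
    """Return every 'Deny from' host entry in htaccess_text that covers ip."""
    entries = [host for line in DENY_RE.findall(htaccess_text) for host in line.split()]
    return [e for e in entries if entry_covers(e, ip)]


if __name__ == "__main__":
    for ip in ("173.171.235.206", "198.51.100.77", "203.0.113.46"):
        print(ip, "->", deny_entries_covering(SAMPLE_HTACCESS, ip))
```

A plain text search for `173.171.235.206` in that sample finds nothing, yet the address is covered by the partial entry `173.171`, which is exactly the kind of entry a full-string grep misses. If nothing in any .htaccess covers the address, the block is coming from somewhere other than the file, which narrows the search to the blocker's own IP tables and its protected-range handling.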