Forum Firewall

Started by butchs, January 15, 2011, 11:00:37 AM


quiz_modder

I have a few "Invalid ip" entries in the log for the following "ip address" - could you explain what is going on here? Thanks


  • BISB_3.5.1.71
  • Keep-Alive
  • HTTP/1.1

Looking at the corresponding headers some of them look to be mobile devices. Does that mean this cannot handle them?

GET /forum/index.php?topic=536.10;wap2 HTTP/1.0 BlackBerry8520/5.0.0.681 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/142

GET /forum/index.php?action=pm HTTP/1.1 Mozilla/5.0 (SAMSUNG; SAMSUNG-GT-S8500/S8500XXJEE; U; Bada/1.0; en-us) AppleWebKit/533.1 (KHTML, like Gecko) Dolfin/2.0 Mobile WVGA SMM-MMS/1.2.0 OPN-B

GET /forum/index.php HTTP/1.0 Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; .NET CLR 1.0.2914)

GET /forum/index.php?action=forum HTTP/1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9

butchs

January 29, 2011, 02:16:29 PM #141 Last Edit: January 29, 2011, 02:20:11 PM by butchs
Good grief.  You see bad IP addresses in your log and your first thought is that there is something wrong with the Mod?   :-X

Allow me to clarify: those are not real IP addresses.  What you see is the result of badly written bots trying to spoof an IP address.  The bots are so poorly written that they are putting the wrong stuff in the wrong header location.  For example, you will normally see "Keep-Alive" in the connections field of the HTTP header, not the IP address.

If you want to learn more about it I suggest you study HTTP headers.  I am sorry, but I have no intention to explain what the mod is doing in detail because doing so will cause more harm than good.

All I can say is that the answer to your question is NO.  The mod can handle all known ip addresses including ipv6 (non admin).  So your forum is safe.
:o
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.
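An added example, not part of the original posts and not the mod's code: a check that sorts the three "Invalid ip" values from the log by what they actually look like. The list of headers that can carry a claimed client address is an assumption; the thread does not say which headers the mod reads.

```python
import ipaddress
import re

# Headers in which a client or proxy claims an originating address.
# Assumption for this example: the thread does not name the mod's headers.
CLAIMED_IP_HEADERS = ("x-forwarded-for", "client-ip", "x-real-ip")

CONNECTION_TOKENS = {"keep-alive", "close"}
PROTOCOL_RE = re.compile(r"^HTTP/\d\.\d$", re.IGNORECASE)
PRODUCT_RE = re.compile(r"^[A-Za-z][\w.-]*[/_]\d+(\.\d+)+$")


def classify(value):
    """Say what a claimed-address value actually looks like."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if value.lower() in CONNECTION_TOKENS:
        return "connection-token"    # belongs in the Connection header
    if PROTOCOL_RE.match(value):
        return "protocol-version"    # belongs on the request line
    if PRODUCT_RE.match(value):
        return "product-token"       # looks like a User-Agent fragment
    return "other"


def audit(headers):
    """Return (header, value, kind) for every claimed address that is not an IP."""
    findings = []
    for name, raw in headers.items():
        if name.lower() not in CLAIMED_IP_HEADERS:
            continue
        for part in raw.split(","):  # X-Forwarded-For may carry a list
            kind = classify(part)
            if kind != "ip":
                findings.append((name, part.strip(), kind))
    return findings


# Constructed requests; the three odd values are the ones quoted in the thread.
SAMPLE_BAD = {"X-Forwarded-For": "BISB_3.5.1.71", "Client-IP": "Keep-Alive",
              "X-Real-IP": "HTTP/1.1", "Connection": "Keep-Alive"}
SAMPLE_OK = {"X-Forwarded-For": "203.0.113.7, 2001:db8::1",
             "Connection": "Keep-Alive"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_BAD):
        print(finding)
    print(audit(SAMPLE_OK))
```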

quiz_modder

Quote from: butchs on January 29, 2011, 02:16:29 PM
Good grief.  You see bad IP addresses in your log and your first thought is that there is something wrong with the Mod?   :-X

Allow me to clarify: those are not real IP addresses.  What you see is the result of badly written bots trying to spoof an IP address.  The bots are so poorly written that they are putting the wrong stuff in the wrong header location.  For example, you will normally see "Keep-Alive" in the connections field of the HTTP header, not the IP address.

If you want to learn more about it I suggest you study HTTP headers.  I am sorry, but I have no intention to explain what the mod is doing in detail because doing so will cause more harm than good.

All I can say is that the answer to your question is NO.  The mod can handle all known ip addresses including ipv6 (non admin).  So your forum is safe.
:o

I was only asking!  :D

And I have over 30 pages of stuff already  :(

butchs

Not that bad.  I had over 2,000 my first week.  I went nuts testing and retesting...   :o

quiz_modder

Apologies, another question if you don't mind. I have an arcade script on the site which is bringing up the following

Request Entity Attack: Repeated!

GET /forum/index.php?action=arcade;sa=play;game=92 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET CLR 3.0.30729)

GET /forum/index.php?action=arcade;sa=highscore;game=92 HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET CLR 3.0.30729)

Is there a way I can ignore these ones in the settings?

Thanks again.


butchs

If blocking is turned on they were blocked, otherwise they are logged.

A Request Entity Attack is nothing to sneeze at.  It can do bad things.   :'(

Repeated means that they caused an infraction and returned during the cache period.  I can not tell you if that was a problem or not since you need to give me the "result" from the first offense.   ???

It could be the game or the user.  The game could have nasty stuff inside it or the user could be trying to cause harm.  I would keep an eye on that game if I were you.
8)

quiz_modder

Yes, I only have logging on at the moment until I understand the implications a little more. So when you say I didn't give the initial results, do you mean this one?

POSTchooseGameEndProcedure: [type Function] g_fSetGameSize: [type Function] t_fLoadGameEnd: [type Function] displayMsg: [type Function] createHelp: [type Function] showHelp: [type Function] presentHelp: [type Function] createKeyboardCommand: [type Function] smoothKeyMovement: [type Function] pressKey: [type Function] generateChangeKeyControls: [type Function] saveAndLoad: [type Function] createSound: [type Function] g_fSetSoundOn: [type Function] g_fSetSoundOff: [type Function] g_fSetMusicOn: [type Function] g_fSetMusicOff: [type Function] runTimer: [type Function] trc: [type Function] g_fGetRandomValue: [type Function] TEAEncrypt: [type Function] TEADecrypt: [type Function] charsToLongs: [type Function] longsToChars: [type Function] charsToHex: [type Function] hexToChars: [type Function] charsToStr: [type Function] strToChars: [type Function] decryptParams: [type Function] tabEnabled: false tabChildren: false startX: 0 startY: 0 gameWidth: 618 gameHeight: 498 frameRate: 30 timer: 0 timeWarningAt: 5 crypto: 0 blnStartGame: false blnGameOver: false blnGameOn: true userVars: [object Object] myVariables: onLoad=%5Btype%20Function%5D puzzle_XML: xmlGameEnd: playAgain: [type Function] helpMessageNames: msgToPresent: blnWaitForKey: false keyboardCommands: smoothKeyboardCommands: waitingCommandName: numSounds: 16 soundOnBln: true musicOnBln: true g_sndGlobalSound: [object Object] soundsArray: [object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object] globalMusic: [object Object] globalSound: [object Object] clockSound: [object Object] g_A: 3423313 g_C: 2435 g_numRandomSeed: 983 globSnd: [object Object] blnFirstGame: false DBorder: [object Object] afterHit: [object Object] airBorder: [object Object] boardFall: [object Object] border: [object Object] rollSnd: [object Object] 
rollStart: [object Object] digBeepSound: [object Object] hitBallSound: [object Object] alarmSnd: [object Object] clickSound: [object Object] rolloverSound: [object Object] ambientLoop: [object Object] hitSound: [object Object] pulseSound: [object Object] gameoverSound: [object Object] createNewUser: [type Function] saveUserData: [type Function] loadUserData: [type Function] highestPoints: NaN newBall: [type Function] boardInit: [type Function] sqr: [type Function] roundInit: [type Function] tre: [type Function] msgX: 0 msgY: 0 g_numGameWidth: 618 g_numGameHeight: 498 bonusScores: 600 scores: 290 ballsLeft: 0 numBallsTotal: 9 ball******: 9 blnPause: false PI: 3.14159265358979 leftBorder: 109 rightBorder: 509 center: 309 trampY: 272 borderTop: 227 leftBoard: 239 rightBoard: 379 borderAngle: 1.04879579594295 borderProect: 0.501145532644875 bATang: 1.73846153846154 reflectRatio: 0.8 borderTopLeft: 226 borderTopRight: 392 leftGutter: 118 rightGutter: 252 holeRad: 30 holeRadExt: 15.5 holeRadExt2: 240.25 holeHeight: 21 leftHoleX: 249.5 rightHoleX: 368.5 topHoleY: 219.303816078334 midHoleY: 189.037409802142 bottomHoleY: 154.030482061005 circleY: 153.165133789588 circleYT: 136.016500494211 arcY: 136.016500494211 circleRad: 51 circleRad_2: 2601 arcRad: 83 arcRad_2: 6889 borderGapY: 67.4612670011503 circleGapY: 113.04320416409 ballPreviewY: 439 arrXHoles: 249.5,309,368.5,309,309 arrYHoles: 219.303816078334,219.303816078334,219.303816078334,189.037409802142,154.030482061005 arrNameHoles: ,,,,,, arrBackHoleDepths: 100,200,300,800,1000 arrFrontHoleDepths: 400,500,600,900,1100 viewHeight: 270 viewHeight_2: 72900 viewHeightDist: 646.520067800189 ballR: 10 ballR_2: 100 ballDepth: 1150 moveAngle: 1.59627926333118 viewDistStart: 287.923600977759 viewDist: 287.923600977759 dY: -56.5337004649263 dY1: -12.7142010670194 dX: -1.19799857743301 dX1: -0.531746161413689 numCalc: 1 viewCos: 0.505159772372779 distRatio: 0.343721920989708 minDistRatio: 0.28 lastCursorPosX: null lastCursorPosY: 
null curVelX: -7 curVelY: -113 speedRatio: 8 minVel: -32 maxVel: -70 maxSpeed: 4.4 blnSpeedRestrict: true x1: 309.009650216116 y1: 208.89958476837 z1: -71.0496245921465 vX: -0.00131217667864941 vY: -0.318780813782276 vZ: -3.83373178370822 beta: 0.815398163397448 mg: 0.54 alpha: 0.523598775598299 sinAlpha: 0.5 sinBeta: 0.727998628597419 tanBeta: 1.06187480778988 dRend: 5.27998628597419 circleH: 55.8612086435654 h: 1.0831563982682 hX: 309 hY: 219.303816078334 hObj: holeVel: 5.05329969019498 holeAccel: 1.01 blnToHole: true dPreDepth: 26.2668427778292 strState: wait blnAllowThr: true blnRoll: true maxBlinks: 4 blnRules: false blnCircles: false borderCollision: 0 maxAngle: 0.6 blnRolled: false rollIntervalId: null blnRollInterval: false highHole: -1 toHoleState: 0 blnBonus: false bonusRatio: 1 arrXPreview: undefined,536,516,500,485,471,458,442,429,416 arrScalePreview: undefined,100,91,83,78,73,69,65,62,59 previewTan: 1.5352 firstPreviewY: 472 previewScaleRatio: 1.013 bitPreviewScale: 1.0035 ledFrames: 0 snd1: [object Object] snd2: [object Object] snd3: [object Object] onEnterFrame: [type Function] onMouseDown: [type Function] onMouseUp: [type Function] onReleaseOutside: [type Function] onKeyDown: [type Function] blnRollOver: false blnEmptyThrow: false arrPreviewBalls: i: 5 ballNumber: 9 blnStars: false arrLedText: gameOver arrLedTime: 60 ballPos: [type Function] throwB: [type Function] roll: [type Function] syncAngle: [type Function] air: [type Function] board: [type Function] topCircle: [type Function] bottomCircle: [type Function] checkHoles: [type Function] toHole: [type Function] hit: [type Function] render: [type Function] rollInterval: [type Function] extCollision: [type Function] topBrdCollision: [type Function] circleBorder3D: [type Function] checkBallToHole: [type Function] internalCollision: [type Function] checkDepth: [type Function] toRollState: [type Function] holesExtCollision: [type Function] gameOver: [type Function] removeMovies: [type Function] 
printScores: [type Function] advancedRemove: [type Function] speedRestrict: [type Function] adRem: 314 boardCollision: 0 r: 220.651502761895 arctan: -0.32784048108803 tmp: 1 sd: 204.911342772483 blinks: 0 gameScore: 290 value1: 2 myVal1: 4 value2: 9 myVal2: 11 value3: 0 myVal3: 2 value4: NaN myVal4: NaN treID: 249 gy: false vel: 2.09514676517766 tmpVel: -3.15225105415903 dd: 6.54092014971986 arrXCoords: 313,318,317,318,318 arrYCoords: 376,429,472,482,482 gname: skeeballMT gscore: 290 /forum/index.php?act=Arcade&do=newscore HTTP/1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET CLR 3.0.30729)

It comes from a game called skeeballMT.swf

THE BRA1N

I am no expert but from looking at the log it appears to me that the reason some of my members are getting DOS bans is because it is counting requests to load attached avatars on a page as simultaneous page requests.

Thus, one thread click turns into several requests in less than a second as it loads attached avatars in particular threads with multiple members using attached av's and it triggers the DOS ban. At least that is my theory. Any merit to this?

butchs

Quote from: quiz_modder on January 30, 2011, 10:59:17 AM
It comes from a game called skeeballMT.swf

Information overload...   :o

Try the small column on the right.  It will tell you the key word that caused the flag.

butchs

Quote from: THE BRA1N on January 30, 2011, 01:29:24 PM
I am no expert but from looking at the log it appears to me that the reason some of my members are getting DOS bans is because it is counting requests to load attached avatars on a page as simultaneous page requests.

I have not been able to duplicate that.   Do not know unless there is a mod doing it or the members are trying to edit avatars all the time.  I know that some of my members had a problem with the feature and I had to whitelist them.  The reason was because of their security software validating every inch of the page.  I guess you will need to set DOS to logging.

quiz_modder

Quote from: butchs on January 30, 2011, 01:52:50 PM
Quote from: quiz_modder on January 30, 2011, 10:59:17 AM
It comes from a game called skeeballMT.swf

Information overload...   :o

Try the small column on the right.  It will tell you the key word that caused the flag.

Request Entity Attack: %5b!
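An added example, not part of the original posts and not the mod's code: given the keyword from the log's right-hand column, this finds which field of the logged POST entity contains it and shows the percent-decoded value. The entity string is a shortened, constructed excerpt of the log entry quoted earlier in the thread, and the "name: value" splitting is an assumption about how the log renders the POST fields.

```python
import re
from urllib.parse import unquote

# Constructed excerpt, shortened from the logged POST quoted in the thread.
LOGGED_ENTITY = (
    "crypto: 0 blnStartGame: false userVars: [object Object] "
    "myVariables: onLoad=%5Btype%20Function%5D puzzle_XML: "
    "gname: skeeballMT gscore: 290"
)

# A field starts at a word followed by a colon and a space.
FIELD_RE = re.compile(r"(\w+): ")


def split_fields(entity):
    """Split the log's 'name: value name: value' rendering into pairs."""
    marks = list(FIELD_RE.finditer(entity))
    fields = []
    for i, mark in enumerate(marks):
        # A value runs up to the start of the next field name.
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entity)
        fields.append((mark.group(1), entity[mark.end():end].strip()))
    return fields


def locate(entity, keyword):
    """Return (field, raw value, decoded value) for fields containing keyword."""
    needle = keyword.lower()
    hits = []
    for name, value in split_fields(entity):
        if needle in value.lower():  # %5b and %5B are the same escape
            hits.append((name, value, unquote(value)))
    return hits


if __name__ == "__main__":
    for name, raw, decoded in locate(LOGGED_ENTITY, "%5b"):
        print(f"{name}: {raw!r} decodes to {decoded!r}")
```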

butchs

January 30, 2011, 03:31:45 PM #151 Last Edit: January 30, 2011, 05:19:02 PM by butchs
That code does not match the rest in the post and does not conform to internet standards.  It could be either a user or a program hack.

If I were you I would try playing the game as a non-admin test member and see if you get the error.  If you do NOT get the error then it was the user.  If you do get the error then find another skeeball game from a reputable source like ipdownloads.

quiz_modder

Quote from: butchs on January 30, 2011, 03:31:45 PM
That code does not match the rest in the post and does not conform to internet standards.  It could be either a user or a program hack.

If I were you I would try playing the game as a non-admin test member and see if you get the error.  If you do NOT get the error then it was the user.  If you do get the error then find another skeeball game from a reputable source like ipdownloads.

Thanks for the advice, I will give it a go.

Pretty sure I got the game from there, but will double check.

butchs

I looked for it there and was not able to find it.   ::)

butchs

January 30, 2011, 07:08:12 PM #154 Last Edit: January 30, 2011, 07:12:24 PM by butchs
I do not think I did.  My Avatar folder is the "attachment directory". But I used to see many calls for "action=dlattach" from bad bots that scanned for weaknesses.  Most of the time they were trying to break the CAPTCHA.  They do not visit me anymore.

This mod has some tests that you will not see elsewhere so it will catch some extra activity.  As a matter of fact when I first created this mod  I saw a whole mess of weird things going on.  You are going to see things that you never expected expressly, if you do not have much protection from your host.  Like I said I blocked 3,000+ visits a week for some time.  Bandwidth was over 8gb, now it is much less.  Much of that is gone now that I am off the spam lists.

All is well since google, and etc are visiting.  I tested this mod for over 6 months before it was released.  Now the mod caches one every now and then and I use it as a country blocker and backup for cloudflare burps.

Who knows there may be some weird configuration I did not test?

butchs

January 30, 2011, 07:25:49 PM #155 Last Edit: January 30, 2011, 07:38:51 PM by butchs
I use the "Avatar_Verification" mod with 100 images, which gets a bunch of "action=dlattach" calls.

I consider all input...  You are making a mountain out of a mole hill.  I provided solutions for that post.  Plain and simple, some people's computer security software will cause DOS errors; in those cases you need to "whitelist" the members and tell them to log in before doing their thing.  If it is an issue in your region then you can turn off the DOS long term ban.  In this case, no security is lost and they will be blocked for the cache duration, then the admin can still look at the log and manually ban for longer time periods.
8)

mutluokul

January 31, 2011, 04:59:25 PM #156 Last Edit: January 31, 2011, 05:44:43 PM by mutluokul
Quote from: geminisnake on January 18, 2011, 08:50:18 PM
Tried installing the latest version on 1.1.12 and got:

Fatal error: Call to undefined function FFCopyright() in /home/dark/public_html/forum/Sources/Load.php(1733) : eval()'d code on line 373

Haven't been able to work it out yet ...  :)

The same problem happened to me. What should I do? What is the solution for this problem? Thanks


no problems .. I solve them all


butchs

Quote from: Arantor on January 31, 2011, 06:51:04 AM
Me, I'm doing nothing of the sort, I'm just saying that it might be wise not to jump to conclusions as to how things are being requested, as has been proven here - I did not know you were using the avatar verification mod... though I'm honestly surprised that it's modifying action=dlattach to serve the modified avatar images.

Everything I do is based on facts.

Is your hatred for SMF so great that now you have turned to trolling mod authors?

butchs

Quote from: mutluokul on January 31, 2011, 04:59:25 PM
no problems .. I solve them all

I am happy you fixed it.   :)

butchs

January 31, 2011, 07:34:28 PM #159 Last Edit: January 31, 2011, 07:37:30 PM by butchs
No assumptions were made.  I started the mod over a year ago long before RC4.  This mod was programmed with RC3 & 1.1.11 in mind, then adapted.  Older SMF versions were not considered.  So image checking was done another way.  All your points will be considered.  But for now I have other priorities and other mods to update.  I will get back to it when I have time.

It is one thing to give a point of view, it is another thing to purposely taunt someone.  So I called it correctly.   Why not start on another foot and treat others as you wish to be treated.  :o