IP Unmasker


azw
Registered User
Posts: 246
Joined: Mon Feb 24, 2003 12:41 am
Contact:

Re: IP Unmasker

Post by azw »

I'm reporting back a few hours later. It seems to be catching people:

Code:

65.54.155.47  	X-Forwarded-For  	4.184.48.160
189.146.50.204 	X-Forwarded-For 	172.35.20.102
205.188.117.69 	XSS 	205.188.116.137
205.188.116.199 	XSS 	205.188.117.67
205.188.117.17 	XSS 	205.188.117.79
205.188.116.196 	XSS 	205.188.117.17
205.188.116.79 	XSS 	205.188.117.5
38.98.19.66 	XSS 	38.98.19.68
217.12.16.48 	X-Forwarded-For 	10.239.214.134, 10.239.216.2
89.171.104.226 	X-Forwarded-For 	192.168.0.57
156.35.192.4 	X-Forwarded-For 	156.35.156.91

First, one of my visitors is this one:
156.35.192.4 X-Forwarded-For 156.35.156.91
He's a person who accesses the forum from a university. The university uses a proxy, as you can see in this data from this web page: http://whatismyipaddress.com/staticpage ... IP-address

Code:

Proxy Server Detected!
Proxy Server IP address: 156.35.192.4
Proxy Server Details: 1.1 cachewww3.uniovi.es:8888 (squid)
Proxy Reports IP as: 156.35.156.91

That visitor reported this morning that he was allowed into the forum. Does that mean that even though visitors are listed they aren't blocked?

Second, there are a bunch of others that look similar to his, including these:

Code:

205.188.116.79 	XSS 	205.188.117.5
38.98.19.66 	XSS 	38.98.19.68

There's a good chance that they're not doing anything nasty because their IP addresses are similar to each other. Does the mod allow for differences like that?

And last, I'm not listed there. How should I test the mod?
Multilingual & bilingual websites for businesses and nonprofits

TerraFrost
Former Team Member
Posts: 5957
Joined: Sun Dec 26, 2004 3:40 am
Location: Austin, TX

Re: IP Unmasker

Post by TerraFrost »

This MOD doesn't block people detected via X-Forwarded-For headers, by default. This behavior can be changed via the ACP, but I'd recommend against it. Some ISPs may add X-Forwarded-For headers, even though the originating IP address isn't an open proxy (i.e. maybe it's a closed proxy).

As for the XSS stuff... I've never personally experienced that, but... nonetheless, try this:

Code:

#
#-----[ OPEN ]------------------------------------------
#
probe.php
#
#-----[ FIND ]------------------------------------------
#
	if ( $mode != JAVA_INTERNAL )
	{
#
#-----[ AFTER, ADD ]------------------------------------
#
		// sessions.php only checks the first 24 bits of an IP address and so too shall we.
		// do a search for vHiker, in sessions.php, to see the specific code it uses.
		if ((ip2long($info) & 0xFFFFFF00) == (ip2long($ip_address) & 0xFFFFFF00))
		{
			continue;
		}

Finally, to test the MOD, you can find a CGI proxy to test it out on (for example, do a google search for nph-proxy.cgi and use one of those) or you can use an HTTP proxy.

azw
Registered User
Posts: 246
Joined: Mon Feb 24, 2003 12:41 am
Contact:

Re: IP Unmasker

Post by azw »

Thanks for your help. You're up among the very best on this board, Terrafrost!

I've instituted that patch. But I'm still not being logged or blocked when I use sites like this:
sgqhz.w26.100dns.com/mamproxy
proxymask.com
proxieview.info/cgiproxy/nph-proxy.pl
ghostproxy2.com/cgi/nph-ghost.cgi

Maybe I'm doing it wrong. I just go to the proxy URL, enter my forum, and then surf to a couple of pages. Nothing remarkable happens.


I've got a member of the forum (who I'm pretty sure is legitimate) who appears as the second listing below. What would cause her IP to be listed as 0.0.0.0?

Code:

0.0.0.0 	XSS 	74.173.14.82
0.0.0.0 	XSS 	85.152.89.136

Does it look like I've made a mistake in the installation?
Multilingual & bilingual websites for businesses and nonprofits

TerraFrost
Former Team Member
Posts: 5957
Joined: Sun Dec 26, 2004 3:40 am
Location: Austin, TX

Re: IP Unmasker

Post by TerraFrost »

The patch I gave you is supposed to make it so that 205.188.117.17 doesn't get blocked because the XSS detection method detected 205.188.117.79. phpBB's own sessions system ignores the last 8-bits, so it doesn't seem unreasonable that this MOD ignore them, as well.

As for CGI proxies being blocked... without knowing the URL to your board, it's tough to make a diagnosis.

A few possibilities that come to mind, however... maybe you have a MOD installed that conflicts with this one. MODs that remove the sid from guests don't work with this MOD, for example. That's because this MOD blocks on a per-session basis. If no session is even created, blocking on a per-session basis doesn't really work.

Another possibility - if you click on a link before the page has finished loading, you'll prematurely abort the detection process and may go undetected as a CGI proxy. Unfortunately, there's not much that can be done about that. I could create a splash screen, and may do so in a later version of this MOD, but that's not exactly search-engine friendly.

Or maybe there's something else at play. A while ago, I helped someone out whose problem wasn't due to this MOD, but rather, due to a bug in (1) the CGI proxy he was using and (2) a bug in keep unread flags. More information can be found here.

As for why someone is showing up with an IP address of 0.0.0.0... no clue.

For the first problem, giving me FTP access would be prudent. For the second, having your friend visit the following URL and telling me the output they get would be helpful:

http://www.frostjedi.com/terra/scripts/ip_unmasker.php

If they could do it for UTF-7 and UTF-16 (this MOD does both, but the above URL does not).
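
The 24-bit comparison from the patch and the X-Forwarded-For default described in this thread, applied to rows from the log posted earlier (an added example for current PHP, not part of the original posts or the MOD's code). The helper names `same_slash24`, `is_private_ipv4` and `triage` and the outcome labels are hypothetical.

```php
<?php
// Added example, not the MOD's code. Rows (session IP, method, reported
// address) are taken from the log posted earlier in the thread.
$rows = array(
    array('205.188.117.17', 'XSS', '205.188.117.79'),
    array('205.188.116.79', 'XSS', '205.188.117.5'),
    array('38.98.19.66', 'XSS', '38.98.19.68'),
    array('217.12.16.48', 'X-Forwarded-For', '10.239.214.134, 10.239.216.2'),
    array('89.171.104.226', 'X-Forwarded-For', '192.168.0.57'),
    array('156.35.192.4', 'X-Forwarded-For', '156.35.156.91'),
);

// Hypothetical helper: true only if both are valid IPv4 in the same /24.
// ip2long() returns false on bad input and (false & mask) is 0, so without
// the explicit checks two unparsable values would compare as equal.
function same_slash24($a, $b)
{
    $la = ip2long($a);
    $lb = ip2long($b);
    $mask = ip2long('255.255.255.0');
    return $la !== false && $lb !== false && ($la & $mask) === ($lb & $mask);
}

// Hypothetical helper: valid IPv4 that falls in a private (RFC 1918) range.
function is_private_ipv4($ip)
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        && filter_var($ip, FILTER_VALIDATE_IP,
               FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE) === false;
}

// Hypothetical triage mirroring the defaults described in the thread.
function triage($session_ip, $method, $reported)
{
    $hops = array_map('trim', explode(',', $reported)); // header may list several hops
    foreach ($hops as $hop) {
        if (same_slash24($session_ip, $hop)) {
            return 'ignore (same /24 as session IP)';
        }
    }
    if ($method === 'X-Forwarded-For') {
        $private = count(array_filter($hops, 'is_private_ipv4')) === count($hops);
        return $private ? 'log only (private address, not a public IP)' : 'log only';
    }
    return 'flag (different /24)';
}

foreach ($rows as $r) {
    printf("%-16s %-16s %-30s %s\n", $r[0], $r[1], $r[2], triage($r[0], $r[1], $r[2]));
}
```

Of the XSS rows used here, 205.188.117.17 and 38.98.19.66 share a /24 with the address reported for them, while 205.188.116.79 and 205.188.117.5 differ in the third octet, so a 24-bit comparison still flags that pair.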

azw
Registered User
Posts: 246
Joined: Mon Feb 24, 2003 12:41 am
Contact:

Re: IP Unmasker

Post by azw »

TerraFrost wrote:As for CGI proxies being blocked... without knowing the URL to your board, it's tough to make a diagnosis.

A few possibilities that come to mind, however... maybe you have a MOD installed that conflicts with this one. MODs that remove the sid from guests don't work with this MOD, for example. That's because this MOD blocks on a per-session basis. If no session is even created, blocking on a per-session basis doesn't really work.

I don't think I have any mods that affect SID, except one that supposedly targets Google: enhance-google-indexing. It looks for $HTTP_SERVER_VARS['HTTP_USER_AGENT'] strings containing "Googlebot".

Just to test, I've tried several proxy services while logged in, so I have a session, but didn't get any logging or blocking.

TerraFrost wrote:Another possibility - if you click on a link before the page has finished loading, you'll prematurely abort the detection process and may go undetected as a CGI proxy. Unfortunately, there's not much that can be done about that. I could create a splash screen, and may do so in a later version of this MOD, but that's not exactly search-engine friendly.

Yeah, that wouldn't be very good.

TerraFrost wrote:Or maybe there's something else at play. A while ago, I helped someone out whose problem wasn't due to this MOD, but rather, due to a bug in (1) the CGI proxy he was using and (2) a bug in keep unread flags. More information can be found here.

Hmm. I don't think that applies here.

TerraFrost wrote:As for why someone is showing up with an IP address of 0.0.0.0... no clue.

For the first problem, giving me FTP access would be prudent. For the second, having your friend visit the following URL and telling me the output they get would be helpful:

http://www.frostjedi.com/terra/scripts/ip_unmasker.php

If they could do it for UTF-7 and UTF-16 (this MOD does both, but the above URL does not).

I've asked them to do that. We'll see....

If this doesn't work out, I'll send you a link, etc.
Multilingual & bilingual websites for businesses and nonprofits

wee_helen
Registered User
Posts: 11
Joined: Mon Aug 20, 2007 10:55 pm

Re: IP Unmasker

Post by wee_helen »

Hi,

I was wondering if this MOD is going to be made to work for phpBB3?

Helen

TerraFrost
Former Team Member
Posts: 5957
Joined: Sun Dec 26, 2004 3:40 am
Location: Austin, TX

Re: IP Unmasker

Post by TerraFrost »

wee_helen wrote:Hi,

I was wondering if this MOD is going to be made to work for phpBB3?

Helen

I have no plans to do so, at present. That may or may not change in the future, however.

wee_helen
Registered User
Posts: 11
Joined: Mon Aug 20, 2007 10:55 pm

Re: IP Unmasker

Post by wee_helen »

Awwww pretty please???? :lol:

There are a few requests for similar on the phpBB3 forums

H xox

hungrywolf
Registered User
Posts: 11
Joined: Mon Oct 01, 2007 5:18 am

Re: IP Unmasker

Post by hungrywolf »

Hi,

I installed your Mod using EasyMod.

I am using FireFox 2.0.0.7. The problem is when I now access my Forum, a part of the Forum goes blank. Then Firefox freezes (in the Windows Task manager Firefox shows running). When I shut Firefox down it is still running in the process and I have to then manually stop the process.

This doesn't happen using Internet Explorer.

Any ideas?

Thanks for a great mod !

Regards,
Derek

TerraFrost
Former Team Member
Posts: 5957
Joined: Sun Dec 26, 2004 3:40 am
Location: Austin, TX

Re: IP Unmasker

Post by TerraFrost »

hungrywolf wrote:Hi,

I installed your Mod using EasyMod.

I am using FireFox 2.0.0.7. The problem is when I now access my Forum, a part of the Forum goes blank. Then Firefox freezes (in the Windows Task manager Firefox shows running). When I shut Firefox down it is still running in the process and I have to then manually stop the process.

This doesn't happen using Internet Explorer.

Any ideas?

Thanks for a great mod !

Regards,
Derek

Seems like Java would probably be the problem. Maybe FF interfaces with it differently than IE.

Anyway, did you upload the *.class file in BIN mode? Doing it in ASCII mode (as EasyMOD does it) will result in an applet that can't be run.

hungrywolf
Registered User
Posts: 11
Joined: Mon Oct 01, 2007 5:18 am

Re: IP Unmasker

Post by hungrywolf »

TerraFrost wrote: Seems like Java would probably be the problem. Maybe FF interfaces with it differently than IE.

Anyway, did you upload the *.class file in BIN mode? Doing it in ASCII mode (as EasyMOD does it) will result in an applet that can't be ran.

Hi,

Yes I did upload the *.class file in BIN mode. But I got around the problem, I put my IP in the "IP not to be scanned list" and it seems to have solved the problem. Though, maybe some visitors using FireFox would face the same problem?

BTW, a great mod ! I have given it an Excellent rating. Well done.

Regards,
Derek

TerraFrost
Former Team Member
Posts: 5957
Joined: Sun Dec 26, 2004 3:40 am
Location: Austin, TX

Re: IP Unmasker

Post by TerraFrost »

hungrywolf wrote:Yes I did upload the *.class file in BIN mode. But I got around the problem, I put my IP in the "IP not to be scanned list" and it seems to have solved the problem. Though, maybe some visitors using FireFox would face the same problem?

It's quite possible. Sadly, I think it's just a cost of doing business with Java :(

If you want, you can disable Java, altogether, by doing this:

http://www.phpbb.com/community/viewtopi ... 0#p3020707

hungrywolf wrote:BTW, a great mod ! I have given it an Excellent rating. Well done.

Thanks! :D

hungrywolf
Registered User
Posts: 11
Joined: Mon Oct 01, 2007 5:18 am

Re: IP Unmasker

Post by hungrywolf »

Hi,

Is it possible to log the time/date of the intrusions?

Thanks.

BTW, an awesome mod !

TerraFrost
Former Team Member
Posts: 5957
Joined: Sun Dec 26, 2004 3:40 am
Location: Austin, TX

Re: IP Unmasker

Post by TerraFrost »

hungrywolf wrote:Hi,

Is it possible to log the time/date of the intrusions?

Nope, although adding the ability shouldn't be too difficult.

Unfortunately, I'm really busy, irl, with work and all :(, so it's not something I'll be able to do immediately...

hungrywolf
Registered User
Posts: 11
Joined: Mon Oct 01, 2007 5:18 am

Re: IP Unmasker

Post by hungrywolf »

TerraFrost wrote:Unfortunately, I'm really busy, irl, with work and all :(, so it's not something I'll be able to do immediately...

Thanks. It will be helpful if you do it.

Regards,
