[WikiEN-l] Re: Why am I blocked ?
Tim Starling
ts4294967296 at hotmail.com
Fri Apr 2 02:00:57 UTC 2004
Eric Demolli wrote:
> Thanks Jimmy.
> You know I'm blocked again. As of today I considered my proxy as secure. I
> just like to know what kind of security hole was discovered. If a proxy
> blocker has been implemented I think it would be fair to say exactly why an
> address is blocked.
> Eric Demolli
Your computer has two ports open which are on the proxy checker's port
list: 80 and 3128. Both seem to be correctly configured. I manually
triggered the proxy blocker to attempt to block those two ports, and
nothing happened. You have Apache running on 80, and it didn't
understand the proxy request. You have squid on port 3128, and it gives
an access denied error.
Nonetheless, the server logs show your computer asking for itself to be
blocked, at April 1, 16:15.
62.212.103.37 - - [01/Apr/2004:16:15:35 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=62.212.103.37 HTTP/1.0" 200 4143 "-" "-"
The proxy blocker works by attempting to send a proxied request for
Special:Blockme via the target computer. Special:Blockme will block the
address if the originating IP matches the IP in the query string.
The logs also show a matching request for the edit page, which triggered
the scan:
62.212.103.37 - - [01/Apr/2004:16:15:33 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Image_talk:Hindenburg.jpg&action=edit HTTP/1.1" 200 3550 "http://en.wikipedia.org/wiki/Image:Hindenburg.jpg" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
Was that you clicking on that edit link? Is MSIE 6.0 your browser?
It's possible for a malicious person to trick your browser into
requesting the Special:Blockme address, e.g. with an image with its
source set to Special:Blockme, a misleading link or a java applet. The
fact that there is also a request for an edit page makes this seem
pretty unlikely, although not impossible.
Possible explanations range from the mundane to the extraordinary. You
could have reconfigured your proxy after 16:15 and forgotten to tell us.
There may have been an elaborate script embedded in Wikipedia or another
web page you were surfing at the time. Your computer might have been
hacked.
If this happens again, can you please contact me privately, immediately
after the event? By IRC, user talk page, or email (t.starling at
ph.unimelb.edu.au).
Tomos at Wikipedia wrote:
> Hello.
>
> It seems that one of our trusted users was blocked by proxy blocker even
> though his IPs are not open proxies. IPs I was informed of by the
> user were as follows:
>
> 220.146.24.126
> 220.146.22.87
> 220.146.22.10
>
> I will unblock these addresses, but is it really effective if I do that?
> I am afraid that the blocker will re-block those addresses as soon as he
> starts editing. Can I do anything? Or is there anything the user should
> do? I would appreciate any suggestion.
This user appears to be on a dynamic IP address, so it's a bit hard for
me to scan it and check for security. Can you have this person contact
me when s/he is online? Perhaps by IRC? I found one relevant log entry:
220.146.22.87 - - [01/Apr/2004:00:56:55 +0000] "GET http://meta.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=220.146.22.87 HTTP/1.0" 200 4017 "-" "-"
And a matching edit request:
220.146.22.87 - - [01/Apr/2004:00:56:55 +0000] "GET http://meta.wikipedia.org/w/wiki.phtml?title=MediaWiki_feature_request_and_bug_report_discussion&action=edit HTTP/1.1" 200 89899 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
This user may have an open proxy on his/her computer without knowing it.
The thing about the proxy blocker is that it's not particularly prone to
false positives. If you get blocked, it means either you have an open
proxy, or something fishy is going on. If people are being blocked by a
malicious user, we will need to enhance the security in Special:Blockme,
adding some sort of authentication to ensure the requests are genuine.
-- Tim Starling
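A defender-side way to triage Special:Blockme entries like the ones quoted in this thread, as an added example that is not part of the mailing-list post: it parses combined-format access log lines, applies the rule Tim describes (Blockme only acts when the origin IP equals the ip= parameter), and separates checker-style relayed requests from requests a user's own browser made. The first sample line is the entry quoted above; the other three are constructed, and the checker fingerprint (HTTP/1.0 with empty Referer and User-Agent) is an assumption inferred from the quoted entries.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined log format: client ident user [time] "method url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify_blockme(line):
    """Return None for lines that are not Special:Blockme hits, else (client_ip, verdict)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    q = parse_qs(urlparse(m["url"]).query)
    if q.get("title") != ["Special:Blockme"]:
        return None
    claimed = q.get("ip", [""])[0]
    # Blockme only blocks when the originating IP matches the ip= query parameter.
    if claimed != m["client"]:
        return m["client"], "ignored: ip parameter does not match origin"
    # Assumed checker fingerprint: a bare HTTP/1.0 relay with no Referer and no User-Agent.
    if m["proto"] == "HTTP/1.0" and m["referer"] == "-" and m["ua"] == "-":
        return m["client"], "blocked: checker-style relayed request"
    # A browser User-Agent means the user's own browser fetched Blockme, which is
    # the pattern a misleading link or image source would produce.
    return m["client"], "blocked: browser-originated request, investigate"

def scan(lines):
    return [r for r in map(classify_blockme, lines) if r is not None]

# Sample log: line 1 is the entry quoted in the thread; lines 2-4 are constructed.
SAMPLE_LOG = [
    '62.212.103.37 - - [01/Apr/2004:16:15:35 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=62.212.103.37 HTTP/1.0" 200 4143 "-" "-"',
    '62.212.103.37 - - [01/Apr/2004:16:15:33 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Image_talk:Hindenburg.jpg&action=edit HTTP/1.1" 200 3550 "http://en.wikipedia.org/wiki/Image:Hindenburg.jpg" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"',
    '198.51.100.7 - - [01/Apr/2004:17:02:10 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=198.51.100.7 HTTP/1.1" 200 4143 "http://example.invalid/page.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '198.51.100.9 - - [01/Apr/2004:17:05:00 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=203.0.113.4 HTTP/1.0" 200 4143 "-" "-"',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```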