<Weird unicode characters thread issue>
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: <Weird unicode characters thread issue>
Just checked and there are a lot of search queries as follows:
[markb /www.esumsoft.com/products/pop-peeper/ve ... tory/?p=94
[markb /www.esumsoft.com/products/pop-peeper/ve ... x.php?sc=9
etc.
Currently there are 8000+ rows of such search queries, out of a total of 9000+ entries.
I'm not sure what we can do about it. One obvious way is to delete all of them, maybe even filter the queries on "[markb", but it's actually trivial to be a d*ck and bomb the TPFC search box with all kinds of junk.
Am I missing something here? Is there a reason for this junk, and how can we stop it?
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: <Weird unicode characters thread issue>
Just checked the web server log. Here's an excerpt:
95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&so=p HTTP/1.0" 200 53292 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=10 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:44 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=25 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:45 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=50 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:46 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... ory/&s=100 HTTP/1.0" 200 53267 "-" "-"
It looks like an erroneous bot to me. First, there are no OS and agent identifiers, e.g.
176.126.83.247 - - [02/Mar/2017:07:35:28 +0000] "GET /icons/icordJfrR.gif HTTP/1.1" 200 1752 "https://www.portablefreeware.com/index.php?id=1749" "Mozilla/5.0 (Linux; U; Android 5.0.1; en-US; GT-I9505 Build/LRX22C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/10.9.8.770 U3/0.8.0 Mobile Safari/534.30"
Second, it uses HTTP/1.0, which is odd if it's a real browser, or even a more sophisticated bot, e.g.
68.180.229.49 - - [02/Mar/2017:07:35:15 +0000] "GET /changelog.php?id=805 HTTP/1.1" 200 5311 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
Anyway, it looks like the IP address is fixed, i.e. "95.213.143.223". So I'm going to try filtering that out first and see how it goes. I'm also going to remove all "[markb" entries from the search queries db.
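An added example (not code from the thread or the TPFC site) that turns the three tells listed in the post into a checker over combined-format log lines: it parses each line, scores it on a missing User-Agent, HTTP/1.0 and the self-referencing q= parameter, and tallies hits per source IP. The log lines are constructed in the style of the excerpt, with documentation-range addresses and shortened paths rather than the real entries.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format, the layout of the excerpt quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def bot_indicators(rec):
    """List which of the tells from the post a parsed record trips."""
    hits = []
    if rec["ua"] in ("", "-"):
        hits.append("no-user-agent")   # no browser/OS identification at all
    if rec["proto"] == "HTTP/1.0":
        hits.append("http-1.0")        # browsers and mainstream crawlers send 1.1 or newer
    if rec["path"].count("?q=") > 1:
        hits.append("nested-query")    # q=[MarkB+/?q=[MarkB+... feeds the search page back into itself
    return hits

def flag_log(lines, min_hits=2):
    """Count requests per source IP that trip at least `min_hits` indicators."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and len(bot_indicators(rec)) >= min_hits:
            counts[rec["ip"]] += 1
    return dict(counts)

# Constructed sample lines (documentation-range IPs, shortened paths) modelled on the excerpt.
SAMPLE = [
    '203.0.113.7 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/example/&so=p HTTP/1.0" 200 53292 "-" "-"',
    '203.0.113.7 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/example/&s=10 HTTP/1.0" 200 53244 "-" "-"',
    '203.0.113.7 - - [02/Mar/2017:12:00:44 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/example/&s=25 HTTP/1.0" 200 53244 "-" "-"',
    '198.51.100.9 - - [02/Mar/2017:07:35:28 +0000] "GET /index.php?id=1749 HTTP/1.1" 200 1752 "-" "Mozilla/5.0 (Linux; Android 5.0.1) AppleWebKit/534.30"',
    '198.51.100.10 - - [02/Mar/2017:07:35:15 +0000] "GET /changelog.php?id=805 HTTP/1.1" 200 5311 "-" "Mozilla/5.0 (compatible; ExampleBot; http://example.com/bot)"',
]

if __name__ == "__main__":
    print(flag_log(SAMPLE))   # {'203.0.113.7': 3}
```

Lowering `min_hits` to 1 would also catch the Slurp-style crawler if it ever dropped to HTTP/1.0, so keep the threshold at two tells before blocking an address outright.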
- __philippe
- Posts: 687
- Joined: Wed Jun 26, 2013 2:09 am
Russia Connections...;-)
Andrew Lee wrote: Just checked the web server log... Anyway it looks like the IP address is fixed i.e. "95.213.143.223"...
The Spy Who Came in from the Cold? ...
C:\mytools\Nirsoft>w 95.213.143.223
WHOIS Source: RIPE NCC
IP Address: 95.213.143.223
Country: Russian Federation
Network Name: SELECTEL-NET
Owner Name: Selectel SPb
CIDR: 95.213.143.0/24
From IP: 95.213.143.0
To IP: 95.213.143.255
Allocated: Yes
Contact Name: Cyrill Malevanov
Address: Selectel Ltd, Cvetochnaya st. 21, 190000, Saint-Petersburg, Russia
Email: malevanov@selectel.ru
Abuse Email:
Phone: +78126778036
Fax: +78126778036
C:\mytools\Nirsoft>whoiscl selectel.ru
WHOIS Server: whois.tcinet.ru
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).
domain: SELECTEL.RU
nserver: ns1.selectel.org.
nserver: ns2.selectel.org.
nserver: ns3.selectel.org.
nserver: ns4.selectel.org.
state: REGISTERED, DELEGATED, VERIFIED
org: Limited Liability Company "Selectel"
registrar: REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2008-04-10T20:00:00Z
paid-till: 2017-04-10T21:00:00Z
free-date: 2017-05-12
source: TCI
Last updated on 2017-03-03T08:11:31Z
Re: Russia Connections...;-)
__philippe wrote: The Spy Who Came in from the Cold? ...
Andrew Lee wrote: Just checked the web server log... Anyway it looks like the IP address is fixed i.e. "95.213.143.223"...
Note that Selectel is a hosting provider: https://en.wikipedia.org/wiki/Selectel
We merely know that the author of that bot is a Selectel customer. (Also, chances are that it's merely a buggy bot rather than an attempt to inject rogue top searches.)
My YouTube channel | Release date of my 13th playlist: August 24, 2020
- __philippe
- Posts: 687
- Joined: Wed Jun 26, 2013 2:09 am
Suspicious entries in Popular Searches box
Popular Searches:
Someone's poking around our.../etc/passwd/
/../../../../etc/passwd../../../../../etc/passwd../../../../etc/passwdlibreoffice../../../../../etc/passwd../../../../../../../etc/passwd.
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Suspicious entries in Popular Searches box
__philippe wrote: Popular Searches:
Someone's poking around our.../etc/passwd/
/../../../../etc/passwd../../../../../etc/passwd../../../../etc/passwdlibreoffice../../../../../etc/passwd../../../../../../../etc/passwd.
I got your email on this as well. Some bot probing for security vulnerability? This is crazy? Should I filter them out?
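An added example, not code from the thread or from phpBB, of the filter being discussed here: it percent-decodes each stored search string (repeatedly, so double-encoded variants are caught too) and drops anything containing a ../ sequence or /etc/passwd before ranking what is left for the Popular Searches box. The sample queries are constructed, modelled on the strings quoted above.

```python
import re
from urllib.parse import unquote

# Markers seen in the thread's "Popular Searches" box: directory-traversal
# steps ("../" or "..\") and the /etc/passwd target. Extend the list as needed.
PROBE_RE = re.compile(r"(?:\.\.[/\\])|/etc/passwd", re.IGNORECASE)

def normalize(query, rounds=3):
    """Percent-decode up to `rounds` times so %2e%2e%2f and double-encoded
    forms compare equal to a literal '../'; stop early once the text is stable."""
    cur = query
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur

def is_probe(query):
    """True if the stored search string looks like a traversal probe, not a search."""
    return PROBE_RE.search(normalize(query)) is not None

def filter_popular(queries, min_count=2):
    """Build the 'popular searches' list: drop probes, then rank the rest by count."""
    counts = {}
    for q in queries:
        if is_probe(q):
            continue
        key = normalize(q).strip().lower()
        counts[key] = counts.get(key, 0) + 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [q for q, n in ranked if n >= min_count]

# Constructed sample: a few ordinary searches plus probe strings modelled on the
# ones quoted in this thread (not the actual logged values).
SAMPLE_QUERIES = [
    "libreoffice", "LibreOffice", "notepad++",
    "/../../../../etc/passwd../../../../../etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",           # single percent-encoding
    "%252e%252e%252fetc%252fpasswd",         # double-encoded
    "notepad++",
]

if __name__ == "__main__":
    print(filter_popular(SAMPLE_QUERIES))   # ['libreoffice', 'notepad++']
```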
- __philippe
- Posts: 687
- Joined: Wed Jun 26, 2013 2:09 am
Re: <Weird unicode characters thread issue>
@Andrew
Might not be a bad idea to filter out the nosy bugger, if you'll pardon my French...
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: <Weird unicode characters thread issue>
__philippe wrote: @Andrew
Might not be a bad idea to filter out the nosy bugger, if you'll pardon my French...
Done! I hope the bots have left and will continue to leave us alone...
- __philippe
- Posts: 687
- Joined: Wed Jun 26, 2013 2:09 am
Suspicious entries in Popular Searches box
In connection with the recent security concern,
cheers to Andrew, who also shrewdly tightened the pertinent SSL configuration parameters on the TPFC server.
I'm glad to report that TPFC now rates an A+ overall score on SSLlabs security checker.
(Pre-tightening, the score was a less than ideal C)
For anyone interested, SSLlabs is a well-regarded (my word) Web security checking service
which performs free "deep analysis of the configuration of any SSL web server on the public Internet" (their word)
TPFC current score:
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: <Weird unicode characters thread issue>
For the technically inclined, here's the guide I followed:
https://scaron.info/blog/improve-your-n ... ation.html
I don't pretend to understand everything that's in there, but I can follow step-by-step instructions.
- __philippe
- Posts: 687
- Joined: Wed Jun 26, 2013 2:09 am
Popular Searches box suspicious entries
Curious Cyrillic character string currently winding its way into the "popular search" box:
"Аналоги пиратских windows-программ для офиса"
Re: Popular Searches box suspicious entries
__philippe wrote: Curious Cyrillic character string currently winding its way into the "popular search" box:
"Аналоги пиратских windows-программ для офиса"
According to Google Translate, it's Russian and means "Analogues of pirated windows-programs for the office"
My YouTube channel | Release date of my 13th playlist: August 24, 2020
- __philippe
- Posts: 687
- Joined: Wed Jun 26, 2013 2:09 am
Popular Searches box suspicious entries
@SYSTEM
Thanks for the translation.
Still puzzling over why phpBB should flag this oddly 'unorthodox' Cyrillic character string as an (improbable) "Popular Search"?
Re: Popular Searches box suspicious entries
SYSTEM wrote: ...means "Analogues of pirated windows-programs for the office"
I'll admit I was curious.
__philippe wrote: Curious Cyrillic character string currently winding its way into the "popular search" box
Thanks, will pass that along.
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: <Weird unicode characters thread issue>
I just checked the web logs, and they are legit searches. Some characteristics I have discerned:
1) They are mostly from different IP addresses with no discernible pattern.
2) They have different web browser IDs, from AppleWebKit to Firefox Gecko.
3) They are mostly not clustered in time.
I'm not sure what we can do about them. Suggestions?