<Weird unicode characters thread issue>

All suggestions about TPFC should be posted here. Discussions about changes to TPFC will also be carried out here.
Andrew Lee
Posts: 2207
Joined: Sat Feb 04, 2006 9:19 am
Contact:

Re: <Weird unicode characters thread issue>

#16 Post by Andrew Lee » Thu Mar 02, 2017 8:03 pm

Just checked and there are a lot of search queries as follows:

[markb /www.esumsoft.com/products/pop-peeper/ve ... tory/?p=94
[markb /www.esumsoft.com/products/pop-peeper/ve ... x.php?sc=9
etc.


Currently there are 8000+ rows of such search queries, out of a total of 9000+ entries.

I'm not sure what we can do about it. One obvious way is to delete all of them, maybe even filter the queries on "[markb", but it's actually trivial to be a d*ck and bomb the TPFC search box with all kinds of junk.

Am I missing something here? Is there a reason for this junk, and how can we stop it?

Andrew Lee

Re: <Weird unicode characters thread issue>

#17 Post by Andrew Lee » Thu Mar 02, 2017 8:36 pm

Just checked the web server log. Here's an excerpt:

95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&so=p HTTP/1.0" 200 53292 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=10 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:44 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=25 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:45 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=50 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:46 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... ory/&s=100 HTTP/1.0" 200 53267 "-" "-"


It looks like an erroneous bot to me. First, there are no OS and agent identifiers, e.g.:

176.126.83.247 - - [02/Mar/2017:07:35:28 +0000] "GET /icons/icordJfrR.gif HTTP/1.1" 200 1752 "https://www.portablefreeware.com/index.php?id=1749" "Mozilla/5.0 (Linux; U; Android 5.0.1; en-US; GT-I9505 Build/LRX22C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/10.9.8.770 U3/0.8.0 Mobile Safari/534.30"

Second, it uses HTTP/1.0, which is odd if it's a real browser, or even a more sophisticated bot, e.g.:

68.180.229.49 - - [02/Mar/2017:07:35:15 +0000] "GET /changelog.php?id=805 HTTP/1.1" 200 5311 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"


Anyway it looks like the IP address is fixed i.e. "95.213.143.223". So I'm going to try filtering that out first and see how it goes. I'm also going to remove all "[markb" entries from the search queries db.
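The checks Andrew applied by hand above (blank user agent, HTTP/1.0, a search term that embeds another search URL, and many hits from one address) can be automated. The following is an added example, not code from the thread or from TPFC: it parses combined-format access log lines and tallies suspicious requests per IP. The sample lines, IPs and paths are constructed to resemble the excerpts quoted above.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicion_reasons(entry):
    """Heuristics taken from the thread: blank user agent, HTTP/1.0, a search term that
    embeds another search URL (the nested ?q=...?q=... pattern), or path traversal."""
    reasons = []
    if entry["ua"] == "-":
        reasons.append("no user agent")
    if entry["proto"] == "HTTP/1.0":
        reasons.append("HTTP/1.0")
    for q in parse_qs(urlparse(entry["target"]).query).get("q", []):  # parse_qs already URL-decodes
        if "?q=" in q or q.lower().startswith("[markb"):
            reasons.append("nested search URL in query")
        if "../" in q or "/etc/passwd" in q:
            reasons.append("path traversal in query")
    return sorted(set(reasons))

def triage(lines, min_hits=3):
    """Map each IP with at least min_hits suspicious requests to (count, reasons)."""
    hits, why = Counter(), {}
    for line in lines:
        e = parse_line(line)
        r = suspicion_reasons(e) if e else []
        if r:
            hits[e["ip"]] += 1
            why.setdefault(e["ip"], set()).update(r)
    return {ip: (n, sorted(why[ip])) for ip, n in hits.items() if n >= min_hits}

# Constructed sample lines modelled on the thread's excerpts (documentation-range IPs, fictional paths)
SAMPLE_LINES = [
    '203.0.113.5 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.example.com/tool/history/&so=p HTTP/1.0" 200 53292 "-" "-"',
    '203.0.113.5 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.example.com/tool/history/&s=10 HTTP/1.0" 200 53244 "-" "-"',
    '203.0.113.5 - - [02/Mar/2017:12:00:44 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.example.com/tool/history/&s=25 HTTP/1.0" 200 53244 "-" "-"',
    '198.51.100.7 - - [02/Mar/2017:07:35:28 +0000] "GET /icons/x.gif HTTP/1.1" 200 1752 "https://www.portablefreeware.com/index.php?id=1749" "Mozilla/5.0 (Linux; Android 5.0.1) AppleWebKit/534.30 Mobile Safari/534.30"',
    '198.51.100.9 - - [22/Mar/2017:01:00:00 +0000] "GET /index.php?q=../../../../etc/passwd HTTP/1.1" 200 5311 "-" "curl/7.52.1"',
]
```

Running `triage(SAMPLE_LINES)` reports only the address that repeated the nested-search pattern; the single traversal probe falls under the default threshold and shows up with `min_hits=1`.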

__philippe
Posts: 470
Joined: Wed Jun 26, 2013 2:09 am

Russia Connections...;-)

#18 Post by __philippe » Fri Mar 03, 2017 1:21 am

Andrew Lee wrote: Just checked the web server log... Anyway it looks like the IP address is fixed i.e. "95.213.143.223"...
The Spy Who Came in from the Cold ? ... :wink:


C:\mytools\Nirsoft>w 95.213.143.223
WHOIS Source: RIPE NCC
IP Address:   95.213.143.223
Country:      Russian Federation
Network Name: SELECTEL-NET
Owner Name:   Selectel SPb
CIDR:         95.213.143.0/24
From IP:      95.213.143.0
To IP:        95.213.143.255
Allocated:    Yes
Contact Name: Cyrill Malevanov
Address:      Selectel Ltd, Cvetochnaya st. 21, 190000, Saint-Petersburg, Russia
Email:        malevanov@selectel.ru
Abuse Email:
Phone:        +78126778036
Fax:          +78126778036


C:\mytools\Nirsoft>whoiscl selectel.ru

WHOIS Server: whois.tcinet.ru

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        SELECTEL.RU
nserver:       ns1.selectel.org.
nserver:       ns2.selectel.org.
nserver:       ns3.selectel.org.
nserver:       ns4.selectel.org.
state:         REGISTERED, DELEGATED, VERIFIED
org:           Limited Liability Company "Selectel"
registrar:     REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2008-04-10T20:00:00Z
paid-till:     2017-04-10T21:00:00Z
free-date:     2017-05-12
source:        TCI

Last updated on 2017-03-03T08:11:31Z

SYSTEM
Posts: 1757
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Russia Connections...;-)

#19 Post by SYSTEM » Fri Mar 03, 2017 2:44 am

__philippe wrote:
Andrew Lee wrote: Just checked the web server log... Anyway it looks like the IP address is fixed i.e. "95.213.143.223"...
The Spy Who Came in from the Cold ? ... :wink:
Note that Selectel is a hosting provider: https://en.wikipedia.org/wiki/Selectel

We merely know that the author of that bot is a Selectel customer. (Also, chances are that it's merely a buggy bot rather than an attempt to inject rogue top searches.)

__philippe

Suspicious entries in Popular Searches box

#20 Post by __philippe » Wed Mar 22, 2017 2:03 am

Popular Searches:
Someone's poking around our.../etc/passwd/ :?:

/../../../../etc/passwd../../../../../etc/passwd../../../../etc/passwdlibreoffice../../../../../etc/passwd../../../../../../../etc/passwd.

Andrew Lee

Re: Suspicious entries in Popular Searches box

#21 Post by Andrew Lee » Wed Mar 22, 2017 3:02 am

__philippe wrote: Popular Searches:
Someone's poking around our.../etc/passwd/ :?:

/../../../../etc/passwd../../../../../etc/passwd../../../../etc/passwdlibreoffice../../../../../etc/passwd../../../../../../../etc/passwd.
I got your email on this as well. Some bot probing for security vulnerabilities? This is crazy? Should I filter them out? :o

__philippe

Re: <Weird unicode characters thread issue>

#22 Post by __philippe » Wed Mar 22, 2017 3:09 am

@Andrew

Might not be a bad idea to filter out the nosy bugger, if you'll pardon my French... :roll:

Andrew Lee

Re: <Weird unicode characters thread issue>

#23 Post by Andrew Lee » Wed Mar 22, 2017 7:59 pm

__philippe wrote: @Andrew

Might not be a bad idea to filter out the nosy bugger, if you'll pardon my French... :roll:
Done! I hope the bots have left and will continue to leave us alone...

__philippe

Suspicious entries in Popular Searches box

#24 Post by __philippe » Thu Mar 23, 2017 4:02 am

In connection with the recent security concern,
cheers to Andrew, who also shrewdly tightened the pertinent SSL configuration parameters on the TPFC server.

I'm glad to report that TPFC now rates an A+ overall score on SSLlabs security checker.
(Pre-tightening, the score was a less than ideal C)

For anyone interested, SSLlabs is a well-regarded (my word) web security checking service
which performs a free "deep analysis of the configuration of any SSL web server on the public Internet" (their words).

TPFC current score: (image)

Andrew Lee

Re: <Weird unicode characters thread issue>

#25 Post by Andrew Lee » Thu Mar 23, 2017 5:24 pm

For the technically inclined, here's the guide I followed:

https://scaron.info/blog/improve-your-n ... ation.html

I don't pretend to understand everything that's in there, but I can follow step-by-step instructions. :D

__philippe

Popular Searches box suspicious entries

#26 Post by __philippe » Tue Oct 31, 2017 2:29 am

Curious Cyrillic character string currently winding its way into the "popular search" box:

"Аналоги пиратских windows-программ для офиса"

SYSTEM

Re: Popular Searches box suspicious entries

#27 Post by SYSTEM » Tue Oct 31, 2017 2:35 am

__philippe wrote: Curious Cyrillic character string currently winding its way into the "popular search" box:

"Аналоги пиратских windows-программ для офиса"
According to Google Translate, it's Russian and means "Analogues of pirated windows-programs for the office"

__philippe

Popular Searches box suspicious entries

#28 Post by __philippe » Tue Oct 31, 2017 2:58 am

@SYSTEM
Thanks for the translation.

Still puzzling over why phpBB should flag this oddly 'unorthodox' Cyrillic character string as an (improbable) "Popular Search"? :roll:

webfork
Posts: 7693
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Popular Searches box suspicious entries

#29 Post by webfork » Tue Oct 31, 2017 6:22 pm

SYSTEM wrote: ...means "Analogues of pirated windows-programs for the office"
I'll admit I was curious.
__philippe wrote: Curious Cyrillic character string currently winding its way into the "popular search" box
Thanks, will pass that along.

Andrew Lee

Re: <Weird unicode characters thread issue>

#30 Post by Andrew Lee » Tue Oct 31, 2017 7:39 pm

I just checked the web logs, and they are legit searches. Some characteristics I have discerned:

1) They are mostly from different IP addresses with no discernible pattern.

2) They have different web browser IDs, from AppleWebKit to Firefox Gecko.

3) They are mostly not clustered in time.

I'm not sure what we can do about them. Suggestions?
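The thread shows both junk that should never reach the Popular Searches box (the traversal strings in post #21) and legitimate non-Latin queries that should (the Cyrillic searches Andrew confirmed as genuine in post #30). The following is an added example, not code from TPFC or phpBB, of an admission filter that rejects the former on content rather than on character set, so the latter pass. The blocked-pattern list, length limit and sample queries are constructed.

```python
import unicodedata
from urllib.parse import unquote

# Substrings seen in the junk entries quoted in the thread (constructed list; extend as needed)
BLOCKED_SUBSTRINGS = ("../", "/etc/passwd", "?q=", "[markb")
MAX_LEN = 80  # assumed limit for a genuine search term

def normalize_query(raw):
    """Percent-decode twice (catches %252e-style double encoding), apply NFKC and collapse whitespace."""
    text = unquote(unquote(raw))
    text = unicodedata.normalize("NFKC", text)
    return " ".join(text.split())

def is_admissible(raw):
    """True if the query may be counted toward 'popular searches'. Cyrillic or any other
    script is fine; traversal sequences, nested search URLs and control characters are not."""
    q = normalize_query(raw)
    if not q or len(q) > MAX_LEN:
        return False
    if any(unicodedata.category(ch).startswith("C") for ch in q):  # Cc/Cf/Co/Cn: control-like
        return False
    low = q.lower()
    return not any(s in low for s in BLOCKED_SUBSTRINGS)

def admit_searches(raw_queries):
    """Split a batch of raw search terms into (accepted normalized queries, rejected raw queries)."""
    accepted, rejected = [], []
    for raw in raw_queries:
        if is_admissible(raw):
            accepted.append(normalize_query(raw))
        else:
            rejected.append(raw)
    return accepted, rejected

# Constructed sample input: the Cyrillic string from the thread, a normal term, and four kinds of junk
SAMPLE_QUERIES = [
    "Аналоги пиратских windows-программ для офиса",
    "libreoffice",
    "../../../../etc/passwd",
    "%2e%2e%2f%252e%252e%2fetc/passwd",   # double-encoded traversal
    "[MarkB /?q=[MarkB /www.example.com/tool/",
    "pop\u0000peeper",                    # embedded NUL
]
```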
