Page 2 of 3

Re: <Weird unicode characters thread issue>

Posted: Thu Mar 02, 2017 8:03 pm
by Andrew Lee
Just checked and there are a lot of search queries as follows:

[markb /www.esumsoft.com/products/pop-peeper/ve ... tory/?p=94
[markb /www.esumsoft.com/products/pop-peeper/ve ... x.php?sc=9
etc.


Currently there are 8000+ rows of such search queries, out of a total of 9000+ entries.

I'm not sure what we can do about it. One obvious way is to delete all of them, maybe even filter the queries on "[markb", but it's actually trivial to be a d*ck and bomb the TPFC search box with all kinds of junk.

Am I missing something here? Is there a reason for this junk, and how can we stop it?

Re: <Weird unicode characters thread issue>

Posted: Thu Mar 02, 2017 8:36 pm
by Andrew Lee
Just checked the web server log. Here's an excerpt:

95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&so=p HTTP/1.0" 200 53292 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=10 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:44 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=25 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:45 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=50 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:46 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... ory/&s=100 HTTP/1.0" 200 53267 "-" "-"


It looks like an erroneous bot to me. First, there are no OS and agent identifiers, e.g.:

176.126.83.247 - - [02/Mar/2017:07:35:28 +0000] "GET /icons/icordJfrR.gif HTTP/1.1" 200 1752 "https://www.portablefreeware.com/index.php?id=1749" "Mozilla/5.0 (Linux; U; Android 5.0.1; en-US; GT-I9505 Build/LRX22C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/10.9.8.770 U3/0.8.0 Mobile Safari/534.30"

Second, it uses HTTP/1.0, which is odd if it's a real browser, or even a more sophisticated bot, e.g.:

68.180.229.49 - - [02/Mar/2017:07:35:15 +0000] "GET /changelog.php?id=805 HTTP/1.1" 200 5311 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"


Anyway it looks like the IP address is fixed i.e. "95.213.143.223". So I'm going to try filtering that out first and see how it goes. I'm also going to remove all "[markb" entries from the search queries db.

Russia Connections...;-)

Posted: Fri Mar 03, 2017 1:21 am
by __philippe
Andrew Lee wrote:Just checked the web server log...Anyway it looks like the IP address is fixed i.e. "95.213.143.223"...
The Spy Who Came in from the Cold ? ... :wink:


C:\mytools\Nirsoft>w 95.213.143.223
WHOIS Source: RIPE NCC
IP Address:   95.213.143.223
Country:      Russian Federation
Network Name: SELECTEL-NET
Owner Name:   Selectel SPb
CIDR:         95.213.143.0/24
From IP:      95.213.143.0
To IP:        95.213.143.255
Allocated:    Yes
Contact Name: Cyrill Malevanov
Address:      Selectel Ltd, Cvetochnaya st. 21, 190000, Saint-Petersburg, Russia
Email:        malevanov@selectel.ru
Abuse Email:
Phone:        +78126778036
Fax:          +78126778036


C:\mytools\Nirsoft>whoiscl selectel.ru

WHOIS Server: whois.tcinet.ru

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        SELECTEL.RU
nserver:       ns1.selectel.org.
nserver:       ns2.selectel.org.
nserver:       ns3.selectel.org.
nserver:       ns4.selectel.org.
state:         REGISTERED, DELEGATED, VERIFIED
org:           Limited Liability Company "Selectel"
registrar:     REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2008-04-10T20:00:00Z
paid-till:     2017-04-10T21:00:00Z
free-date:     2017-05-12
source:        TCI

Last updated on 2017-03-03T08:11:31Z

Re: Russia Connections...;-)

Posted: Fri Mar 03, 2017 2:44 am
by SYSTEM
__philippe wrote:
Andrew Lee wrote:Just checked the web server log...Anyway it looks like the IP address is fixed i.e. "95.213.143.223"...
The Spy Who Came in from the Cold ? ... :wink:
Note that Selectel is a hosting provider: https://en.wikipedia.org/wiki/Selectel

We merely know that the author of that bot is a Selectel customer. (Also, chances are that it's merely a buggy bot rather than an attempt to inject rogue top searches.)

Suspicious entries in Popular Searches box

Posted: Wed Mar 22, 2017 2:03 am
by __philippe
Popular Searches:
Someone's poking around our.../etc/passwd/ :?:

/../../../../etc/passwd../../../../../etc/passwd../../../../etc/passwdlibreoffice../../../../../etc/passwd../../../../../../../etc/passwd.

Re: Suspicious entries in Popular Searches box

Posted: Wed Mar 22, 2017 3:02 am
by Andrew Lee
__philippe wrote:Popular Searches:
Someone's poking around our.../etc/passwd/ :?:

/../../../../etc/passwd../../../../../etc/passwd../../../../etc/passwdlibreoffice../../../../../etc/passwd../../../../../../../etc/passwd.
I got your email on this as well. Some bot probing for security vulnerability? This is crazy? Should I filter them out? :o
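The "/etc/passwd" strings above are directory-traversal probes that happened to land in the search box, and the earlier "[markb" junk is the same problem from the other direction: anything typed into the search form ends up in the "Popular Searches" table unless it is screened first. The filter below is an added example, not TPFC's own code, showing one way to screen a search term before it is stored. The reject patterns come from what was posted in this thread; the length limit, the bounded percent-decoding (attackers double-encode `..` as `%252e%252e`), and the treatment of control characters are assumptions.

```python
"""Screen search terms before they are stored for the "Popular Searches" box.

Added illustration for the thread above; not the TPFC site's own code.
The reject patterns come from the thread; MAX_LEN and the normalisation
steps are assumptions.
"""
import re
import unicodedata
from urllib.parse import unquote

MAX_LEN = 100  # assumption: nobody searches for software with a 100+ char term

# Control characters other than tab/newline (those are collapsed later).
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Patterns that disqualify a term from being shown as a "popular search".
REJECT = [
    re.compile(r"(^|[\\/])\.\.([\\/]|$)"),       # ../ or ..\ path segment
    re.compile(r"/etc/(passwd|shadow|hosts)"),    # classic file-read probe targets
    re.compile(r"^\[markb", re.IGNORECASE),       # the bot prefix seen in the thread
]


def decode(term, rounds=3):
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded %252e%252e%2f is seen as ../ rather than slipping through."""
    for _ in range(rounds):
        decoded = unquote(term)
        if decoded == term:
            break
        term = decoded
    return term


def check(raw):
    """Return (accepted, reason, cleaned_term) for one submitted search string."""
    term = decode(raw)
    if CONTROL.search(term):
        return False, "control character", term
    # NFC so visually identical Unicode spellings count as one term;
    # collapse runs of whitespace so "pop  peeper" and "pop peeper" merge.
    term = " ".join(unicodedata.normalize("NFC", term).split())
    if not term:
        return False, "empty", term
    if len(term) > MAX_LEN:
        return False, "too long", term
    for pat in REJECT:
        if pat.search(term):
            return False, f"matches {pat.pattern!r}", term
    return True, "ok", term


def filter_terms(terms):
    """Keep only the cleaned terms that pass check(); this is what would be
    written to the popular-searches table."""
    return [check(t)[2] for t in terms if check(t)[0]]


# Constructed sample input: two legitimate terms (one of them the Cyrillic
# query that later turned out to be genuine), the traversal probe from the
# thread, a double-encoded variant of it, the bot prefix, and a NUL byte.
SAMPLES = [
    "libreoffice",
    "Аналоги пиратских windows-программ для офиса",
    "/../../../../etc/passwd../../../../../etc/passwd",
    "%252e%252e%2f%252e%252e%2fetc%2fpasswd",
    "[MarkB /www.example.invalid/products/",
    "foo%00bar",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, why, cleaned = check(s)
        print(f"{'KEEP' if ok else 'DROP':4}  {why:40}  {cleaned!r}")
```

Run the check at write time (when the term is inserted into the search table) rather than only at display time, so the junk never accumulates; the existing 8000+ rows still need a one-off sweep with the same function.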

Re: <Weird unicode characters thread issue>

Posted: Wed Mar 22, 2017 3:09 am
by __philippe
@Andrew

Might not be a bad idea to filter out the nosy bugger, if you'll pardon my french... :roll:

Re: <Weird unicode characters thread issue>

Posted: Wed Mar 22, 2017 7:59 pm
by Andrew Lee
__philippe wrote:@Andrew

Might not be a bad idea to filter out the nosy bugger, if you'll pardon my french... :roll:
Done! I hope the bots have left and will continue to leave us alone...

Suspicious entries in Popular Searches box

Posted: Thu Mar 23, 2017 4:02 am
by __philippe
In connection to the recent security concern,
cheers to Andrew who also shrewdly tightened pertinent SSL configuration parameters on the TPFC server.

I'm glad to report that TPFC now rates an A+ overall score on SSLlabs security checker.
(Pre-tightening, the score was a less than ideal C)

For anyone interested, SSLlabs is a well-regarded (my word) Web security checking service
which performs free "deep analysis of the configuration of any SSL web server on the public Internet" (their word)

TPFC current score:
[image: SSL Labs report screenshot]

Re: <Weird unicode characters thread issue>

Posted: Thu Mar 23, 2017 5:24 pm
by Andrew Lee
For the technically inclined, here's the guide I followed:

https://scaron.info/blog/improve-your-n ... ation.html

I don't pretend to understand everything that's in there, but I can follow step-by-step instructions. :D
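For readers who want to see what "tightening the SSL configuration" means in practice, here is an added example of the kind of change that moves a server from a C to an A+ on SSL Labs. It is not the TPFC server's configuration and not the contents of the linked guide; it assumes an nginx front end (the page does not say which web server TPFC runs), and every path, hostname and resolver address is a placeholder.

```nginx
# Added illustration only: not the TPFC server's configuration and not the
# contents of the linked guide. Assumes nginx; paths and names are placeholders.

# --- Before: the sort of legacy settings that cost a server its grade ---
# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 and old TLS still on
# ssl_ciphers HIGH:!aNULL:!MD5;                # allows RC4/3DES and non-PFS suites
# ssl_prefer_server_ciphers off;               # client picks, so weak suites win
# (no HSTS header, no OCSP stapling, default DH parameters)

# --- After ---
server {
    listen 443 ssl;
    server_name www.example.invalid;

    ssl_certificate     /etc/nginx/certs/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;    # placeholder path

    # TLS 1.2 only; TLSv1.3 can be added on nginx 1.13+ built against OpenSSL 1.1.1.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only (ECDHE + AES-GCM or ChaCha20-Poly1305).
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    # Generate once with: openssl dhparam -out /etc/nginx/certs/dhparam.pem 2048
    ssl_dhparam /etc/nginx/certs/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;   # ticket keys are not rotated by default; off keeps PFS honest

    # OCSP stapling so clients need not contact the CA themselves.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/chain.pem;  # placeholder path
    resolver 192.0.2.53 valid=300s;                       # placeholder resolver

    # HSTS with a long max-age is what lifts an A to an A+ on SSL Labs.
    # Enable it only once every page and subdomain is reachable over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

# Send plain-HTTP visitors to HTTPS so the HSTS header is ever seen.
server {
    listen 80;
    server_name www.example.invalid;
    return 301 https://$host$request_uri;
}
```

Test with `nginx -t` before reloading, and re-run the SSL Labs scan afterwards; the cipher list above drops anything older than a 2013-era browser, which is the trade-off an A+ implies.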

Popular Searches box suspicious entries

Posted: Tue Oct 31, 2017 2:29 am
by __philippe
Curious Cyrillic characters string currently winding its way into the "popular search" box :

"Аналоги пиратских windows-программ для офиса"

Re: Popular Searches box suspicious entries

Posted: Tue Oct 31, 2017 2:35 am
by SYSTEM
__philippe wrote:Curious Cyrillic characters string currently winding its way into the "popular search" box :

"Аналоги пиратских windows-программ для офиса"
According to Google Translate, it's Russian and means "Analogues of pirated windows-programs for the office"

Popular Searches box suspicious entries

Posted: Tue Oct 31, 2017 2:58 am
by __philippe
@SYSTEM
Thanks for the translation.

Still puzzling over why phpBB should flag this oddly 'unorthodox' Cyrillic character string as an (improbable) "Popular Search" ? :roll:

Re: Popular Searches box suspicious entries

Posted: Tue Oct 31, 2017 6:22 pm
by webfork
SYSTEM wrote:...means "Analogues of pirated windows-programs for the office"
I'll admit I was curious.
__philippe wrote:Curious Cyrillic characters string currently winding its way into the "popular search" box
Thanks, will pass that along.

Re: <Weird unicode characters thread issue>

Posted: Tue Oct 31, 2017 7:39 pm
by Andrew Lee
I just checked the web logs, and they are legit searches. Some characteristics I have discerned:

1) They are mostly from different IP addresses with no discernible pattern.

2) They have different web browser IDs, from AppleWebKit to Firefox Gecko.

3) They are mostly not clustered in time.

I'm not sure what we can do about them. Suggestions?
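The two log investigations in this thread rely on the same signals read from the web-server access log: the "[MarkB" traffic came from one IP, with no referer and no user agent, over HTTP/1.0, one request per second, while the Cyrillic searches came from different IPs and different browsers, spread out in time. The script below is an added example, not code from the TPFC site, that turns those observations into a per-query profile. The log lines it parses are constructed to mimic the excerpts posted above (documentation IP ranges and an `.invalid` domain stand in for the real ones), and the thresholds in `classify()` are assumptions, not site policy.

```python
"""Profile search-box traffic from combined-format access logs.

Added illustration for the thread above; not code from the TPFC site.
Sample log lines are constructed (documentation IPs, .invalid domains) and
mimic the excerpts Andrew posted. Thresholds in classify() are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, quote_plus, urlsplit

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def log_line(ip, ts, target, proto="HTTP/1.1", referer="-", ua="-"):
    """Build one constructed combined-format line (status and size are filler)."""
    return f'{ip} - - [{ts}] "GET {target} {proto}" 200 53244 "{referer}" "{ua}"'


# The "[MarkB" junk: one IP, HTTP/1.0, no referer, no user agent, one hit a second.
BOT_Q = "[MarkB /www.example.invalid/products/history/"
BOT_LINES = [
    log_line("95.213.143.223", f"02/Mar/2017:12:00:{43 + i:02d} +0000",
             f"/index.php?q=[MarkB+/www.example.invalid/products/history/&s={s}",
             proto="HTTP/1.0")
    for i, s in enumerate((10, 25, 50, 100))
]

# The Cyrillic query: different IPs, different browsers, spread over days.
CYR_Q = "Аналоги пиратских windows-программ для офиса"
CYR_TARGET = "/index.php?q=" + quote_plus(CYR_Q)
CYR_LINES = [
    log_line("192.0.2.17", "28/Oct/2017:09:14:02 +0000", CYR_TARGET,
             referer="https://www.example.invalid/",
             ua="Mozilla/5.0 (Windows NT 10.0; rv:56.0) Gecko/20100101 Firefox/56.0"),
    log_line("198.51.100.4", "29/Oct/2017:21:40:55 +0000", CYR_TARGET,
             ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                "Chrome/61.0.3163.100 Safari/537.36"),
    log_line("203.0.113.90", "30/Oct/2017:16:03:11 +0000", CYR_TARGET,
             ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 "
                "(KHTML, like Gecko) Version/10.1.2 Safari/603.3.8"),
]
SAMPLE_LOG = BOT_LINES + CYR_LINES


def parse_line(line):
    """Return the parsed fields plus the decoded search term, or None if the
    line is not a search request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    if parts.path != "/index.php":
        return None
    q = parse_qs(parts.query).get("q", [""])[0].strip()
    if not q:
        return None
    rec["q"] = q
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def profile_searches(lines):
    """Group hits by search term and collect the signals discussed in the
    thread: distinct IPs, distinct user agents, missing UA, HTTP/1.0, time span."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec["q"]].append(rec)
    profiles = {}
    for q, hits in groups.items():
        times = sorted(h["time"] for h in hits)
        profiles[q] = {
            "hits": len(hits),
            "ips": len({h["ip"] for h in hits}),
            "uas": len({h["ua"] for h in hits if h["ua"] != "-"}),
            "no_ua": sum(h["ua"] == "-" for h in hits),
            "http10": sum(h["proto"] == "HTTP/1.0" for h in hits),
            "span_s": (times[-1] - times[0]).total_seconds(),
        }
    return profiles


def classify(p):
    """Heuristic verdict for one query profile. Thresholds are assumptions."""
    burst = p["hits"] >= 3 and p["span_s"] <= 60          # all hits within a minute
    headless = p["no_ua"] == p["hits"] or p["http10"] == p["hits"]
    if p["ips"] == 1 and headless and burst:
        return "bot"
    if p["ips"] >= 3 and p["uas"] >= 2 and p["no_ua"] == 0 and not burst:
        return "legit"
    return "unclear"


def verdicts(lines):
    return {q: classify(p) for q, p in profile_searches(lines).items()}


if __name__ == "__main__":
    for q, p in profile_searches(SAMPLE_LOG).items():
        print(f"{classify(p):8} ips={p['ips']} uas={p['uas']} no_ua={p['no_ua']} "
              f"http10={p['http10']} span={p['span_s']:.0f}s  {q!r}")
```

Feeding the real access log through `profile_searches()` gives, per query, the same numbers Andrew read off by hand; a query that is "legit" by these signals is simply popular, and the only remaining question is whether the site wants to display it, which is an editorial decision rather than a security one.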