<Weird unicode characters thread issue>

All suggestions about TPFC should be posted here. Discussions about changes to TPFC will also be carried out here.
Andrew Lee
Posts: 3052
Joined: Sat Feb 04, 2006 9:19 am

Re: <Weird unicode characters thread issue>

#16 Post by Andrew Lee »

Just checked and there are a lot of search queries as follows:

[markb /www.esumsoft.com/products/pop-peeper/ve ... tory/?p=94
[markb /www.esumsoft.com/products/pop-peeper/ve ... x.php?sc=9
etc.


Currently there are 8000+ rows of such search queries, out of a total of 9000+ entries.

I'm not sure what we can do about it. One obvious way is to delete all of them, maybe even filter the queries on "[markb", but it's actually trivial to be a d*ck and bomb the TPFC search box with all kinds of junk.

Am I missing something here? Is there a reason for this junk, and how can we stop it?

Andrew Lee
Posts: 3052
Joined: Sat Feb 04, 2006 9:19 am

Re: <Weird unicode characters thread issue>

#17 Post by Andrew Lee »

Just checked the web server log. Here's an excerpt:

95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&so=p HTTP/1.0" 200 53292 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=10 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:44 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=25 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:45 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... tory/&s=50 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:46 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.esumsoft.com/products/pop-peeper/ve ... ory/&s=100 HTTP/1.0" 200 53267 "-" "-"


It looks like an erroneous bot to me. First, there are no OS and agent identifiers, e.g.

176.126.83.247 - - [02/Mar/2017:07:35:28 +0000] "GET /icons/icordJfrR.gif HTTP/1.1" 200 1752 "https://www.portablefreeware.com/index.php?id=1749" "Mozilla/5.0 (Linux; U; Android 5.0.1; en-US; GT-I9505 Build/LRX22C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/10.9.8.770 U3/0.8.0 Mobile Safari/534.30"

Second, it uses HTTP/1.0, which is odd if it's a real browser, or even a more sophisticated bot, e.g.

68.180.229.49 - - [02/Mar/2017:07:35:15 +0000] "GET /changelog.php?id=805 HTTP/1.1" 200 5311 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"


Anyway it looks like the IP address is fixed i.e. "95.213.143.223". So I'm going to try filtering that out first and see how it goes. I'm also going to remove all "[markb" entries from the search queries db.
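The three signals Andrew reads off the log by eye (no User-Agent, HTTP/1.0, and a run of search requests from one address within a couple of seconds) can be checked mechanically over the whole access log. The script below is an added example, not code from the thread or from the TPFC server; it parses Apache/nginx combined-format lines and flags a client only when at least two signals coincide, so a lone HTTP/1.0 request or a crawler with a proper User-Agent (like the Yahoo Slurp line above) is not reported. The sample lines are constructed, modelled on the excerpt, with the search URL shortened to a placeholder host; the 5-second window and the threshold of 3 searches are assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the thread's excerpt (combined log format).
# The search URL is shortened to a placeholder host; IPs are the ones quoted in the thread.
SAMPLE_LOG = """\
95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.example.invalid/&so=p HTTP/1.0" 200 53292 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:43 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.example.invalid/&s=10 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:44 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.example.invalid/&s=25 HTTP/1.0" 200 53244 "-" "-"
95.213.143.223 - - [02/Mar/2017:12:00:45 +0000] "GET /index.php?q=[MarkB+/?q=[MarkB+/www.example.invalid/&s=50 HTTP/1.0" 200 53244 "-" "-"
176.126.83.247 - - [02/Mar/2017:07:35:28 +0000] "GET /icons/icordJfrR.gif HTTP/1.1" 200 1752 "https://www.portablefreeware.com/index.php?id=1749" "Mozilla/5.0 (Linux; U; Android 5.0.1) AppleWebKit/534.30 Mobile Safari/534.30"
68.180.229.49 - - [02/Mar/2017:07:35:15 +0000] "GET /changelog.php?id=805 HTTP/1.1" 200 5311 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_clients(log_text):
    """Aggregate per-IP signals: request count, empty UA count, HTTP/1.0 count, search timestamps."""
    stats = defaultdict(lambda: {"requests": 0, "no_ua": 0, "http10": 0, "search_ts": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["ua"] in ("", "-"):
            s["no_ua"] += 1
        if rec["proto"] == "HTTP/1.0":
            s["http10"] += 1
        if rec["path"].startswith("/index.php?q="):
            s["search_ts"].append(rec["ts"])
    return dict(stats)


def max_burst(timestamps, window_seconds=5):
    """Largest number of events that fall inside any window of window_seconds (assumed value)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_suspicious(log_text, burst_threshold=3):
    """Return {ip: [reasons]} for clients showing at least two of the signals from the thread."""
    flagged = {}
    for ip, s in profile_clients(log_text).items():
        reasons = []
        if s["no_ua"] == s["requests"]:
            reasons.append("no-user-agent")
        if s["http10"] == s["requests"]:
            reasons.append("http/1.0-only")
        if max_burst(s["search_ts"]) >= burst_threshold:
            reasons.append("search-burst")
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_suspicious(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Requiring two coinciding signals is the important design choice: each one alone is common in benign traffic (old proxies still speak HTTP/1.0, and some monitoring tools send no User-Agent), so a single-signal rule would block real visitors. Run against the live log, the output is a short list of addresses to review before adding any firewall or web-server deny rule, which is what Andrew did by hand for 95.213.143.223.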

__philippe
Posts: 687
Joined: Wed Jun 26, 2013 2:09 am

Russia Connections...;-)

#18 Post by __philippe »

Andrew Lee wrote: Just checked the web server log...Anyway it looks like the IP address is fixed i.e. "95.213.143.223"...
The Spy Who Came in from the Cold ? ... :wink:


C:\mytools\Nirsoft>w 95.213.143.223
WHOIS Source: RIPE NCC
IP Address:   95.213.143.223
Country:      Russian Federation
Network Name: SELECTEL-NET
Owner Name:   Selectel SPb
CIDR:         95.213.143.0/24
From IP:      95.213.143.0
To IP:        95.213.143.255
Allocated:    Yes
Contact Name: Cyrill Malevanov
Address:      Selectel Ltd, Cvetochnaya st. 21, 190000, Saint-Petersburg, Russia
Email:        malevanov@selectel.ru
Abuse Email:
Phone:        +78126778036
Fax:          +78126778036


C:\mytools\Nirsoft>whoiscl selectel.ru

WHOIS Server: whois.tcinet.ru

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        SELECTEL.RU
nserver:       ns1.selectel.org.
nserver:       ns2.selectel.org.
nserver:       ns3.selectel.org.
nserver:       ns4.selectel.org.
state:         REGISTERED, DELEGATED, VERIFIED
org:           Limited Liability Company "Selectel"
registrar:     REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2008-04-10T20:00:00Z
paid-till:     2017-04-10T21:00:00Z
free-date:     2017-05-12
source:        TCI

Last updated on 2017-03-03T08:11:31Z

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Russia Connections...;-)

#19 Post by SYSTEM »

__philippe wrote:
Andrew Lee wrote: Just checked the web server log...Anyway it looks like the IP address is fixed i.e. "95.213.143.223"...
The Spy Who Came in from the Cold ? ... :wink:
Note that Selectel is a hosting provider: https://en.wikipedia.org/wiki/Selectel

We merely know that the author of that bot is a Selectel customer. (Also, chances are that it's merely a buggy bot rather than an attempt to inject rogue top searches.)

__philippe
Posts: 687
Joined: Wed Jun 26, 2013 2:09 am

Suspicious entries in Popular Searches box

#20 Post by __philippe »

Popular Searches:
Someone's poking around our.../etc/passwd/ :?:

/../../../../etc/passwd../../../../../etc/passwd../../../../etc/passwdlibreoffice../../../../../etc/passwd../../../../../../../etc/passwd.

Andrew Lee
Posts: 3052
Joined: Sat Feb 04, 2006 9:19 am

Re: Suspicious entries in Popular Searches box

#21 Post by Andrew Lee »

__philippe wrote: Popular Searches:
Someone's poking around our.../etc/passwd/ :?:

/../../../../etc/passwd../../../../../etc/passwd../../../../etc/passwdlibreoffice../../../../../etc/passwd../../../../../../../etc/passwd.
I got your email on this as well. Some bot probing for security vulnerability? This is crazy? Should I filter them out? :o

__philippe
Posts: 687
Joined: Wed Jun 26, 2013 2:09 am

Re: <Weird unicode characters thread issue>

#22 Post by __philippe »

@Andrew

Might not be a bad idea to filter out the nosy bugger, if you'll pardon my french... :roll:

Andrew Lee
Posts: 3052
Joined: Sat Feb 04, 2006 9:19 am

Re: <Weird unicode characters thread issue>

#23 Post by Andrew Lee »

__philippe wrote: @Andrew

Might not be a bad idea to filter out the nosy bugger, if you'll pardon my french... :roll:
Done! I hope the bots have left and will continue to leave us alone...

__philippe
Posts: 687
Joined: Wed Jun 26, 2013 2:09 am

Suspicious entries in Popular Searches box

#24 Post by __philippe »

In connection to the recent security concern,
cheers to Andrew who also shrewdly tightened pertinent SSL configuration parameters on the TPFC server.

I'm glad to report that TPFC now rates an A+ overall score on SSLlabs security checker.
(Pre-tightening, the score was a less than ideal C)

For anyone interested, SSLlabs is a well-regarded (my word) Web security checking service
which performs free "deep analysis of the configuration of any SSL web server on the public Internet" (their word)

TPFC current score: (screenshot of the SSL Labs report; image not reproduced)

Andrew Lee
Posts: 3052
Joined: Sat Feb 04, 2006 9:19 am

Re: <Weird unicode characters thread issue>

#25 Post by Andrew Lee »

For the technically inclined, here's the guide I followed:

https://scaron.info/blog/improve-your-n ... ation.html

I don't pretend to understand everything that's in there, but I can follow step-by-step instructions. :D

__philippe
Posts: 687
Joined: Wed Jun 26, 2013 2:09 am

Popular Searches box suspicious entries

#26 Post by __philippe »

Curious Cyrillic characters string currently winding its way into the "popular search" box :

"Аналоги пиратских windows-программ для офиса"

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Popular Searches box suspicious entries

#27 Post by SYSTEM »

__philippe wrote: Curious Cyrillic characters string currently winding its way into the "popular search" box :

"Аналоги пиратских windows-программ для офиса"
According to Google Translate, it's Russian and means "Analogues of pirated windows-programs for the office"

__philippe
Posts: 687
Joined: Wed Jun 26, 2013 2:09 am

Popular Searches box suspicious entries

#28 Post by __philippe »

@SYSTEM
Thanks for the translation.

Still puzzling over why phpBB should flag this oddly 'unorthodox' Cyrillic character string as an (improbable) "Popular Search" ? :roll:

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: Popular Searches box suspicious entries

#29 Post by webfork »

SYSTEM wrote: ...means "Analogues of pirated windows-programs for the office"
I'll admit I was curious.
__philippe wrote: Curious Cyrillic characters string currently winding its way into the "popular search" box
Thanks, will pass that along.

Andrew Lee
Posts: 3052
Joined: Sat Feb 04, 2006 9:19 am

Re: <Weird unicode characters thread issue>

#30 Post by Andrew Lee »

I just checked the web logs, and they are legit searches. Some characteristics I have discerned:

1) They are mostly from different IP addresses with no discernible pattern.

2) They have different web browser IDs, from AppleWebKit to Firefox Gecko.

3) They are mostly not clustered in time.

I'm not sure what we can do about them. Suggestions?
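The thread raises two different kinds of "Popular Searches" pollution: junk that should never be tallied (the "[markb" bot from #16 and the /etc/passwd traversal probes from #20 and #21) and non-ASCII queries that turn out to be legitimate (the Cyrillic string from #26 to #30). The following is an added example, not code from TPFC or phpBB, of a gatekeeper that decides which search terms may count toward the popular-searches tally; it rejects traversal sequences, the "[markb" prefix, control characters and over-long strings, but deliberately accepts any script, so the Russian query still counts. The 80-character limit and the pattern list are assumptions, and the sample query list is constructed from strings quoted in the thread.

```python
import re
import unicodedata
from collections import Counter

# Patterns taken from the strings quoted in the thread; extend as new junk shows up.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd)", re.IGNORECASE)
JUNK_PREFIX_RE = re.compile(r"^\[markb", re.IGNORECASE)
MAX_LEN = 80  # assumed upper bound for a human-typed search term


def is_recordable(query):
    """Decide whether a search term may count toward the 'Popular Searches' box.

    The search itself still runs for the visitor; this only guards the tally.
    """
    q = unicodedata.normalize("NFC", query).strip()
    if not q or len(q) > MAX_LEN:
        return False
    # Reject control characters (Unicode category C*) but accept any letter script.
    if any(unicodedata.category(ch).startswith("C") for ch in q):
        return False
    if TRAVERSAL_RE.search(q) or JUNK_PREFIX_RE.search(q):
        return False
    return True


def popular_searches(queries, top_n=5):
    """Tally only recordable queries, case-folded so 'LibreOffice' and 'libreoffice' merge."""
    counts = Counter(q.casefold().strip() for q in queries if is_recordable(q))
    return counts.most_common(top_n)


# Constructed sample input using strings quoted in the thread.
SAMPLE_QUERIES = [
    "LibreOffice",
    "libreoffice",
    "[markb /www.esumsoft.com/products/pop-peeper/",
    "/../../../../etc/passwd../../../../../etc/passwd../../../../etc/passwdlibreoffice",
    "Аналоги пиратских windows-программ для офиса",
    "text editor\x00",
]

if __name__ == "__main__":
    for term, n in popular_searches(SAMPLE_QUERIES):
        print(n, term)
```

Keeping the check on the tally rather than on the search request avoids breaking the search for a visitor who pastes something odd, while still denying a bot the ability to write into a box that every visitor sees. Distinct IPs, varied browsers and no clustering in time, the three points Andrew lists, are exactly why a content rule like this one is a better fit here than the per-IP filtering that worked for the earlier bot.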
