rejetto forum



Messages - Rom_1983

1
👍 Thumbs up for such a patient and devoted programmer! The vHost plugin is an awesome feature.

2
Oh, whoops, that's really, really weird: I've relaunched HFS with the same shortcut, and now it remembers things (in the meantime, I've gone into the HFS folder to check for any config file, and I found "config.yaml" and saw my settings in it). I'm going to reboot to see if it's related to the short period of time after a reboot when the environment isn't fully loaded. I'll edit this post to give the answer.

Edit: yeah, it seems that placing a shortcut to HFS in my "Startup" folder leads to HFS running erratically and not launching properly. After two reboots, it produced access.log and error.log but HFS.exe is not found in the process list (last time, when I posted my previous message, it had launched but with amnesia). If I launch it manually with the aforementioned shortcut, it launches correctly.

Similar problems:
https://stackoverflow.com/questions/52561921/batch-file-not-working-correctly-at-startup
https://www.tenforums.com/tutorials/57690-create-elevated-shortcut-without-uac-prompt-windows-10-a.html

Edit: this is an issue related to the Windows operating system. Feel free to ignore it ;)

3
Let's move on to HFS ;)

I have a major problem: for a while now, when relaunching HFS v3, it ends up amnesic and all my settings are gone (shared folders, etc.).

I spent a few hours yesterday setting it up, and I'm desperate. Can you help me? I won't retry anything before there's a solution.

One thing that bothers me and may be related to that amnesia: to close HFS, there's no "close" button or feature. So I close the CLI (I even try CTRL+C in it sometimes, to cleanly close the program). Is that the way to close it? How does it save things? I always push the "SAVE" button in the admin panels.

Quote
I need to know the user acknowledged the content of the popup
Solution: add a button with "OK" text.

Quote
When you say "admin mode", are you referring to UAC?
No: I'm referring to right-click -> launch as administrator (or make a shortcut, go into its properties, Advanced, and check the box "always launch as admin").
Without that, it doesn't detect my network drives.
Btw, I have disabled UAC completely (it's a nightmare and I'm not the only one to think so).

4
Everything else / Re: Let things calm down
« on: April 30, 2022, 01:47:12 PM »
Quote
I'm not fluent in Python, but I had a quick look at it and didn't find anything harmful.
I think the simple routing aspect with no protection against injections, combined with the amount of attacks in a period of time, is enough to say that there's something malicious here, but indeed, the script in itself is as harmless as a door built in a wall with no lock.
If I had been the author of that Python script, as soon as I had seen the attacks (given that "this is worldwide botnets touching everybody") I would have implemented a URL filter system. ¯\_(ツ)_/¯

5
Everything else / Re: Let things calm down
« on: April 30, 2022, 01:28:12 PM »
Just a side note:

Quote
Losing trust is terrible. Even more terrible if it's all caused by outsider stalkers. Terrible for both persons. Yet more if plus region things.
Yeah. You're such a victim of "outsiders" from foreign countries, stalking* you (??) and using racism on you to the point that you feel horribly bad where you are.
I personally am French; Frenchies are hated around the world, and I don't play the crying puppy when giving out a script that opens the door to attacks in a short period of time and triggers an antivirus.
Good try, but not on me 👍

If you don't accept that people can lose trust in you, you should consider questioning your knowledge of programming. You may not be the godlike programmer you think you are... And don't make me out to be a blind offender: I've been patient during those stressful days of "trust", while quietly watching that escalation of error messages, sounds and antivirus alerts.

As I use HFS v3 and the vHost plugin, I don't care anymore about resolving that drama with what I consider to be a hacker in distress who got spotted by a 130+ IQ "noob" with good common sense.

Feel free to type a new, improved version of your script in the same short period of time (24h) with your magic fingers, to prove that you care about hacking attempts. Or dodge it like a pro 😎 (like you dodged my proposal to combine it with my own MS-DOS script and upload them to GitHub; I guess you're not interested in a REAL deep relationship around your "work", for a good reason...).

(*) That's a reversal, even a slip of the tongue, and that's often used by attackers.

6
Everything else / Re: Let things calm down
« on: April 30, 2022, 01:02:28 PM »
Quote
@naitlee, you are right and I feel bad for you because I know you were trying to help
And you don't feel bad that a Python script is shared on your forum with no interest at all in helping to counter those attacks?
Let's be clear: if those attacks are so benign, the BELL is just "stupid code" to play with my ears, etc., blah blah, why was my antivirus triggered and the name of a botnet mentioned?
At what moment should I react and say to myself "wooooh, this is going wild now"? When losing data? When losing login access?

Quote
The problem is that when the address of a target is known to a hacker, there is little chance that it will not be tested
I don't understand the logic here, but about me spreading my DUCKDNS address, I only did it AFTER the attacks appeared: https://rejetto.com/forum/index.php?topic=13535.msg1067415#msg1067415

Quote
From Rom_1983's point of view, nothing accuses you, but given the suspicion that you are under surveillance, it suggests that these attacks are indirectly linked to your Python scripts.
My point of view is: it is very unlikely that I would be subject to such an amount of hacking attempts just after a Python script was given to me, purely by coincidence, and that one of the origins of those attacks is the same as the author of the script. If those attacks on port 80 had been going on for years, I would have had a clue about it (an error message, a sound, the antivirus reacting, etc.). Sorry, but I don't buy the "if you open a web server on the internet, using ports with common numbers just makes it much worse/more frequent": I've used local HTTP serving with PHP before, and I've never, NEVER, experienced such an amount of attacks in any open CLI.

So, the CLI with Python listening on port 80 is just a door opened to what was running behind the scenes for years? Explain to me why the guy who gives me the script is coincidentally from the same country as the botnet detected and at the same time says that "CONNECT google.com:443" is nothing to his eyes, even after the antivirus reacted to the botnet. So, Python can't interpret the CONNECT method, just because his script (the "server") could "never be breached"?

How... many... elements... do... we... need... here? How?

A really good and professional person would say "oops, sorry, I'm a little bit reckless here, let me add strong protection to my script" instead of taking the person he's talking to for a total noob.
All he did was add a banning system based on HTTP headers! OK... and the URL typed? Can't we make the script not accept URLs like "/actuator/health", instead of watching it with half-closed eyes and patronizing the guy we gave the script to?

Quote
They are still false positives.
You have some nerve to dare say that after I sent you a PM with the antivirus screenshot that you never answered. You preferred to come here right after it and talk to admins/moderators, instead of conversing with me. I've always been polite with you, don't try to dodge like that.

If I were a forum admin, I would listen to my instinct and warn you not to share scripts, programs, or plugins anymore. But hey! That's racism!

Quote
Connect? Just another nonsense that tries to horrify you.
BOO! — Nod32

7
Quote
but I'll take some precautions to lessen unnecessary suffering.

By reacting like that, you're doing the exact opposite. Just IMAGINE that the botnet had gotten past my antivirus protection, and my PC was infected to the point that I could not talk here anymore. Just imagine the big "THANK YOU" echoing in my head, and how I would feel about your morals. Attacks are real, and botnets are real shit. You don't protect people by preventing them from showing the facts.

Politeness should never override common sense. I see that positive racism still reshapes the politically correct every day, even with all the precautions (I specifically said "don't take this as racism" and "this is not a definitive accusation"). I find it dangerous not to be allowed to say that a [put a nation here] botnet attacked me (and no, that's not "normal"), nor that a [put the same nation here] user, acting like a pro, tries to underestimate the constant threat of the attacks, or that the origins of both the user and the bot converge and that this is a sign. Especially if the attacks are made on one of my DYNDNS addresses and not the basic port 80, suggesting that this is not a random coincidence.

Moreover, I find it very worrying to see an admin keeping the same line as the aforementioned user, maybe based on a "de-escalation" psychological effect, and telling me that those error messages are "normal" and "benign". Sorry, but constant injections are dangerous, Python in an HTTP-serving context is dangerous, Windows error SOUNDS are not a good sign, and the antivirus being triggered and now alerting about botnet activity on my computer is definitely a new step indicating that all the previous ones have paid off.

Don't assume that just because a forum user "has a nice avatar", "acts nicely", and "has a lot of messages", he could never be a foreign hacker hooked on a technology and whose main interest is to wait and see victims coming into his "generous" hands. Scams, since the beginning of humanity, have always proceeded on the basis of empathy. And if you add geopolitical knowledge to that (a country that I won't name, given that violence has such power that we are muted by hypocrisy), well, you have an idea of what CAN be (not what necessarily IS). If we can't talk and share our clues anymore, that's more dangerous than ever. Paranoia has nothing to do with it (botnet + antivirus triggered).

If error messages + sounds + antivirus reaction + general escalation of alerts were normal, I think simply launching servers like CADDY or HFS would lead to such common patterns. However, I never experienced such things before. Finally, I consider that if the author of a script doesn't react normally and doesn't keep adding security (I asked him to add URL filters, as I suggested you implement in HFS v3), I find this very suspicious.

About HFS v3 and VHOST

The vHost works like a charm. It's set on port 80 by default, so it's perfect for my use because I don't want additional ports used in URLs.

Suggestions

- We cannot move entries (up, down) with the mouse. It would have been cool, to sort things. For now, if we're not satisfied after a moment with what we have done, we have to delete the entries and recreate them.

- There's no EXE staying in the systray, like in v2. Now we launch a CLI, and that populates our taskbar, and I don't want that. I'm sure there's a workaround with software that minimizes any window to the systray, but the ideal would be a native solution.

- Popups hovering when we've finished an action don't disappear by themselves. We have to click in the void around them, and that may disturb people not used to it.

- Network drives aren't detected if we don't launch HFS v3 in admin mode. That's normal with most software, and I've known this for a long time ^^, but I suggest putting a line in the UI to inform users.

_______________

Now I want to say congratulations for this new version of HFS. The UI is amazing, and there are many options. That's a damn good HTTP solution. The upgrade since v2 is stunning. Keep up the good work!

8
About @Naitlee's Python script

- I've had a long discussion with him, because I've been the target of remote hacking attempts every day since I started using the script a few days ago. Attacks by injection like: "192.241.214.230 - - [25/Apr/2022 12:02:33] "GET /actuator/health HTTP/1.1" 404 -" or "205.210.31.151 - - [29/Apr/2022 14:33:41] code 400, message Bad request version ('À(À$À\x14À')
↨♣>3¢Æ'M←·1♥¸♥»ù~ Úr–£:ë„>♠  h̶Ì‼À/À+À0À,À◄ÀÀ'À#À‼À    À(À$À¶À" 400 -"

- I don't know if these are worldwide bots or a solo hacker, and I don't know if the requests are made using my IP with the standard port 80, or my DYNDNS addresses.
- Naitlee helped improve the script, but it still isn't enough because I'm constantly hearing Windows 10 ERROR sounds (several times per day), and those attackers even managed to trigger my antivirus by trying to use an EK-Mozi threat and 127.0.0.1:8000 hacks. See:


- They also try to make my PC connect to remote servers, like "CONNECT google.com:443 HTTP/1.1" 501"

I want to say that to my eyes, the script isn't safe WHATEVER Naitlee says. He seems too confident and overestimates his capabilities to understand that Python is a dynamic language with a potential impact on the filesystem and operating system, like PHP or any other dynamic language, which is very suspicious to me. Telling me that "Python is compiled and can't be modified at runtime" and that "I don't understand that all the attacks are benign and Python is bullet-proof" is, to me, the last thing that made me decide to write this comment. Python is used for many things including writing files, connecting to websites, etc., so any injection and abuse can make a language unstable and liable to being diverted. I'm not a Python user, but it seems very unrealistic to say that the core language could never be reached by any breach opened from the original script, and that all methods of the language aren't accessible just because of "the compilation process".

(...part removed by rejetto...)

I consider that the escalation of attempts, especially the EK-Mozi threat, gives me the right to draw such a temporary conclusion.
Consequently, I prefer to wait for an official solution by rejetto for now.

Official HFS solution

Speaking of which:

what if I told you I just finished a 15-line plugin that gives you this.

...HFS 3 of course

@rejetto: very happy to see that you finally did it!
The script developed by Naitlee routes incoming requests by specifying the IP and port we want. And I'm not sure your plugin allows such precision.
Moreover, I'm not sure that your plugin allows using several "hosts"; you only give a single example.
But I'll try HFS 3 ASAP to be sure. THANKS A LOT <3!

About security

I'm asking right now, due to my experience with the routing of Naitlee's script, for some future improvement(s) that seem to me necessary to avoid bad surprises:

- A way to whitelist URLs incoming to HFS. If a remote user tries to reach a URL that doesn't correspond to any URL's parent node, then he'll be blocked.
- Adding all the URLs of all the nodes corresponding to the tree of folders in HFS being tedious, of course the feature must be friendly and allow accepting any sub-URL typed (e.g. by using a metacharacter like /stuffs/thing/*).

If you feel I'm not very accurate in my suggestion, please understand that I'm not an advanced programmer. I just use my basics to communicate here to help improve things intelligently (such as by "trapping" any malicious user when he types unexpected URLs, without necessarily being exhaustive and bullet-proof; but we'd rather do something simple for now than do nothing, and we can count on hackers being stupid by trying to type injections right at the root of the URLs we publicly share).
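The allow-list with a trailing "/*" wildcard asked for in the post above, written out as an added example. This is neither HFS code nor the vHost plugin nor the thread's middle.py script; the rule syntax, the helper names and the sample paths are assumptions for illustration. The part worth copying is the normalization step: a prefix check that runs on the raw request target is bypassed by "..", by percent-encoded dots, by backslashes on a Windows host, and by the classic "/docs" vs "/docs-private" prefix confusion, so every path is canonicalized before it is compared.

```python
"""URL allow-list with a "/stuffs/thing/*" style wildcard.
Added example, not code from the forum thread, HFS or middle.py."""
from posixpath import normpath
from urllib.parse import unquote


def normalize_path(raw: str) -> str:
    """Reduce a request target to one canonical absolute path before matching.

    Query string and fragment are dropped, percent-encoding is decoded up to
    twice (so "%252e%252e" cannot hide a ".."), backslashes count as slashes
    (HFS runs on Windows in the thread), leading "//" is collapsed, and "." /
    ".." segments are resolved.  posixpath.normpath never climbs above "/",
    so "/a/../../etc" becomes "/etc".
    """
    path = raw.split("#", 1)[0].split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = "/" + path.replace("\\", "/").lstrip("/")
    norm = normpath(path)
    if path.endswith("/") and norm != "/":
        norm += "/"                      # keep the directory form distinct from the file form
    return norm


def compile_rules(rules):
    """Split rules into exact paths and directory prefixes.

    "/docs/*" allows "/docs", "/docs/" and everything below it; "/index.html"
    allows only that path.  Prefixes always end in "/" so that "/docs/*" does
    not also allow "/docs-private".
    """
    exact, prefixes = set(), []
    for rule in rules:
        if rule.endswith("/*"):
            base = normalize_path(rule[:-1])        # "/docs/*" -> "/docs/"
            prefixes.append(base)
            exact.add(base.rstrip("/") or "/")      # the directory itself, without the slash
        else:
            exact.add(normalize_path(rule))
    return frozenset(exact), tuple(prefixes)


def is_allowed(raw_target: str, compiled) -> bool:
    """True if the normalized path is on the allow-list; control bytes never are."""
    exact, prefixes = compiled
    path = normalize_path(raw_target)
    if any(ord(c) < 0x20 or c == "\x7f" for c in path):
        return False
    return path in exact or any(path.startswith(p) for p in prefixes)


def filter_targets(targets, rules):
    """Return (allowed, denied) lists for a batch of request targets."""
    compiled = compile_rules(rules)
    allowed = [t for t in targets if is_allowed(t, compiled)]
    denied = [t for t in targets if not is_allowed(t, compiled)]
    return allowed, denied


if __name__ == "__main__":
    # Constructed sample: two legitimate areas plus probes of the kind quoted
    # in the thread.  The rule names are made up for the example.
    RULES = ["/", "/index.html", "/stuffs/thing/*"]
    SAMPLE = [
        "/", "/index.html?lang=fr", "/stuffs/thing/", "/stuffs/thing/a/b.txt",
        "/stuffs/thingy/", "/actuator/health", "/stuffs/thing/../../etc/passwd",
        "/stuffs/thing/%2e%2e/%2e%2e/.env", "/stuffs/thing/%00.txt", "//evil.example/x",
    ]
    ok, bad = filter_targets(SAMPLE, RULES)
    print("allowed:", ok)
    print("denied: ", bad)
```

Rejecting unknown paths this way only stops the noisy scanners; it is not a substitute for keeping the server itself patched, and the deny decision should be logged with the client address so repeat offenders can be fed to a firewall rule.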

9
@naitlee: I sent you a PM regarding a new security problem. Did you receive it?

10
FINALLY! It works! :D Indeed, it was the "/" missing at the beginning.
Congrats for the banning system, it will help to secure things. I'm actually working on an MS-DOS batch to facilitate adding IPs to a desired rule of the Windows firewall dedicated to blocking them.
I'm also working on a batch to automate the use of your Python script, with an INI file and the possibility of setting several HFS servers and/or hosts+routes.

I'll keep in touch.


11
Quote
One thing to clarify: I wrote the Python script entirely in good faith, with nothing malicious. I'll never fault anyone.
I want to believe you; I'm thinking it's a random coincidence. :) I have banned the IPs through my Windows firewall.

Quote
The -b is for the middleware to "bind" a network address (e.g. "-b 127.0.0.1" for only listening to localhost)
OK, but how could our computer "listen to" another computer's requests as if the script were running on it? That seems impossible to me. That's why I find this option strange.
AH YES! I know: maybe to bind to another NIC on the same computer? That would be useful.

Quote
My thought is different, because what a domain name "hosts" (virtually) which "directory" is totally up to you.
That doesn't answer my question (or I don't understand). Anyway, I can't test it and observe the redirection, because your script doesn't work and I get ERRORS as I said.
My HFS is set to port 8000, I've opened that port on my router (NAT) bound to my PC's LAN IP, and I've set "sandwichtv.duckdns.org=sites_publics/sandwichTV" to work with your script (with 127.0.0.1 and ports 80 / 8000). I have Python v3.9 installed.
I type "http://sandwichtv.duckdns.org" in my browser and this gives me the ERRORS.

Code:
@echo off
rem Start middle.py in its own console: listen on port 80 and forward to the
rem HFS instance at 127.0.0.1:8000, mapping one DuckDNS host to one HFS folder
start cmd /k py middle.py -p 80 -d 127.0.0.1 -q 8000 -v sandwichtv.duckdns.org,sites_publics/sandwichTV
exit /b

12
Quote
I'm taking note and will try soon. That would be cool.
Woohooooo ;D

@NaitLee: I don't succeed in using your command line. I get these error messages in my CMD:

Code:
192.168.1.1 - - [22/Apr/2022 18:58:39] "GET / HTTP/1.1" 400 -
192.168.1.1 - - [22/Apr/2022 18:58:48] "GET / HTTP/1.1" 400 -
162.221.192.90 - - [22/Apr/2022 19:00:52] "GET / HTTP/1.1" 200 -
192.168.1.1 - - [22/Apr/2022 19:02:42] "GET / HTTP/1.1" 400 -

The strange IP address at 19:00:52 corresponds to this in HFS (the only entry appearing in it):
Code:
19:00:52 192.168.1.1:55200 Requested GET /
192.168.1.1 is my box/router.

EDIT:
162.221.192.90 is an IP from Dallas, Texas, attributed to Zenlayer: https://www.lookip.net/ip/162.221.192.90
Port 55200 has been known to be used by XSAN: https://www.adminsub.net/tcp-udp-port-finder/55200 , https://en.wikipedia.org/wiki/Xsan
This is not duckdns, which is located in Canada: https://www.ip-lookup.org/location/duckdns.org
Many abuse reports from this IP: https://www.abuseipdb.com/check/162.221.192.90

WTF?

Edit (02:24 AM):

I'm still being attacked, with PHP injections now (see attachment). I find it suspicious that the day someone gives me a Python script, someone attempts to hack me. 🚨
I have several enemies due to my Twitch channel, and I've been wary since I announced the creation of my website two weeks ago, but anyway, I find this surprising.
@rejetto: can you check the script please?
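Detection logic over log lines in the format Python's http.server writes, as quoted in this post and in the later ones, added here as an example; it is not part of the thread, of HFS or of middle.py, and the scanner-path list, the LAN ranges and the lines marked constructed are assumptions. One reading aid for the lines quoted above: a "Bad request version" entry whose "version" is rendered as 'À(À$À\x14À' is the logger's latin-1 view of the bytes c0 28 c0 24 c0 14 c0, which are TLS cipher-suite identifiers, so that entry is a TLS ClientHello sent to the plaintext port (a client or scanner trying HTTPS on port 80); the CONNECT host:443 entries are open-proxy probes. Both are worth tagging separately from real scanner paths such as /actuator/health because the right response differs: the first two are noise, the third is a host enumerating known applications.

```python
"""Classifier for Python http.server log lines.  Added example, not code from
the thread, HFS or middle.py; SCANNER_PATHS and the constructed lines are assumptions."""
import ipaddress
import re
from collections import Counter

# "1.2.3.4 - - [22/Apr/2022 18:58:39] <rest>"
LINE_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
# <rest> for a parsed request: '"GET / HTTP/1.1" 200 -'
REQ_RE = re.compile(r'^"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')
# <rest> for a request the server could not parse: 'code 400, message Bad request version (...)'
ERR_RE = re.compile(r'^code (?P<status>\d{3}), message (?P<msg>.*)$')
# bytes outside printable ASCII, shown by the logger either as \xNN escapes or as 8-bit chars
BINARY_RE = re.compile(r'\\x[0-9a-fA-F]{2}|[^\x20-\x7e]')

# Paths only automated scanners ask for on a personal file server (assumed, illustrative list).
SCANNER_PATHS = ("/actuator/", "/.env", "/wp-login.php", "/wp-admin", "/phpmyadmin",
                 "/vendor/phpunit", "/boaform/", "/HNAP1", "/cgi-bin/")

# RFC 1918, loopback and link-local.  ipaddress.is_private is deliberately not used:
# it also flags documentation ranges such as 203.0.113.0/24, used for the sample below.
LAN_NETS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10"))


def is_lan(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def classify_line(line: str):
    """Return {ip, lan, category, detail} for a log entry, or None for other text.

    Categories:
      tls-on-plaintext  TLS ClientHello (0x16 0x03 record header, 0xC0xx cipher suites)
                        on the HTTP port, logged as 'Bad request version/syntax'
      proxy-probe       CONNECT host:port, the client is testing for an open proxy
      scanner-path      a request for one of SCANNER_PATHS
      malformed         any other unparseable request
      request           everything else
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ip, rest = m.group("ip"), m.group("rest")
    lan = is_lan(ip)
    err = ERR_RE.match(rest)
    if err:
        msg = err.group("msg")
        if msg.startswith(("Bad request version", "Bad request syntax")) and BINARY_RE.search(msg):
            return dict(ip=ip, lan=lan, category="tls-on-plaintext", detail=msg[:40])
        return dict(ip=ip, lan=lan, category="malformed", detail=msg[:40])
    req = REQ_RE.match(rest)
    if req:
        method, target = req.group("method"), req.group("target")
        if method == "CONNECT":
            return dict(ip=ip, lan=lan, category="proxy-probe", detail=target)
        if any(target.startswith(p) for p in SCANNER_PATHS):
            return dict(ip=ip, lan=lan, category="scanner-path", detail=target)
        return dict(ip=ip, lan=lan, category="request",
                    detail=f"{method} {target} {req.group('status')}")
    return dict(ip=ip, lan=lan, category="malformed", detail=rest[:40])


SUSPICIOUS = {"tls-on-plaintext", "proxy-probe", "scanner-path"}


def ban_candidates(lines, threshold: int = 1):
    """Public IPs with at least `threshold` suspicious entries, most active first."""
    hits = Counter()
    for line in lines:
        f = classify_line(line)
        if f and not f["lan"] and f["category"] in SUSPICIOUS:
            hits[f["ip"]] += 1
    return [(ip, n) for ip, n in hits.most_common() if n >= threshold]


# Constructed sample: the first four lines are adapted from the posts in this
# thread, the remaining ones are made up in the same format (203.0.113.0/24 is
# a documentation range) to exercise every category.
SAMPLE_LOG = r"""192.168.1.1 - - [22/Apr/2022 18:58:39] "GET / HTTP/1.1" 400 -
162.221.192.90 - - [22/Apr/2022 19:00:52] "GET / HTTP/1.1" 200 -
192.241.214.230 - - [25/Apr/2022 12:02:33] "GET /actuator/health HTTP/1.1" 404 -
205.210.31.151 - - [29/Apr/2022 14:33:41] code 400, message Bad request version ('À(À$À\x14À')
203.0.113.7 - - [30/Apr/2022 08:15:02] "CONNECT google.com:443 HTTP/1.1" 501 -
203.0.113.7 - - [30/Apr/2022 08:15:09] "GET /.env HTTP/1.1" 404 -
203.0.113.7 - - [30/Apr/2022 08:15:11] code 400, message Bad request syntax ('\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03')
not a log line at all
""".splitlines()

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify_line(entry))
    print("ban:", ban_candidates(SAMPLE_LOG, threshold=2))
```

The output of ban_candidates is what a firewall-rule batch like the one mentioned later in the thread would consume; keeping LAN addresses out of it avoids locking out the router (192.168.1.1 in the quoted lines) after a few malformed requests from the inside.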



13
Hello @NaitLee,

First of all, if you programmed this right after having read my topic, I want to thank you for your kindness and professionalism 😦. I like seeing developers devoted to improving things; that's a great quality in a world often ruled by ignorance and contempt, where users are always seen as importunate beggars. A big congratulations 👍

Now, I'm a bit distrustful of a program shared on the Internet that could be malicious, so I want to check the code before executing it (it will take me some hours, although the script doesn't seem too long). That said, it seems interesting since it gives users full control over the redirection, independently of the DYNDNS providers: no extra account connections nor profile tweaking, and that's great!

I've read carefully what you wrote and I have a few questions:

1 - Will the use of port 80 affect other programs running, like CADDY SERVER, which could use this port? What I suspect is: I have several CADDY servers bound to various local URLs on port 80, and if your script doesn't filter the incoming URL requested through port 80, I don't see how your script and servers like CADDY could coexist if your script blindly redirects anything entering through port 80.
2 - Is the -b parameter dedicated to that purpose?
3 - I don't understand the difference between -b and -d: does the first one give the possibility to analyze the requesting IP, or to route to another computer? In the second case, HFS should be on that computer, and I don't see why we should specify the HFS location with -d.
4 - What do you mean by "and HFS sometimes exposes an absolute link that has the "true" path"?

Also, we need to be sure that:
5 - Is the IP "mask" (e.g. project1.duckdns.org) concatenated with what is added after it by the web users' requests? E.g. will the request "project1.duckdns.org/stuff/thing.html" be recomposed as "project1.duckdns.org/public_websites/project1/stuff/thing.html" locally?


14
Edit (2022-04-29): /!\ DO NOT USE THE PYTHON SCRIPT PROVIDED BY @NAITLEE UNTIL MORE HAS BEEN INVESTIGATED ABOUT THE SECURITY OF THE SCRIPT AND THIS WARNING HAS BEEN REMOVED /!\


Hello,

I have set several aliases in DUCKDNS.ORG, like:
  • project1.duckdns.org
  • project2.duckdns.org

all pointing to my home IP address. They are intended to be public websites.

In HFS, I have REAL folders for each of them:

/
|-- project1
|-- project2

PROBLEM

When I share the URLs, they look like:


Code:
project1.duckdns.org/project1
project2.duckdns.org/project2


and this is ugly.

This is even worse if I store the REAL folders in a parent "empty" folder:

/
|-- public_websites/
    |-- project1
    |-- project2

which leads to URLs like:

Code:
project1.duckdns.org/public_websites/project1
project2.duckdns.org/public_websites/project2


REQUEST

I would like them to be just project1.duckdns.org and project2.duckdns.org, pointing to the REAL FOLDERS whatever their position in the VFS tree.
For this, I see two solutions.

SOLUTION 1: A ROUTING SYSTEM

This is basically what's called "URL rewriting".

HFS should provide a way to detect the URL typed, and LINK IT (not redirect!) to REAL FOLDERS, as junctions (in Windows) or hard links (in Linux) redirect resources on a hard disk.
One way to achieve this would be to right-click on folders, set the URL, allowing us to type "/" in order for HFS to "reroute" the "/" root to those resources, depending on a certain hostname detected.
There's already a macro to detect the important part of the URL:

Code:
{.header|host.}
But I don't see what to do with it in the DIFF TEMPLATE of the "/" node. :-[

SOLUTION 2: SEVERAL ROOTS

HFS should provide several roots ("/") in several UIs, as if it were hosting different websites.



If there is already a solution, I would be excited to hear it because I'm actually desperate. DYNDNS doesn't offer a way to set an IP + a route as a suffix, like "/public_websites/project1", which would help translate project1.duckdns.org into something like 70.56.33.81/public_websites/project1 and transmit the request, thus allowing HFS to directly receive and interpret the "/public_websites/project1" route while still keeping it hidden from the user in his browser.
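The routing solution requested above (SOLUTION 1: map the Host header to a folder inside the HFS tree, in front of HFS), reduced to its decision logic as an added example. It is not the vHost plugin, HFS code or the thread's middle.py; VHOSTS, HFS_UPSTREAM and the helper names are assumptions. Two details matter for security here. First, a Host value that is not in the map must be refused rather than allowed to fall through to the HFS root, otherwise anyone who hits the raw IP, or points another DNS name at it, sees the whole tree. Second, the client path is normalized before the folder prefix is prepended, so a request for "/../project2/x" on project1.duckdns.org stays inside project1. The last helper strips the prefix back off absolute links and Location headers returned by HFS, which is what the "exposes an absolute link that has the true path" remark in the thread refers to.

```python
"""Host-header routing in front of HFS: project1.duckdns.org -> /public_websites/project1.
Added example, not the vHost plugin, HFS code or middle.py; the mapping and
upstream address are assumptions taken from the post above."""
from posixpath import normpath

# Assumed setup from the post: two DuckDNS names pointing at the home IP, each
# served from its own folder inside the HFS virtual file system.
VHOSTS = {
    "project1.duckdns.org": "/public_websites/project1",
    "project2.duckdns.org": "/public_websites/project2",
}
HFS_UPSTREAM = ("127.0.0.1", 8000)   # where HFS itself listens (assumed, as in the thread)


def host_name(host_header):
    """Bare host from a Host header: port stripped, lowercased, trailing dot dropped.
    "Project1.DuckDNS.org:80" -> "project1.duckdns.org"; "[::1]:8080" -> "::1"."""
    if not host_header:
        return None
    h = host_header.strip()
    if h.startswith("["):                       # IPv6 literal
        return h[1:h.find("]")].lower() if "]" in h else None
    return h.split(":", 1)[0].lower().rstrip(".") or None


def upstream_path(host_header, path, vhosts=VHOSTS):
    """Map (Host, path) to the path HFS should see, or None for an unknown Host.

    The client path is normalized first (normpath never climbs above "/"), so
    it cannot escape the folder mapped to the name the client used.  Unknown
    hosts, including the raw IP address, get None: the caller should answer
    421 or 404 instead of silently serving the HFS root.
    """
    base = vhosts.get(host_name(host_header))
    if base is None:
        return None
    clean = normpath("/" + path.lstrip("/"))
    if path.endswith("/") and clean != "/":
        clean += "/"                            # keep directory requests as directories
    return base.rstrip("/") + clean


def rewrite_location(host_header, location, vhosts=VHOSTS):
    """Undo the folder prefix on an absolute link or Location header coming back
    from HFS, so "/public_websites/project1/stuff/" is shown as "/stuff/".
    Links into other folders are left as they are, which makes them visible."""
    base = vhosts.get(host_name(host_header))
    if base is None or not location.startswith("/"):
        return location
    base = base.rstrip("/")
    if location == base:
        return "/"
    if location.startswith(base + "/"):
        return location[len(base):]
    return location


def route(headers, path, vhosts=VHOSTS, upstream=HFS_UPSTREAM):
    """Routing decision for one request: (host, port, path) to forward to HFS,
    or None to reject it.  `headers` is a dict of request headers; the lookup
    of "Host" is case-insensitive."""
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    p = upstream_path(host, path, vhosts)
    return None if p is None else (upstream[0], upstream[1], p)


if __name__ == "__main__":
    print(route({"Host": "project1.duckdns.org"}, "/stuff/thing.html"))
    print(route({"Host": "203.0.113.10"}, "/"))            # raw IP: rejected
    print(rewrite_location("project1.duckdns.org", "/public_websites/project1/stuff/"))
```

A proxy built on these functions still has to cope with the rest of the thread's complaints on its own: it sees every byte sent to port 80, so the allow-listing and the scanner logging discussed in the other posts belong in the same process, in front of this routing step.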


15
Bug reports / Re: Robots are scanning my HFS server
« on: March 22, 2021, 09:55:52 AM »
Thanks Mars ;)
