rejetto forum

Recent Posts

91
Everything else / Re: Let things calm down
« Last post by Rom_1983 on April 30, 2022, 01:47:12 PM »
Quote
I'm not fluent with Python, but I had a quick look at it and didn't find anything harmful.
I think the simple routing aspect with no protection against injections, combined with the amount of attacks in a period of time, is enough to say that there's something malicious here, but indeed, the script in itself is as harmless as a door built in a wall with no lock.
Had I been the author of that Python script, as soon as I had seen the attacks (given that "this is worldwide botnets touching everybody") I would have implemented a URL filter system. ¯\_(ツ)_/¯
92
Everything else / Re: Let things calm down
« Last post by rejetto on April 30, 2022, 01:34:24 PM »
I'm not fluent with Python, but I had a quick look at it and didn't find anything harmful.
We are not talking about a black box; the instructions are there, readable by anyone.
Should anybody find malicious instructions, please let me know, and I'll take action accordingly.
93
Everything else / Re: Let things calm down
« Last post by Rom_1983 on April 30, 2022, 01:28:12 PM »
Just a side note:

Quote
Losing trust is terrible. Even more terrible if it's all caused by outsider stalkers. Terrible for both persons. Yet more if plus region things.
Yeah. You're such a victim of "outsiders" from foreign countries, stalking* you (??) and using racism on you to a point that you feel horribly bad where you are.
I personally am French; Frenchies are hated around the world, and I don't play the crying puppy when giving out a script that opens the door to attacks in a short period of time and triggers an antivirus.
Good try, but not on me 👍

If you don't accept that people can lose trust in you, you should consider questioning yourself about your knowledge of programming. You may not be the godlike programmer you think you are... And don't make me pass for a blind offender: I've been patient during those stressful days of "trust", while quietly watching that escalation of error messages and sounds and antivirus alerts.

As I use HFS v3 and the vHost plugin, I don't care anymore about resolving that drama with what I consider to be a hacker in distress, spotted by a 130+ IQ "noob" with good common sense.

Feel free to type a new improved version of your script in the same short period of time (24h) with your magic fingers, to prove that you care about hacking attempts. Or dodge it like a pro 😎 (like you dodged my proposition to mix it with my own MS-DOS script and upload them to GitHub; I guess you're not interested in a REAL deep relationship around your "work", for a good reason...).

(*) That's a reversion, even a lapsus, and that's often used by attackers.
94
- We cannot move entries (up, down) with the mouse. It would have been cool, to sort things. For now, if we're not satisfied after a few moments with what we have done, we have to delete the entries and recreate them.

I will likely add the up/down at some point because that "editor" is meant to be generic, and other plugins may be sensitive to the order of data.
Anyway, this is not true for the vhosting plugin, the way it is right now at least. So you should be OK without the order, but if you really, really want to change the order you can still open the config.yaml file with Notepad and you may find it's easy to do.

Quote
- There's no EXE staying in the systray, like in v2. Now we launch a CLI, and that populates our taskbar, and I don't want that. I'm sure there's a workaround with software that minimizes any window to the systray, but the ideal would be to have a native solution.

I hope at some point we'll have HFS installed as a service, and controlled with a tray application like you say.
It's not high priority for me, and it would be cool if someone else worked on it, as the tray icon would probably be a separate program.
I added it to the to-do list.

Quote
- Popups hovering when we've finished an action don't disappear by themselves. We have to click in the void around them, and that may disturb people not used to it.

In some cases this is good, because I need to know the user acknowledged the content of the popup.
I'm sure some cases would be better with the behaviour you just suggested. Feel free to point at some of them you care about, and I'll consider which ones to transform.

Quote
- Network drives aren't detected if we don't launch HFS v3 in admin mode. That's normal with most software, and I've known this for a long time ^^, but I suggest putting a line in the UI to inform users.

Thanks for the suggestion, but I'm not able to confirm it yet: I have a couple of networked drives here and HFS sees 'em even if I don't get the "User Account Control" warning of Windows when I launch it. When you say "admin mode", are you referring to the UAC?


Quote
Now I want to say congratulations for this new version of HFS. The UI is amazing, there are many options. That's a damn good HTTP solution. The upgrade since v2 is stunning. Keep up the good work!

Thanks, it was not an easy decision because making it would take about 1 year of my time just for the first version. It's not easy to start a project this big. That's why I delayed it for 8 years.
95
Everything else / Re: Let things calm down
« Last post by Rom_1983 on April 30, 2022, 01:02:28 PM »
Quote
@naitlee, you are right and I feel bad for you because I know you were trying to help
And you don't feel bad that a Python script is shared on your forum with just no interest in helping to counter those attacks?
Let's be clear: if those attacks are so benign, the BELL is just "stupid code" to play with my ears, etc., blah blah, why was my antivirus triggered and the name of a botnet mentioned?
At what moment should I react and say to myself "wooooh, this is going wild now"? When losing data? When losing login access?

Quote
The problem is that when the address of a target is known to a hacker, there is little chance that it will not be tested
I don't understand the logic here, but about me spreading my DuckDNS address, I only did it AFTER the attacks appeared: https://rejetto.com/forum/index.php?topic=13535.msg1067415#msg1067415

Quote
From Rom_1983's point of view, nothing accuses you, but given the suspicion that you are under surveillance, it suggests that these attacks are indirectly linked to your Python scripts.
My point of view is: it is very unlikely that I could be subject to such an amount of hacking attempts just after a Python script was given to me, by pure coincidence, and that one of the origins of those attacks is the same as the author of the script. If those attacks on port 80 had been going on for years, I would have had a clue about it (an error message, a sound, the antivirus reacting, etc.). Sorry, but I don't buy the "if you open a web server on the internet, using ports on common numbers makes it just much worse/frequent": I've already used local HTTP serving with PHP before, and I've never, NEVER, experienced such an amount of attacks in any CLI opened.

So, the CLI with Python listening on port 80 is just a door opened to what was running behind the scenes for years? Explain to me why the guy who gave me the script is coincidentally from the same country as the botnet detected, and at the same time says that "CONNECT google.com:443" is nothing to his eyes, even after the antivirus reacted to the botnet. So, Python can't interpret the CONNECT method, just because his script (the "server") could "never be breached"?

How... many... elements... do... we... need... here? How?

A real good and professional person would say "oops, sorry, I'm a little bit reckless here, let me add a strong protection to my script" instead of taking his speaker for a total noob.
All he did was add a banning system based on HTTP headers! OK... and the URL typed? Can't we say that the script doesn't accept URLs like "/actuator/health", instead of watching it with half-closed eyes and patronizing the guy to whom we gave the script?

Quote
They are still false positives.
You have some nerve to dare say that after I sent you a PM with the antivirus screenshot, which you never answered. You preferred to come here right after it and talk to admins/moderators, instead of conversing with me. I've always been polite with you, don't try to dodge like that.

If I were a forum admin, I would listen to my instinct and warn you not to share scripts, programs, or plugins anymore. But hey! That's racism!

Quote
Connect? Just another nonsense that tries to horrify you.
BOO! — Nod32
96
I quickly considered the evidence you brought, and I determined that it was not enough for the statements you made against NaitLee. You may disagree, and I may be wrong, but that's the best I can do for the moment.
I'm not asking you to trust the guy. Don't, if you feel like it. I don't say he cannot be evil; I said you went a bit too far with words for this place.

I didn't say "benign" to any attack. I can't say if you had any damage or if you had any real threat on you.
I know most web attacks are automatic (= cheap), hoping to find something very specific behind the "door", but without really knowing, and thus most of them are ineffective.

I don't want to prevent your "free speech" in general, just here. In a way I'm responsible for this forum, but I don't have the time and will to investigate this further, and I have to make a few decisions anyway. I'm not here to lecture people on how to live.
 
Answering the rest in a following post.
97
Quote
but I'll take some precautions to lessen unnecessary sufferings.

By reacting like that, you're doing the exact opposite. Just IMAGINE that the botnet had passed my antivirus protection, and my PC was infected to a point where I could not talk here anymore. Just imagine the big "THANK YOU" echoing in my head, and how I would feel about your morals. Attacks are real, and botnets are a real shit. You don't protect people by preventing them from showing the facts.

Politeness should never override common sense. I see that positive racism still reshapes the politically correct every day, even with all the precautions (I specifically said "don't take this as racism" and "this is not a definitive accusation"). I find it dangerous to not be authorized to say that a [put a nation here] botnet attacked me (and no, that's not "normal"), nor that a [put the same nation here] user, acting like a pro, tries to underestimate the constant threat of the attacks, or that the origins of both the user and the bot converge, and that this is a sign. Especially if the attacks are made on one of my DynDNS addresses and not the basic port 80, suggesting that this is not a random coincidence.

Moreover, I find it very worrying to see an admin keeping the same speech as the aforementioned user, maybe based on a "de-escalation" psychological effect, and telling me that those error messages are "normal" and "benign". Sorry, but constant injections are dangerous, Python in an HTTP-serving context is dangerous, Windows error SOUNDS are not a good sign, and an antivirus triggered and now alerting about botnet activity on my computer is definitely a new step indicating that all the previous ones have paid off.

Don't consider that just because a forum user "has a nice avatar", "acts nicely", and "has a lot of messages", he could never be a foreign hacker hooked on a technology, whose main interest is to wait and see victims coming into his "generous" hands. Scams, since the beginning of humanity, have always proceeded on the basis of empathy. And if you add geopolitical knowledge to that (a country that I won't name, given that violence has such power that we are muted by hypocrisy), well, you have an idea of what CAN be (not what necessarily IS). If we can't talk and share our clues anymore, that's more dangerous than ever. Paranoia has nothing to do with it (botnet + antivirus triggered).

If error messages + sounds + antivirus reaction + general escalation of alerts were normal, I think simply launching servers like Caddy or HFS would lead to such common patterns. However, I never experienced such things before. Finally, if the author of a script doesn't react normally and doesn't keep adding security (I asked him to add URL filters, as I suggested you implement in HFS v3), I find this very suspicious.

About HFS v3 and VHOST

The vHost works like a charm. It's set on port 80 by default, so it's perfect for my use because I don't want additional ports used in URLs.

Suggestions

- We cannot move entries (up, down) with the mouse. It would have been cool, to sort things. For now, if we're not satisfied after a few moments with what we have done, we have to delete the entries and recreate them.

- There's no EXE staying in the systray, like in v2. Now we launch a CLI, and that populates our taskbar, and I don't want that. I'm sure there's a workaround with software that minimizes any window to the systray, but the ideal would be to have a native solution.

- Popups hovering when we've finished an action don't disappear by themselves. We have to click in the void around them, and that may disturb people not used to it.

- Network drives aren't detected if we don't launch HFS v3 in admin mode. That's normal with most software, and I've known this for a long time ^^, but I suggest putting a line in the UI to inform users.

_______________

Now I want to say congratulations for this new version of HFS. The UI is amazing, there are many options. That's a damn good HTTP solution. The upgrade since v2 is stunning. Keep up the good work!
98
Everything else / Re: Let things calm down
« Last post by rejetto on April 30, 2022, 10:36:01 AM »
@naitlee, you are right and I feel bad for you because I know you were trying to help
99
Moreover, I'm not sure that your plugin allows using several "hosts"; you only give a single example.

I was in a hurry and didn't communicate it in the best of ways, but that's what the "+" button in the picture is for, to add more.

Quote
- A way to whitelist URLs incoming to HFS. If a remote user tries to reach a URL that doesn't correspond to any URL's parent node, he'll be blocked.

I'm not totally sure what you meant by that, but it's giving me a huge hint on how to tell unwanted traffic. Surely a lot of people came to this eons ago, but me? Just now.
I've been paying little attention to the "domain" thing at this stage of the project, for good reasons, but most of the unwanted traffic will come to you just with your IP, randomly.
Rejecting all traffic not using the domain is a piece of cake. I could easily make a feature for that. I'm not sure if as a plugin. I'm trying to make plugins to both show people what they can do, and also to let people customize them to better suit their needs, possibly by making a new plugin out of them.

Problem is: a lot of people don't have a domain, and I'm not sure I want to force them, limiting possible usages of the server. Also because it would rely on external services, and I'm trying not to bind the project to external services.
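The domain check rejetto describes here, combined with the URL whitelist Rom_1983 asked for (dropping paths such as "/actuator/health" and CONNECT probes), as an added Node.js example. This is not HFS or vHost plugin code; the domain, the allowed prefixes and the sample request log are constructed for illustration, and the server is assumed to be a read-only file share.

```javascript
// Added example (not HFS or vHost plugin code): accept only requests that name the
// configured domain in the Host header and stay under a few URL prefixes. Domain,
// prefixes and sample log are constructed; a read-only file share (GET/HEAD) is assumed.
const ALLOWED_HOSTS = new Set(['files.example.duckdns.org']); // constructed
const ALLOWED_PREFIXES = ['/public/', '/share/'];               // constructed

// Collapse "." and ".." segments so an encoded traversal cannot sidestep the prefix list.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return '/' + out.join('/');
}

// req is a plain { method, host, path } object (checkable offline); returns
// { allow, reason } with reason one of 'method', 'host', 'path' or null.
function classifyRequest(req) {
  // CONNECT (proxy probes) and other verbs are not something a file share serves.
  if (!['GET', 'HEAD'].includes(req.method)) return { allow: false, reason: 'method' };
  // Random scans arrive with a bare IP (or nothing) in Host; only the domain passes.
  const host = String(req.host || '').toLowerCase().replace(/:\d+$/, '');
  if (!ALLOWED_HOSTS.has(host)) return { allow: false, reason: 'host' };
  let path;
  try { path = normalizePath(decodeURIComponent(req.path.split('?')[0])); }
  catch (e) { return { allow: false, reason: 'path' }; } // malformed percent-encoding
  const ok = path === '/' ||
    ALLOWED_PREFIXES.some(p => path === p.slice(0, -1) || path.startsWith(p));
  return { allow: ok, reason: ok ? null : 'path' };
}

// Constructed sample traffic, mirroring the kinds of requests mentioned in the thread.
const SAMPLE_REQUESTS = [
  { method: 'GET',     host: 'files.example.duckdns.org',    path: '/public/readme.txt' },
  { method: 'GET',     host: '203.0.113.5',                  path: '/actuator/health' },
  { method: 'CONNECT', host: 'google.com:443',               path: 'google.com:443' },
  { method: 'GET',     host: 'files.example.duckdns.org',    path: '/public/%2e%2e/config.yaml' },
  { method: 'GET',     host: 'FILES.EXAMPLE.DUCKDNS.ORG:80', path: '/?sort=name' },
];

// Tally verdicts by reason: a quick view of what such a filter would drop.
function summarize(requests) {
  const counts = { allow: 0, host: 0, method: 0, path: 0 };
  for (const r of requests) {
    const v = classifyRequest(r);
    counts[v.allow ? 'allow' : v.reason] += 1;
  }
  return counts; // summarize(SAMPLE_REQUESTS) → { allow: 2, host: 1, method: 1, path: 1 }
}
```

Wiring this in front of a real server means reading `req.method`, `req.headers.host` and `req.url` into that object and answering 404 or closing the socket on a reject; the classification itself is what the thread argues about.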
100
Regarding the statements about Python, JavaScript, etc., my 2 cents are: I'm not an expert in the security field, yet my profession requires me to know more than the average person. I consider true the statement that some languages/technologies pay for their flexibility with some extra risks. And yet, these risks heavily depend on what the programmer does. There are organizations "risking" millions of dollars on stuff built with such technologies. Everybody decides his own level of paranoia, but remember there's a price to pay for paranoia too.
Attacks and remote executions have always existed with and without newer technologies.
Also, remember that Python, Node, etc., are open source and watched closely by the whole world. You decide.

I've asked a friend who's in IT security to give me a hand ensuring HFS 3 is good enough. It's not an easy task, and it's even harder doing it in my time off, when I'm tired from my job. But, hey, it's open source; everyone who can contribute to making it more secure is welcome to give a hand.