ok, I finally managed to restart it, deleting and recreating the socket...
2017-06-27 17803, 2017
agentsim has quit
2017-06-27 17844, 2017
henadel has quit
2017-06-27 17831, 2017
ruaok returns
2017-06-27 17835, 2017
ruaok
iliekcomputers: lol. :)
2017-06-27 17841, 2017
Slurpee joined the channel
2017-06-27 17841, 2017
Slurpee has quit
2017-06-27 17841, 2017
Slurpee joined the channel
2017-06-27 17809, 2017
ruaok
everyone: we're about to unveil what zas has been working on.
2017-06-27 17820, 2017
zas
(yes, i was working...)
2017-06-27 17829, 2017
ruaok
I wish it was more positive, but still zas has some very good detective work.
2017-06-27 17833, 2017
ruaok
Quesito: join us here.
2017-06-27 17842, 2017
Quesito
hola
2017-06-27 17847, 2017
ruaok
zas: please give us a short-ish recap of what happened.
2017-06-27 17858, 2017
zas
short will be hard, but i'll try ;)
2017-06-27 17823, 2017
zas
back to 2016, before we moved to hetzner, we started to see an increase in traffic
2017-06-27 17850, 2017
zas
it was unexplained, we thought about people abusing our ws of course
2017-06-27 17806, 2017
zas
but since we were on the move to new host, we didn't care that much
2017-06-27 17823, 2017
zas
the whole move took us a lot of time and energy, until now
2017-06-27 17843, 2017
zas
a week ago, there was a sudden drop in the traffic
2017-06-27 17814, 2017
zas
so i started to dig logs to find an explanation
2017-06-27 17843, 2017
zas
i noticed a lot of queries from 2 UAs, but from a lot of different IPs (>100k)
2017-06-27 17827, 2017
zas
while i couldn't explain the drop in traffic, something was starting to appear
2017-06-27 17810, 2017
zas
those 2 UAs were denied since a long time, being generic and non meaningful UAs (User Agent string in case of ...)
2017-06-27 17850, 2017
zas
but still, the number of requests incoming was very high: about 60-65% of the total number of requests on our web service
2017-06-27 17839, 2017
zas
so, we explored different possibilities, one was hacked devices, hosting botnet agents, querying us for unknown reason
2017-06-27 17829, 2017
zas
so, i did few nmap and discovered that all random IPs i tested were having a common point: more or less same ports open to the internet
2017-06-27 17802, 2017
zas
usual botnet agents are more smart, and use complex ways to hide their presence
2017-06-27 17818, 2017
ruaok
these folks were anything but smart.
2017-06-27 17841, 2017
zas
plus the botnet hypothesis would imply that someone was behind, someone very angry vs us....
2017-06-27 17830, 2017
zas
so ... i used good ol' telnet, and discovered that all IPs were leading to a QNAP nas device
2017-06-27 17801, 2017
Leo_Verto[m]
oh wow, that's really shitty of them
2017-06-27 17810, 2017
zas
those devices are well known to be used by botnets ...
2017-06-27 17829, 2017
zas
i started to block IPs of those devices
2017-06-27 17843, 2017
zas
in the goal to be contacted by owners of those
2017-06-27 17810, 2017
zas
and it worked, with the help of sam___, rdswift, and few others we inspected those devices
2017-06-27 17823, 2017
zas
and found nothing to worry about
2017-06-27 17838, 2017
zas
but it confirmed that the requests were coming from them
2017-06-27 17828, 2017
zas
why would a multimedia nas query mb.o ? .... ;)
2017-06-27 17837, 2017
zas
either tagging or scraping
2017-06-27 17822, 2017
zas
but no way to be sure until i got my hands on such device, so i ordered one yesterday, got it at home today, and started to look for what i was suspecting
i still have questions about the other UA (curl/7.43.0)
2017-06-27 17810, 2017
drsaunder joined the channel
2017-06-27 17815, 2017
zas
but i think it was just the old version of libscrap.so without a UA set
2017-06-27 17800, 2017
zas
both are sending requests in the exact same format (i found IPs emitting both, prolly someone having an old and a new NAS)
2017-06-27 17838, 2017
zas
so here we are: QNAP NAS are sending tons of requests to us, users aren't aware of it, they are blocked since months (and no one cares)
2017-06-27 17850, 2017
zas
it costs us a lot of resources, and time
2017-06-27 17821, 2017
zas
that's all folks ;)
2017-06-27 17836, 2017
reosarevok
So what now?
2017-06-27 17850, 2017
zas
^^ the question
2017-06-27 17851, 2017
ruaok
now it goes over to quesito.
2017-06-27 17809, 2017
reosarevok
I assume at least a "fuck these idiots" blog post, but is this something we can do something about more seriously?
2017-06-27 17811, 2017
ruaok
with zas' info, her and I will work up the total damages done and equate them to $$$.
2017-06-27 17813, 2017
reosarevok
Court-seriously?
2017-06-27 17814, 2017
Leo_Verto[m]
there are API keys in one of the pastes, those aren't for anything MB, are they?
2017-06-27 17824, 2017
ruaok
then we'll send them an invoice.
2017-06-27 17840, 2017
ruaok
and just like the invoice that merkel received from trump, they are not going to pay.
2017-06-27 17842, 2017
zas
Leo_Verto[m]: nope
2017-06-27 17804, 2017
ruaok
but, we gotta do this the right way. introduce ourselves and then ask them to come clean.
2017-06-27 17823, 2017
zas
but they'll be happy to know their API is used with hardcoded keys ;)
2017-06-27 17828, 2017
reosarevok
I mean it's not just us, then? It's us, and IMDB, and who knows what else
2017-06-27 17829, 2017
Quesito
step 1: play nice and ask nicely (even when you don't want to)
2017-06-27 17829, 2017
Leo_Verto[m]
could you figure out if that same NAS software is hitting other services in the same way it hit MB? maybe teaming up would be a good idea, wouldn't it?
2017-06-27 17844, 2017
zas
reosarevok: right, not just us
2017-06-27 17856, 2017
reosarevok
Well I guess zas knows what else :D
2017-06-27 17857, 2017
Quesito
we need to team up. this company is a giant.
2017-06-27 17806, 2017
Quesito
we might need
2017-06-27 17828, 2017
ruaok
think cake.
2017-06-27 17839, 2017
ruaok
imdb == amazon
2017-06-27 17839, 2017
zas
cake time!
2017-06-27 17846, 2017
ruaok
they may not have noticed.
2017-06-27 17852, 2017
Quesito
unless it's like a class action...i donno.
2017-06-27 17857, 2017
ruaok
we just need to follow the good cop route.
2017-06-27 17816, 2017
zas
i don't think the court path is the right path, we actually want them to use our ws
2017-06-27 17820, 2017
ruaok
no, this isn't class action worthy. this isn't worth a whole lot, really.
2017-06-27 17825, 2017
Quesito
this is all still sinking in for me...this is f-d up.
2017-06-27 17831, 2017
zas
but they have to respect rules
2017-06-27 17836, 2017
ruaok
get another unicorn in the door and that is considerably much more money.
2017-06-27 17850, 2017
ruaok
it is fucked up and we have a right to be angry.
2017-06-27 17859, 2017
ruaok
but these people wasted our time, let's not waste too much more.
2017-06-27 17812, 2017
ruaok
I get this feeling that these people are first rate douches.
2017-06-27 17824, 2017
ruaok
and first rate douches know exactly what they are doing.