I'm f****** seething; this is unacceptable for any site, and this behaviour isn't documented anywhere; we've been portscanning since day one and were completely unaware of it. My guess is almost everyone here was unaware of this "feature" as well. Our submitter reports slashdot did this as well. There is no notification or link in the FAQ that this is done, unless you were checking your firewall rules religiously, this would have been completely unnoticed.
I'm seething and furious at the moment. How on earth is this acceptable behaviour? I understand proxy scanning; most IRC networks do it, but they notify you that they are doing so. Furthermore, a basic web application should not be probing their end users; I'm absolutely flabbergasted that this exists, as were most of the staff when it was brought to our attention. On behalf of the site, I want to offer a formal apology for this clusterf***.
Addendum: Since writing this, I've written a follow-up on why this got me so upset in my journal. I've got journal replies set to on, and will respond to anyone both here and there.
```perl
sub checkForOpenProxy {
	my($self, $ip) = @_;

	# If we weren't passed an IP address, default to whatever
	# the current IP address is.
	if (!$ip && $ENV{GATEWAY_INTERFACE}) {
		my $r = Apache->request;
		$ip = $r->connection->remote_ip if $r;
	}

	# If we don't have an IP address, it can't be an open proxy.
	return 0 if !$ip;

	# Known secure IPs also don't count as open proxies.
	my $constants = getCurrentStatic();
	my $gSkin = getCurrentSkin();
	my $secure_ip_regex = $constants->{admin_secure_ip_regex};
	return 0 if $secure_ip_regex && $ip =~ /$secure_ip_regex/;

	# If the IP address is already one we have listed, use the
	# existing listing.
	my $port = $self->getKnownOpenProxy($ip);
	if (defined $port) {
		#print STDERR scalar(localtime) . " cfop no need to check ip '$ip', port is '$port'\n";
		return $port;
	}
	#print STDERR scalar(localtime) . " cfop ip '$ip' not known, checking\n";

	# No known answer; probe the IP address and get an answer.
	my $ports = $constants->{comments_portscan_ports} || '80 8080 8000 3128';
	my @ports = grep /^\d+$/, split / /, $ports;
	return 0 if !@ports;
	my $timeout = $constants->{comments_portscan_timeout} || 5;
	my $connect_timeout = int($timeout/scalar(@ports)+0.2);
	my $ok_url = "$gSkin->{absolutedir}/ok.txt";
	my $pua = Slash::Custom::ParUserAgent->new();
	$pua->redirect(1);
	$pua->max_redirect(3);
	$pua->max_hosts(scalar(@ports));
	$pua->max_req(scalar(@ports));
	$pua->timeout($connect_timeout);
	#use LWP::Debug;
	#use Data::Dumper;
	#LWP::Debug::level("+trace"); LWP::Debug::level("+debug");
	my $start_time = Time::HiRes::time;
	local $_proxy_port = undef;

	# Callback invoked by the parallel user agent for each proxy
	# request; a successful fetch of ok.txt through a port means
	# that port is acting as an open proxy.
	sub _cfop_callback {
		my($data, $response, $protocol) = @_;
		#print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . ($response->is_success() ? $response->content() : "(fail)") . "'\n";
		if ($response->is_success() && $data eq "ok\n") {
			# We got a success, so the IP is a proxy.
			# We should know the proxy's port at this
			# point; if not, that's remarkable, so
			# print an error.
			my $orig_req = $response->request();
			$_proxy_port = $orig_req->{_slash_proxytest_port};
			if (!$_proxy_port) {
				print STDERR scalar(localtime) . " _cfop_callback got data but no port, protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . $response->content() . "'\n";
			}
			$_proxy_port ||= 1;
			# We can quit listening on any of the
			# other ports that may have connected,
			# returning immediately from the wait().
			# So we want to return C_ENDALL. Except
			# C_ENDALL doesn't seem to _work_, it
			# crashes in _remove_current_connection.
			# Argh. So we use C_LASTCON.
			return LWP::Parallel::UserAgent::C_LASTCON;
		}
		#print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' succ '0'\n";
	}

	#print STDERR scalar(localtime) . " cfop beginning registering\n";
	for my $port (@ports) {
		# We switch to a new proxy every time thru.
		$pua->proxy('http', "http://$ip:$port/");
		my $req = HTTP::Request->new(GET => $ok_url);
		$req->{_slash_proxytest_port} = $port;
		#print STDERR scalar(localtime) . " cfop registering for proxy '$pua->{proxy}{http}'\n";
		$pua->register($req, \&_cfop_callback);
	}
	#print STDERR scalar(localtime) . "pua: " . Dumper($pua);
	my $elapsed = Time::HiRes::time - $start_time;
	my $wait_timeout = int($timeout - $elapsed + 0.5);
	# Never wait less than one second for the registered requests
	# (the "< 1; $pua->" fragment was eaten by the HTML rendering).
	$wait_timeout = 1 if $wait_timeout < 1;
	$pua->wait($wait_timeout);
	#print STDERR scalar(localtime) . " cfop done with wait, returning " . (defined $_proxy_port ? 'undef' : "'$port'") . "\n";
	$_proxy_port = 0 if !$_proxy_port;
	$elapsed = Time::HiRes::time - $start_time;

	# Store this value so we don't keep probing the IP.
	$self->setKnownOpenProxy($ip, $_proxy_port, $elapsed);
	return $_proxy_port;
}
```
Leave your comments below, I want to know how others feel about this "feature".
Update: We've confirmed that slashdot.jp and Barrapunto predate this feature being added to the codebase; according to the git log, it was added on commit 177e2213 at 2008-04-16 19:07:46 +0000.
Related Stories
The EFF has called on admins to check any historical packet capture logs for evidence of Heartbleed attacks in 2013 and earlier. They examined reports from Ars Technica of people coming forward with logs potentially showing in-the-wild Heartbleed attacks long before the recent public disclosure. Perhaps most interesting:
[the] logs had been stored on magnetic tape in a vault. The source IP addresses for the attack were 193.104.110.12 and 193.104.110.20. Interestingly, those two IP addresses appear to be part of a larger botnet that has been systematically attempting to record most or all of the conversations on Freenode and a number of other IRC networks. This is an activity that makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers.
Coincidentally, a few hours prior to this news, I was lamenting here in comments how disinformative the mainstream reporting was when it made claims that "what makes it even worse is the heartbleed attack leaves no trace". Of course it leaves a trace- perhaps not in stock os/webserver log files, but remote attackers always have to carry the attack out via networks, which can notice and/or log the traffic if they take the trouble to. Not to put too fine a point on it, but the same thing is also relevant to the recent slashcode issue with portscans. It may be exhausting work inspecting packet capture logs, but if you make a habit of not doing it, you should be prepared to find some gremlins when you finally get around to it.
(Score: 2, Interesting) by Anonymous Coward on Wednesday April 09 2014, @07:33PM
Is it just banning posts from anything deemed a proxy site? Is the information being stored for later reference? Are these open port results re-probed or re-used anywhere else?
And why would the code care if people used a proxy site in order to make a post? Was it simply to avoid alts and astroturfing? Was there any OTHER reason to port scan?
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @07:44PM
It does not really matter; the process itself may be prohibited by your host, and you just broke their terms and conditions.
(Score: 5, Informative) by xlefay on Wednesday April 09 2014, @07:48PM
In fairness, we didn't know about this; but I just confirmed, Slashdot does it:
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=18595 -> DPT=81
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=39440 -> DPT=8080
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=14480 -> DPT=80
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=27035 -> DPT=3128
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=41068 -> DPT=6588
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=9200 -> DPT=8081
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=5978 -> DPT=1026
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=61971 -> DPT=3382
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=35001 -> DPT=7032
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=50869 -> DPT=8090
SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=64976 -> DPT=2578
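The firewall lines above carry enough to spot this behaviour on the receiving end. The following is an added example, not code from the post or from Slashcode: it parses lines in that SRC=/DST=/PROTO=/SPT=/DPT= layout, groups TCP hits by source and destination, and reports any source that knocks on several distinct ports of one host. Port names are taken from the comments further down the thread; the sample log is constructed from the lines quoted above plus two benign lines that must not be flagged.

```python
import re
from collections import defaultdict

# Matches the netfilter-style lines quoted above; SPT and any other fields are ignored.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+).*?DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Service names for the ports discussed in this thread (assumption: taken from the
# comments on this page; anything not listed is reported as "unknown").
PORT_NAMES = {
    80: "http", 81: "torpark/onion", 3128: "squid",
    6588: "AnalogX proxy", 8000: "alt http", 8080: "alt http", 8081: "alt http",
}


def parse_line(line):
    """Extract src, dst, proto and destination port from one log line; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_scanners(lines, min_ports=4):
    """Group TCP hits by (src, dst); return sorted port lists for pairs with >= min_ports distinct ports."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        hits[(rec["src"], rec["dst"])].add(rec["dpt"])
    return {pair: sorted(ports) for pair, ports in hits.items() if len(ports) >= min_ports}


def label_ports(ports):
    """Annotate each port with the name the thread gives it, for a human-readable report."""
    return [(p, PORT_NAMES.get(p, "unknown")) for p in ports]


# Constructed sample: the eleven lines quoted above, plus one ordinary HTTPS connection
# from a documentation-range address and one unrelated UDP line, neither of which is a scan.
SAMPLE_LOG = [
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=18595 -> DPT=81",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=39440 -> DPT=8080",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=14480 -> DPT=80",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=27035 -> DPT=3128",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=41068 -> DPT=6588",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=9200 -> DPT=8081",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=5978 -> DPT=1026",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=61971 -> DPT=3382",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=35001 -> DPT=7032",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=50869 -> DPT=8090",
    "SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=64976 -> DPT=2578",
    "SRC=192.0.2.10 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=51000 -> DPT=443",
    "SRC=192.0.2.53 -> DST=10.0.0.14 -> PROTO=UDP -> SPT=53 -> DPT=40123",
]

if __name__ == "__main__":
    for (src, dst), ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {len(ports)} distinct ports")
        for port, name in label_ports(ports):
            print(f"  {port:>5}  {name}")
```

Real kernel log lines also carry a timestamp and interface fields in front of SRC=, which the regex skips over, so the same function works on a raw `dmesg` or syslog extract.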
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:03PM
if you don't know what your software is doing then terms & conditions obviously don't apply to you /irony
(Score: 2) by xlefay on Wednesday April 09 2014, @08:14PM
Hmm, I didn't say that but I can see how that could have been implied. This wasn't my intention.
(Score: 1) by gishzida on Wednesday April 09 2014, @08:09PM
Yes, but they seem to be knocking on more doors than the code posted does.
Also, I note they are not knocking on port 8000.
The question is why?
(Score: 3, Informative) by xlefay on Wednesday April 09 2014, @08:13PM
From what I'm seeing in the code (note, perl ain't my thing):
my $ports = $constants->{comments_portscan_ports} || '80 8080 8000 3128';
So, it uses the 'comments_portscan_ports' or the default ports. So I'm guessing /. has set those other ports in that constant.
(Score: 3, Informative) by Hairyfeet on Wednesday April 09 2014, @08:32PM
Well, that at least explains why Slash reacted differently when I switched DNS servers; some of the ones I use would have considered that suspect and blocked it. It does make you wonder WTF is going on behind the scenes over there and makes me glad I stopped going, just one more reason to use Soybeans over Slash.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 4, Interesting) by edIII on Wednesday April 09 2014, @10:45PM
THIS.
I was at Slash for quite awhile too and feel much better off here. WTF indeed. I understand passive logging of user details accessing the system, but switching to active probing silently is egregious. It seems like we can blow this out of proportion since it's a simple port scan, but it could be more than that. I feel like going over there and submitting an article linking back to Soylent, but I don't want to start anything.
If you think about Slashdot and what happened over there with corporate interests gradually corrupting it, it does make you wonder what was going on. You go there today and it has 9 different 3rd parties blocked by Ghostery/DoNotTrackMe, one of which is an Internet market research corporation. The rest can be explained by advertising to a degree, but that last one is purely for exploitation.
Soylent should be tearing apart the rest of the code right now to see just what was done with the collected information and start documenting it in the wiki. The results must be logged somewhere unless this code is just orphaned and was never part of any other flow.
It may have been a response to user abuse, but even then, it should have been well documented and part of the sites privacy policy. I just went and read Slashdot's privacy policy on what information they collect. Nowhere do they distinguish between passive data from HTTP requests and headers, and actively sending packets to test for conditions. In fact, the word port is not even present in the entire document.
Yet, I still wonder with something like that in the code if they were violating their own privacy policy.
I hope Soylent figures this out because it makes no sense. Slash silently degraded for sure, but that's a pretty fair departure from where it started out.
Thankfully, we have declared from day one that we are a community first. I appreciate how Soylent has handled this.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @05:45AM
Using a proprietary extension for added privacy/security is... stupid.
(Score: 1) by canopic jug on Saturday April 12 2014, @05:20PM
SN should make sure it can function fully without javascript. While port scans can collect some information, vastly more can be collected once inside the browser. That has already been exploited unofficially [v3.co.uk] at the other site, and the potential for official exploitation is much higher. If javascript is allowed by the browser and required by the site then even if the javascript coming from the site is legit, it is possible to piggy back malicious code on top especially if HTTPS is not used.
All activities, browsing, commenting, moderating and metamoderating need to be fully operational without needing javascript. Much of the eye candy can be provided by CSS3 anyway. If javascript is somehow compelling, make it an option, not a requirement.
While an audit of the scripts might be entertaining and identify what the other site has been up to, it is not necessary. Just take them out.
Money is not free speech. Elections should not be auctions.
(Score: 2) by NCommander on Monday May 05 2014, @04:37AM
Sorry for the late reply to this, but we've done this. We've actually stripped out almost all the JS code from the current dev releases (admins still get jquery loaded dynamically as the admin interface uses it extensively), but aside from new JS for dynamic coding (which silently falls back to the old (aka, "now") behavior), we're almost entirely JS free. Stripping it out of the admin interface will be a nightmare, and it's honestly low priority.
Still always moving
(Score: 1) by canopic jug on Saturday May 10 2014, @09:04AM
Thanks. It is appreciated and makes the site better. The user code was the most problematic so that is enough to help protect users.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @02:52PM
What in the world does your choice of DNS resolver have to do with a Slash server probing the workstation attempting to post to the server's comment database? That's as irrelevant as irrelevant gets.
(Score: 3, Informative) by gishzida on Wednesday April 09 2014, @08:20PM
From several known port lists...
DPT=81 torpark / onion
DPT=8080 Alt Http
DPT=80 http
DPT=3128 squid
DPT=6588 ???
DPT=8081 Alt Http [ePolicy Orchestrator!]
DPT=1026 Often used by Microsoft DCOM services
DPT=3382 Fujitsu Network Enhanced Antitheft function
DPT=7032 ???
DPT=8090 Coral Content Distribution Network (deprecated; 80 and 8080 now supported)
DPT=2578 RVS ISDN DCP
(Score: 2, Informative) by Kymation on Wednesday April 09 2014, @08:44PM
Port 6588 is used by the AnalogX proxy server. I have no idea what would be on 7032.
(Score: 2) by chromas on Thursday April 10 2014, @06:54AM
Netcraft has yet to confirm it but AnalogX is dead. Mark's moved on to something called Ultimate Consignment. Oh well; he beta'd some of his music with obnoxious vocals.
(Score: 5, Insightful) by TrumpetPower! on Wednesday April 09 2014, @07:33PM
So, first, thanks for finding and fixing it, and for being so transparent about it.
My next thought is that, if that loverly little shitbomb was lurking in there all this time, who knows what else may be going on?
I know you've got intentions to do all sorts of overhaul types of things to Slashcode, but, especially in light of this discovery, are there any more immediate plans for a security audit?
b&
All but God can prove this sentence true.
(Score: 4, Informative) by NCommander on Wednesday April 09 2014, @07:39PM
Yes, this is really high up on the priorities list now. We *do* have slash apparmored but we allowed it to talk to anything via TCP/UDP (useful for debugging since staff can use an internal proxy to completely bypass varnish). We're going to look at locking it down so it can only talk to varnish and kill any fun shit like this that originates from the Apache process.
Still always moving
(Score: 2) by frojack on Wednesday April 09 2014, @07:51PM
Can you tell from whence this code came?
Is it in the original Slashcode from slashdot years ago, or something put into the public archives by some nefarious person?
What was done with the information obtained, (open ports)? Were they logged anywhere?
No, you are mistaken. I've always had this sig.
(Score: 3, Informative) by NCommander on Wednesday April 09 2014, @07:56PM
This came from slashcode itself, and was added in 2008. It's been confirmed that slashdot shows the same behavior. I put the git revision in the article itself.
Still always moving
(Score: 2, Interesting) by ticho on Thursday April 10 2014, @06:54AM
For crying out loud, just make a deal with pipedot and ditch that slashabomination already.
(Score: 2) by dmc on Wednesday April 09 2014, @07:55PM
Next thing you know after all the cybersecurity issues this past year, the ISPs (and everyone) will actually start looking at all the traffic going on on their networks and start doing something about the traffic which has no justification for existing (*cough* NSA *cough* GHCQ *cough*).
This issue seems starkly related in my mind to the reporting on heartbleed which talks about "it doesn't leave any trace". Of course a heartbleed attack leaves a trace. The attacker sends and receives packets over various networks. Those packets can be noticed if people actually take the time and effort to look.
I imagine in the coming years there is going to be a lot more looking, and perhaps even some more seething after some more finding.
(Score: 2) by Nerdfest on Wednesday April 09 2014, @08:29PM
I thought it was well known that this was there. I remember log delays when posting on SlashDot about 10 years ago that were caused by the port scan in some environments (where I worked being one of them). I thought it had been removed as I remember it being mentioned and it seemed to speed up. Sounds like these two events were not necessarily related.
(Score: 4, Insightful) by hatta on Wednesday April 09 2014, @07:37PM
A port scan is not an attack. It's wasteful of network resources to scan everyone, but it's not an attack. Which ports are open is public information on the public internet. We have to assume that open ports are open for a reason or the internet doesn't work. We also have to assume that services on those open ports are available for public use, unless there is some form of authentication.
Port scan me all day for all I care. If I have open ports I don't want you to access, that's my problem and my responsibility.
(Score: 2, Insightful) by Anonymous Coward on Wednesday April 09 2014, @07:39PM
Unauthorized port scanning may be strictly prohibited depending on countries laws and there may be legal ramifications
(Score: 2) by snick on Wednesday April 09 2014, @07:52PM
Point your browser at random IP.
You have just performed a (fairly lame) port scan.
Off to prison with you.
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:00PM
Well, don't play this down so quickly. Laws are usually broad and describe something like an "automated attempt" that is performed "deliberately" and "outside of intended behavior", or something like that.
Some lawyer could easily make a case out of nothing
(Score: 2) by frojack on Wednesday April 09 2014, @08:28PM
Well we could certainly make a moral case out of it.
I wonder if a story about this would even be allowed to be printed on Slashdot.
Note, that I've noticed these scans for a long time, and actually have iptables rules in place for them for many years. It never dawned on me they were from slash.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @07:44PM
A web server is treating requests differently depending on what services a client station appears to be running. It's not exactly polite or fair. The web server is explicitly open for probing; the client device, though technically a peer, is not.
(Score: 2) by hatta on Wednesday April 09 2014, @07:49PM
A peer is a peer is a peer. Either they are all explicitly open for probing, or none of them are. The internet only works on a default allow policy.
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @07:59PM
Please tell that to every mobile ISP, telecom carrier, hotspot operator, and SOHO router manufacturer... :)
And tell it to every residential ISP too.
Maybe you haven't noticed, but the peer to peer Internet went bye-bye about 1992.
(Score: 2) by omoc on Wednesday April 09 2014, @08:08PM
That's not always a bad thing; without carrier-grade NAT your mobile would be open to lots of attacks, and it would also deplete the IPv4 address space much quicker.
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:14PM
Well yeah, we know, but that was beside this particular point. There's always a reason, and sometimes a benefit, but the point is that peer to peer can hardly be assumed. And in the classic client/server relationship of most web servers, probing your clients is rude.
(Score: 2) by hatta on Wednesday April 09 2014, @09:44PM
No, without carrier grade NAT, you could still have a carrier grade firewall. NAT is not a security feature, it is a terrible hack with no legitimate use in a well designed system. Running out of IPv4 addresses is a bonus, that will only hasten the implementation of IPv6 everywhere.
(Score: 2) by NCommander on Wednesday April 09 2014, @11:49PM
You're right, it isn't an attack, but it's bad practice to do it and not notify anyone you're doing it. It also triggers aggressive firewalls that detect it as an intrusion attempt (which is what the original reporter ran into). For a standard web application to be auto-scanning with no notification whatsoever is a different beast, especially if it causes corporate firewalls to flag this site as malicious.
Still always moving
(Score: 1) by J053 on Thursday April 10 2014, @01:05AM
(Score: 2) by dbot on Wednesday April 09 2014, @07:38PM
Not to be /that/ guy, but do we really need Fucking in the title?
(Score: 1) by VanessaE on Wednesday April 09 2014, @07:46PM
(Score: 5, Informative) by frojack on Wednesday April 09 2014, @07:48PM
It was justified.
This whole thread should be posted to Slashdot.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:12PM
yes please, and check if BETA is affected as well
(Score: 2) by xlefay on Wednesday April 09 2014, @08:25PM
I only tested classic. I won't dare to step foot into the world of beta, please feel free to do it yourself however.
(Score: 2) by FuckBeta on Wednesday April 09 2014, @08:47PM
Check Beta? No.
Fuck Beta.
Quit Slashdot...because Fuck Beta!
(Score: 2) by krishnoid on Wednesday April 09 2014, @11:09PM
This whole thread should be posted to Slashdot.
Forget that, submit it as a story to show up on the Soylent News front page that a prominent technology blog is portscanning its users.
(Score: 2) by combatserver on Thursday April 10 2014, @12:30AM
"Forget that, submit it as a story to show up on the Soylent News front page that a prominent technology blog is portscanning its users."
Concur. Do it, do it, do it. I can't think of a single action this site could take that would drive more users from Slashdot to Soylentnews. And, it wouldn't even be a cheap-shot...you'd be doing people a favor.
I hope I can change this later...
(Score: 4, Insightful) by MrGuy on Wednesday April 09 2014, @07:53PM
I was going to add a similar comment.
NCommander, as someone who's admittedly been a bit of a hothead back in "those days" of getting the site up, please think a little how this reflects on your professionalism. It's possible for you to convey deep dismay and sound sincere in your apology without coming off like someone flying off the handle.
You're upset. We get it, and we appreciate it. I appreciate you taking the step of publicly acknowledging this. But as the leader of a technical community, consider whether "the guy who gets mad and starts swearing when things upset him" is the image you want.
(Score: 3, Informative) by NCommander on Wednesday April 09 2014, @08:04PM
Point taken. The post has been edited.
Still always moving
(Score: 2) by zim on Thursday April 10 2014, @07:17PM
If people do not like the language here because some evil words jumped out of their screen and touched them funny...
They can leave. There's millions of happy funtime family friendly sites they can view.
(Score: 2) by combatserver on Thursday April 10 2014, @12:24AM
You do realize that this site exists as a result of the "Fuck Beta!" movement, right? I think the response to this discovery was proportional, especially since Slashdot is still doing the same port-scanning. Just one more reason to "Fuck Beta!".
I think NCommander is royally pissed because other people are (among other reasons, I am sure). Just another cut in the Death-by-a-thousand-cuts I've brought up more than once.
I hope I can change this later...
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @10:03AM
I can 100% see where you are coming from, but I think the other side of the coin is that- in this day and age, the fault clearly doesn't lie with the author of the code. But rather with the person who _chose_ to run the _open source_ code _without auditing it sufficiently to notice this in either (a) the source code or (b) inspection of the network traffic to the server they were administering.
Now _that said_, I can totally see myself being in NC's position, doing and feeling the exact same things for the exact same reasons.
The fact of the matter is that even today, nearly a year post Snowden, the _entire internet security community_ knows that it screwed up pretty badly for a decade, and has a $#!+ ton of work to do. And that the first half of that work has to be done simultaneous with the knowledge that the 2nd half of that work will remain undone for the duration.
What has happened is basically this (virtual pontiff hat just donned): for 10 years, the internet security community got away with being pretty fucking lazy and cheap. For 10 years, the NSA and GCHQ and others facilitated and encouraged (with traditionally criminal tactics under sanction of modern governments) a laughable level of laziness and cutting of corners in the internet security field. They fucking loved it. The big publicly traded companies fucking loved it; hell, good security ain't cheap, and that does cut into the bottom line.
But then Snowden came and called out the naked emperor. And this is where we are. Lots of shit to clean up. Lots of dark corners to shine lights in and find more shit to clean up.
Step 1) (with a service like soylent news): take a sample client/server user session, either live or testbed, and run tcpdump, and justify the existence of every packet you see.
I really don't mean to sound arrogant. This stuff is not simple. It takes time, effort. Vigilance is exhausting. But getting angry at the slashcode authors? Seems useless and at least somewhat misdirected. Yet completely understandable (as an initial WTF?!? reaction)
(Score: 2) by NCommander on Thursday April 10 2014, @05:27PM
Slashcode is 250k LOC, how do you quickly audit something of that size? I agree you should audit mission-critical codebases, but SN was put together in less than a week by our crack team of flying monkeys. The situation is further complicated that we're tied to an antique Apache + antique Perl because the Apache 2.x ports never were released open source and the API completely changed. We applied apparmoring to it as a bandaid, and we've modified slash and apache to run non-root which should hopefully reduce our attack profile.
The situation was compounded that the code lies; unless you went through the 10k-ish MySQL.pm line by line, you might not have noticed the port scanning, or saw variables that prevent port scanning in some places, but not all places.
The OpenBSD guys got this right; every bit of code they support gets audited and Theo really understands security on a level most people don't. That being said, OBSD seems to lack quite a few features that would prevent me from using it in production, i.e., something equivalent to AppArmor or SELinux for one. I'd love to see a Linux distro come out with that same policy of code auditing though.
Still always moving
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @08:11PM
I'll give a straight answer to your rhetorical question- Either (a) you don't, or (b) you throw several millions of dollars worth of paid eyeballs at it. I'm guessing nobody involved in SN has several millions of dollars to spare for that (nor the belief that the money wouldn't be better spent on other things), so the resulting choice is (a), but with the caveat- you accept the consequences. This thread being one of them.
I feel like I could almost bet my life on the assertion that if you did spend those millions of dollars, you'd find a dozen other things just as horrifying. About my only criticism of SN I was trying to express was that some of the anger expressed was basically useless if not totally understandable. My advice is merely one of shifting the attitude. I myself take to heart the words of either Snowden, or someone fairly famous talking about the Snowden revelations who said- You basically have in this day and age to assume that several superpowers have owned any internet connected system you are working with. Even non-internet connected systems can have radar reflecting bugs embedded invisibly in their USB ports or anywhere else. We have a decade at least of basic security work before we can even delude ourselves into thinking we have any real cybersecurity anywhere. And that's an optimistic timeframe. I doubt I'll live to see the day I feel like I can write a private journal on a computer that doesn't get checked by big brother for - if not crimethink- terrorist profile calculations (not to mention advertising optimization systems).
I mean fuck, seriously, the washingtonpost reporting on heartbleed referred to the situation with the words "infected systems". If even the washington fucking post can't be troubled to get the terminology of cybersecurity correct- distinguishing between such things as "buggy/vulnerable/outdated" and "infected" then we seriously have a very long way to go still. By choosing to use the word 'infected' WP is (unless they have unreported info they are withholding) furthering the same kind of disinformation campaigns that the NSA successfully used to keep people from doing security right. People need to understand that cybersecurity involves plenty of malicious actors, as well as unintentional mistakes. The fault of the heartbleed bug wasn't the committer of the bug, but the dozens of billion dollar companies that depended on the security of that code, but couldn't be troubled to throw a few engineers at the task of reviewing that code and finding the bug earlier. And the worst thing is that the NSA fucking loves corporate behavior like that.
My point NC isn't that you should have done more, it's that you should have gotten less upset.
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @06:13AM
Reminds me of Steve Ballmer.
(Score: 2) by janrinok on Wednesday April 09 2014, @07:56PM
Point taken - we hope to appeal to a wide audience and such language wouldn't help. It has been modified. Jan
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2) by zim on Thursday April 10 2014, @07:15PM
Real people do not sound like company spokespeople doing a commercial trying to sell you something by being 'professional'.
I like real people. Lets keep that.
(Score: 5, Informative) by zocalo on Wednesday April 09 2014, @07:48PM
And yes, it's still doing it in the latest revisions of the code.
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @07:56PM
I've seen this many times while visiting slash dot. Even found the reason mentioned in the summary after some Googling. I don't really care, there are many IP addresses sending packets to ports every day. And besides, those ports are usually closed on my systems. So if some site wants to scan some of my ports that's cool.
(Score: 1) by GlennC on Wednesday April 09 2014, @08:01PM
I for one was unaware of this "feature."
You found it, acknowledged it and fixed it. That's all we can ask of you.
Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
(Score: 1) by gishzida on Wednesday April 09 2014, @08:02PM
Couldn't someone just reach out to the former SlashDot founders/operators and ask "WTF?" CmdrTaco seems right enough to answer a straight question.
Next what are the signs that slashcode is actively doing this? i.e. what would I see in my win7 firewall logs were I to go to pipedot or the other sites running slashcode?
Is Dicedot [I refuse to call it slashdot] currently [actively] doing port scans?
What if anything was the DB doing with the info? Are there any pre-written queries that would return the results of the probe?
Is it possible that it was a doorknock sequence for "remote control" purposes? [yeah that's a wild guess but weirder things have been known to occur... though why it would do it to every client]
Is this an indication that the slashcode repository has been tainted or pwned?
Is there any versioning info explaining why that code exists?
(Score: 2) by xlefay on Wednesday April 09 2014, @08:22PM
> Next what are the signs that slashcode is actively doing this? i.e. what would I see in my win7 firewall logs were I to go to pipedot or the other sites running slashcode?
Just monitor some ports (like 8080) when commenting on a site powered by Slashcode.
Also, Pipedot doesn't run Slashcode. Last I checked (when I saw a php error a while ago) they were using, you guessed it, PHP.
> Is Dicedot [I refuse to call it slashdot] currently [actively] doing port scans?
Yes they are, see: https://soylentnews.org/comments.pl?sid=1195&cid=29035 [soylentnews.org]
> What if anything was the DB doing with the info? Are there any pre-written queries that would return the results of the probe?
The only thing I know they do is check if they already probed the IP.
> Is this an indication that the slashcode repository has been tainted or pwned?
Tainted? It contains slashcode ;-)
--
I just answered the stuff I know.
(Score: 2, Informative) by mbadolato on Wednesday April 09 2014, @11:23PM
I posted [ycombinator.com] a link to this story on HackerNews and in the comments, CmdrTaco himself replied [ycombinator.com].
(Score: 2) by NCommander on Thursday April 10 2014, @12:16AM
I replied with my insights on that. Most of my anger over this issue is finding out we're tripping IDSes from undocumented behaviour in slash, even though the proxy scanning code vars are disabled. Perhaps I wrote a tad rashly, and I understand the purpose. The fact is that no website should ever trigger an IDS or malware detector, and the fact we were pissed me off to no end.
Still always moving
(Score: 1) by pikoro on Thursday April 10 2014, @06:12AM
Instead of disabling the code, how about fixing slashcode so it actually minds the settings in the db as to whether it should be enabled or disabled. Then update the FAQ or privacy policy or whatnot to mention that it is happening. I would also put the scanned ports in the db instead of having it hardcoded. Hardcoding things is just one more way for things to get "lost" in perl.
(Score: 2) by NCommander on Thursday April 10 2014, @05:28PM
No website should ever trigger an IDS system. Portscanning of any kind will. This feature in this form is dead and will not be returning.
Still always moving
(Score: 4, Funny) by darkfeline on Wednesday April 09 2014, @08:05PM
As a programmer, I'm much more disturbed by the fact that this was in the database code. As others have mentioned, while being port-scanned is certainly not pleasant, it's not really *wrong* either. It's akin to being stared at for a few seconds beyond the awkward cutoff when in public, uncomfortable for some, perhaps, but perfectly normal. But putting code where it doesn't belong? That's unforgivable. It needs to be refactored ASAP, before someone dies. Programmer rage is a legitimate workplace hazard.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:17PM
I think a good guess was they threw it in there because they only cared about proxying spammers when one of them was about to successfully commit to a database change. Displaying form data and requests doesn't mean the post was actually being published...
(Score: 2) by Thexalon on Wednesday April 09 2014, @09:01PM
I certainly find it suspicious that it was in the database code - it suggests that somebody was in fact trying to hide it.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 2) by khallow on Wednesday April 09 2014, @09:06PM
The AC above you had a good point. They probably wouldn't care about the fun and games until it became time for dumping some spam in the database. Or it might be that the database monkey was the one asked to fix the problem and this was in their scope.
(Score: 3, Informative) by NCommander on Wednesday April 09 2014, @11:54PM
I don't think this was malicious; just laziness since there's no general Misc module. The DB library is something of a catch all of random crap that doesn't fit anywhere else, and it can be accessed from any module by doing getCurrentDatabase, then calling methods from DB.
Still always moving
(Score: 1) by migz on Thursday April 10 2014, @11:37AM
As a dev with over 20 years experience I have seen misc code creep into the db module of many projects. It's probably because it is included in just about every piece of code. It's easier to dump it there than refactoring the planet. Unfortunately hacks like this create a lot of bit-rot. And since they are often done in a hurry to "save time" they never get fixed.
But seriously a port scanner? This one needs a feature on daily WTF.
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:18PM
I've seen that whenever I posted on the other site. I only had a service running on port 80, so that's all I saw. It connects, and tries to get which fails because I'm not running an open proxy. It did this once for every comment, although I haven't checked recently (I don't go to that site very much these days).
(Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:20PM
It's supposed to say "tries to get < http://slashdot.org/ok.txt [slashdot.org] > ". I don't see why I should have to escape the angle brackets if I've selected "plain old text" as my format.
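xlefay's suggestion above to watch ports such as 8080 while commenting, and the AC's report of a GET for ok.txt arriving on port 80, together describe what the probe looks like from the commenter's side. The following is an added example, not code from Slashcode or from any commenter, that flags such a probe in a host's own logs; it assumes an Apache combined access log and an iptables LOG line prefixed with an ISO-8601 timestamp, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PROBE_PORTS = {80, 8080, 8000, 3128}  # default port list in checkForOpenProxy
# Assumed log formats: Apache combined access log, and an iptables LOG line
# prefixed with an ISO-8601 timestamp (both constructed for this example).
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\w+ (\S+) [^"]*"')
FW_RE = re.compile(r'^(\S+) .*\bSRC=(\S+) .*\bDPT=(\d+)')

def parse_events(access_lines, fw_lines):
    """Yield (time, src_ip, dst_port, proxied_ok_txt) from both logs."""
    for line in access_lines:
        if m := ACCESS_RE.match(line):
            src, ts, target = m.groups()
            when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
            # A request relayed via a proxy names an absolute URI, not a path.
            yield when, src, 80, target.startswith("http") and target.endswith("/ok.txt")
    for line in fw_lines:
        if m := FW_RE.match(line):
            ts, src, dpt = m.groups()
            yield datetime.fromisoformat(ts), src, int(dpt), False

def find_probes(access_lines, fw_lines, window=timedelta(seconds=15)):
    """Map src_ip -> sorted probe ports for sources that asked a local
    listener to fetch /ok.txt, or that hit 2+ probe ports within `window`."""
    by_src = defaultdict(list)
    for when, src, port, proxied in parse_events(access_lines, fw_lines):
        if port in PROBE_PORTS:
            by_src[src].append((when, port, proxied))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - t0 <= window]
            if any(e[2] for e in burst) or len({e[1] for e in burst}) >= 2:
                findings[src] = sorted({e[1] for e in burst})
                break
    return findings

ACCESS = [  # constructed sample: one proxy-style probe, one normal request
    '203.0.113.7 - - [09/Apr/2014:20:17:02 +0000] "GET http://example.org/ok.txt HTTP/1.1" 404 196 "-" "libwww-perl"',
    '198.51.100.9 - - [09/Apr/2014:20:10:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
FIREWALL = [  # constructed sample: the same source touching the other ports
    '2014-04-09T20:17:02 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44120 DPT=8080',
    '2014-04-09T20:17:03 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44121 DPT=8000',
    '2014-04-09T20:17:03 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44122 DPT=3128',
    '2014-04-09T21:00:00 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=22',
]
```

Running find_probes(ACCESS, FIREWALL) reports the single probing source with all four ports it touched, while the ordinary visitor is not flagged.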
(Score: 1) by David_W on Wednesday April 09 2014, @08:56PM
Because it is Slash. ;)
(Score: 2, Insightful) by urza9814 on Wednesday April 09 2014, @08:24PM
I recall hearing about this a couple times in the past on Dice's site. And I agree with some of the other comments saying this isn't a huge deal -- seems there was a legitimate (if misguided) reasoning behind it as spam prevention. I don't think it was GOOD reasoning, and discriminating against proxies annoys me to no end (I browse exclusively through Tor on my phone, which makes many sites totally inaccessible) but I'd hardly call it malicious in any way.
But your reaction to this is what really made an impression. You've just cemented my loyalty to this site. Great to see you're cleaning this crap up and keeping everyone well informed regardless of what you find. Wish all -- or hell, ANY -- other sites were so respectful and responsible regarding their users! :)
(Score: 1) by datapharmer on Wednesday April 09 2014, @11:36PM
What is inexcusable isn't that the port scanning was done; why it was done is clear (even if the reasoning was poor). The real tragedy is how awful that code is... they've got a friggin' variable to disable this function and it STILL runs the portscan when disabled. I've dealt with code (at least) this bad before and it isn't fun. Here's to these folks getting the spaghetti mess cleaned up!
(Score: 2) by NCommander on Wednesday April 09 2014, @11:46PM
The code quality varies from decent, to ok, to crap. A lot of the later stuff falls into the crap category; Firehose and D2 were so badly implemented that even if we had the complete code for it, I would have scrapped it and re-implemented. The biggest saving point is slash scales nicely (and is known to scale well), *and* at the very least, it's got a decent architecture/sane data storage models.
Still always moving
(Score: 2) by Sir Garlon on Wednesday April 09 2014, @08:46PM
To paraphrase Dekkard from Blade Runner: "I was quit (from other site) when I came in here. I'm twice as quit now."
Seriously, I am half tempted to log in to the other site just so I can ragequit it again. But I don't want to get portscanned, so I'll just bitch about it instead.
NCommander, your ethics rock!
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
(Score: 2) by FuckBeta on Wednesday April 09 2014, @08:51PM
+1
Yep, Fuck Beta.
Quit Slashdot...because Fuck Beta!
(Score: 1) by opinionated_science on Wednesday April 09 2014, @09:39PM
a nice catch! And one of the many, many, many, many reasons I like FOSS.
Phuck Beeta
(Score: 2) by isostatic on Wednesday April 09 2014, @10:54PM
This has been in slash code for years, as open source. It's not even deliberately hidden. Yet no one found it.
(Score: 1) by Fnord666 on Wednesday April 09 2014, @10:04PM
(Score: 1) by datapharmer on Wednesday April 09 2014, @11:20PM
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @03:13AM
B is actually a really good idea. If you've been following the news lately, you know:
surfing the public web on a device = that device may as well belong to the NSA.
And if you trust the NSA, fine -- what about other governments? Do you trust the Chinese intelligence/military?
OK, let's say you're really trusting, you trust any government, because they're the government. Fine! But governments don't have a monopoly on zero-day exploits, they just have more of them. Online criminals are getting more organized, and the more they succeed the more money they'll have to reinvest in finding and stockpiling zero-days.
You mention your "secure networks" so I assume you actually have stuff you want to keep safe on them, or maybe even stuff your customers want to keep safe. So secure that you have some pretty aggressive firewall rules to help. Good idea, by the way, although it will mostly just help keep the logs clean. People with access to botnets (i.e., organized cybercriminals, i.e., your MAIN threat if you are a "normalish" site that is not interesting to governments and also not vulnerable to script kiddies because you do the basic stuff -- decent passwords, stay up to date on security patches) will still be able to portscan you anyway, by using a uniquely different zombie machine for every connection they [attempt to] open to your machine.
So maybe you should be using a separate device for browsing the public web. A web browser executing on a machine that can't access anything sensitive. Anything less is the same as putting extra locks on the doors but not putting bars on the windows... in a neighborhood where breakins mostly happen through windows
It doesn't have to be your phone. If you can't afford to partially dedicate an old machine for websurfing, use a VM. It's less secure than using a physical machine, but much more secure than doing nothing and running your web browser on your sensitive machine directly -- the attacker needs 2 independent zero-days instead of 1. Pick your hypervisor based on researching which one seems to have the smallest history of VM breakout exploits. Keep browser and hypervisor constantly up to date regarding security patches.
I admit I don't do that either. But at least I feel guilty about it, heh :-)
And I'm not safeguarding something on my network as important as it sounds like you are.
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @03:22AM
Also, just use a VPN. The scan won't hit your corporate firewall.
(Score: 2) by mendax on Wednesday April 09 2014, @11:23PM
Always look at the positives in every situation, whoever carried out this nefarious evil deed had the decency to comment the code.
As for looking for who to blame, I offer my evil black cat. She's a sink of evil and too smart for her own good. Perhaps she was doing things on my computer while I was sleeping way back in 2008.
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 2, Interesting) by Kippesoep on Wednesday April 09 2014, @11:43PM
I sent a report and complaint about this to Slashdot many years ago, probably late 2007, early 2008, as it blocked me from commenting due to unrelated services I had running on those ports (and even when I closed the ports, the results of the previous scan remained cached). My report was never acknowledged.
I remember having some very uncivilised thoughts in my head reserved for the idiot who decided this was a good idea.
(Score: 3, Interesting) by Techwolf on Wednesday April 09 2014, @11:58PM
I can't believe how so many get that wrong. Checking for an open proxy is not portscanning; if it was, the ToS of datacenters would define it that way.
I'd like to see proof that this is portscanning please.
(Score: 2) by zim on Thursday April 10 2014, @07:28PM
That's pretty much the definition of portscanning.
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @05:52AM
According to Wikipedia https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers [wikipedia.org]
Scary stuff https://en.wikipedia.org/wiki/Desktop_Management_Interface [wikipedia.org]