SoylentNews is people

posted by NCommander on Wednesday April 09 2014, @07:26PM
from the seething-with-anger dept.
I've pushed an emergency fix to production to close bug #142 on the tracker. For those unaware, Slashcode portscans every user when they log in or post a comment. While we knew that there was some code involved in checking for open proxies, I thought it had been disabled, and the default settings in the database all default to off. The fact of the matter, though, is that the backend was ignoring all disable checks in the database and scanning every IP to see if it was a proxy on ports 80, 3128, 8000, and 8080.

I'm f****** seething; this is unacceptable for any site, and this behaviour isn't documented anywhere. We've been portscanning since day one and were completely unaware of it. My guess is almost everyone here was unaware of this "feature" as well. Our submitter reports Slashdot did this as well. There is no notification or link in the FAQ that this is done; unless you were checking your firewall rules religiously, this would have gone completely unnoticed.

I'm seething and furious at the moment. How on earth is this acceptable behaviour? I understand proxy scanning; most IRC networks do it, but they notify you that they are doing so. Furthermore, a basic web application should not be probing its end users; I'm absolutely flabbergasted that this exists, as were most of the staff when it was brought to our attention. On behalf of the site, I want to offer a formal apology for this clusterf***.

Addendum: Since writing this, I've written a follow-up on why this got me so upset in my journal. I've got journal replies set to on, and will respond to anyone both here and there.

Here's the relevant bit of code from Slash/DB/MySQL/MySQL.pm (yes, it lives in the DB API; no, I don't know why):
sub checkForOpenProxy {
    my($self, $ip) = @_;
    # If we weren't passed an IP address, default to whatever
    # the current IP address is.
    if (!$ip && $ENV{GATEWAY_INTERFACE}) {
        my $r = Apache->request;
        $ip = $r->connection->remote_ip if $r;
    }

    # If we don't have an IP address, it can't be an open proxy.
    return 0 if !$ip;
    # Known secure IPs also don't count as open proxies.
    my $constants = getCurrentStatic();
    my $gSkin = getCurrentSkin();

    my $secure_ip_regex = $constants->{admin_secure_ip_regex};
    return 0 if $secure_ip_regex && $ip =~ /$secure_ip_regex/;

    # If the IP address is already one we have listed, use the
    # existing listing.
    my $port = $self->getKnownOpenProxy($ip);
    if (defined $port) {
        #print STDERR scalar(localtime) . " cfop no need to check ip '$ip', port is '$port'\n";
        return $port;
    }
    #print STDERR scalar(localtime) . " cfop ip '$ip' not known, checking\n";

    # No known answer; probe the IP address and get an answer.
    my $ports = $constants->{comments_portscan_ports} || '80 8080 8000 3128';
    my @ports = grep /^\d+$/, split / /, $ports;
    return 0 if !@ports;
    my $timeout = $constants->{comments_portscan_timeout} || 5;
    my $connect_timeout = int($timeout/scalar(@ports)+0.2);
    my $ok_url = "$gSkin->{absolutedir}/ok.txt";

    my $pua = Slash::Custom::ParUserAgent->new();
    $pua->redirect(1);
    $pua->max_redirect(3);
    $pua->max_hosts(scalar(@ports));
    $pua->max_req(scalar(@ports));
    $pua->timeout($connect_timeout);

    #use LWP::Debug;
    #use Data::Dumper;
    #LWP::Debug::level("+trace"); LWP::Debug::level("+debug");

    my $start_time = Time::HiRes::time;

    local $_proxy_port = undef;
    sub _cfop_callback {
        my($data, $response, $protocol) = @_;
        #print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . ($response->is_success() ? $response->content() : "(fail)") . "'\n";
        if ($response->is_success() && $data eq "ok\n") {
            # We got a success, so the IP is a proxy.
            # We should know the proxy's port at this
            # point; if not, that's remarkable, so
            # print an error.
            my $orig_req = $response->request();
            $_proxy_port = $orig_req->{_slash_proxytest_port};
            if (!$_proxy_port) {
                print STDERR scalar(localtime) . " _cfop_callback got data but no port, protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . $response->content() . "'\n";
            }
            $_proxy_port ||= 1;
            # We can quit listening on any of the
            # other ports that may have connected,
            # returning immediately from the wait().
            # So we want to return C_ENDALL. Except
            # C_ENDALL doesn't seem to _work_, it
            # crashes in _remove_current_connection.
            # Argh. So we use C_LASTCON.
            return LWP::Parallel::UserAgent::C_LASTCON;
        }
        #print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' succ '0'\n";
    }

    #print STDERR scalar(localtime) . " cfop beginning registering\n";
    for my $port (@ports) {
        # We switch to a new proxy every time thru: the user's own
        # IP, on this port, becomes the HTTP proxy for the request.
        $pua->proxy('http', "http://$ip:$port/");
        my $req = HTTP::Request->new(GET => $ok_url);
        $req->{_slash_proxytest_port} = $port;
        #print STDERR scalar(localtime) . " cfop registering for proxy '$pua->{proxy}{http}'\n";
        $pua->register($req, \&_cfop_callback);
    }
    #print STDERR scalar(localtime) . "pua: " . Dumper($pua);
    my $elapsed = Time::HiRes::time - $start_time;
    my $wait_timeout = int($timeout - $elapsed + 0.5);
    $wait_timeout = 1 if $wait_timeout < 1;
    $pua->wait($wait_timeout);
    #print STDERR scalar(localtime) . " cfop done with wait, returning " . (defined $_proxy_port ? 'undef' : "'$port'") . "\n";
    $_proxy_port = 0 if !$_proxy_port;
    $elapsed = Time::HiRes::time - $start_time;

    # Store this value so we don't keep probing the IP.
    $self->setKnownOpenProxy($ip, $_proxy_port, $elapsed);

    return $_proxy_port;
}
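To make concrete what the excerpt above does to a user's machine, here is an added example (my own code, not Slashcode's) that reimplements the probe at the wire level in Python: for each port it opens a TCP connection to the user's IP, sends the site's ok.txt URL as a forward-proxy request (what LWP emits after $pua->proxy('http', "http://$ip:$port/")), and counts the port as an open proxy only if a 200 comes back with the exact body "ok\n", the same test as _cfop_callback. OK_URL, DEFAULT_PORTS and the two local test servers are constructed stand-ins for $gSkin->{absolutedir}/ok.txt, the comments_portscan_ports default, and an open proxy versus an ordinary web server; everything runs against 127.0.0.1, so it touches nothing outside the host.

```python
"""Added example: wire-level re-implementation of Slashcode's open-proxy probe.

Not Slashcode's own code. Runs offline against two constructed test doubles on
127.0.0.1: a misconfigured open proxy and an ordinary origin server.
"""
import socket
import threading
from urllib.parse import urlsplit

# Assumed stand-ins for "$gSkin->{absolutedir}/ok.txt" and for the
# comments_portscan_ports default in the Slashcode excerpt.
OK_URL = "http://example.invalid/ok.txt"
DEFAULT_PORTS = (80, 8080, 8000, 3128)


def build_proxy_request(url: str) -> bytes:
    """Request as a client sends it to a *forward proxy*: the absolute URI on
    the request line, not just the path."""
    host = urlsplit(url).hostname
    return (f"GET {url} HTTP/1.0\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode()


def probe_port(ip: str, port: int, ok_url: str = OK_URL, timeout: float = 1.0) -> bool:
    """True iff ip:port relays the request and returns exactly "ok\\n"
    (Slashcode: $response->is_success() && $data eq "ok\\n"). A refused,
    reset or timed-out connection is "not a proxy", the normal outcome for
    an end user's machine, which still receives one SYN per probed port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(build_proxy_request(ok_url))
            raw = bytearray()
            while chunk := sock.recv(4096):
                raw += chunk
    except OSError:
        return False
    head, sep, body = bytes(raw).partition(b"\r\n\r\n")
    if not sep:
        return False
    status = head.split(b"\r\n", 1)[0].split()
    return len(status) >= 2 and status[1] == b"200" and body == b"ok\n"


def check_for_open_proxy(ip, ports=DEFAULT_PORTS, ok_url=OK_URL, timeout=1.0):
    """Sequential counterpart of checkForOpenProxy(): first port that proxied
    our request, else 0. (The excerpt fires all ports in parallel and follows
    up to three redirects; neither changes the verdict.)"""
    for port in ports:
        if probe_port(ip, port, ok_url, timeout):
            return port
    return 0


# --- constructed test doubles so the example runs offline -------------------

def _serve(handler) -> int:
    """Serve one request per connection on an ephemeral 127.0.0.1 port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.sendall(handler(conn.recv(4096)))
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def open_proxy_handler(req: bytes) -> bytes:
    """Misconfigured forward proxy: would fetch any absolute URI for anyone.
    Here it fakes the fetch and returns the body ok.txt would carry."""
    if req.startswith(b"GET http://"):
        return (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
                b"Content-Length: 3\r\nConnection: close\r\n\r\nok\n")
    return b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def origin_server_handler(req: bytes) -> bytes:
    """Ordinary web server on the user's box: refuses to act as a proxy."""
    return b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"


def demo() -> dict:
    proxy_port = _serve(open_proxy_handler)
    web_port = _serve(origin_server_handler)
    closed = socket.socket()               # bound but never listening, so
    closed.bind(("127.0.0.1", 0))          # connect() is refused, like a
    closed_port = closed.getsockname()[1]  # port with nothing behind it
    try:
        return {
            "proxy_port": proxy_port,
            "detected": check_for_open_proxy("127.0.0.1", (closed_port, web_port, proxy_port)),
            "clean": check_for_open_proxy("127.0.0.1", (closed_port, web_port)),
        }
    finally:
        closed.close()


if __name__ == "__main__":
    print(demo())  # 'detected' equals 'proxy_port'; 'clean' is 0
```

Run it directly to see the verdict against the fake open proxy and the ordinary web server. Two properties of the original are worth noticing here: the verdict is cached per IP (setKnownOpenProxy), so a user behind a shared NAT inherits whatever the first poster from that address was classified as; and the probe only ever sees ports in comments_portscan_ports within comments_portscan_timeout, so it is a weak open-proxy detector while still sending a SYN per port to every non-proxy user, which is exactly the firewall noise xlefay reports in the comments.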


Leave your comments below; I want to know how others feel about this "feature".

Update: We've confirmed that slashdot.jp and Barrapunto predate this feature being added to the codebase; according to the git log, it was added in commit 177e2213 at 2008-04-16 19:07:46 +0000.
 
  • (Score: 2, Interesting) by Anonymous Coward on Wednesday April 09 2014, @07:33PM (#29019)

    Is it just banning posts from anything deemed a proxy site? Is the information being stored for later reference? Are these open port results re-probed or re-used anywhere else?

    And why would the code care if people used a proxy site in order to make a post? Was it simply to avoid alts and astroturfing? Was there any OTHER reason to port scan?

  • (Score: 0) by Anonymous Coward on Wednesday April 09 2014, @07:44PM (#29029)

    It does not really matter; the process itself may be prohibited by your host, and you just broke their terms and conditions.

    • (Score: 5, Informative) by xlefay (65) on Wednesday April 09 2014, @07:48PM (#29035)

      In fairness, we didn't know about this, but I just confirmed that Slashdot does it:

      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=18595 -> DPT=81
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=39440 -> DPT=8080
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=14480 -> DPT=80
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=27035 -> DPT=3128
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=41068 -> DPT=6588
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=9200 -> DPT=8081
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=5978 -> DPT=1026
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=61971 -> DPT=3382
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=35001 -> DPT=7032
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=50869 -> DPT=8090
      SRC=216.34.181.45 -> DST=10.0.0.14 -> PROTO=TCP -> SPT=64976 -> DPT=2578

      • (Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:03PM (#29053)

        If you don't know what your software is doing, then terms & conditions obviously don't apply to you. /irony

        • (Score: 2) by xlefay (65) on Wednesday April 09 2014, @08:14PM (#29065)

          Hmm, I didn't say that but I can see how that could have been implied. This wasn't my intention.

      • (Score: 1) by gishzida (2870) on Wednesday April 09 2014, @08:09PM (#29060)

        Yes, but they seem to be knocking on more doors than the code posted does.

        Also, I note they are not knocking on port 8000.

        The question is: why?

        • (Score: 3, Informative) by xlefay (65) on Wednesday April 09 2014, @08:13PM (#29063)

          From what I'm seeing in the code (note, Perl ain't my thing):

          my $ports = $constants->{comments_portscan_ports} || '80 8080 8000 3128';

          So, it uses the 'comments_portscan_ports' or the default ports. So I'm guessing /. has set those other ports in that constant.

          • (Score: 3, Informative) by Hairyfeet (75) on Wednesday April 09 2014, @08:32PM (#29086)

            Well, that at least explains why Slash reacted differently when I switched DNS servers; some of the ones I use would have considered that suspect and blocked it. It does make you wonder WTF is going on behind the scenes over there, and makes me glad I stopped going; just one more reason to use Soybeans over Slash.

            --
            ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
            • (Score: 4, Interesting) by edIII (791) on Wednesday April 09 2014, @10:45PM (#29133)

              THIS.

              I was at Slash for quite a while too and feel much better off here. WTF indeed. I understand passive logging of user details accessing the system, but switching to active probing silently is egregious. It seems like we can blow this out of proportion since it's a simple port scan, but it could be more than that. I feel like going over there and submitting an article linking back to Soylent, but I don't want to start anything.

              If you think about Slashdot and what happened over there with corporate interests gradually corrupting it, it does make you wonder what was going on. You go there today and it has 9 different 3rd parties blocked by Ghostery/DoNotTrackMe, one of which is an Internet market research corporation. The rest can be explained by advertising to a degree, but that last one is purely for exploitation.

              Soylent should be tearing apart the rest of the code right now to see just what was done with the collected information and start documenting it in the wiki. The results must be logged somewhere unless this code is just orphaned and was never part of any other flow.

              It may have been a response to user abuse, but even then, it should have been well documented and part of the sites privacy policy. I just went and read Slashdot's privacy policy on what information they collect. Nowhere do they distinguish between passive data from HTTP requests and headers, and actively sending packets to test for conditions. In fact, the word port is not even present in the entire document.

              Yet, I still wonder with something like that in the code if they were violating their own privacy policy.

              I hope Soylent figures this out because it makes no sense. Slash silently degraded for sure, but that's a pretty fair departure from where it started out.

              Thankfully, we have declared from day one that we are a community first. I appreciate how Soylent has handled this.

              --
              Technically, lunchtime is at any moment. It's just a wave function.
              • (Score: 0) by Anonymous Coward on Thursday April 10 2014, @05:45AM (#29278)

                Ghostery

                Using a proprietary extension for added privacy/security is... stupid.

              • (Score: 1) by canopic jug (3949) on Saturday April 12 2014, @05:20PM (#30560)

                SN should make sure it can function fully without JavaScript. While port scans can collect some information, vastly more can be collected once inside the browser. That has already been exploited unofficially [v3.co.uk] at the other site, and the potential for official exploitation is much higher. If JavaScript is allowed by the browser and required by the site, then even if the JavaScript coming from the site is legit, it is possible to piggyback malicious code on top, especially if HTTPS is not used.

                All activities, browsing, commenting, moderating and metamoderating need to be fully operational without needing javascript. Much of the eye candy can be provided by CSS3 anyway. If javascript is somehow compelling, make it an option, not a requirement.

                While an audit of the scripts might be entertaining and identify what the other site has been up to, it is not necessary. Just take them out.

                --
                Money is not free speech. Elections should not be auctions.
                • (Score: 2) by NCommander (2) on Monday May 05 2014, @04:37AM (#39670)

                  Sorry for the late reply to this, but we've done this. We've actually stripped out almost all the JS code from the current dev releases (admins still get jQuery loaded dynamically, as the admin interface uses it extensively), but aside from new JS for dynamic coding (which silently falls back to the old (aka "now") behavior), we're almost entirely JS free. Stripping it out of the admin interface will be a nightmare, and it's honestly low priority.

                  --
                  Still always moving
                  • (Score: 1) by canopic jug (3949) on Saturday May 10 2014, @09:04AM (#41533)

                    Thanks. It is appreciated and makes the site better. The user code was the most problematic so that is enough to help protect users.

                    --
                    Money is not free speech. Elections should not be auctions.
            • (Score: 0) by Anonymous Coward on Thursday April 10 2014, @02:52PM (#29471)

              What in the world does your choice of DNS resolver have to do with a Slash server probing the workstation attempting to post to the server's comment database? That's as irrelevant as irrelevant gets.

      • (Score: 3, Informative) by gishzida (2870) on Wednesday April 09 2014, @08:20PM (#29071)

        From several known port lists...

        DPT=81 torpark / onion
        DPT=8080 Alt HTTP
        DPT=80 HTTP
        DPT=3128 Squid
        DPT=6588 ???
        DPT=8081 Alt HTTP [ePolicy Orchestrator!]
        DPT=1026 Often used by Microsoft DCOM services
        DPT=3382 Fujitsu Network Enhanced Antitheft function
        DPT=7032 ???
        DPT=8090 Coral Content Distribution Network (deprecated; 80 and 8080 now supported)
        DPT=2578 RVS ISDN DCP

        • (Score: 2, Informative) by Kymation (1047) on Wednesday April 09 2014, @08:44PM (#29089)

          Port 6588 is used by the AnalogX proxy server. I have no idea what would be on 7032.

          • (Score: 2) by chromas (34) on Thursday April 10 2014, @06:54AM (#29308)

            Netcraft has yet to confirm it but AnalogX is dead. Mark's moved on to something called Ultimate Consignment. Oh well; he beta'd some of his music with obnoxious vocals.
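Since, as the article says, the only way to notice this was watching your firewall, here is an added example (not from the page, nor Slashcode's code) of the detection side: a small Python filter that reads iptables LOG lines and flags a source that SYNs to several of the proxy ports within a few seconds, which is what the Slashcode probe looks like from the receiving end (all ports fired in parallel, one SYN each, inside comments_portscan_timeout). The log lines are constructed for this example, in raw iptables LOG format rather than the trimmed form xlefay pasted, and use RFC 5737 documentation addresses; the port set combines the excerpt's defaults with the ports gishzida listed. A browser re-hitting port 80, or a slow trickle of single hits over twenty minutes, is deliberately not flagged.

```python
"""Added example: spotting Slashcode-style proxy probing in an iptables LOG.

Not part of the page or of Slashcode. SAMPLE_LOG is constructed; the
addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

# Excerpt's defaults (80 8080 8000 3128) plus the ports seen in xlefay's log.
PROXY_PORTS = {80, 81, 1026, 2578, 3128, 3382, 6588, 7032, 8000, 8080, 8081, 8090}

# syslog prefix, then the iptables LOG key=value fields we care about.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?\bSRC=(?P<src>[\d.]+) .*?\bPROTO=(?P<proto>\w+) .*?\bDPT=(?P<dpt>\d+)\b"
)

# Constructed sample: one probing source (5 proxy ports in ~1 s), one normal
# web client (80, 80, 443), one slow trickle spread over 20 minutes.
SAMPLE_LOG = """\
Apr  9 19:40:01 gw kernel: [812.10] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.14 LEN=60 TTL=50 ID=1 DF PROTO=TCP SPT=18595 DPT=81 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 19:40:01 gw kernel: [812.11] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.14 LEN=60 TTL=50 ID=2 DF PROTO=TCP SPT=39440 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 19:40:01 gw kernel: [812.11] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.14 LEN=60 TTL=50 ID=3 DF PROTO=TCP SPT=14480 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 19:40:02 gw kernel: [812.95] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.14 LEN=60 TTL=50 ID=4 DF PROTO=TCP SPT=27035 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 19:40:02 gw kernel: [812.96] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.14 LEN=60 TTL=50 ID=5 DF PROTO=TCP SPT=41068 DPT=6588 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 19:40:05 gw kernel: [815.02] IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.14 LEN=60 TTL=55 ID=6 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  9 19:40:06 gw kernel: [816.40] IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.14 LEN=60 TTL=55 ID=7 DF PROTO=TCP SPT=51002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  9 19:40:07 gw kernel: [817.11] IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.14 LEN=60 TTL=55 ID=8 DF PROTO=TCP SPT=51004 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  9 19:41:30 gw kernel: [900.00] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.14 LEN=60 TTL=60 ID=9 DF PROTO=TCP SPT=60001 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 19:55:12 gw kernel: [1722.0] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.14 LEN=60 TTL=60 ID=10 DF PROTO=TCP SPT=60002 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 19:59:48 gw kernel: [1998.0] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.14 LEN=60 TTL=60 ID=11 DF PROTO=TCP SPT=60003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 20:00:01 gw kernel: [2011.0] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.14 LEN=40 TTL=60 ID=12 DF PROTO=UDP SPT=53 DPT=3128 LEN=20
"""


def parse_line(line: str, year: int = 2014):
    """(timestamp, src, proto, dport, syn) for an iptables LOG line, else None.
    syslog lines carry no year, so the caller supplies it."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"]), " SYN " in line


def find_proxy_probes(lines, min_ports: int = 3, window_s: int = 10) -> dict:
    """{src: sorted ports} for sources whose TCP SYNs reach at least min_ports
    distinct PROXY_PORTS within any window_s-second window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, proto, dport, syn = rec
        if proto == "TCP" and syn and dport in PROXY_PORTS:
            events[src].append((ts, dport))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):   # window anchored at each hit
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_proxy_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed proxy ports {ports}")
```

Feed it `journalctl -k` or /var/log/kern.log output on a box whose INPUT chain logs new connections. The window and port set are the knobs: the excerpt's default timeout is 5 seconds, so anything that lands inside 10 seconds is generous, and a site that has changed comments_portscan_ports (as Slashdot evidently had, judging by xlefay's log) needs its extra ports added to PROXY_PORTS to be caught.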
