Stories
Slash Boxes
Comments

SoylentNews is people

posted by NCommander on Wednesday April 09 2014, @07:26PM   Printer-friendly
from the seething-with-anger dept.
I've pushed an emergency fix to production to close bug #142 on the tracker. For those unaware, Slashcode portscans every user when they login or post a comment. While we knew that there was some code involved in checking for open proxies, I thought it had been disabled, and the default settings in the database all default to off. The fact of the matter though is the backend was ignoring all disable checks in the database and scanning every IP to see if they were a proxy on ports 80, 3123, 8000, and 8080.

I'm f****** seething; this is unacceptable for any site, and this behaviour isn't documented anywhere; we've been portscanning since day one and were completely unaware of it. My guess is almost everyone here was unaware of this "feature" as well. Our submitter reports slashdot did this as well. There is no notification or link in the FAQ that this is done, unless you were checking your firewall rules religiously, this would have been completely unnoticed.

I'm seething and furious at the moment. How on earth is this acceptable behaviour? I understand proxy scanning; most IRC networks do it, but they notify you that they are doing so. Furthermore, a basic web application should not be probing their end users; I'm absolutely flabbergasted that this exists, as were most of the staff when it was brought to our attention. On behalf of the site, I want to offer a formal apology for this clusterf***.

Addendum: Since writing this, I've written a follow up on why this got me so upset in my journal. I've got journal replies set to on, and will respond to anyone both here and there.Here's the revelent bit of code from Slash/DB/MySQL/MySQL.pm (yes, it lives in the DB API, no I don't know why)
sub checkForOpenProxy {
my($self, $ip) = @_;
# If we weren't passed an IP address, default to whatever
# the current IP address is.
if (!$ip && $ENV{GATEWAY_INTERFACE}) {
my $r = Apache->request;
$ip = $r->connection->remote_ip if $r;
}

# If we don't have an IP address, it can't be an open proxy.
return 0 if !$ip;
# Known secure IPs also don't count as open proxies.
my $constants = getCurrentStatic();
my $gSkin = getCurrentSkin();

my $secure_ip_regex = $constants->{admin_secure_ip_regex};
return 0 if $secure_ip_regex && $ip =~ /$secure_ip_regex/;

# If the IP address is already one we have listed, use the
# existing listing.
my $port = $self->getKnownOpenProxy($ip);
if (defined $port) {
#print STDERR scalar(localtime) . " cfop no need to check ip '$ip', port is '$port'\n";
return $port;
}
#print STDERR scalar(localtime) . " cfop ip '$ip' not known, checking\n";

# No known answer; probe the IP address and get an answer.
my $ports = $constants->{comments_portscan_ports} || '80 8080 8000 3128';
my @ports = grep /^\d+$/, split / /, $ports;
return 0 if !@ports;
my $timeout = $constants->{comments_portscan_timeout} || 5;
my $connect_timeout = int($timeout/scalar(@ports)+0.2);
my $ok_url = "$gSkin->{absolutedir}/ok.txt";

my $pua = Slash::Custom::ParUserAgent->new();
$pua->redirect(1);
$pua->max_redirect(3);
$pua->max_hosts(scalar(@ports));
$pua->max_req(scalar(@ports));
$pua->timeout($connect_timeout);

#use LWP::Debug;
#use Data::Dumper;
#LWP::Debug::level("+trace"); LWP::Debug::level("+debug");

my $start_time = Time::HiRes::time;

local $_proxy_port = undef;
sub _cfop_callback {
my($data, $response, $protocol) = @_;
#print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . ($response->is_success() ? $response->content() : "(fail)") . "'\n";
if ($response->is_success() && $data eq "ok\n") {
# We got a success, so the IP is a proxy.
# We should know the proxy's port at this
# point; if not, that's remarkable, so
# print an error.
my $orig_req = $response->request();
$_proxy_port = $orig_req->{_slash_proxytest_port};
if (!$_proxy_port) {
print STDERR scalar(localtime) . " _cfop_callback got data but no port, protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . $response->content() . "'\n";
}
$_proxy_port ||= 1;
# We can quit listening on any of the
# other ports that may have connected,
# returning immediately from the wait().
# So we want to return C_ENDALL. Except
# C_ENDALL doesn't seem to _work_, it
# crashes in _remove_current_connection.
# Argh. So we use C_LASTCON.
return LWP::Parallel::UserAgent::C_LASTCON;
}
#print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' succ '0'\n";
}

#print STDERR scalar(localtime) . " cfop beginning registering\n";
for my $port (@ports) {
# We switch to a new proxy every time thru.
$pua->proxy('http', "http://$ip:$port/");
my $req = HTTP::Request->new(GET => $ok_url);
$req->{_slash_proxytest_port} = $port;
#print STDERR scalar(localtime) . " cfop registering for proxy '$pua->{proxy}{http}'\n";
$pua->register($req, \&_cfop_callback);
}
#print STDERR scalar(localtime) . "pua: " . Dumper($pua);
my $elapsed = Time::HiRes::time - $start_time;
my $wait_timeout = int($timeout - $elapsed + 0.5);
$wait_timeout = 1 if $wait_timeout wait($wait_timeout);
#print STDERR scalar(localtime) . " cfop done with wait, returning " . (defined $_proxy_port ? 'undef' : "'$port'") . "\n";
$_proxy_port = 0 if !$_proxy_port;
$elapsed = Time::HiRes::time - $start_time;

# Store this value so we don't keep probing the IP.
$self->setKnownOpenProxy($ip, $_proxy_port, $elapsed);

return $_proxy_port;
}


Leave your comments below, I want to know how others feel about this "feature".

Update: We've confirmed that slashdot.jp and Barrapunto predate this feature being added to the codebase; according to the git log, it was added on commit 177e2213 at 2008-04-16 19:07:46 +0000.
 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Insightful) by hatta on Wednesday April 09 2014, @07:37PM

    by hatta (879) on Wednesday April 09 2014, @07:37PM (#29024)

    A port scan is not an attack. It's wasteful of network resources to scan everyone, but it's not an attack. Which ports are open is public information on the public internet. We have to assume that open ports are open for a reason or the internet doesn't work. We also have to assume that services on those open ports are available for public use, unless there is some form of authentication.

    Port scan me all day for all I care. If I have open ports I don't want you to access, that's my problem and my responsibility.

    Starting Score:    1  point
    Moderation   +2  
       Insightful=1, Underrated=1, Total=2
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4  
  • (Score: 2, Insightful) by Anonymous Coward on Wednesday April 09 2014, @07:39PM

    by Anonymous Coward on Wednesday April 09 2014, @07:39PM (#29027)

    Unauthorized port scanning may be strictly prohibited depending on countries laws and there may be legal ramifications

    • (Score: 2) by snick on Wednesday April 09 2014, @07:52PM

      by snick (1408) on Wednesday April 09 2014, @07:52PM (#29041)

      Point your browser at random IP.

      You have just performed a (fairly lame) port scan.

      Off to prison with you.

      • (Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:00PM

        by Anonymous Coward on Wednesday April 09 2014, @08:00PM (#29048)

        well, don't play this down so quickly. Laws are usually broad and describe something like an "automated attempt" that is performed "deliberately" and "outside of intended behavior" or something like that

        Some lawyer could easily make a case out of nothing

        • (Score: 2) by frojack on Wednesday April 09 2014, @08:28PM

          by frojack (1554) on Wednesday April 09 2014, @08:28PM (#29083) Journal

          Well we could certainly make a moral case out of it.

          I wonder if a story about this would even be allowed to be printed on Slashdot.

          Note, that I've noticed these scans for a long time, and actually have iptables rules in place for them for many years. It never dawned on me they were from slash.

          --
          No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Wednesday April 09 2014, @07:44PM

    by Anonymous Coward on Wednesday April 09 2014, @07:44PM (#29030)

    A web server is treating requests differently depending on what services a client station appears to be running. It's not exactly polite or fair. The web server is explicitly open for probing; the client device, though technically a peer, is not.

    • (Score: 2) by hatta on Wednesday April 09 2014, @07:49PM

      by hatta (879) on Wednesday April 09 2014, @07:49PM (#29036)

      A peer is a peer is a peer. Either they are all explicitly open for probing, or none of them are. The internet only works on a default allow policy.

      • (Score: 0) by Anonymous Coward on Wednesday April 09 2014, @07:59PM

        by Anonymous Coward on Wednesday April 09 2014, @07:59PM (#29047)

        Please tell that to every mobile ISP, telecom carrier, hotspot operator, and SOHO router manufacturer... :)

        And tell it to every residential ISP too.

        Maybe you haven't noticed, but the peer to peer Internet went bye-bye about 1992.

        • (Score: 2) by omoc on Wednesday April 09 2014, @08:08PM

          by omoc (39) on Wednesday April 09 2014, @08:08PM (#29058)

          thats not always a bad thing, without carrier grade NAT your mobile would be open to lots of attacks, also it would deplete the IPv4 address space much quicker

          • (Score: 0) by Anonymous Coward on Wednesday April 09 2014, @08:14PM

            by Anonymous Coward on Wednesday April 09 2014, @08:14PM (#29064)

            Well yeah, we know, but that was beside this particular point. There's always a reason, and sometimes a benefit, but the point is that peer to peer can hardly be assumed. And in the classic client/server relationship of most web servers, probing your clients is rude.

          • (Score: 2) by hatta on Wednesday April 09 2014, @09:44PM

            by hatta (879) on Wednesday April 09 2014, @09:44PM (#29120)

            No, without carrier grade NAT, you could still have a carrier grade firewall. NAT is not a security feature, it is a terrible hack with no legitimate use in a well designed system. Running out of IPv4 addresses is a bonus, that will only hasten the implementation of IPv6 everywhere.

  • (Score: 2) by NCommander on Wednesday April 09 2014, @11:49PM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Wednesday April 09 2014, @11:49PM (#29155) Homepage Journal

    You're right, it isn't an attack, but its bad practice to do it and not notify anyone you're doing it. It also triggers aggressive firewalls that detect it as an intrusion attempt (which is what the original reporter ran into). For a standard web application to be auto-scanning with no notification what so ever is a different beast, especially if it causes corporate firewalls to flag this site as malicious.

    --
    Still always moving
  • (Score: 1) by J053 on Thursday April 10 2014, @01:05AM

    by J053 (3532) <dakineNO@SPAMshangri-la.cx> on Thursday April 10 2014, @01:05AM (#29177) Homepage
    I kinda agree. While egregiously scanning on every connect is pretty lame, it is _my_ responsibility to protect my network from this. You can scan me for those ports all day, and all you'll get is a RST packet in return. I also don't see the reason for it - you're* running a discussion site - WTF does it matter if the participants are coming in via proxies or carrier pigeons? Lots of organizations operate bidirectional web proxies - either to improve performance (local caching) or for internal security/compliance reasons. * obviously referring to the original slashcode author(s) - kudos to you for taking it out.