```perl
sub checkForOpenProxy {
    my($self, $ip) = @_;

    # If we weren't passed an IP address, default to whatever
    # the current IP address is.
    if (!$ip && $ENV{GATEWAY_INTERFACE}) {
        my $r = Apache->request;
        $ip = $r->connection->remote_ip if $r;
    }

    # If we don't have an IP address, it can't be an open proxy.
    return 0 if !$ip;

    # Known secure IPs also don't count as open proxies.
    my $constants = getCurrentStatic();
    my $gSkin = getCurrentSkin();
    my $secure_ip_regex = $constants->{admin_secure_ip_regex};
    return 0 if $secure_ip_regex && $ip =~ /$secure_ip_regex/;

    # If the IP address is already one we have listed, use the
    # existing listing.
    my $port = $self->getKnownOpenProxy($ip);
    if (defined $port) {
        #print STDERR scalar(localtime) . " cfop no need to check ip '$ip', port is '$port'\n";
        return $port;
    }
    #print STDERR scalar(localtime) . " cfop ip '$ip' not known, checking\n";

    # No known answer; probe the IP address and get an answer.
    # Note the hardcoded fallback port list used when the config var is unset.
    my $ports = $constants->{comments_portscan_ports} || '80 8080 8000 3128';
    my @ports = grep /^\d+$/, split / /, $ports;
    return 0 if !@ports;
    my $timeout = $constants->{comments_portscan_timeout} || 5;
    my $connect_timeout = int($timeout/scalar(@ports)+0.2);
    my $ok_url = "$gSkin->{absolutedir}/ok.txt";

    # One parallel user agent; each request below goes through a
    # different "proxy" (the commenter's IP on one of the probe ports).
    my $pua = Slash::Custom::ParUserAgent->new();
    $pua->redirect(1);
    $pua->max_redirect(3);
    $pua->max_hosts(scalar(@ports));
    $pua->max_req(scalar(@ports));
    $pua->timeout($connect_timeout);

    #use LWP::Debug;
    #use Data::Dumper;
    #LWP::Debug::level("+trace"); LWP::Debug::level("+debug");

    my $start_time = Time::HiRes::time;
    local $_proxy_port = undef;

    sub _cfop_callback {
        my($data, $response, $protocol) = @_;
        #print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . ($response->is_success() ? $response->content() : "(fail)") . "'\n";
        if ($response->is_success() && $data eq "ok\n") {
            # We got a success, so the IP is a proxy.
            # We should know the proxy's port at this
            # point; if not, that's remarkable, so
            # print an error.
            my $orig_req = $response->request();
            $_proxy_port = $orig_req->{_slash_proxytest_port};
            if (!$_proxy_port) {
                print STDERR scalar(localtime) . " _cfop_callback got data but no port, protocol '$protocol' port '$_proxy_port' succ '" . ($response->is_success()) . "' data '$data' content '" . $response->content() . "'\n";
            }
            $_proxy_port ||= 1;
            # We can quit listening on any of the
            # other ports that may have connected,
            # returning immediately from the wait().
            # So we want to return C_ENDALL. Except
            # C_ENDALL doesn't seem to _work_, it
            # crashes in _remove_current_connection.
            # Argh. So we use C_LASTCON.
            return LWP::Parallel::UserAgent::C_LASTCON;
        }
        #print STDERR scalar(localtime) . " _cfop_callback protocol '$protocol' succ '0'\n";
    }

    #print STDERR scalar(localtime) . " cfop beginning registering\n";
    for my $port (@ports) {
        # We switch to a new proxy every time thru.
        $pua->proxy('http', "http://$ip:$port/");
        my $req = HTTP::Request->new(GET => $ok_url);
        $req->{_slash_proxytest_port} = $port;
        #print STDERR scalar(localtime) . " cfop registering for proxy '$pua->{proxy}{http}'\n";
        $pua->register($req, \&_cfop_callback);
    }
    #print STDERR scalar(localtime) . "pua: " . Dumper($pua);
    my $elapsed = Time::HiRes::time - $start_time;
    my $wait_timeout = int($timeout - $elapsed + 0.5);
    # The "< 1" and the "$pua->" prefix on the next two lines were lost to
    # HTML extraction on this page and are restored here.
    $wait_timeout = 1 if $wait_timeout < 1;
    $pua->wait($wait_timeout);
    #print STDERR scalar(localtime) . " cfop done with wait, returning " . (defined $_proxy_port ? 'undef' : "'$port'") . "\n";
    $_proxy_port = 0 if !$_proxy_port;
    $elapsed = Time::HiRes::time - $start_time;

    # Store this value so we don't keep probing the IP.
    $self->setKnownOpenProxy($ip, $_proxy_port, $elapsed);

    return $_proxy_port;
}
```
(Score: 1) by gishzida on Wednesday April 09 2014, @08:02PM
Couldn't someone just reach out to the former SlashDot founders/operators and ask "WTF?" CmdrTaco seems right enough to answer a straight question.
Next, what are the signs that slashcode is actively doing this? i.e. what would I see in my win7 firewall logs were I to go to pipedot or the other sites running slashcode?
Is Dicedot [I refuse to call it slashdot] currently [actively] doing port scans?
What if anything was the DB doing with the info? Are there any pre-written queries that would return the results of the probe?
Is it possible that it was a doorknock sequence for "remote control" purposes? [yeah that's a wild guess but weirder things have been known to occur... though why it would do it to every client]
Is this an indication that the slashcode repository has been tainted or pwned?
Is there any versioning info explaining why that code exists?
(Score: 2) by xlefay on Wednesday April 09 2014, @08:22PM
> Next, what are the signs that slashcode is actively doing this? i.e. what would I see in my win7 firewall logs were I to go to pipedot or the other sites running slashcode?
Just monitor some ports (like 8080) when commenting on a site powered by Slashcode.
Also, Pipedot doesn't run Slashcode. Last I checked (when I saw a php error a while ago) they were using, you guessed it, PHP.
> Is Dicedot [I refuse to call it slashdot] currently [actively] doing port scans?
Yes they are, see: https://soylentnews.org/comments.pl?sid=1195&cid=29035 [soylentnews.org]
> What if anything was the DB doing with the info? Are there any pre-written queries that would return the results of the probe?
The only thing I know they do is check if they already probed the IP.
> Is this an indication that the slashcode repository has been tainted or pwned?
Tainted? It contains slashcode ;-)
--
I just answered the stuff I know.
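The probe in checkForOpenProxy() above connects back to the commenter's IP on every port in comments_portscan_ports (default 80, 8080, 8000 and 3128) within the comments_portscan_timeout window, which is why xlefay suggests watching a port like 8080 while commenting. The following is an added example, not Slashcode's code and not from any commenter: a detector that reads the Windows Firewall log (pfirewall.log, W3C format, which is what a Win7 user asking about "firewall logs" would have) and flags any source IP that sends inbound SYNs to all of the probe ports within that window. It assumes the standard 17-field pfirewall.log layout and that logging of dropped packets has been enabled; the log lines, timestamps and IP addresses below are constructed, not captured from any site.

```python
"""Find the Slashcode open-proxy probe pattern in a Windows Firewall log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Defaults mirror checkForOpenProxy(): comments_portscan_ports and
# comments_portscan_timeout.
PROBE_PORTS = frozenset({80, 8080, 8000, 3128})
PROBE_WINDOW_SECONDS = 5

# Constructed sample in Windows Firewall (pfirewall.log, W3C) field order.
# 198.51.100.7 shows the probe: four SYNs to the probe ports inside two
# seconds. 203.0.113.9 is a single unrelated SYN to port 80, and the last
# line is outbound traffic that must be ignored.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-04-09 20:02:11 DROP TCP 198.51.100.7 192.168.1.20 41522 80 52 S 3011234567 0 8192 - - - RECEIVE
2014-04-09 20:02:11 DROP TCP 198.51.100.7 192.168.1.20 41523 8080 52 S 3011234568 0 8192 - - - RECEIVE
2014-04-09 20:02:12 DROP TCP 198.51.100.7 192.168.1.20 41524 8000 52 S 3011234569 0 8192 - - - RECEIVE
2014-04-09 20:02:12 DROP TCP 198.51.100.7 192.168.1.20 41525 3128 52 S 3011234570 0 8192 - - - RECEIVE
2014-04-09 20:05:40 DROP TCP 203.0.113.9 192.168.1.20 51000 80 52 S 3011234571 0 8192 - - - RECEIVE
2014-04-09 20:09:02 ALLOW TCP 192.168.1.20 198.51.100.7 49201 443 0 - 0 0 0 - - - SEND
"""


def parse_inbound_syns(text):
    """Yield (timestamp, src_ip, dst_port) for inbound TCP SYNs; skip header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 17:
            continue
        date, time_ = fields[0], fields[1]
        proto, src_ip, dport, flags, path = (
            fields[3], fields[4], fields[7], fields[9], fields[16])
        # Only inbound (RECEIVE) TCP packets with the SYN flag set matter here.
        if proto != "TCP" or path != "RECEIVE" or "S" not in flags:
            continue
        ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
        yield ts, src_ip, int(dport)


def find_probe_sources(text, ports=PROBE_PORTS, window_seconds=PROBE_WINDOW_SECONDS):
    """Return {src_ip: first_seen} for sources that hit every probe port within the window."""
    ports = frozenset(ports)
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dport in parse_inbound_syns(text):
        if dport in ports:
            by_src[src].append((ts, dport))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so the span never exceeds window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if {p for _, p in events[start:end + 1]} >= ports:
                hits[src] = events[start][0]
                break
    return hits


if __name__ == "__main__":
    for src, first_seen in find_probe_sources(SAMPLE_LOG).items():
        print(f"{src} hit all of {sorted(PROBE_PORTS)} starting {first_seen:%Y-%m-%d %H:%M:%S}")
```

Run it against a real pfirewall.log by passing the file contents to find_probe_sources(); Windows Firewall does not log dropped packets unless that option is turned on in the profile settings, so enable it before expecting the RECEIVE/DROP lines. The port set and window are parameters so that a site configured with a different comments_portscan_ports value can be matched the same way.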
(Score: 2, Informative) by mbadolato on Wednesday April 09 2014, @11:23PM
I posted [ycombinator.com] a link to this story on HackerNews and in the comments, CmdrTaco himself replied [ycombinator.com].
(Score: 2) by NCommander on Thursday April 10 2014, @12:16AM
I replied with my insights on that. Most of my anger over this issue is finding out we're tripping IDSes from undocumented behaviour in slash, even though the proxy scanning code vars are disabled. Perhaps I wrote a tad rashly, and I understand the purpose. The fact is that no website should ever trigger an IDS or malware detector, and the fact we were pissed me off to no end.
Still always moving
(Score: 1) by pikoro on Thursday April 10 2014, @06:12AM
Instead of disabling the code, how about fixing slashcode so it actually minds the settings in the db as to whether it should be enabled or disabled. Then update the FAQ or privacy policy or whatnot to mention that it is happening. I would also put the scanned ports in the db instead of having it hardcoded. Hardcoding things is just one more way for things to get "lost" in perl.
(Score: 2) by NCommander on Thursday April 10 2014, @05:28PM
No website should ever trigger an IDS system. Portscanning of any kind will. This feature in this form is dead and will not be returning.
Still always moving