YaCy Proxy abuse?!


Post by tinkerphone » Tue Oct 14, 2014 12:09 pm

Hi,
today I took a look at the network traffic from YaCy.

Did anybody else notice "non yacy related" traffic? I get lots of traffic from CN - mostly login attempts to various sites. Too bad I can't read Chinese...
tinkerphone
 
Posts: 26
Joined: Fri Oct 10, 2014 10:38 am

Re: YaCy Proxy abuse?!

Post by sixcooler » Tue Oct 14, 2014 12:37 pm

Hello tinkerphone,

what are your Proxy Access Settings?
Perhaps you should use more IP-Filtering and/or a Proxy-Account
(/Settings_p.html?page=ProxyAccess)

cu, sixcooler.
sixcooler
 
Posts: 494
Joined: Thu Aug 14, 2008 5:22 pm

Re: YaCy Proxy abuse?!

Post by tinkerphone » Tue Oct 14, 2014 1:17 pm

Hi sixcooler,
I am fiddling around a bit. The current settings are:
Transparent Proxy: on
Access only with qualified account: on (admin, ______) /unchanged
Use Proxy Account: on

The rest is rather vanilla (I think...).
However, I get this traffic almost instantly when I start yacy. I would not care much if I knew it's just my host. But it hit me that the YaCy network might have found another use by blackhats.
tinkerphone
 
Posts: 26
Joined: Fri Oct 10, 2014 10:38 am

Re: YaCy Proxy abuse?!

Post by Orbiter » Tue Oct 14, 2014 2:51 pm

tinkerphone wrote: I get this traffic almost instantly when I start yacy

Hi, can you describe precisely how you measure that? I.e. there is a network monitor within YaCy which shows what IP has opened which servlet, please see
/AccessTracker_p.html?page=0
/AccessTracker_p.html?page=1
and
/Connections_p.html
If the traffic is not shown there, then it is not traffic to YaCy, just to your host, i.e. another application.
Orbiter
 
Posts: 5797
Joined: Tue Jun 26, 2007 10:58 pm
Location: Frankfurt am Main

Re: YaCy Proxy abuse?!

Post by tinkerphone » Tue Oct 14, 2014 3:23 pm

Hi,
I am not sure what's going on. I am not that good at networking.
The connections I get are not listed within YaCy.

I used mitmproxy to sniff around a bit. As soon as I start yacy I get for example connections like these:

Code:
142.4.96.197:4725: clientconnect
Request                                                                                                                         
Content-Type:     application/x-www-form-urlencoded
Connection:       keep-alive
Accept:           text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Maxthon/4.4.1.2000 Chrome/30.0.1599.101 Safari/537.36
Origin:           https://login.plaync.co.kr
DNT:              1
Referer:          https://login.plaync.co.kr/login/login
Accept-Encoding:  gzip,deflate
Accept-Language:  ko-KR
Host:             login.plaync.co.kr
Content-Length:   379
URLEncoded form
id:             chanhee88z@duam.net
pwd:            cksgml88
game_id:        13
return_url:     http://kr.plaync.com/
returnurl:      http://kr.plaync.com/
cancel_url:     http://kr.plaync.com/
fail_url:       
loginsite:     
site_id:        13
adult_yn:       N
encoding_type:  utf-8
ukey:           8A17DFD5A1AA83003AE65E08CF6331B930B318D0B1273931C9E844E4F9F07A88F7625C599C030A81A6A8D9C962B25BB2EA89CA8AF5C9E555507F02A87B2088AA
loginLevel:     

142.4.96.197:4725: clientdisconnect


They look like login attempts with different user/pass identifications (you can see it in the response). (in this case)
Whatever is going on, to me it seems that YaCy is involved in some way.
tinkerphone
 
Posts: 26
Joined: Fri Oct 10, 2014 10:38 am
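
A defender-side check for the pattern described in the post above, as an added example that is not part of the original post: it parses a dump laid out like the excerpt and lists non-loopback clients that posted a password field with several different ids to the same host. The sample dump, the list of password field names and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of the excerpt above (not real traffic).
SAMPLE = """\
203.0.113.7:4725: clientconnect
Host:             login.example.test
URLEncoded form
id:             user1@example.test
pwd:            x1
203.0.113.7:4725: clientdisconnect
203.0.113.7:4726: clientconnect
Host:             login.example.test
URLEncoded form
id:             user2@example.test
pwd:            x2
203.0.113.7:4726: clientdisconnect
127.0.0.1:5000: clientconnect
Host:             login.example.test
URLEncoded form
id:             me@example.test
pwd:            x3
127.0.0.1:5000: clientdisconnect
"""

CONNECT = re.compile(r"^(\d+\.\d+\.\d+\.\d+):\d+: clientconnect$")
FIELD = re.compile(r"^([\w-]+):\s*(.*)$")
SECRET_FIELDS = {"pwd", "password", "passwd"}  # assumed list of field names

def relayed_logins(dump):
    """Map (client_ip, host) -> ids posted with a password field by non-local clients."""
    hits = {}
    client, fields = None, {}
    for line in map(str.rstrip, dump.splitlines()):
        m = CONNECT.match(line)
        if m:
            client, fields = m.group(1), {}
        elif line.endswith(": clientdisconnect"):
            local = client is None or ipaddress.ip_address(client).is_loopback
            if not local and SECRET_FIELDS & fields.keys():
                key = (client, fields.get("host", "?"))
                hits.setdefault(key, set()).add(fields.get("id", ""))
            client = None
        elif client and (m := FIELD.match(line)):
            fields[m.group(1).lower()] = m.group(2)
    return hits

def suspects(dump, min_ids=2):
    """Keep only clients that tried at least min_ids different ids on one host."""
    return {k: v for k, v in relayed_logins(dump).items() if len(v) >= min_ids}
```

Any entry returned by `suspects` means a remote client is relaying logins through the host, which points at the proxy access settings rather than at normal peer traffic.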

Re: YaCy Proxy abuse?!

Post by tinkerphone » Wed Oct 15, 2014 2:17 pm

After thinking about it - Just an idea:
I don't know how it works in detail but my guess:
1. YaCy Peers are announcing their IP addresses
2. There is a probability that those YaCy peers run a proxy
-> Fetch the IPs, test for proxy, use proxy for :twisted: stuff
tinkerphone
 
Posts: 26
Joined: Fri Oct 10, 2014 10:38 am

Re: YaCy Proxy abuse?!

Post by Orbiter » Wed Oct 15, 2014 4:21 pm

By default the proxy lets only users from localhost in.
tinkerphone wrote: use proxy for :twisted: stuff

This use case does not exist unless you open the proxy for the public on purpose.
Orbiter
 
Posts: 5797
Joined: Tue Jun 26, 2007 10:58 pm
Location: Frankfurt am Main

Re: YaCy Proxy abuse?!

Post by Erik_S » Wed Oct 15, 2014 10:04 pm

Hello,

tinkerphone wrote: Fetch the IPs
This is not a difficult process.
One of the easiest ways is to fetch and merge all the uploaded Seed-List-Files (from various YaCy-Peers that claim the State "Principal") and you have an up to date List of all currently online YaCy-Peers. A little bit more complicated but even more up to date is to query all active YaCy-Peers directly for their Seed-List and merge it in a Database (this is what my Analysis-Tool does and I needed only a few days to code it from the ground up).

tinkerphone wrote: test for proxy, use proxy for :twisted: stuff
I say my Analysis-Tool does not do evil things, but, can you really trust me?
I think I can develop a good Proxy-Test in less than 10 work hours. In my opinion, any good programmer in this world can do the same job in the same time.

Orbiter wrote: by default the proxy lets only users from localhost in
Sure?
In YaCy there exists a bug that lets it think that an incoming HTTP-Request should be handled as Proxy in cases where this HTTP-Request means the Peer itself (the HTTP-Error-Code 403). Why can there not exist an additional bug that lets YaCy think the Proxy is enabled for everyone?

Greetings
Erik
Erik_S
 
Posts: 185
Joined: Sat Aug 30, 2014 11:13 am

