Kiwi Forum status?


Glenn Elmore
 

Does anyone on this group have any knowledge of the status of the KiwiSDR forum?  It has been read-only for quite some time.
Is there any insight as to the reason or if/when it might return? 
With all of the KiwiSDRs involved with wsprdaemon and the database(s) this is becoming a matter of concern to me.  
Glenn n6gn


Phil Karn
 

I would also like to know the answer to this question. I'm seeing traffic to one of my KiwiSDRs that may or may not be an attack trying to exploit a bug, and I would really like to know if anyone else is seeing the same thing.
Phil


WA2TP - Tom
 

I have had a specific kiwi targeted and channels kicked repeatedly. To the point where I moved the antenna connected to the targeted kiwi, to a new kiwi and left that kiwi as a target, which continued to experience the same attacks. 

On Dec 18, 2021, at 10:38 PM, Phil Karn <karn@...> wrote:

I would also like to know the answer to this question. I'm seeing traffic to one of my KiwiSDRs that may or may not be an attack trying to exploit a bug, and I would really like to know if anyone else is seeing the same thing.
Phil


Rob Robinett
 

I found some rather persistent bots in Maui, KPh and KFS but was able to suppress them by adding their public IP address/16 to the Kiwi's block nets table.

On Sat, Dec 18, 2021 at 6:39 PM WA2TP <myis300@...> wrote:
I have had a specific kiwi targeted and channels kicked repeatedly. To the point where I moved the antenna connected to the targeted kiwi, to a new kiwi and left that kiwi as a target, which continued to experience the same attacks. 

On Dec 18, 2021, at 10:38 PM, Phil Karn <karn@...> wrote:

I would also like to know the answer to this question. I'm seeing traffic to one of my KiwiSDRs that may or may not be an attack trying to exploit a bug, and I would really like to know if anyone else is seeing the same thing.
Phil



--
Rob Robinett
AI6VN
mobile: +1 650 218 8896


Bruce KX4AZ
 

On Fri, Dec 17, 2021 at 05:53 AM, Glenn Elmore wrote:
Does anyone on this group have any knowledge of the status of the KiwiSDR forum?  It has been read-only for quite some time.
Is there any insight as to the reason or if/when it might return? 
With all of the KiwiSDRs involved with wsprdaemon and the database(s) this is becoming a matter of concern to me.  
Glenn n6gn

Wondering if it is related to the Apache server Log4Shell vulnerability that has been causing so much alarm recently.


Jim Lill
 

Not likely, as the Apache part of things still runs.

On 12/19/21 11:22 AM, Bruce KX4AZ wrote:
On Fri, Dec 17, 2021 at 05:53 AM, Glenn Elmore wrote:
Does anyone on this group have any knowledge of the status of the KiwiSDR forum?  It has been read-only for quite some time.
Is there any insight as to the reason or if/when it might return? 
With all of the KiwiSDRs involved with wsprdaemon and the database(s) this is becoming a matter of concern to me.  
Glenn n6gn

Wondering if it is related to the Apache server Log4Shell vulnerability that has been causing so much alarm recently.


Phil Karn
 

I'm seeing groups of related IP addresses from places like Sao Paulo, Moscow, Los Angeles and Beijing. The users all claim to be in Piscataway, NJ. The connections are coordinated, persistent and annoying, and I'm not sure exactly what they're trying to do. I wouldn't mind so much if it just hogged one channel, but it's trying to hog all four which it can apparently do even when only one is actually tuned to a frequency. I.e., four TCP connections appear with background traffic on each one, but only one seems to be carrying actual receiver channel data, and only one shows up in the user list. But no new users can log in. I could impose a tighter time limit, but they already disconnect and reconnect every 15 minutes or so.

I'm reserving one channel for use with a password. But I really want to make my KiwiSDRs openly available so I hesitate to get even more restrictive.

And I'm still wondering why they're so interested in just one of the three KiwiSDRs I run. All three are in the directory. This one is different in that it uses a non-standard port number (8873) because of the IP port forwarding needed to reach it but I don't see how that could be relevant.


Phil Karn
 

I'm trying an experiment. Last night I changed the port number of the KiwiSDR. That change has propagated through to the list on http://kiwisdr.com/public. I configured my router to return "administratively prohibited" ICMP messages to attempts to access the old port. And I cleared the blocking list, i.e., every IP address is allowed to access the new port number.

There is as yet no abusive traffic to the new port, but a steady stream of abusive traffic to the old port continues. I just counted 1,183 attempts (TCP SYN packets) in a single minute, from the same addresses as before. There are 33 distinct IP addresses. Most are from several well-defined groups of /24 subnets in just a few /16 blocks: 45.43/16, 152.32/16 (the biggie), 128.14/16, 128.1/16, and 107.150/16. These are probably VPN endpoints, but I don't have an easy way to tell -- does anybody know of a good database?

This confirms my hunch that someone set up a rather elaborate bot but isn't watching it very closely. I'm watching to see how long it takes for them to switch to the new port number, or give up and try an entirely different KiwiSDR.
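
The kind of tally described in the messages above (SYNs per minute to one port, distinct sources, grouping by /24 and /16 before adding a /16 to a block list), as an added example that is not part of the thread and not anyone's actual tooling. It assumes `tcpdump -n` text output; the sample lines are constructed and use reserved test ranges, and 8074 is a made-up second port.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -n text line: "<hh:mm:ss.us> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..."
# "[S]" is a bare SYN; SYN-ACK prints as "[S.]" and is deliberately not matched.
LINE = re.compile(r"^(\d\d:\d\d):\d\d\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
                  r"\d+\.\d+\.\d+\.\d+\.(\d+): Flags \[S\],")

def summarize(lines, port, min_hosts=2):
    """Tally bare SYNs to `port` per minute and group the sources by /24 and /16."""
    per_minute, sources = Counter(), set()
    for line in lines:
        m = LINE.match(line)
        if not m or int(m.group(3)) != port:
            continue
        per_minute[m.group(1)] += 1
        sources.add(ipaddress.ip_address(m.group(2)))

    def group(prefix):
        nets = (ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in sources)
        return {str(net): n for net, n in Counter(nets).items()}

    by_16 = group(16)
    return {
        "per_minute": dict(per_minute),
        "distinct_sources": len(sources),
        "by_24": group(24),
        "by_16": by_16,
        # A /16 is only a block candidate if several distinct hosts fall inside it.
        "block_candidates": sorted(n for n, c in by_16.items() if c >= min_hosts),
    }

# Constructed sample capture (addresses from reserved test/benchmark ranges).
SAMPLE = """\
12:00:01.100000 IP 198.18.4.10.51522 > 10.0.0.5.8873: Flags [S], seq 1, win 64240, length 0
12:00:01.200000 IP 198.18.4.11.51523 > 10.0.0.5.8873: Flags [S], seq 2, win 64240, length 0
12:00:02.300000 IP 198.18.9.77.40000 > 10.0.0.5.8873: Flags [S], seq 3, win 64240, length 0
12:00:30.000000 IP 198.19.1.5.40001 > 10.0.0.5.8873: Flags [S], seq 4, win 64240, length 0
12:00:59.900000 IP 198.18.4.10.51530 > 10.0.0.5.8873: Flags [S], seq 5, win 64240, length 0
12:01:05.000000 IP 203.0.113.9.40002 > 10.0.0.5.8074: Flags [S], seq 6, win 64240, length 0
12:01:06.000000 IP 198.18.9.78.40003 > 10.0.0.5.8873: Flags [S], seq 7, win 64240, length 0
12:01:07.000000 IP 10.0.0.5.8873 > 198.18.9.78.40003: Flags [R.], seq 0, ack 8, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, 8873).items():
        print(key, value)
```

A /16 covers 65,536 addresses, so the `by_24` breakdown is worth reading before a candidate goes into a block list.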