Kiwi Forum status?
Is there any insight as to the reason or if/when it might return?
With all of the KiwiSDRs involved with wsprdraemon and the database(s) this is becoming a matter of concern to me.
Glenn n6gn
On Dec 18, 2021, at 10:38 PM, Phil Karn <karn@...> wrote:
I would also like to know the answer to this question. I'm seeing traffic to one of my KiwiSDRs that may or may not be an attack trying to exploit a bug, and I would really like to know if anyone else is seeing the same thing.
Phil
I have had a specific kiwi targeted and channels kicked repeatedly. To the point where I moved the antenna connected to the targeted kiwi, to a new kiwi and left that kiwi as a target, which continued to experience the same attacks.
On Dec 18, 2021, at 10:38 PM, Phil Karn <karn@...> wrote:
I would also like to know the answer to this question. I'm seeing traffic to one of my KiwiSDRs that may or may not be an attack trying to exploit a bug, and I would really like to know if anyone else is seeing the same thing.
Phil
Does anyone on this group have any knowledge of the status of the KiwiSDR forum? It has been read-only for quite some time.Wondering if it is related to the Apache server log4shell vulnerability that has been causing so much alarm recently.
Is there any insight as to the reason or if/when it might return?
With all of the KiwiSDRs involved with wsprdraemon and the database(s) this is becoming a matter of concern to me.
Glenn n6gn
Not likely as the apache part of things still runs
On Fri, Dec 17, 2021 at 05:53 AM, Glenn Elmore wrote:
Does anyone on this group have any knowledge of the status of the KiwiSDR forum? It has been read-only for quite some time.Wondering if it is related to the Apache server log4shell vulnerability that has been causing so much alarm recently.
Is there any insight as to the reason or if/when it might return?
With all of the KiwiSDRs involved with wsprdraemon and the database(s) this is becoming a matter of concern to me.
Glenn n6gn
I'm seeing groups of related IP addresses from places like Sao Paulo, Moscow, Los Angeles and Beijing. The users all claim to be in Piscataway, NJ. The connections are coordinated, persistent and annoying, and I'm not sure exactly what they're trying to do. I wouldn't mind so much if it just hogged one channel, but it's trying to hog all four which it can apparently do even when only one is actually tuned to a frequency. I.e., four TCP connections appear with background traffic on each one, but only one seems to be carrying actual receiver channel data, and only one shows up in the user list. But no new users can log in. I could impose a tighter time limit, but they already disconnect and reconnect every 15 minutes or so.
I'm reserving one channel for use with a password. But I really want to make my KiwiSDRs openly available so I hesitate to get even more restrictive.
And I'm still wondering why they're so interested in just one of the three KiwiSDRs I run. All three are in the directory. This one is different in that it uses a non-standard port number (8873) because of the IP port forwarding needed to reach it but I don't see how that could be relevant.
There is as yet no abusive traffic to the new port, but a steady stream of abusive traffic to the old port continues. I just counted 1,183 attempts (TCP syn packets) in a single minute, from the same addresses as before. There are 33 distinct IP addresses. Most are from several well-defined groups of /24 subnets in just a few /16 blocks: 45.43/16, 152.32/16 (the biggie), 128.14/16, 128.1/16, and 107.150/16. These are probably VPN endpoints, but I don't have an easy way to tell -- does anybody know of a good database?
This confirms my hunch that someone set up a rather elaborate bot but isn't watching it very closely. I'm watching to see how long it takes for them to switch to the new port number, or give up and try an entirely different KiwiSDR.