Phoney users?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Phoney users?

    I have a little educational program that I give away for free. In downloading it – or just opening the webpage – the downloader naturally furnishes their IP address to my webhost. Also, each time the program starts it downloads a PHP file on my server which finds the IP address and adds it to a users list on my server, recording the date and time, and using geoplugin.net it determines location of the IP.

    Here are the last few dozen entries (I’ve lined up the locations):
    Code:
    Thu 04-08  05:59pm  89.208.29.59     Russia
    Thu 04-08  05:59pm  194.186.142.20   Lytkarino Russia
    Thu 04-08  05:59pm  194.186.142.20   Lytkarino Russia
    Thu 04-08  06:02pm  14.33.131.72     Yongin-si South Korea
    Thu 04-08  06:09pm  207.102.138.19   Kamloops, British Columbia, Canada
    Thu 04-08  06:19pm  66.102.6.159     Bismarck, Missouri, US
    Thu 04-08  08:06pm  34.72.86.44      Council Bluffs, Iowa, US
    Thu 04-08  08:51pm  195.74.76.222    Prague, Hlavni mesto Praha, Czechia
    Thu 04-08  08:54pm  72.12.194.92     West Lafayette, Indiana, US
    Thu 04-08  09:18pm  72.12.194.92     West Lafayette, Indiana, US
    Thu 04-08  09:50pm  205.169.39.31    Colorado Springs, Colorado, US
    Thu 04-08  10:29pm  34.72.86.44      Council Bluffs, Iowa, US
    Fri 04-09  01:25am  178.148.234.26   Belgrade, Belgrade, Serbia
    Fri 04-09  01:25am  207.102.138.40   Kamloops, British Columbia, Canada
    Fri 04-09  10:37am  195.74.76.222    Prague, Hlavni mesto Praha, Czechia
    Fri 04-09  03:33pm  207.102.138.19   Kamloops, British Columbia, Canada
    Fri 04-09  03:48pm  106.75.52.88     , , China
    Fri 04-09  04:32pm  195.74.76.222    Prague, Hlavni mesto Praha, Czechia
    Fri 04-09  04:51pm  195.74.76.222    Prague, Hlavni mesto Praha, Czechia
    Fri 04-09  06:09pm  204.13.201.139   Chicago, Illinois, US
    Fri 04-09  06:09pm  35.187.132.161   , , US
    Fri 04-09  06:09pm  35.187.132.190   , , US
    Fri 04-09  06:16pm  178.128.140.117  Amsterdam, North Holland, Netherlands
    Fri 04-09  06:16pm  147.147.220.17   Bath, England, United Kingdom
    Fri 04-09  06:16pm  212.102.57.71    Frankfurt am Main, Hesse, Germany
    Fri 04-09  06:16pm  62.254.68.74     , , United Kingdom
    Fri 04-09  06:16pm  174.128.251.154  Denver, Colorado, US
    Fri 04-09  06:25pm  83.28.168.151    Debica, Subcarpathia, Poland
    Fri 04-09  06:25pm  46.134.161.200   Katowice, Silesia, Poland
    Fri 04-09  06:28pm  89.208.29.60     , , Russia
    Fri 04-09  06:33pm  95.49.96.184     Potok, Subcarpathia, Poland
    Fri 04-09  06:33pm  46.134.161.200   Katowice, Silesia, Poland
    Fri 04-09  07:04pm  unknown          , , US
    Fri 04-09  07:09pm  205.169.39.103   Colorado Springs, Colorado, US
    Fri 04-09  07:09pm  205.169.39.103   Colorado Springs, Colorado, US
    Fri 04-09  07:13pm  54.214.213.191   Boardman, Oregon, US
    Fri 04-09  07:14pm  207.102.138.19   Kamloops, British Columbia, Canada
    Fri 04-09  07:15pm  157.230.210.133  North Bergen, New Jersey, US
    Fri 04-09  07:17pm  195.239.51.127   Moscow, Moscow, Russia
    Fri 04-09  07:21pm  165.231.227.30   Rome, Latium, Italy
    Fri 04-09  07:41pm  46.183.218.132   , , Belize
    Fri 04-09  07:42pm  46.183.218.132   , , Belize
    Fri 04-09  07:42pm  46.183.218.132   , , Belize
    Fri 04-09  07:42pm  194.110.114.2    Warsaw, Mazovia, Poland
    Fri 04-09  07:43pm  91.90.123.11     , , Belgium
    I suspect a lot of these are phony. For example, if I download the program myself, the first time I run it my virus-checker – AVG – pops up and says the program looks suspicious and they will block it temporarily while they analyze it further. A few minutes later AVG pops up again and says it is OK, go ahead and run it. If I then check the users list, I see at the end:
    ... 195.74.76.222 Prague, Hlavni mesto Praha, Czechia

    By the way, Subcarpathia? It sounds like “The Prince and the Showgirl” (1957).
    Politically incorrect signatures about immigration patriots are forbidden. Searching “immigration patriots” is forbidden. Thinking about searching ... well, don’t even think about it.

  • #2
    That's fairly typical traffic.
    Bots and spiders crawling the web. Many looking for sites to compromise and use for various nefarious activities.

    Here's last month's stats from one of my websites, which is only of interest to people in PNG:

    [Attached image: awstats.jpg]


    • #3
      "... each time the program starts it downloads a PHP file on my server"

      If that were true, your server would be totally misconfigured. PHP files should never be downloaded - that's the whole point of server-side processing.
      Perhaps you mean:
      "...each time the program starts it runs a PHP file on my server"



      • #4
        The program uses URLDownloadToFile to run the PHP.

        A bot can find the exe, but how does it find the PHP file? There's an index.htm file in the same folder which is just blank. In other words, a person can't find it, how can a bot?



        • #5
          How can I keep those pesky bots from finding and downloading the PHP file?
          Last edited by Mark Hunter; 9 Apr 2021, 10:28 PM.



          • #6
            Originally posted by Mark Hunter:
            I suspect a lot of these are phony. For example, if I download the program myself, the first time I run it my virus-checker – AVG – pops up and says the program looks suspicious and they will block it temporarily while they analyze it further. A few minutes later AVG pops up again and says it is OK, go ahead and run it. If I then check the users list, I see at the end:
            ... 195.74.76.222 Prague, Hlavni mesto Praha, Czechia
            AVG or AVAST?

            The 195.74.76.0/24 block is assigned to Avast. It looks like your program is being intercepted by Avast Anti-Virus, which is routing your URLDownloadToFile via their servers.





            • #7
              AVG, but Avast Software has a majority stake in AVG Technologies – at least that was announced in 2016.

              I forgot to mention: I know that practically all of the list entries were made by the running program accessing the PHP file. There is more information in the list than I indicated.

              Inside the program is its version number, and when it downloads the PHP file it appends “?version=whatever” to the URL of the PHP file. Then the PHP code gets whatever and places it in the entry on the list. I edited it out for the listing here, thinking it wasn’t relevant.

              The point is that if you just download the PHP file directly, version will be empty. And indeed there are a couple of entries like that on the list, but practically all of them show a version.

              So random people claiming to be here and there all over the world are running the program.
              Last edited by Mark Hunter; 10 Apr 2021, 01:17 AM.



              • #8
                This morning I found in the users file, on my server, for the free program I wrote:
                Code:
                Sat 04-17  06:00am  190.106.134.112  San Nicolás de los Arroyos, Buenos Aires, Argentina
                (30 times in a row except the time went from 05:59am to 06:00am)
                
                Sat 04-17  06:00am  194.110.114.2  Warsaw, Mazovia, Poland
                (43 times in a row except the time went from 06:00am to 06:01am)
                
                Sat 04-17  08:28am  185.77.248.82  , , Israel
                (31 times in a row except the time went from 08:28am to 08:29am)
                
                Sat 04-17  08:30am  178.175.128.41  Chisinau, Chișinău Municipality, Moldova
                (43 times in a row)
                Any idea why they are doing this? The program is free. The only reason to “crack” it would be to modify the code, but what would be the point?






                • #9
                  Ever heard of bots and VPNs? Also: the locations listed are the entities these IP address blocks have been assigned to (=typically ISPs). Don't mistake that for actual (user) locations.

                  And no one is interested in cracking your application. Like search engines, these bots crawl every web server they can get hold of and try to find exploitable vulnerabilities. You seem to have no idea how sophisticated these bots are. E.g. they have a list of parameters to try out for web sites, which often reveal interesting (aka exploitable) information about the server and the software it's running. Here's what you can try: rename your parameter from "version" to something else, e.g. "PinkButterflySandwichFork" and see if you still get these hits.

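A way to pick out the burst pattern reported in #8 from a users list in this thread's layout, as an added example that is not Mark Hunter's script: the sample lines and IP addresses are constructed (documentation ranges), the year is assumed because the list carries none, and the location column is parsed but ignored, since (as #9 notes) it describes the address block, not the person running the program.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the thread's users list
# ("Day MM-DD HH:MMam/pm  IP  location"); addresses are documentation
# ranges, not the ones in the thread. It models the burst reported in #8:
# one address hitting the script 30 times while the clock goes 05:59 -> 06:00.
SAMPLE_LOG = "\n".join(
    [f"Sat 04-17  {'05:59' if i < 12 else '06:00'}am  203.0.113.7      Example City, Example Region, Exampleland"
     for i in range(30)]
    + [
        "Sat 04-17  06:04am  198.51.100.20    Example Town, Example State, US",
        "Sat 04-17  06:05am  unknown          , , US",
        "(30 times in a row)",  # commentary line like the ones in #8; must be skipped
        "Sat 04-17  08:10am  198.51.100.20    Example Town, Example State, US",
    ]
)


def parse_line(line, year=2021):
    """Return (timestamp, ip, location) for one entry, or None if the line is not one.
    The list has no year, so one is assumed purely to order timestamps."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        return None
    _weekday, mmdd, clock = parts[:3]
    try:
        stamp = datetime.strptime(f"{year}-{mmdd} {clock}", "%Y-%m-%d %I:%M%p")
    except ValueError:
        return None  # commentary lines, blank lines, anything not an entry
    rest = parts[3] if len(parts) > 3 else ""
    ip, _, location = rest.partition(" ")  # IP, then padding, then location
    return stamp, ip, location.strip()


def find_bursts(log_text, window_seconds=120, threshold=10):
    """Map each IP to the most hits it made inside any window_seconds span,
    keeping only addresses at or above threshold (i.e. automated traffic)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            stamp, ip, _ = parsed
            hits[ip].append(stamp)
    bursts = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, best = 0, 0
        for end, stamp in enumerate(stamps):  # sliding window over sorted times
            while (stamp - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} hits within 2 minutes, almost certainly automated")
```

Entries whose version parameter is empty (post #7's direct-download case) would be a second column to check once the version is kept in the list; with minute-resolution timestamps the 120-second window is what makes a burst that straddles a minute boundary count as one.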