Remember that the new log messages can help identify the current WF-only bot versus possible legitimate use. Look for the pattern of intermediate frequency/zoom values during the 90 sec connection period, e.g.
Thu Mar 17 08:17:24 01:17:06.393 01.. 1 L 58.59 kHz WF z8 "kiwirecorder.py" 144.202.84.81 (ARRIVED)
Thu Mar 17 08:17:28 01:17:10.570 01.. 1 58.59 kHz WF z8 "kiwirecorder.py" 144.202.84.81 0:00:04
Thu Mar 17 08:17:38 01:17:20.568 01.. 1 292.97 kHz WF z8 "kiwirecorder.py" 144.202.84.81 0:00:14
Thu Mar 17 08:17:40 01:17:22.576 01.. 1 L GEOLOC: 144.202.84.81 sent no geoloc info, we got "Seattle, Washington, USA" from geo host #0
Thu Mar 17 08:17:48 01:17:30.568 01.. 1 703.13 kHz WF z6 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA 0:00:24
Thu Mar 17 08:17:58 01:17:40.568 01.. 1 1406.25 kHz WF z5 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA 0:00:34
Thu Mar 17 08:18:08 01:17:50.571 01.. 1 3281.25 kHz WF z5 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA 0:00:44
Thu Mar 17 08:18:18 01:18:00.568 01.. 1 9375.00 kHz WF z3 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA 0:00:54
Thu Mar 17 08:18:28 01:18:10.570 01.. 1 13125.00 kHz WF z3 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA 0:01:04
Thu Mar 17 08:18:38 01:18:20.569 01.. 1 20625.00 kHz WF z3 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA 0:01:14
Thu Mar 17 08:18:48 01:18:30.568 01.. 1 28125.00 kHz WF z3 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA 0:01:24
Thu Mar 17 08:18:56 01:18:38.152 0... 1 L 28125.00 kHz WF z3 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA (LEAVING after 0:01:32)
Sun Mar 27 00:24:45 09:35:25.157 .... [00] ADMIN connection closed
Sun Mar 27 00:26:43 09:37:22.894 0... 0 PWD kiwi W/F ALLOWED: no config pwd set, allow any (158.247.235.18)
Sun Mar 27 00:26:44 09:37:23.518 0... 0 L 58.59 kHz WF z8 "kiwirecorder.py" 158.247.235.18 (ARRIVED)
Sun Mar 27 00:26:52 09:37:32.103 0... 0 API: decided connection is non-Kiwi app (0)
Sun Mar 27 00:26:52 09:37:32.103 0... 0 API: ext_api_users=1 >? ext_api_ch=4 F(OKAY)
Sun Mar 27 00:27:00 09:37:40.103 0... 0 292.97 kHz WF z8 "kiwirecorder.py" 158.247.235.18 0:00:18
Sun Mar 27 00:27:01 09:37:41.113 0... 0 L GEOLOC: 158.247.235.18 sent no geoloc info, we got "Seoul, South Korea" from geo host #2
Sun Mar 27 00:27:01 09:37:41.117 0... task geoloc_task:P2:T002((1000.000 msec) TaskSleep) exited by returning
Sun Mar 27 00:27:10 09:37:50.103 0... 0 703.13 kHz WF z6 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea 0:00:28
Sun Mar 27 00:27:20 09:38:00.103 0... 0 2343.75 kHz WF z5 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea 0:00:38
Sun Mar 27 00:27:30 09:38:10.106 0... 0 3281.25 kHz WF z5 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea 0:00:48
Sun Mar 27 00:27:40 09:38:20.103 0... 0 9375.00 kHz WF z3 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea 0:00:58
Sun Mar 27 00:27:50 09:38:30.103 0... 0 16875.00 kHz WF z3 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea 0:01:08
Sun Mar 27 00:28:00 09:38:40.103 0... 0 20625.00 kHz WF z3 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea 0:01:18
Sun Mar 27 00:28:10 09:38:50.106 0... 0 28125.00 kHz WF z3 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea 0:01:28
Sun Mar 27 00:28:14 09:38:53.928 .... 0 L 28125.00 kHz WF z3 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea (LEAVING after 0:01:31)
Sun Mar 27 00:37:54 09:48:34.096 0... 0 TLIMIT-IP connecting LIMIT OKAY cur:0 < lim:75 for 102.65.130.40
Sun Mar 27 00:37:54 09:48:34.096 0... 0 PWD kiwi SND ALLOWED: no config pwd set, allow any (102.65.130.40)
Sun Mar 27 00:37:56 09:48:35.627 0... 0 PWD kiwi W/F ALLOWED: no config pwd set, allow any (102.65.130.40)
Thanks @jks, that would be cool. I've been monitoring my logs a lot more lately and along with giving me a better understanding of them, I've noticed somewhat of a pattern. I've been blocking the incoming IP address each time I catch them, but it appears that they either change their IP address or add new ones every 2 days. If I'm right, I should get a new hit from a different IP address today at some point.
Mar 21 10:28:58 kiwisdr kiwid: 1d:00:47:34.414 0... 0 58.59 kHz WF z8 "kiwirecorder.py" 45.32.124.96 (ARRIVED)
Mar 21 10:30:28 kiwisdr kiwid: 1d:00:49:04.848 .... 0 28125.00 kHz WF z3 "kiwirecorder.py" 45.32.124.96 Queenstown Estate, Singapore (LEAVING after 0:01:31)
Mar 23 11:20:16 kiwisdr kiwid: 3d:01:38:52.448 012. 2 58.59 kHz WF z8 "kiwirecorder.py" 158.247.235.18 (ARRIVED)
Mar 23 11:21:46 kiwisdr kiwid: 3d:01:40:23.026 0... 2 28125.00 kHz WF z3 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea (LEAVING after 0:01:32)
Mar 23 12:29:51 kiwisdr kiwid: 3d:02:48:27.787 012. 2 58.59 kHz WF z8 "kiwirecorder.py" 158.247.235.18 (ARRIVED)
Mar 23 12:31:23 kiwisdr kiwid: 3d:02:49:59.496 01.. 2 28125.00 kHz WF z3 "kiwirecorder.py" 158.247.235.18 Seoul, South Korea (LEAVING after 0:01:32)
Mar 25 09:18:34 kiwisdr kiwid: 4d:23:37:10.319 01.. 1 58.59 kHz WF z8 "kiwirecorder.py" 140.82.23.11 (ARRIVED)
Mar 25 09:20:06 kiwisdr kiwid: 4d:23:38:42.107 0... 1 28125.00 kHz WF z3 "kiwirecorder.py" 140.82.23.11 Los Angeles, California, USA (LEAVING after 0:01:32)
Mar 25 12:11:03 kiwisdr kiwid: 5d:02:29:39.673 0... 0 58.59 kHz WF z8 "kiwirecorder.py" 140.82.23.11 (ARRIVED)
Mar 25 12:12:36 kiwisdr kiwid: 5d:02:31:12.416 .... 0 28125.00 kHz WF z3 "kiwirecorder.py" 140.82.23.11 Los Angeles, California, USA (LEAVING after 0:01:33)
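The pattern described at the top of this page (a WF-only "kiwirecorder.py" connection of about 90 seconds whose frequency and zoom step through intermediate values) can be checked mechanically. This is an added example, not code from the thread or from the KiwiSDR project; the thresholds (`lo`, `hi`, `min_steps`) and the function names are assumptions, and the parser relies only on the line shape visible in the excerpts above.

```python
import re
from collections import defaultdict

# Connection-status line shape, as seen in the log excerpts on this page.
LINE = re.compile(r'([\d.]+) kHz (\S+) z(\d+) "([^"]*)" (\d+\.\d+\.\d+\.\d+)(.*)$')
LEAVE = re.compile(r'\(LEAVING after (\d+):(\d+):(\d+)\)')

# First six lines are quoted from the thread; the last two are constructed
# (documentation address 192.0.2.10) to show a long WF session on one frequency.
LOG = '''\
Thu Mar 17 08:17:24 01:17:06.393 01.. 1 L 58.59 kHz WF z8 "kiwirecorder.py" 144.202.84.81 (ARRIVED)
Thu Mar 17 08:17:38 01:17:20.568 01.. 1 292.97 kHz WF z8 "kiwirecorder.py" 144.202.84.81 0:00:14
Thu Mar 17 08:17:40 01:17:22.576 01.. 1 L GEOLOC: 144.202.84.81 sent no geoloc info, we got "Seattle, Washington, USA" from geo host #0
Thu Mar 17 08:17:48 01:17:30.568 01.. 1 703.13 kHz WF z6 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA 0:00:24
Thu Mar 17 08:18:18 01:18:00.568 01.. 1 9375.00 kHz WF z3 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA 0:00:54
Thu Mar 17 08:18:56 01:18:38.152 0... 1 L 28125.00 kHz WF z3 "kiwirecorder.py" 144.202.84.81 Seattle, Washington, USA (LEAVING after 0:01:32)
Thu Mar 17 09:00:00 02:00:00.000 0... 0 L 7100.00 kHz WF z4 "kiwirecorder.py" 192.0.2.10 (ARRIVED)
Thu Mar 17 09:30:00 02:30:00.000 0... 0 L 7100.00 kHz WF z4 "kiwirecorder.py" 192.0.2.10 (LEAVING after 0:30:00)
'''

def sessions(lines):
    """Yield (ip, name, samples, seconds) for each session that ends in LEAVING."""
    open_ = defaultdict(list)          # ip -> [(freq_kHz, mode, zoom), ...]
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                   # GEOLOC, PWD, API and other lines
        freq, mode, zoom, name, ip, tail = m.groups()
        if "(ARRIVED)" in tail:
            open_[ip] = []             # a new connection resets the sample list
        open_[ip].append((float(freq), mode, int(zoom)))
        left = LEAVE.search(tail)
        if left:
            h, mi, s = map(int, left.groups())
            yield ip, name, open_.pop(ip), h * 3600 + mi * 60 + s

def looks_like_wf_bot(name, samples, seconds, lo=80, hi=100, min_steps=3):
    """Assumed heuristic: WF only, ~90 s stay, frequency up and zoom down in steps."""
    freqs = [f for f, _, _ in samples]
    zooms = [z for _, _, z in samples]
    return (name == "kiwirecorder.py"
            and all(mode == "WF" for _, mode, _ in samples)
            and lo <= seconds <= hi
            and freqs == sorted(freqs) and len(set(freqs)) >= min_steps
            and zooms == sorted(zooms, reverse=True))

def flag(lines):
    return sorted({ip for ip, n, s, t in sessions(lines) if looks_like_wf_bot(n, s, t)})
```

Sessions logged with only their ARRIVED and LEAVING lines carry two frequency values and fall below `min_steps`, so the intermediate status lines are what make the match reliable.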
Comments
I know that..... had not heard of bots in Singapore before. They run a tight ship there so surprised
Very interesting discussion, I get this :-
I have an auto-ban solution partly working..
Well I was close. It was a little over 2 days but here's a new one.
These guys seem to be a prime source of the recurrent kiwirecorder.py connects.
at the OS level, where do I find the kiwi logs
Good morning ....
I probably make some mistakes, but how come despite adding IPs to my local Blacklist
the same IPs still have access to my KIWI?
@fabrys if you want to add 1 IP address, use /32 (example 140.82.23.11/32) and type the Enter key after adding new addresses to your Blacklist. After you have finished adding the new IP, go to the Log tab; you should see the iptables reload:
@rz3dvp ....thank you!! I had omitted a passage.
You don't need to add /32 for a single ip address. 1.2.3.4 and 1.2.3.4/32 are equivalent. To verify, use the console tab and type the alias ipt to see the current iptable. Entries will be under the KIWI chain at the end.
I need to improve the UI for those text area panels (local blacklist, ALE admin menu, additional HTML). They need to auto-save and/or have a save button in addition to the current hack of typing return at the end of the text. If you just enter changes in the middle of the text they don't get saved which is lame. You know your changes have been saved when the panel flashes green just like the input fields do.
Okay, we now have a case where information from this thread was used by a Kiwi owner to block an ip range, but which also blocked the noip.com DUC server used by the DUC client on the admin page, connect tab. The owner couldn't figure out why their DUC client wasn't working all of a sudden.
dynupdate.no-ip.com is at 158.247.7.204 so don't put 158.247.0.0/16 into your local blacklist if you use the noip DUC. Now the story is actually a little more complicated than this. The ip reported in this thread was 158.247.235.18 which belongs to the Vultr CIDR 158.247.192.0/18 (158.247.192.0 - 158.247.255.255). But the admin incorrectly entered 158.247.0.0/16 (158.247.0.0 - 158.247.255.255) which is too large and captured the noip address.
Related: I have implemented a "whitelist" capability for the next software release. So you can whitelist a single ip while still having the rest of the range blocked if it's really causing you problems.
I have updated the downloadable blacklist with all of the IPs mentioned in this thread so far (please let me know if I missed anything). The admin network tab should indicate there is a new download available.
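The over-wide /16 entry described above can be caught before it is saved by checking each blacklist entry against the addresses the receiver itself depends on. This is an added example, not part of the thread or the KiwiSDR software; the function names and the `MUST_REACH` table are assumptions, and the addresses and ranges are the ones quoted in the posts above.

```python
import ipaddress

def parse_entry(entry):
    """A blacklist entry is a bare IP or a CIDR; a bare IP parses as a /32."""
    # strict=False also accepts entries with host bits set, e.g. 158.247.235.18/18
    return ipaddress.ip_network(entry.strip(), strict=False)

def describe(entry):
    """Return (first address, last address, size) so the blocked span is visible."""
    net = parse_entry(entry)
    return str(net[0]), str(net[-1]), net.num_addresses

def covers(entry, offender):
    """True if the entry actually blocks the address seen in the log."""
    return ipaddress.ip_address(offender) in parse_entry(entry)

def collisions(blacklist, must_reach):
    """Return {entry: [names]} for entries that would also block a needed host."""
    hits = {}
    for entry in blacklist:
        net = parse_entry(entry)
        blocked = [name for name, ip in must_reach.items()
                   if ipaddress.ip_address(ip) in net]
        if blocked:
            hits[entry] = blocked
    return hits

# Address as quoted in the thread; it may change, so resolve it again before relying on it.
MUST_REACH = {"dynupdate.no-ip.com": "158.247.7.204"}
TOO_WIDE = ["158.247.0.0/16", "140.82.23.11"]
NARROWER = ["158.247.192.0/18", "140.82.23.11/32"]

if __name__ == "__main__":
    for entries in (TOO_WIDE, NARROWER):
        for e in entries:
            print(e, describe(e), collisions([e], MUST_REACH))
```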
It's been well over 10 days since I've had a WF only connection by anything other than "SNR-Measure." My receiver has been working fine and I've had no random restarts during that time. The list of IP addresses that I have logged for these bots are as follows:
Thanks again @jks for all of your help with this.
I had a feeling I was jinxing myself when I made that last post this morning. They have another IP.
The first rule about kiwi bot fight club...
Thanks for 108.61.176.0/23, I had a much more expansive entry in my router.
... always the same, I thought he was already on the general blacklist, the hi on the local one. However, I see some strange commands than usual.
65.20.112.0/23
Added to my router
Vultr - Florida (actual address 65.20.113.188)
I got scanned by the Florida address last night also.
Apr 16 10:18:52 kiwisdr kiwid: 6d:19:54:37.828 01.. 0 58.59 kHz WF z8 "kiwirecorder.py" 65.20.113.188 (ARRIVED)
Apr 16 10:20:24 kiwisdr kiwid: 6d:19:56:10.547 .1.. 0 28125.00 kHz WF z3 "kiwirecorder.py" 65.20.113.188 West Palm Beach, Florida, USA (LEAVING after 0:01:33)
I think I know why I was ignored for a 10 day span over the past week and a half. My SMA connector came loose and my noise floor was pretty high because of it. Perhaps I was deemed unworthy. 😂
I got a new hit last night from the Netherlands. They were hitting me every 20 to 45 minutes or so for a bit. Just sharing.
Confirmed same IP for me. I kicked, and added the /24 it's in to the local blocklist.
I had a couple more yesterday. Piscataway and Houston.
I have added the most recently reported IPs into the downloadable blacklist.
Thanks @jks. Here's another.
And I just got hit by 2 more.
Seoul is new. But the other two are already on the list.
Please check first and don't send me on a wild goose chase. Trust me, I don't have the time.
Sorry about that. I update the list under Admin every time it says a new list is available. I figured if they were scanning me then they weren't on it. I'll verify next time.
Thanks!
Hi All, just discovered this thread, I think I can shed some light as to who is using our Kiwis with the name kiwirecorder.py.
I was first contacted by him in 2018 after I noticed he was using my Kiwi for several hrs per day and I had no limit at the time but after applying a 2hr limit I got an email from him apologising if he was taking up too much time and explained his reasons for the long recordings.
I have received 2 donations for use of the SDR and a few weeks ago he contacted me offering to pay me monthly for exclusive use of 1 channel.
He said his hobby is the analysis of communications signals and I have no reason to believe he is being malicious.