This is why we can't have nice things

jksjks
edited June 29 in KiwiSDR Discussion

Don't start multiple threads about the botnet topic. They will be deleted.

The proxy service has been disabled because the money (for which I am not compensated) is now flying out of my back pocket:

botnet.proxy.png

I will try and develop a fix in the code to better identify and remove these connections.

Update: The proxy service has been re-enabled if you're running v1.690 or later.

IK8SUTnitroenginestudentkrajolo22

Comments

  • jksjks

    v1.689 (and later) has countermeasures against the "botnet".

    v1.690 (and later) is necessary for your Kiwi to resume using the proxy service.

    These updates will happen automatically overnight (local time) unless you've disabled automatic updates. You can manually update by going to the admin page "update" tab and clicking "build now" and waiting 30 minutes or so for the build to complete. Your Kiwi will restart when the build is complete.

    HB9TMCstudentkranitroenginejolo22
  • KU4SDKU4SD

    Thanks for what you do to support KiwiSDR.

  • HB9TMCHB9TMC

    That seems to work, they get kicked after 1-2 seconds. Thanks!

    @jks was that traffic increase all from these HFDL bots?

  • jksjks

    Was that traffic increase all from these HFDL bots?

    Don't know for sure of course, but that's the presumption.

  • jksjks

    As mentioned by @HB9TMC the botnet will still attempt to connect to your Kiwi, and will still be logged. But is now kicked within a few seconds which will cause much less harm.

    So if you're running v1.689 or later and still see these log messages don't be alarmed. The countermeasure is working as intended. At some point maybe I'll stop logging the messages. But at this point they are useful because they tell us if the botnet has changed behavior.

    Sat Jun 29 18:24:16 07:11:58.043 01..  1   L API: non-Kiwi app fingerprint-3 was denied connection
Sat Jun 29 18:24:16 07:11:58.086 0...  1   L  5514.00 kHz  iq z0  "kiwi_nc.py" 197.202.200.92 (LEAVING after 0:00:03)


  • HB9TMCHB9TMC

    A casualty is that it's now not possible to do TDoA near the HFDL frequencies, as someone just tried.

    But yeah, that's why whe can't have nice things. Perhaps it's possible to have a whilte-list for the TDoA server. Or they'll give up soon and the filter can be removed.


    Sun Jun 30 09:50:56 1d:00:11:49.625 01234567  1         API: decided connection is non-Kiwi app (served=0) 
Sun Jun 30 09:50:56 1d:00:11:49.625 01234567  1         API: ext_api_users=1 >? ext_api_ch=8 F(OKAY)
Sun Jun 30 09:50:56 1d:00:11:49.626 01234567  1       L API: TRIG=F SND(T3) f_kHz=6658.500 freq_trig=0 hasDelimiter=1 z=0
Sun Jun 30 09:50:56 1d:00:11:49.630 01234567  1       L API: non-Kiwi app fingerprint-2 was denied connection
Sun Jun 30 09:50:57 1d:00:11:49.668 0.234567  1       L  6658.50 kHz  iq z0  "TDoA_service" 50.116.2.70 (LEAVING after 0:00:10)
  • jksjks

    I can change that. But we shouldn't be talking about specifics of the countermeasures here because, well, you never know who's reading..

  • jksjks

    On my test Kiwi in Europe it seems the bot may have stopped about 10 hours ago (it's now 18:55 UTC 30 Jun). This output is from running this command in the admin console: msl | grs LEAVING | gr kiwi_nc | tail -n 10

    Jun 30 08:26:26 beaglebone kiwid: 21:14:07.710 .... 0    17919.00 kHz  iq z0  "kiwi_nc.py" 103.78.53.36 (LEAVING after 0:00:01)
Jun 30 08:26:35 beaglebone kiwid: 21:14:16.917 .... 0    17919.00 kHz  iq z0  "kiwi_nc.py" 103.78.53.36 (LEAVING after 0:00:01)
Jun 30 08:26:50 beaglebone kiwid: 21:14:31.625 .... 0    17919.00 kHz  iq z0  "kiwi_nc.py" 103.78.53.36 (LEAVING after 0:00:02)
Jun 30 08:27:00 beaglebone kiwid: 21:14:41.300 .... 0    17919.00 kHz  iq z0  "kiwi_nc.py" 103.78.53.36 (LEAVING after 0:00:02)
Jun 30 08:27:15 beaglebone kiwid: 21:14:56.321 .... 0    17928.00 kHz  iq z0  "kiwi_nc.py" 103.124.251.179 (LEAVING after 0:00:04)
Jun 30 08:27:29 beaglebone kiwid: 21:15:10.654 .... 0    17928.00 kHz  iq z0  "kiwi_nc.py" 103.124.251.179 (LEAVING after 0:00:03)
Jun 30 08:27:42 beaglebone kiwid: 21:15:24.016 .... 0    17928.00 kHz  iq z0  "kiwi_nc.py" 105.110.37.254 (LEAVING after 0:00:04)
Jun 30 08:28:00 beaglebone kiwid: 21:15:41.471 .... 0    17928.00 kHz  iq z0  "kiwi_nc.py" 105.110.37.254 (LEAVING after 0:00:08)
Jun 30 08:28:19 beaglebone kiwid: 21:16:00.806 .... 0    17928.00 kHz  iq z0  "kiwi_nc.py" 105.110.37.254 (LEAVING after 0:00:04)
Jun 30 08:28:53 beaglebone kiwid: 21:16:34.097 .... 0    17928.00 kHz  iq z0  "kiwi_nc.py" 105.107.139.206 (LEAVING after 0:00:02)


    And the proxy service has returned to normal more or less:

    Screenshot 2024-07-01 at 6.41.54 AM.png


  • HB9TMCHB9TMC

    They still tried it 2 hours ago here. From 11:49 to 11:54 and 17:11 to 17:17 UTC

    A non-public security forum would be good perhaps.

  • jksjks

    Like I have time to setup and manage such a thing, lol

    scratchmoney
  • HB9TMCHB9TMC

    I do, I could set up a mailing list, if there is interest.

  • jksjks

    In case the botnet is using the rx.kiwisdr.com list as the source of public Kiwi IP addresses I have removed any Kiwis from that list that are not running v1.690 or later. Currently that is about 90 Kiwis (out of 750+ total).

    These Kiwis did not update automatically overnight so must be set for manual updates.

  • jksjks
    edited July 3

    I would like to know the IP addresses associated with the Kiwi log message fingerprint-2 was denied connection. Note -2, not -3. The IP will appear in the LEAVING message just after.

    Do not post here. Email to support@kiwisdr.com instead. Thank you very much.

  • jksjks

    An easy way to do this is to use the following command in the admin console tab:

    gr -A 1 fingerprint-2 /var/log/user.log

Sign In or Register to comment.