The Watcher

	
# I am the Watcher. I am your guide through this vast new twtiverse.
# 
# Usage:
#     https://watcher.sour.is/api/plain/users              View list of users and latest twt date.
#     https://watcher.sour.is/api/plain/twt                View all twts.
#     https://watcher.sour.is/api/plain/mentions?uri=:uri  View all mentions for uri.
#     https://watcher.sour.is/api/plain/conv/:hash         View all twts for a conversation subject.
# 
# Options:
#     uri     Filter to show a specific users twts.
#     offset  Start index for quey.
#     limit   Count of items to return (going back in time).
# 
# twt range = 1 42
# self = https://watcher.sour.is/conv/ve43paq

prologic

twtxt.net

25 Jul 24 14:54 UTC

@stigatle / @abucci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed's preamble (metadata). I'd love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/

prologic

twtxt.net

25 Jul 24 14:54 UTC

@stigatle / @abucci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed's preamble (metadata). I'd love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/

prologic

twtxt.net

25 Jul 24 14:55 UTC

Or if y'all trust my monkey-ass coding skillz I'll just merge and you can do a git pull and rebuild 😅

prologic

twtxt.net

25 Jul 24 14:55 UTC

Or if y'all trust my monkey-ass coding skillz I'll just merge and you can do a git pull and rebuild 😅

prologic

twtxt.net

25 Jul 24 15:00 UTC

I'm going to merge this...

prologic

twtxt.net

25 Jul 24 15:00 UTC

I'm going to merge this...

prologic

twtxt.net

25 Jul 24 15:01 UTC

@abucci / @stigatle Please git pull, rebuild and redeploy.

There is also a shell script in ./tools called dump_cache.sh. Please run this, dump your cache and share it with me. 🙏

prologic

twtxt.net

25 Jul 24 15:01 UTC

@abucci / @stigatle Please git pull, rebuild and redeploy.

There is also a shell script in ./tools called dump_cache.sh. Please run this, dump your cache and share it with me. 🙏

stigatle

yarn.stigatle.no

25 Jul 24 17:01 UTC+0200

@prologic Ok, I'm running it now. I'll keep an eye out for the tmp folder now (I built the branch you have made). I'll let you know shortly if it helped on my end.

stigatle

yarn.stigatle.no

25 Jul 24 17:01 UTC+0200

@prologic I'm running it now. I'll keep an eye out for the tmp folder now (I built the branch you have made). I'll let you know shortly if it helped on my end.

prologic

twtxt.net

25 Jul 24 15:03 UTC

@stigatle The problem is it'll only cause the attack to stop and error out. It won't stop your pod from trying to do this over and over again. That's why I need some help inspecting both your pods for "bad feeds".

prologic

twtxt.net

25 Jul 24 15:03 UTC

@stigatle The problem is it'll only cause the attack to stop and error out. It won't stop your pod from trying to do this over and over again. That's why I need some help inspecting both your pods for "bad feeds".

prologic

twtxt.net

25 Jul 24 15:03 UTC

if we can figure out wtf is going on here and my theory is right, we can blacklist that feed, hell even add it to the codebase as an "asshole".

prologic

twtxt.net

25 Jul 24 15:03 UTC

if we can figure out wtf is going on here and my theory is right, we can blacklist that feed, hell even add it to the codebase as an "asshole".

prologic

twtxt.net

25 Jul 24 15:10 UTC

Just thinking out loud here... With that PR merged (_or if you built off that branch_), you _might_ hopefully see new errors popup and we might catch this problematic bad feed in the act? Hmmm 🧐

prologic

twtxt.net

25 Jul 24 15:10 UTC

Just thinking out loud here... With that PR merged (_or if you built off that branch_), you _might_ hopefully see new errors popup and we might catch this problematic bad feed in the act? Hmmm 🧐

stigatle

yarn.stigatle.no

25 Jul 24 17:13 UTC+0200

@prologic so, if I'm correct the dump tool made a pods.txt and a stats.txt file, those are the ones you want?

stigatle

yarn.stigatle.no

25 Jul 24 17:13 UTC+0200

@prologic so, if I'm correct the dump tool made a pods.txt and a stats.txt file, those are the ones you want? or do you want the output that it spits out in the console window?

abucci

anthony.buc.ci

25 Jul 24 15:15 UTC

I'm seeing GETs like this over and over again:


"GET /external?nick=lovetocode999&uri=https://vuf.minagricultura.gov.co/Lists/Informacin%20Servicios%20Web/DispForm.aspx?ID=8375144 HTTP/1.1" 200 35861 17.077914ms

always to nick=lovetocode999, but with different uris. What are these calls?

prologic

twtxt.net

25 Jul 24 15:17 UTC

@stigatle You want to run backup_db.sh and dump_cache.sh They pipe JSON to stdout and prompt for your admin password. Example:


URL=<your_pod_url> ADMIN=<your_admin_user> ./tools/dump_cache.sh > cache.json

prologic

twtxt.net

25 Jul 24 15:17 UTC

@stigatle You want to run backup_db.sh and dump_cache.sh They pipe JSON to stdout and prompt for your admin password. Example:


URL=<your_pod_url> ADMIN=<your_admin_user> ./tools/dump_cache.sh > cache.json

prologic

twtxt.net

25 Jul 24 15:18 UTC

But just have a look at the yarnd server logs too. Any new interesting errors? 🤔 No more multi-GB tmp files? 🤔

prologic

twtxt.net

25 Jul 24 15:18 UTC

But just have a look at the yarnd server logs too. Any new interesting errors? 🤔 No more multi-GB tmp files? 🤔

stigatle

yarn.stigatle.no

25 Jul 24 17:21 UTC+0200

@prologic thank you. I run it now as you said, I'll get the files put somewhere shortly.

abucci

anthony.buc.ci

25 Jul 24 15:21 UTC

@prologic Hitting that URL returns a bunch of HTML even though there is no user named lovetocode999 on my pod. I think it should 404, and maybe with a delay, to discourage whatever this abuse is. Basically this can be used to DDoS a pod by forcing it to generate a hunch of HTML just by doing a bogus GET like this.

prologic

twtxt.net

25 Jul 24 15:22 UTC

@stigatle Ta. I hope my theory is right 😅

prologic

twtxt.net

25 Jul 24 15:22 UTC

@stigatle Ta. I hope my theory is right 😅

stigatle

yarn.stigatle.no

25 Jul 24 17:26 UTC+0200

@prologic here you go:
https://drive.proton.me/urls/XRKQQ632SG#LXWehEZMNQWF

abucci

anthony.buc.ci

25 Jul 24 15:27 UTC

@prologic Try hitting this URL:

https://twtxt.net/external?nick=nosuchuser&uri=https://foo.com

Change nosuchuser to any phrase at all.

If you hit https://twtxt.net/external?nick=nosuchuser , you're given an error. If you hit that URL above with the uri parameter, you can a legitimate-looking page. I think that is a bug.

prologic

twtxt.net

25 Jul 24 15:27 UTC

@stigatle Thank you! 🙏

prologic

twtxt.net

25 Jul 24 15:27 UTC

@stigatle Thank you! 🙏

stigatle

yarn.stigatle.no

25 Jul 24 17:30 UTC+0200

@prologic No worries, thanks for working on the fix for it so fast :)

abucci

anthony.buc.ci

25 Jul 24 15:31 UTC

@prologic


./tools/dump_cache.sh: line 8: bat: command not found
No Token Provided

I don't have bat on my VPS and there is no package for installing it. Is cat a reasonable alternate?

prologic

twtxt.net

25 Jul 24 15:31 UTC

Ooof


$ jq '.Feeds | keys[]' cache.json | wc -l
4402

If you both don't mind dropping your caches. I would recommend it. Settings -> Poderator Settings -> Reset cache.

prologic

twtxt.net

25 Jul 24 15:31 UTC

Ooof


$ jq '.Feeds | keys[]' cache.json | wc -l
4402

If you both don't mind dropping your caches. I would recommend it. Settings -> Poderator Settings -> Refresh cache.

prologic

twtxt.net

25 Jul 24 15:31 UTC

Ooof


$ jq '.Feeds | keys[]' cache.json | wc -l
4402

If you both don't mind dropping your caches. I would recommend it. Settings -> Poderator Settings -> Refresh cache.

prologic

twtxt.net

25 Jul 24 15:31 UTC

That was also a source of abuse that also got plugged (_being able to fill up the cache with garbage data_)

prologic

twtxt.net

25 Jul 24 15:31 UTC

That was also a source of abuse that also got plugged (_being able to fill up the cache with garbage data_)

stigatle

yarn.stigatle.no

25 Jul 24 17:34 UTC+0200

@prologic you want a new cache from me - or was the one I sent OK for what you needed?

prologic

twtxt.net

25 Jul 24 15:37 UTC

@stigatle The one you sent is fine. I'm inspecting it now. I'm just saying, do yourself a favor and nuke your pod's garbage cache 🤣 It'll rebuild automatically in a much more prestine state.

prologic

twtxt.net

25 Jul 24 15:37 UTC

@stigatle The one you sent is fine. I'm inspecting it now. I'm just saying, do yourself a favor and nuke your pod's garbage cache 🤣 It'll rebuild automatically in a much more prestine state.

stigatle

yarn.stigatle.no

25 Jul 24 17:44 UTC+0200

@prologic will do, thanks for the tip!