The Watcher

he emailed my ISP about causing logging abuse. This is the only real ISP in my area, its gonna basically send me back to dialup.

stigatle

yarn.stigatle.no

25 Jul 24 19:09 UTC+0200

@xuu For what reason?

lyse

lyse.isobeef.org

25 Jul 24 19:00 UTC+0200

@abucci Just making sure you're seeing @xuu's twt, in case he's still on your blacklist:

> Hey so.. i just got an email from my ISP saying they will terminate my service. Did i break something @abucci ?
>
> – https://txt.sour.is/twt/oohzbqa

xuu

txt.sour.is

25 Jul 24 10:57 UTC-0600

Hey so.. i just got an email from my ISP saying they will terminate my service. Did i break something @abucci ?

xuu

dev.txt.sour.is

25 Jul 24 10:57 UTC-0600

Hey so.. i just got an email from my ISP saying they will terminate my service. Did i break something @abucci ?

prologic

twtxt.net

25 Jul 24 16:35 UTC

@abucci No worries! All in the name of better reliability and security 😅

prologic

twtxt.net

25 Jul 24 16:35 UTC

@abucci No worries! All in the name of better reliability and security 😅

prologic

twtxt.net

25 Jul 24 16:34 UTC

@stigatle Thanks! Sooo cold 🥶

prologic

twtxt.net

25 Jul 24 16:34 UTC

@stigatle Thanks! Sooo cold 🥶

prologic

twtxt.net

25 Jul 24 16:32 UTC

@stigatle no problems 👌 one problem solved at least 🤣

stigatle

yarn.stigatle.no

25 Jul 24 18:32 UTC+0200

@prologic sleep well!

prologic

twtxt.net

25 Jul 24 16:32 UTC

@stigatle no problems 👌 one problem solved at least 🤣

prologic

twtxt.net

25 Jul 24 16:30 UTC

Anyway, I'm gonna have to go to bed... We'll continue this on the weekend. Still trying to hunt down some kind of suspected mult-GB avatar using @stigatle 's pod's cache:


$ (echo "URL Bytes"; sort -n -k 2 -r < avatars.txt | head) | column -t
URL                                                                                                       Bytes
https://birkbak.neocities.org/avatar.jpg                                                                  667640
https://darch.neocities.org/avatar.png                                                                    652960
http://darch.dk/avatar.png                                                                                603210
https://social.naln1.ca/media/0c4f65a4be32ff3caf54efb60166a8c965cc6ac7c30a0efd1e51c307b087f47b.png        327947
...

But so far nothing much... Still running the search...

prologic

twtxt.net

25 Jul 24 16:30 UTC

Anyway, I'm gonna have to go to bed... We'll continue this on the weekend. Still trying to hunt down some kind of suspected mult-GB avatar using @stigatle 's pod's cache:


$ (echo "URL Bytes"; sort -n -k 2 -r < avatars.txt | head) | column -t
URL                                                                                                       Bytes
https://birkbak.neocities.org/avatar.jpg                                                                  667640
https://darch.neocities.org/avatar.png                                                                    652960
http://darch.dk/avatar.png                                                                                603210
https://social.naln1.ca/media/0c4f65a4be32ff3caf54efb60166a8c965cc6ac7c30a0efd1e51c307b087f47b.png        327947
...

But so far nothing much... Still running the search...

stigatle

yarn.stigatle.no

25 Jul 24 18:29 UTC+0200

@prologic @abucci my /tmp is fine now, no avatars there. I have to drive my daughter to a birthday party now, but I keep things running and I'll check when I get back.

prologic

twtxt.net

Out of interest, are you able to block whole ASN(s)? I blocked the entirely of teh AWS and Facebook ASN(s) recently.

prologic

twtxt.net

Out of interest, are you able to block whole ASN(s)? I blocked the entirely of teh AWS and Facebook ASN(s) recently.

prologic

twtxt.net

@abucci Oh 🤣 Well my IP is a known subnet and static, so if you need to know what it is, Email me 😅

prologic

twtxt.net

@abucci Oh 🤣 Well my IP is a known subnet and static, so if you need to know what it is, Email me 😅

prologic

twtxt.net

25 Jul 24 16:23 UTC

@abucci Seems to be okay now hmmm

prologic

twtxt.net

25 Jul 24 16:23 UTC

@abucci Seems to be okay now hmmm

prologic

twtxt.net

25 Jul 24 16:22 UTC

@abucci Hmm I can see your twts on my pod now 🤔

prologic

twtxt.net

25 Jul 24 16:22 UTC

@abucci Hmm I can see your twts on my pod now 🤔

abucci

anthony.buc.ci

25 Jul 24 16:15 UTC

@stigatle Sweet, thank you! I've been shooting myself in the foot over here and want to make sure the situation is getting fixed!

stigatle

yarn.stigatle.no

25 Jul 24 18:13 UTC+0200

@abucci yeah I can see it :)

abucci

anthony.buc.ci

25 Jul 24 16:10 UTC

@stigatle @prologic testing 1 2 3 can either of you see this?

abucci

anthony.buc.ci

25 Jul 24 16:06 UTC

Hmm, I wonder if I banned too many IPs and caused these issues for myself 😆

abucci

anthony.buc.ci

25 Jul 24 16:03 UTC

twts are taking a very long time to post from yarn after the latest upgrade. Like a good 60 seconds.

abucci

anthony.buc.ci

25 Jul 24 16:02 UTC

@prologic I don't know if this is new, but I'm seeing:


Jul 25 16:01:17 buc yarnd[1921547]: time="2024-07-25T16:01:17Z" level=error msg="https://yarn.stigatle.no/user/stigatle/twtxt.txt: client.Do fail: Get \\"https://yarn.stigatle.no/user/stigatle/twtxt.txt\\": dial tcp 185.97.32.18:443: i/o timeout (Client.Timeout exceeded while awaiting headers)" error="Get \\"https://yarn.stigatle.no/user/stigatle/twtxt.txt\\": dial tcp 185.97.32.18:443: i/o timeout (Client.Timeout exceeded while awaiting headers)"

I no longer see twts from @stigatle at all.

@jo

comam.es

25 Jul 24 18:00 UTC+0200

[47°09′21″S, 126°43′24″W] Reading: 1.12 Sv

abucci

anthony.buc.ci

25 Jul 24 15:59 UTC

@prologic Have you been seeing any of my replies?

prologic

twtxt.net

25 Jul 24 15:54 UTC

@abucci / @abucci Any interesting errors pop up in the server logs since the the flaw got fixed (_unbounded receieveFile()_)? 🤔

prologic

twtxt.net

25 Jul 24 15:54 UTC

@abucci / @abucci Any interesting errors pop up in the server logs since the the flaw got fixed (_unbounded receieveFile()_)? 🤔

prologic

twtxt.net

25 Jul 24 15:53 UTC

Hmmm 🧐


for url in $(jq -r '.Twters[].avatar' cache.json | sed '/^$/d' | grep -v -E '(twtxt.net|anthony.buc.ci|yarn.stigatle.no|yarn.mills.io)' | sort -u); do echo "$url $(curl -I -s -o /dev/null -w '%header{content-length}' "$url")"; done
...

😅 Let's see... 🤔

prologic

twtxt.net

25 Jul 24 15:53 UTC

Hmmm 🧐


for url in $(jq -r '.Twters[].avatar' cache.json | sed '/^$/d' | grep -v -E '(twtxt.net|anthony.buc.ci|yarn.stigatle.no|yarn.mills.io)' | sort -u); do echo "$url $(curl -I -s -o /dev/null -w '%header{content-length}' "$url")"; done
...

😅 Let's see... 🤔

abucci

anthony.buc.ci

25 Jul 24 15:52 UTC

It shows up in my twtxt feed so that's good.

lyse

lyse.isobeef.org

25 Jul 24 17:45 UTC+0200

@movq My issue is, now that we have the chance of getting something fast, people artificially slow it down again. Wether they think it's cool that they added some slow animation or just lack of knowledge or whatever. The absolute performance does not translate to the relative performance that I observe. Completely wasted potential. :-(

In today's economy, nobody optimizes something if it can be just called good enough with the next generation hardware. That's especially the mindset of big coorporations.

Anyway, getting sidetracked from the original post. :-)

stigatle

yarn.stigatle.no

25 Jul 24 17:44 UTC+0200

@prologic will do, thanks for the tip!

abucci

anthony.buc.ci

25 Jul 24 15:43 UTC

This is a test. I am not seeing twts from @stigatle and it seems like @prologic might not be seeing twts from me. Do people see this?

abucci

anthony.buc.ci

25 Jul 24 15:41 UTC

@prologic I am not seeing twts from @stigatle anymore. Are you seeing twts from me?

prologic

twtxt.net

25 Jul 24 15:37 UTC

@stigatle The one you sent is fine. I'm inspecting it now. I'm just saying, do yourself a favor and nuke your pod's garbage cache 🤣 It'll rebuild automatically in a much more prestine state.

prologic

twtxt.net

25 Jul 24 15:37 UTC

@stigatle The one you sent is fine. I'm inspecting it now. I'm just saying, do yourself a favor and nuke your pod's garbage cache 🤣 It'll rebuild automatically in a much more prestine state.

stigatle

yarn.stigatle.no

25 Jul 24 17:34 UTC+0200

@prologic you want a new cache from me - or was the one I sent OK for what you needed?

prologic

twtxt.net

That was also a source of abuse that also got plugged (_being able to fill up the cache with garbage data_)

prologic

twtxt.net

That was also a source of abuse that also got plugged (_being able to fill up the cache with garbage data_)

prologic

twtxt.net

Ooof


$ jq '.Feeds | keys[]' cache.json | wc -l
4402

If you both don't mind dropping your caches. I would recommend it. Settings -> Poderator Settings -> Refresh cache.

prologic

twtxt.net

Ooof


$ jq '.Feeds | keys[]' cache.json | wc -l
4402

If you both don't mind dropping your caches. I would recommend it. Settings -> Poderator Settings -> Refresh cache.

prologic

twtxt.net

Ooof


$ jq '.Feeds | keys[]' cache.json | wc -l
4402

If you both don't mind dropping your caches. I would recommend it. Settings -> Poderator Settings -> Reset cache.

abucci

anthony.buc.ci

@prologic


./tools/dump_cache.sh: line 8: bat: command not found
No Token Provided

I don't have bat on my VPS and there is no package for installing it. Is cat a reasonable alternate?

stigatle

yarn.stigatle.no

25 Jul 24 17:30 UTC+0200

@prologic No worries, thanks for working on the fix for it so fast :)

lyse

lyse.isobeef.org

25 Jul 24 17:30 UTC+0200

@prologic Yup. Didn't regret climbing these three hundred odd meters of elevation. :-)

prologic

twtxt.net

25 Jul 24 15:27 UTC

@stigatle Thank you! 🙏

prologic

twtxt.net

25 Jul 24 15:27 UTC

@stigatle Thank you! 🙏

abucci

anthony.buc.ci

25 Jul 24 15:27 UTC

@prologic Try hitting this URL:

https://twtxt.net/external?nick=nosuchuser&uri=https://foo.com

Change nosuchuser to any phrase at all.

If you hit https://twtxt.net/external?nick=nosuchuser , you're given an error. If you hit that URL above with the uri parameter, you can a legitimate-looking page. I think that is a bug.

stigatle

yarn.stigatle.no

25 Jul 24 17:26 UTC+0200

@prologic here you go:
https://drive.proton.me/urls/XRKQQ632SG#LXWehEZMNQWF

prologic

twtxt.net

25 Jul 24 15:22 UTC

@stigatle Ta. I hope my theory is right 😅

prologic

twtxt.net

25 Jul 24 15:22 UTC

@stigatle Ta. I hope my theory is right 😅

abucci

anthony.buc.ci

25 Jul 24 15:21 UTC

@prologic Hitting that URL returns a bunch of HTML even though there is no user named lovetocode999 on my pod. I think it should 404, and maybe with a delay, to discourage whatever this abuse is. Basically this can be used to DDoS a pod by forcing it to generate a hunch of HTML just by doing a bogus GET like this.

stigatle

yarn.stigatle.no

25 Jul 24 17:21 UTC+0200

@prologic thank you. I run it now as you said, I'll get the files put somewhere shortly.

prologic

twtxt.net

25 Jul 24 15:18 UTC

But just have a look at the yarnd server logs too. Any new interesting errors? 🤔 No more multi-GB tmp files? 🤔

prologic

twtxt.net

25 Jul 24 15:18 UTC

But just have a look at the yarnd server logs too. Any new interesting errors? 🤔 No more multi-GB tmp files? 🤔

prologic

twtxt.net

25 Jul 24 15:17 UTC

@stigatle You want to run backup_db.sh and dump_cache.sh They pipe JSON to stdout and prompt for your admin password. Example:


URL=<your_pod_url> ADMIN=<your_admin_user> ./tools/dump_cache.sh > cache.json

prologic

twtxt.net

25 Jul 24 15:17 UTC

@stigatle You want to run backup_db.sh and dump_cache.sh They pipe JSON to stdout and prompt for your admin password. Example:


URL=<your_pod_url> ADMIN=<your_admin_user> ./tools/dump_cache.sh > cache.json

abucci

anthony.buc.ci

25 Jul 24 15:15 UTC

I'm seeing GETs like this over and over again:


"GET /external?nick=lovetocode999&uri=https://vuf.minagricultura.gov.co/Lists/Informacin%20Servicios%20Web/DispForm.aspx?ID=8375144 HTTP/1.1" 200 35861 17.077914ms

always to nick=lovetocode999, but with different uris. What are these calls?

lyse

lyse.isobeef.org

25 Jul 24 17:15 UTC+0200

@stigatle Worky, worky now! :-)

Mate, these are some really nice gems! What a stunning landscape. I love it. Holy cow, that wooden church looks really sick. Even though, I'm not a scroll guy and prefer simple, straight designs, I have to say, that the interior craftmanship is something to admire.

stigatle

yarn.stigatle.no

25 Jul 24 17:13 UTC+0200

@prologic so, if I'm correct the dump tool made a pods.txt and a stats.txt file, those are the ones you want? or do you want the output that it spits out in the console window?

stigatle

yarn.stigatle.no

25 Jul 24 17:13 UTC+0200

@prologic so, if I'm correct the dump tool made a pods.txt and a stats.txt file, those are the ones you want?

prologic

twtxt.net

25 Jul 24 15:10 UTC

Just thinking out loud here... With that PR merged (_or if you built off that branch_), you _might_ hopefully see new errors popup and we might catch this problematic bad feed in the act? Hmmm 🧐

prologic

twtxt.net

25 Jul 24 15:10 UTC

Just thinking out loud here... With that PR merged (_or if you built off that branch_), you _might_ hopefully see new errors popup and we might catch this problematic bad feed in the act? Hmmm 🧐

prologic

twtxt.net

25 Jul 24 15:08 UTC

@slashdot I _thought_ Sunday was the hottest day on Earth 🤦‍♂️ wtf is wrong with Slashdot these days?! 🤣

prologic

twtxt.net

25 Jul 24 15:08 UTC

@slashdot I _thought_ Sunday was the hottest day on Earth 🤦‍♂️ wtf is wrong with Slashdot these days?! 🤣

prologic

twtxt.net

if we can figure out wtf is going on here and my theory is right, we can blacklist that feed, hell even add it to the codebase as an "asshole".

prologic

twtxt.net

if we can figure out wtf is going on here and my theory is right, we can blacklist that feed, hell even add it to the codebase as an "asshole".

prologic

twtxt.net

@stigatle The problem is it'll only cause the attack to stop and error out. It won't stop your pod from trying to do this over and over again. That's why I need some help inspecting both your pods for "bad feeds".

prologic

twtxt.net

stigatle

yarn.stigatle.no

25 Jul 24 17:01 UTC+0200

@prologic I'm running it now. I'll keep an eye out for the tmp folder now (I built the branch you have made). I'll let you know shortly if it helped on my end.

stigatle

yarn.stigatle.no

25 Jul 24 17:01 UTC+0200

@prologic Ok, I'm running it now. I'll keep an eye out for the tmp folder now (I built the branch you have made). I'll let you know shortly if it helped on my end.

prologic

twtxt.net

25 Jul 24 15:01 UTC

@abucci / @stigatle Please git pull, rebuild and redeploy.

There is also a shell script in ./tools called dump_cache.sh. Please run this, dump your cache and share it with me. 🙏

prologic

twtxt.net

25 Jul 24 15:01 UTC

@abucci / @stigatle Please git pull, rebuild and redeploy.

There is also a shell script in ./tools called dump_cache.sh. Please run this, dump your cache and share it with me. 🙏

prologic

twtxt.net

25 Jul 24 15:00 UTC

I'm going to merge this...

prologic

twtxt.net

25 Jul 24 15:00 UTC

I'm going to merge this...

prologic

twtxt.net

25 Jul 24 14:58 UTC

@abucci Yeah I've had to block entire ASN(s) recently myself from bad actors, mostly bad AI bots actually from Facebook and Caude AI

prologic

twtxt.net

25 Jul 24 14:58 UTC

@abucci Yeah I've had to block entire ASN(s) recently myself from bad actors, mostly bad AI bots actually from Facebook and Caude AI

abucci

anthony.buc.ci

25 Jul 24 14:57 UTC

@stigatle I used the following hack to keep my VPS from running out of space: watch -n 60 rm -rf /tmp/yarn-avatar-*, run in tmux so it keeps running.

abucci

anthony.buc.ci

25 Jul 24 14:55 UTC

The vast majority of this traffic was coming from a single IP address. I blocked that IP on my VPS, and I sent an abuse report to the abuse email of the service provider. That ought to slow it down, but the vulnerability persists and I'm still getting traffic from other IPs that seem to be doing the same thing.

prologic

twtxt.net

25 Jul 24 14:55 UTC

Or if y'all trust my monkey-ass coding skillz I'll just merge and you can do a git pull and rebuild 😅

prologic

twtxt.net

25 Jul 24 14:55 UTC

Or if y'all trust my monkey-ass coding skillz I'll just merge and you can do a git pull and rebuild 😅

prologic

twtxt.net

25 Jul 24 14:54 UTC

@stigatle / @abucci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed's preamble (metadata). I'd love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/

prologic

twtxt.net

25 Jul 24 14:54 UTC

stigatle

yarn.stigatle.no

25 Jul 24 16:53 UTC+0200

@prologic yeah I still do have that issue.

stigatle

yarn.stigatle.no

25 Jul 24 16:53 UTC+0200

@prologic yeah I still do have that issue, I compiled latest main, did not apply any patches or anything like that.

prologic

twtxt.net

25 Jul 24 14:52 UTC

@stigatle I'm wondering whether you're having the same issue as @abucci still? mulit-GB yarnd-avatar-*1 files piling up in /tmp/? 🤔

prologic

twtxt.net

25 Jul 24 14:52 UTC

@stigatle I'm wondering whether you're having the same issue as @abucci still? mulit-GB yarnd-avatar-*1 files piling up in /tmp/? 🤔

stigatle

yarn.stigatle.no

25 Jul 24 16:48 UTC+0200

@prologic yeah, I ran out of space again. also have the activitypub stuff turned off (just so you know).

prologic

twtxt.net

25 Jul 24 14:47 UTC

@abucci So... The only way I see this happening at all is if your pod is fetching feeds which have multi-GB sized avatar(s) in their feed metadata. So the PR I linked earlier will plug that flaw. But now I want to confirm that theory. Can I get you to dump your cache to JSON for me and share it with me?

prologic

twtxt.net

25 Jul 24 14:47 UTC

prologic

twtxt.net

25 Jul 24 14:45 UTC

@abucci Yeah that should be okay, you get so much crap on the web 🤦‍♂️

prologic

twtxt.net

25 Jul 24 14:45 UTC

@abucci Yeah that should be okay, you get so much crap on the web 🤦‍♂️

prologic

twtxt.net

25 Jul 24 14:44 UTC