Try to detect a fake server, sending bogus search results
AraldoL, Dec 25 2006, 21:21 (Group: Members, Posts: 77, Joined: 23-August 05)
For some days I have noticed that on nearly every search I get one single fake search result (obviously a dangerous executable) with a very high number of sources, so it's always in first position in the search results. The filename is always built of my search term and "_ShareAccelerator.exe", i.e. if I do a global search on "schafkopf" (a German card game, there are several freeware versions floating around) I get "schafkopf_Shareaccelerator.exe" with about 6500 full sources. There must be at least one bogus server that builds this filename from my search term.

Of course I use a big and weekly updated ipfilter.dat! And I use a self-compiled version of current CVS with a self-made addition to prevent adding any servers which are located in the United States according to ip2country. So I have no US servers in my list.

To investigate which server it is, I tried to find the location in the source where the server results are added to the list. I wanted to write a debug line with the server's IP to the debug log to find out which server it is as a first step. Can someone point me to the proper file and function in the source where both server IP and filename from global search results are available?

Araldo
AraldoL, Dec 27 2006, 18:34 (Group: Members, Posts: 77, Joined: 23-August 05)
Now I think BiG BanG 12 was a false alert. Seems like things are running asynchronously, so my debug lines don't show the correct server.

I need to take a deeper look into the code to get it working properly (in UDPSocket.cpp I get the server name and IP as Aw3 showed me above and store it; in CSearchList::AddToList I check the filename and report the last stored server name, but it seems like this doesn't correspond). So I would say that BB12 is innocent and I have to search again for which one it is. I'll be back when I get it working.

Araldo
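The attribution problem described in the post above, as an added C++ example that is not part of the thread and not eMule Plus code: tagging each parsed result with the address of the datagram that carried it keeps the server identity correct, where a single "last stored server" slot blames whichever server answered last. The struct, function names and sample data are hypothetical, and the model of the shared slot (all answers received before the list code runs) is an assumption.

```cpp
// Added illustration, not eMule Plus source; every name here is hypothetical.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct UdpResult {                  // one entry of a global-search UDP answer
    std::string serverIp, fileName; // serverIp = sender address of that datagram
    unsigned sources;
};
using Results = std::vector<UdpResult>;
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}
// True when the name is "<search term>_<anything>.exe", i.e. built from the query.
bool looksGenerated(const std::string& term, const std::string& name) {
    const std::string t = lower(term) + "_", f = lower(name), ext = ".exe";
    return f.size() > t.size() + ext.size() && f.compare(0, t.size(), t) == 0 &&
           f.compare(f.size() - ext.size(), ext.size(), ext) == 0;
}
// Assumed model of the shared slot: every answer is received before the list runs.
std::string blamedByLastSeen(const std::string& term, const Results& rs) {
    std::string last;
    for (const auto& r : rs) last = r.serverIp;  // socket side overwrites the slot
    for (const auto& r : rs)                     // list side reads it afterwards
        if (looksGenerated(term, r.fileName)) return last;
    return "";
}
// Per-result attribution: count generated names by the address each result carries.
std::map<std::string, int> suspectsByServer(const std::string& term, const Results& rs) {
    std::map<std::string, int> hits;
    for (const auto& r : rs)
        if (looksGenerated(term, r.fileName)) ++hits[r.serverIp];
    return hits;
}
// Constructed sample (documentation-range addresses); three servers answer in turn.
Results sampleResults() {
    return {{"192.0.2.10", "schafkopf-freeware-1.2.zip", 12},
            {"198.51.100.7", "schafkopf_Shareaccelerator.exe", 6500},
            {"203.0.113.5", "Schafkopf Regeln.pdf", 3}};
}
int main() {
    for (const auto& kv : suspectsByServer("schafkopf", sampleResults()))
        std::printf("%s: %d generated name(s)\n", kv.first.c_str(), kv.second);
}
```

A legitimate file such as a hypothetical `schafkopf_setup.exe` also matches the name check, so the per-server count is only meaningful when it repeats across several unrelated search terms.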