Try to detect a fake server, sending bogus search results

AraldoL
Dec 25 2006, 21:21
For some days now I have noticed that on nearly every search I get one single fake search result (obviously a dangerous executable) with a very high number of sources, so it's always in first position in the search results. The filename is always built from my search term and "_ShareAccelerator.exe", e.g. if I do a global search on "schafkopf" (a German card game; there are several freeware versions floating around) I get "schafkopf_Shareaccelerator.exe" with about 6500 full sources. There must be at least one bogus server that builds this filename from my search term.

Of course I use a big and weekly updated ipfilter.dat! And I use a self-compiled version of the current CVS with a self-made addition to prevent adding any servers which are located in the United States according to ip2country. So I have no US servers in my list.

To investigate which server it is, I tried to find the location in the source where the server results are added to the list. As a first step I wanted to write a debug line with the server's IP to the debug log to find out which server it is.

Can someone point me to the proper file and function in source where both server ip and filename from global search results are available?

Araldo
AraldoL
Jan 7 2007, 18:29
Something new on the subject:

1. Dropping those bogus search results does work. I added the following code lines to SearchList.cpp, function CSearchList::AddToList, at line ~675:

CODE
                    delete pAddedFile;
                    return false;
                }
            }
        }

        // Added check: drop a result packet in which a single server reports an
        // implausibly high number of complete sources for an .exe file.
        CString strServerFilename = pAddedFile->GetFileName();
        uint32 dwServerFullsources = pAddedFile->GetIntTagValue(FT_COMPLETE_SOURCES);
        // _T() keeps the literal correct in both ANSI and Unicode builds;
        // MakeLower() makes the extension match case-insensitive.
        if ((dwServerFullsources > 4000) && (strServerFilename.MakeLower().Find(_T(".exe")) > 0))
        {
            AddLogLine(false, RGB_LOG_ERROR_TXT _T("Bogus Server sends %u full sources for suspicious file %s - dropped!"),
                dwServerFullsources, (LPCTSTR)strServerFilename);
            delete pAddedFile;
            return false;
        }

        CSearchFile *pSearchFile;

        for (POSITION pos = list.GetHeadPosition(); pos != NULL; )

To allow logging I had to change SearchList.h as well, at line 87:
CODE
class CSearchList : public CLoggable
{


As you see, a result is only dropped if it's an EXE file and the server reports more than 4000 complete(!) sources. Now the file name changes; it's not only shareaccelerator any more. But it's always an EXE file with about 6500 full sources.

2. Detecting the server responsible for these results: sorry, I wasn't able to find the proper connection between server IPs and result packets, which resulted in wrongly accusing a BigBang server. Perhaps someone can add it to the detection above to filter such a server.

Araldo

Fuxie - DK
Jan 8 2007, 05:14
QUOTE(AraldoL @ Jan 7 2007, 19:29)
As you see, a result is only dropped if it's an EXE file and the server reports more than 4000 complete(!) sources. Now the file name changes; it's not only shareaccelerator any more. But it's always an EXE file with about 6500 full sources.

Try doing a search for "exe" in the name field and "4000" in the availability field..

I get two results:
eMule0.47c-Installer.exe <-- 12870 results...
ud.sarkilari_Web_Hottest_Videos_PersonalPlayer.exe <-- 4457 results...

So excluding all exe-files simply because they have more than 4000 sources seems a bit dangerous to me...
AraldoL
Jan 8 2007, 08:38
QUOTE(Fuxie - DK @ Jan 8 2007, 07:14)
Try doing a search for "exe" in the name field and "4000" in the availability field..

I get two results:
eMule0.47c-Installer.exe  <-- 12870 results...
ud.sarkilari_Web_Hottest_Videos_PersonalPlayer.exe  <-- 4457 results...

So excluding all exe-files simply because they have more than 4000 sources seems a bit dangerous to me...

The search packet is only dropped if you get more than 4000 full sources from a single(!) server. So perhaps the first example is dropped from the one or two biggest servers that really have 4000 complete sources connected. But even then your global search gets lots of additional results from servers with fewer than 4000 full sources, which are not(!) dropped. It's unlikely that there are more than 4000 sources on a big server and none on the smaller ones. If one packet is dropped you would get 8000 instead of 12000 total sources, still enough I think. If such a download is started, the remaining sources are found by source exchange.

Btw, the second example sounds exactly like those fake results! (Currently I'm getting xxx_shareaccelerator.exe, xxx_web_hottest_videos_personalplayer.exe, xxx_direct_torrent_search_bar.exe, ...) You could download and launch it and tell me what it does :D

Araldo
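To show how the per-server threshold from post #2 behaves on the case Fuxie raised, here is an added, stand-alone C++ example (not eMule code and not AraldoL's patch): it applies the same rule, more than 4000 complete sources reported by one server for an .exe, to a constructed batch of results. ServerResult, filterResults, visibleCompleteSources and the 192.0.2.x server addresses are assumptions of this example, and the extension check is a suffix match rather than the post's Find().

```cpp
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

// One result as ONE server sent it for a global search (constructed shape, not eMule's CSearchFile).
struct ServerResult {
    std::string serverIp;      // server that sent this result packet
    std::string fileName;
    uint32_t completeSources;  // what that server reports as FT_COMPLETE_SOURCES
};
static const uint32_t kSuspiciousCompleteSources = 4000;  // threshold from post #2

// Case-insensitive suffix check; stricter than the post's Find(".exe") > 0,
// which would also match a name such as "readme.exe.txt".
static bool hasExeExtension(std::string name) {
    for (char& c : name) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return name.size() >= 4 && name.compare(name.size() - 4, 4, ".exe") == 0;
}

// Flag a packet in which a single server claims more complete sources for an
// .exe than the threshold. Counts from different servers are never summed.
static bool isBogusResult(const ServerResult& r) {
    return r.completeSources > kSuspiciousCompleteSources && hasExeExtension(r.fileName);
}

// Drop flagged packets and keep the rest (eMule would also log each drop here).
static std::vector<ServerResult> filterResults(const std::vector<ServerResult>& in) {
    std::vector<ServerResult> kept;
    for (const auto& r : in)
        if (!isBogusResult(r)) kept.push_back(r);
    return kept;
}

// Complete sources the client still sees for one file name after filtering.
static uint32_t visibleCompleteSources(const std::vector<ServerResult>& rs, const std::string& fn) {
    uint32_t total = 0;
    for (const auto& r : rs) if (r.fileName == fn) total += r.completeSources;
    return total;
}

// Constructed batch: a popular installer answered by three servers, plus a fake
// "<search term>_ShareAccelerator.exe" that one server reports with 6500 sources.
static std::vector<ServerResult> sampleResults() {
    return {{"192.0.2.10", "eMule0.47c-Installer.exe", 3900},
            {"192.0.2.11", "eMule0.47c-Installer.exe", 5200},
            {"192.0.2.12", "eMule0.47c-Installer.exe", 3770},
            {"192.0.2.99", "schafkopf_ShareAccelerator.exe", 6500},
            {"192.0.2.10", "schafkopf.zip", 120}};
}
```

On this batch only the 5200-source packet for the installer and the 6500-source fake are dropped, so the installer keeps 7670 of its 12870 complete sources while the fake disappears, which is the trade-off AraldoL describes in post #4.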