2023-02-24 An unrequested web vulnerability scan from cloudflare IPv4 space
I noticed a strange peak in web traffic today and when digging into it I found out it was a web vulnerability scan. What made me look further was the fact that the source IPv4 addresses were randomized over quite a range, so any automatic firewalling wouldn't block the attempts. This turned out to originate from cloudflare IPv4 space. Interesting how the source IP addresses are clearly spread out (which would circumvent a lot of automatic web application firewalls).

```
172.70.251.143 - - [24/Feb/2023:09:52:22 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.16 - - [24/Feb/2023:09:52:24 +0100] "GET /index.php?s=%2Fuser%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.146 - - [24/Feb/2023:09:52:26 +0100] "GET /index.php?s=index%2Fuser%2F_empty HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.56 - - [24/Feb/2023:09:52:27 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.250.40 - - [24/Feb/2023:09:52:27 +0100] "GET /admin/public/login.html HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.250.41 - - [24/Feb/2023:09:52:28 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.56 - - [24/Feb/2023:09:52:28 +0100] "POST /_ignition/execute-solution HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.57 - - [24/Feb/2023:09:52:29 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.57 - - [24/Feb/2023:09:52:29 +0100] "GET /seller/login/reg HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.16 - - [24/Feb/2023:09:52:29 +0100] "GET /index.php?s=%2Fuser%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.247.24 - - [24/Feb/2023:09:52:31 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.16 - - [24/Feb/2023:09:52:31 +0100] "GET /index.php?s=%2Fapi%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.57 - - [24/Feb/2023:09:52:35 +0100] "GET /ch/upload/upload HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.16 - - [24/Feb/2023:09:52:35 +0100] "GET /index.php?s=index%2Fuser%2F_empty HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.132 - - [24/Feb/2023:09:52:36 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.146 - - [24/Feb/2023:09:52:36 +0100] "GET /admin/public/login.html HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.146 - - [24/Feb/2023:09:52:37 +0100] "GET /loginMe HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.57 - - [24/Feb/2023:09:52:39 +0100] "GET /_ignition/execute-solution HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.242.219 - - [24/Feb/2023:09:52:40 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.132 - - [24/Feb/2023:09:52:40 +0100] "GET /admin/other_cert/cert.php HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.17 - - [24/Feb/2023:09:52:41 +0100] "GET /index.php?case=admin&act=login&admin_dir=admin&site=default HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
```

I checked with someone who uses cloudflare for sites and these IPv4 addresses match how cloudflare proxies sites. My current theory is that someone set up a cloudflare proxy with my site as 'backend' and scanned the 'frontend' to make it harder for me to find the origin. At this moment the cloudflare abuse form doesn't work for me. I don't have a lot of trust in cloudflare doing things to stop abuse from cloudflare customers, so I'm not going to jump through more hoops to get them to notice this; I expect a big disappointment when I get an actual answer from them.
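An added example (not code from the original post) of the detection approach the post implies: group requests by path instead of by source address, so a scan spread over many addresses still stands out, and flag sources inside Cloudflare's published egress ranges on an origin that is not itself behind Cloudflare. The sample log lines are constructed from the paths above, and it is assumed that 172.64.0.0/13 is still on Cloudflare's list.

```python
import ipaddress
import re
from collections import defaultdict

# Cloudflare publishes its egress ranges at https://www.cloudflare.com/ips-v4; 172.64.0.0/13
# (which contains the 172.70.x.x addresses above) is assumed to still be on it. Refresh it yourself.
CLOUDFLARE_V4 = [ipaddress.ip_network("172.64.0.0/13")]

# Apache/nginx "combined" format: ip ident user [time] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample lines modelled on the scan in the post (not the real log file).
SAMPLE_LOG = """\
172.70.251.143 - - [24/Feb/2023:09:52:22 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0"
172.70.46.57 - - [24/Feb/2023:09:52:29 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0"
172.70.242.219 - - [24/Feb/2023:09:52:40 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0"
172.70.46.56 - - [24/Feb/2023:09:52:28 +0100] "POST /_ignition/execute-solution HTTP/1.1" 404 972 "-" "Mozilla/5.0"
172.70.46.57 - - [24/Feb/2023:09:52:39 +0100] "GET /_ignition/execute-solution HTTP/1.1" 404 972 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2023:09:53:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return ip, path and status for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def is_cloudflare(ip):
    """True when ip lies in one of the Cloudflare egress ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def scan_report(lines, min_ips=2):
    """Group requests by path instead of by source address, so a scan spread
    over many addresses still shows up. On an origin that is not itself behind
    Cloudflare, hits from Cloudflare egress mean someone proxied the site."""
    ips_by_path = defaultdict(set)
    errors_by_path = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ips_by_path[rec["path"]].add(rec["ip"])
        if rec["status"] >= 400:
            errors_by_path[rec["path"]] += 1
    report = {}
    for path, ips in ips_by_path.items():
        if len(ips) >= min_ips:
            report[path] = {
                "distinct_ips": len(ips),
                "cloudflare_ips": sum(1 for ip in ips if is_cloudflare(ip)),
                "errors": errors_by_path[path],
            }
    return report
```

Run `scan_report(SAMPLE_LOG.splitlines())` and every reported path whose `cloudflare_ips` equals `distinct_ips` is a candidate for the proxied-scan theory described above.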
2023-02-23 The search for the real source of a podcast
Today I came across an article, Generaals b.d. Van Uhm en De Kruif beginnen podcast over oorlog, and it seemed like fun to listen to this podcast. But the article gives remarkably little information about it. The only thing to be found is:

"The first episode of Veldheren will be launched on Friday on Spotify and Apple Podcast."

But I don't want to use either of those to listen to the podcast; I just want to listen to it in my podcast player, which at the moment is 'Pocket Casts'. As Dave Winer puts it in Podcasts are feeds - Dave Winer Scripting News, something is only a podcast if it has an RSS feed. So I am looking for the URL of this podcast's RSS feed, then I can add the podcast. I tried various searches and eventually ended up at Veldheren at podcast24.nl / podcast24.co.uk, which still shows no feed information. But the feed URL can be extracted from the source, because the podcast24.nl site is itself based on the feed, it just doesn't show that.
The page source still contains information from the feed and something that looks like a mangled URL:

```
url:"https:\u002F\u002Frss.art19.com\u002Fveldheren"
```

And when I sniff around there it does start to look like it:

```
$ curl -kI https://rss.art19.com/veldheren
HTTP/2 200
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
last-modified: Thu, 23 Feb 2023 14:50:22 GMT
cache-control: max-age=45, public
content-type: application/rss+xml; charset=utf-8
content-md5: NpD8EsLUoeqYLrvKp3UmZQ==
via: 1.1 haproxy, 1.1 varnish, 1.1 varnish
fastly-restarts: 1
accept-ranges: bytes
date: Thu, 23 Feb 2023 19:55:49 GMT
age: 0
x-served-by: cache-ams12743-AMS, cache-ams21063-AMS
x-cache: MISS, MISS
x-cache-hits: 0, 0
x-timer: S1677182149.621644,VS0,VE843
vary: Accept, Accept-Encoding, Accept-Language, Authorization,User-Agent,Origin
server: Fastly
strict-transport-security: max-age=300
content-length: 7164
```

application/rss+xml is the desired MIME type! And indeed, when I fetch the file and look inside:

```
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:art19="https://art19.com/xmlns/rss-extensions/1.0" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0/" version="2.0">
<channel>
<title>Veldheren</title>
<description>
<![CDATA[<p>Veldheren is een podcast waarin twee ..
```

It would be nice if finding a podcast outside Spotify or Apple wasn't half a hack. Tucked further away in the search results, behind all kinds of news articles dutifully repeating the same thing, I eventually end up at Veldheren podcast - Part of Corti Media Network, which does have references to the RSS feed, both in the page and in the metadata. So it can be done, it is just rather buried.
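An added example (not code from the post, podcast24 or art19) of the feed discovery the post does by hand: read the feed advertised in the page metadata first, fall back to JavaScript-escaped URLs in inline script data, and confirm a candidate by its content type the way the curl check does. The sample HTML and the feeds.example.org host are constructed.

```python
import re
from html.parser import HTMLParser

FEED_TYPES = {"application/rss+xml", "application/atom+xml"}


class FeedLinkParser(HTMLParser):
    """Collect the feeds a page advertises in its metadata, i.e.
    <link rel="alternate" type="application/rss+xml" href="...">."""

    def __init__(self):
        super().__init__()
        self.feeds = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        mime = (a.get("type") or "").lower()
        if tag == "link" and "alternate" in rel and mime in FEED_TYPES and a.get("href"):
            self.feeds.append(a["href"])


# Inline script data often stores URLs as JSON with \u002F for every slash, which is
# why a plain search for "https://" in the page source finds nothing.
ESCAPED_URL_RE = re.compile(r'"(https?:(?:\\u002F|/){2}(?:[^"\\]|\\u[0-9a-fA-F]{4})+)"')


def unescape_js(s):
    """Turn JavaScript/JSON \\uXXXX escapes back into characters."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def discover_feed_urls(html):
    """Advertised feeds first, then escaped URLs whose host or path says rss/feed."""
    parser = FeedLinkParser()
    parser.feed(html)
    found = list(parser.feeds)
    for m in ESCAPED_URL_RE.finditer(html):
        url = unescape_js(m.group(1))
        if re.search(r"rss|feed", url, re.I) and url not in found:
            found.append(url)
    return found


def looks_like_feed(content_type, body_start):
    """Confirm a candidate the way the curl check does: served as RSS/Atom and
    starting with an XML document."""
    mime = content_type.split(";")[0].strip().lower()
    return mime in FEED_TYPES and body_start.lstrip().startswith(("<?xml", "<rss", "<feed"))


# Constructed page source modelled on the pages in the post (not their real HTML);
# feeds.example.org is a made-up host.
SAMPLE_HTML = r"""<html><head>
<link rel="alternate" type="application/rss+xml" title="Veldheren" href="https://feeds.example.org/veldheren.rss">
</head><body>
<script>window.__DATA__={podcast:{url:"https:\u002F\u002Frss.art19.com\u002Fveldheren",site:"https:\u002F\u002Fexample.org"}}</script>
</body></html>"""
```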
2023-02-20 I participated in the ARRL DX CW Contest
Past weekend was the ARRL DX CW Contest and I had planned beforehand to participate on the 20 meter band like I did in the ARRL DX CW Contest in 2022. But this year the HF propagation was much better and I got contacts with stations in the United States of America and Canada on the 10 meter, 15 meter and 20 meter amateur bands. The contacts on 10 and 15 meters were mostly during the period when it was daylight at both ends, the contacts on 20 meters later in the day. In total I made 89 contacts:
```
Band    160   80   40   20   15   10
QSO's     0    0    0   16   37   36
Mult      0    0    0   11   19   17

Pts: 267  Mul: 47  Score: 12549
```

Currently this gives me New Mexico as a new US state.
2023-02-17 More new countries/entities in my log
My search for new countries/entities continues and some interesting ones show up. The big DXpedition for January was going to be the 3Y0J DXpedition to Bouvet Island. I hoped to get an opportunity to make that contact. In the end, between the first rush of the high power stations and the early end of the expedition, I received signals from them for about 20 minutes before they stopped for dinner that day. The day my new Yaesu FT-991A radio arrived I got Reunion Island in the log in FT8. In the last weekend of the WRTC 2023 award I was trying to get those stations on the 15 meter band and when I had those in the log I looked for other interesting stations on that band. That showed me an active station on French Guiana for that weekend only, busy in the R-E-F contest in morse. So I submitted my log for that contest with 1 entry. In February I got Pakistan, Uzbekistan and Martinique as new countries in the log.
2023-02-13 I participated in the PACC contest as a morse operator at the radio club
Past weekend was the Dutch PACC contest and I decided to participate at the radio club with the group and call CQ in morse. I sat at the radio together with another (very experienced) operator and we worked together. He was (lots) better at getting callsigns out of the noise, but for the understandable callsigns I typed fast, and together we got a nice number of contacts in the log. After about two hours fatigue was setting in so someone else took over. As an experience in morse contesting this was really nice for me. I also did some other stuff, there is always something to repair during a contest. And lots and lots of cables. This hobby isn't 100% wireless! Two things to improve for the next time if I want to do this again: bring my own headset and make sure it's comfortable for long use, and bring my own audio splitter and extension cable.
2023-02-11 Major upgrade postgresql
On my todo-list was a postgresql upgrade from 9.6 to 11, a lingering item from the earlier devuan upgrades from ascii to beowulf. This is one of those upgrades where I am very happy to have lvm snapshots, so I know I can get back to a working state if something really goes wrong. With that snapshot and the instructions from From Stretch to Buster : How to upgrade a 9.6 PostgreSQL cluster to 11 ? - Samuel Forestier it all went fine. After the upgrade I tested all my database-driven websites and local tools to see if they worked. All worked fine, so I could stop and delete the 9.6 main postgres cluster and continue running 11. Final cleanup was deleting the snapshot. Which used as much space as the size of the database! Not surprising when you think about how the upgrade works, but keep the snapshot size in mind.
2023-02-09 First upgrade to Ubuntu 22.04
I run a desktop and a laptop with Ubuntu and both were at Ubuntu 20.04. The desktop is mostly used for things with amateur radio so I wanted to check whether anything broke on that upgrade. With the 18.04 to 20.04 upgrade I had to do some recovery to get the databases behind cqrlog working again, so this time I upgraded the laptop first, which has the same amateur radio software installed, configured and tested: cqrlog, wsjt-x, fldigi. The whole do-release-upgrade took more than an hour. And it's still possible that somewhere during the upgrade process the user gets prompted whether or not to change a configuration file, so I came back after a few hours to a system sitting at a prompt with the upgrade not finished. The upgrade told me firefox would be changed from an installed package to a 'snap'. The downside for me was that after the first start firefox thought it was a completely new browser with no history/bookmarks/settings. Maybe this was because the start of firefox was triggered by thunderbird starting and wanting to show me a page about donating. Restarting firefox didn't make the old profile show up again. With a bit of searching I found that firefox should import old non-snap settings when started as a 'snap' for the first time. So I stopped firefox, threw out the whole ~/snap/firefox directory and started it again. This time settings/bookmarks/cookies/history were imported. Next step was to test cqrlog. There is no cqrlog build for ubuntu 22.04 yet, but the build for 20.04 works. All previously logged data was available fine. The upgrade of ubuntu has upgraded hamlib, which means the radio IDs got renumbered, so I had to update the settings to the new radio ID.

Silencing Ubuntu Pro adverts
In regular maintenance I noticed this gem:

```
$ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  libimage-magick-perl imagemagick libjs-jquery-ui libopenexr25 libmagick++-6.q16-8 libmagickcore-6.q16-6-extra libimage-magick-q16-perl libmagickwand-6.q16-6 imagemagick-6.q16 libmagickcore-6.q16-6 imagemagick-6-common
Learn more about Ubuntu Pro at https://ubuntu.com/pro
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```

which is no better than an advertisement for Ubuntu Pro. Which is a new service by Canonical offering longer term support (10 years) and support for not just "Main" (which is what you got with Ubuntu before) but "Main" and "Universe". Ubuntu Pro costs a registration for private use at the moment. So 'The following security updates require Ubuntu Pro' isn't completely honest. But then again, it's advertising. Anyway, I don't want to see this every time I check for updates. I searched for a solution: The following security updates require Ubuntu Pro with 'esm-apps' enabled - reddit.com r/linux

```
# the apt hook that prints the message lives in /etc/apt/apt.conf.d
$ cd /etc/apt/apt.conf.d
$ sudo mv 20apt-esm-hook.conf 20apt-esm-hook.conf.disabled
# leave an empty, immutable file in its place so a package update can't put the hook back
$ sudo touch 20apt-esm-hook.conf
$ sudo chattr +i 20apt-esm-hook.conf
```
2023-02-06 Waiting for Open Dutch Fiber to open up
The latest developments around Open Dutch Fiber, which has plans to lay fibre here as well, are that according to a message from Freedom there is a preferential period for T-Mobile, but that after that Freedom Internet should become possible after all, if they get the interconnections in place to be active as a provider on that network. Source: Wanneer komt Freedom op het Open Dutch Fiber netwerk? - Freedom Internet. According to that message:

"Unfortunately there is one problem; ODF has an agreement with T-Mobile stating that at every location where ODF builds a new piece of network, T-Mobile may supply internet subscriptions exclusively, so as the only provider, for the first year."

That is not stated very prominently in Open Dutch Fiber's communication, which only says that you can quickly take out a subscription with T-Mobile. In short: wait, and explain to the T-Mobile salespeople who are going to come to the door what I want. Because I do expect those salespeople.
2023-02-03 Freeradius doesn't like the old LetsEncrypt chain
I was doing some testing with freeradius and suddenly nothing worked, with the following error in debug mode:

```
(7) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(7) eap_peap: TLS_accept: Need to read more data: error
(7) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
```

I checked the certificate and renewed it. The normal autorenewal processes had not run since the previous tests with radius and 802.1x authentication on wifi, so that wasn't unexpected, but this still didn't solve it: I kept getting the error message. After some deep searching into why it worked before, I saw I had requested that certificate in a different way, with the chain containing only ISRG Root X1, because sendmail gave me SSL verification failures after the DST Root CA expired. So I did the same as I did before: I configured dehydrated (my preferred ACME client) on the radius test machine to use the LetsEncrypt issuer chain without the DST Root CA cross signature, with the following in /etc/dehydrated/config:

```
# Preferred issuer chain (default: <unset> -> uses default chain)
PREFERRED_CHAIN="ISRG Root X1"
```
2023-02-03 Dear Linux distributions, don't nag about a setting
I noticed lots of kernel modules for filesystem support were loaded after running update-grub. This was caused by running os-prober, which searches for possible operating system installations on all partitions of the system. On virtual and physical machines that only run linux and will never run anything else unless I am really changing something, this only takes time and uses resources, so I searched for how to disable this. So now there is a line in /etc/default/grub:

```
# don't look high and low for other operating systems
GRUB_DISABLE_OS_PROBER=true
```

But now update-grub thinks it is necessary to warn me every time...

```
# update-grub
Generating grub configuration file ...
[..]
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
done
```

I know it will not be executed, I added it on purpose. It's not very likely I added GRUB_DISABLE_OS_PROBER=true by accident not knowing what I was doing. Stop nagging me about it. If I didn't know what I was doing on a computer I wouldn't be configuring linux distributions.