[BlueOnyx:27406] Re: BlueOnyx SVN/Trac issues
Michael Stauber
mstauber at blueonyx.it
Tue Jan 7 13:52:54 -05 2025
Hi Taco,
> Is it an up-to-date version? Maybe they are trying to exploit a vulnerability.
> If you are able to infect a source (or repo) a hacker will get access to a lot of hosts obviously.
Yeah, this is of course always a concern. But there are precautions and
checks and balances.
devel.blueonyx.it has the SVN repository and serves as toplevel mirror
for the YUM/DNF mirrors. So all subsequent mirrors pull the RPMs (and
other installation media) from it.
But it's not used to build or sign anything. It just distributes.
The RPM and install media building happens on dedicated build boxes,
which are pretty well locked down on their own and the signing happens
there as well.
Each build box has the parts of the SVN that are relevant to it stored
locally and up to date. So if I change 5211R code, it happens on the
5211R build box first and is then eventually committed to the SVN and
built RPMs are signed and then uploaded to devel.blueonyx.it for pushing
them to the other mirrors. Should anyone manage to manipulate the
sources in SVN, then this is relatively easy to spot as the SVN code
then differs from the commit on the build box.
Should someone somehow gain access to devel.blueonyx.it? Manipulation of
the RPMs would fail the RPM signature test during YUM/DNF install.
ISOs have a sha256 checksum, too. While that could be tampered with? It
isn't that easy, but it gives me an idea: I probably should publish the
sha256 checksums of ISOs on www.blueonyx.it, too. Which is a separate
box. Because right now they're only shown in a textfile within the mirrors.
As for devel.blueonyx.it's security? It has to be somewhat exposed, but
it only has ports 80/TCP, 443/TCP and 873/TCP (for read-only RSYNC
access to the distribution directory) open and the rest is firewalled
off. SSH is entirely key based and only responds to selected IPs that
require access for uploading. Like the 5210/5211R/5212R build boxes at
this time, as well as build box for the Incus images and my office
workstation.
The firewall on devel.blueonyx.it does GeoIP blocking and blocks all
access from China, Russia and Iran, plus a long list of other bad actors
aggregated from some best-practice blacklists and prior experiences.
Lastly: After the modernization, devel.blueonyx.it now uses a totally
modern OS again, has only installed what it needs and all necessary
security tweaks have been applied and/or adapted to the more modern
environment. Which now also includes check-summing of the directory
that's being served via RSYNC and web for downloads (and a couple of
others). File changes (if any) are reported daily and I'll see if these
coincide with whatever I have published.
The daily backup of devel.blueonyx.it also reports any file changes that
may have happened since the last time the backup has run, so this adds
another layer of accountability and records keeping.
As for the "attacks" (rather: "unusual activity") in the last few days?
========================================================================
I suspect this is a Huawei search engine/crawler of some sorts that does
a pretty brutal, intensive and distributed indexing of web related
content. They ignore robots.txt and they constantly rotate IPs. It takes
a while until the same IP tries to index again after indexing a couple
of dozen pages, because they use their distributed world wide cloud
network for this. The same IP just fetches a bunch of pages, then
another IP that may even be from an entirely different geographical
region continues. And this also overlaps in multiple layers, as several
of these "bots" are harvesting at the same time.
But the way they jump around indexing Trac makes it clear that this
isn't natural.
Now that I have blocked off all Huawei clouds that I could find and
which weren't already blocked via Geo-blocking? Now I see the same
behavior originating from CloudFlare IP address ranges.
The browser identification (user-agent) strings are kinda interesting as
well. Accesses directly from the Huawei clouds had randomized user-agent
strings for different OS's, browsers and versions. Accesses now from
CloudFlare? They use mostly the same u-agent string with only minor
variations.
It's just web accesses, as anything else is locked down. And the URL
parameters aren't "exploity looking" either.
Let me give you an example:
The IP 172.68.22.172 (CloudFlare, Seattle/Washington, address range:
172.64.0.0/13) was among one of many CloudFlare IPs that connected
today. This IP always reported to use this browser and OS:
-----------------------------------------------------------------------
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
-----------------------------------------------------------------------
This user-agent string? Chrome/130.0.0.0: The version number 130.0.0.0
is unusual because it might indicate an alpha or beta build or some fake
uagent shenanigans.
Here is an example from another box (the one that hosts www.blueonyx.it)
and where the robots.txt allows indexing:
-----------------------------------------------------------------------
www.blueonyx.it 66.249.72.4 - - [07/Jan/2025:13:27:11 -0500] "GET
/news/176/51/YUM-Update-sausalito-cce/d,Simplex%20News%20Detail
HTTP/1.1" 301 269 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X
Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/131.0.6778.204 Mobile Safari/537.36 (compatible; Googlebot/2.1;
+http://www.google.com/bot.html)"
-----------------------------------------------------------------------
This reports to be "Chrome/131.0.6778.204 Mobile Safari/537.36", but at
least tells us honestly: It's the Google-Bot.
Here are the URL-strings the CloudFlare IP 172.68.22.172 fetched from
Trac on devel.blueonyx.it:
root@devel:~# cat /var/log/apache2/access.log|grep 172.68.22.172|awk '{print $7}'
/trac/log/BlueOnyx/5107R?rev=2861
/trac/log/BlueOnyx/5209R/ui?rev=4518
/trac/log/BlueOnyx/tmp/csrf/5209R/alpine.mod/web/.adm/scripts/touchpunch?rev=5485
/trac/browser/BlueOnyx/5211R/ui/base-shell.mod?rev=5266
/trac/browser/BlueOnyx/docs?rev=2142&desc=1
/trac/browser/BlueOnyx/ui/gallery/libImage?rev=1731&desc=1
/trac/browser/BlueOnyx/ui/base-console.mod?rev=3341&order=size
/trac/log/BlueOnyx/5311R/platform/palette/sbin/writeFile.pl?rev=4867
/trac/browser/BlueOnyx/5209R/utils?rev=3871&desc=1
/trac/browser/BlueOnyx/5210R/ui?rev=2934&order=name
/trac/browser/BlueOnyx/5207R/utils/cmu/rpms?rev=1991
/trac/browser/BlueOnyx/5209R/ui/base-phpmyadmin.mod/ui?rev=3212&desc=1
/trac/browser/BlueOnyx/5209R/ui/base-swupdate.mod?rev=3703
/trac/browser/BlueOnyx/5207R/ui/base-shell.mod?rev=2639&order=size
/trac/browser/BlueOnyx/5310R?rev=4621&order=author
/trac/browser/BlueOnyx/tmp?rev=1768&order=size
/trac/browser/BlueOnyx/5210R/platform/base-admserv.mod?rev=4438
/trac/browser/BlueOnyx/5107R/ui/base-power.mod?rev=604
/trac/browser/BlueOnyx/5210R/utils/cce/sessionmgr?rev=4207&order=date
/trac/browser/BlueOnyx/tmp/csrf?rev=4856&order=size
/trac/browser/BlueOnyx/5106R/swatch/swatch.cron?rev=294&order=author
/trac/browser/BlueOnyx/utils/cmu/man/cmuConfig.groff?rev=4976
/trac/browser/BlueOnyx/5106R/ui/base-ssl.mod/glue?rev=631
/trac/browser/BlueOnyx/5210R/ui/base-ftp.mod?rev=3945
/trac/browser/BlueOnyx/5106R/ui/base-raid.mod/locale/de?rev=318
/trac/browser/BlueOnyx?rev=4656&order=author&desc=1
/trac/log/BlueOnyx/5310R?rev=4238
/trac/browser/BlueOnyx/5209R/utils?rev=2214
/trac/browser/BlueOnyx/utils/cce/conf?rev=3133&order=size
/trac/log/BlueOnyx/5207R/ui/base-vsite.mod/glue?rev=1016
/trac/log/BlueOnyx/5211R/ui?rev=4472
/trac/browser/BlueOnyx/5207R/ui/base-import.mod/packing_list?rev=1140
/trac/browser/BlueOnyx/utils?rev=5290
/trac/browser/BlueOnyx/5311R/platform/alpine.mod/ci4/app/Libraries/uifc2/CompositeFormField.php?rev=4872&order=date
/trac/log/BlueOnyx/ui/base-disk.mod/locale/ja_JP/disk.po?rev=833
/trac/log/BlueOnyx/5207R/ui/palette/locale/ja/palette.euc?rev=980
/trac/browser/BlueOnyx/5207R/ui/base-shell.mod?rev=4700
/trac/log/BlueOnyx/5310R?rev=3933
/trac/browser/BlueOnyx/utils/cce?rev=5417
/trac/browser/BlueOnyx/5207R/ui/base-mailman.mod?rev=1759&order=size
/trac/browser/BlueOnyx/5106R/alpine.mod/web/intro.html.ja?rev=1390
/trac/log/BlueOnyx/tmp/devel-tools/scripts/Makefile
/trac/browser/BlueOnyx/5209R/ui/base-phpmyadmin.mod/locale/nl_NL?rev=4437
/trac/browser/BlueOnyx/5210R/ui/base-console.mod?rev=4857
/trac/log/BlueOnyx/5209R/ui/base-user.mod/glue?rev=3888
/trac/log/BlueOnyx/ui/base-snmp.mod/glue/handlers/snmp.pl?rev=5212
/trac/browser/BlueOnyx/ui/gallery/locale/da_DK/Merlot.mo?rev=4869
/trac/log/BlueOnyx/5209R?rev=3133
/trac/log/BlueOnyx/ui/base-console.mod?rev=4625
/trac/browser/BlueOnyx/ui/base-phpsysinfo.mod/locale?rev=3519&desc=1
/trac/changeset/2887/BlueOnyx/5210R/ui/base-time.mod/templates
/trac/browser/BlueOnyx/5107R/ui/palette?rev=423&desc=1
/trac/browser/BlueOnyx/5207R/ui/base-services.mod?rev=1364&desc=1
/trac/browser/BlueOnyx/ui/base-network.mod?rev=1932&desc=1
/trac/browser/BlueOnyx/5207R/platform?rev=1163&order=size
/trac/browser/BlueOnyx/5107R/devel-tools?rev=4053
/trac/browser/BlueOnyx/5209R/utils/dns-toolbox?rev=4054&desc=1
/trac/browser/BlueOnyx/5106R/ui/palette?rev=573&order=author
/trac/browser/BlueOnyx/5107R/cmu/Makefile.in?rev=550&order=name&desc=True
/trac/log/BlueOnyx/5210R/platform/alpine.mod/web/.adm/styles/plugins/uniform?rev=4593
/trac/log/BlueOnyx/5211R/ui/base-network.mod/glue/handlers/no_duplicates.pl?rev=4532
/trac/browser/BlueOnyx/5106R/ui?rev=676&desc=1
/trac/browser/BlueOnyx/5209R/ui/base-telnet.mod?rev=4901&order=size
/trac/browser/BlueOnyx/archive?rev=5212&order=date&desc=1
/trac/log/BlueOnyx/5207R/ui/base-mysql.mod?rev=1088
/trac/browser/BlueOnyx/5310R?rev=4357&order=name
/trac/browser/BlueOnyx/5207R/ui/base-istat.mod/locale?rev=1527&order=name
/trac/log/BlueOnyx/5207R/ui/base-disk.mod/glue/schemas/disk.schema?rev=1622
/trac/browser/BlueOnyx/ui/palette?rev=1288&order=name
/trac/browser/BlueOnyx/ui/base-ftp.mod/Makefile?rev=5070&desc=1
/trac/browser/BlueOnyx/5107R/alpine.mod/constructor?rev=2760
/trac/browser/BlueOnyx/5106R/ui/base-swupdate.mod?rev=565
/trac/changeset/3553/BlueOnyx/5210R/ui/base-subdomains.mod/glue/conf
/trac/browser/BlueOnyx/tmp/csrf?rev=4435&order=date
/trac/browser/BlueOnyx/5107R/TAR-ball-installer?rev=539&order=size
/trac/log/BlueOnyx/5211R/ui/base-swupdate.mod?rev=4235
/trac/browser/BlueOnyx/utils/swatch?rev=3009
/trac/browser/BlueOnyx/5311R/ui/base-ddns.mod?rev=5076&order=size&desc=True
/trac/browser/BlueOnyx/5210R/ui/base-email.mod/glue/Makefile?rev=4002&order=name
/trac/log/BlueOnyx/5107R?rev=4652
/trac/browser/BlueOnyx/5209R/platform/alpine.mod/manuals?rev=2441&order=name
/trac/browser/BlueOnyx/5209R/platform/alpine.mod?rev=4187&order=size
/trac/log/BlueOnyx/5211R/utils/swatch/conf/statecodes?rev=4412
/trac/browser/BlueOnyx/5106R/cce/common?rev=437
/trac/browser/BlueOnyx/5211R/ui/base-swupdate.mod/doc?rev=4244
/trac/browser/BlueOnyx/5210R/ui/base-ftp.mod/ui?rev=3293&order=name&desc=True
/trac/browser/BlueOnyx/5209R/ui/base-import.mod/locale?rev=3264&order=size
/trac/browser/BlueOnyx/ui/base-squirrelmail.mod/glue/handlers?rev=1302
/trac/log/BlueOnyx/utils/cce?rev=3106
/trac/log/BlueOnyx/ui?rev=4443
/trac/log/BlueOnyx/5207R/ui/base-am.mod?rev=5414
/trac/browser/BlueOnyx/5211R?rev=4360&order=size
/trac/browser/BlueOnyx/5107R/cmu?rev=480&desc=1
/trac/browser/BlueOnyx/ui/gallery?rev=809
/trac/browser/BlueOnyx/5210R/utils/cce/include/cscp_fsm.h?rev=3942
/trac/browser/BlueOnyx/tmp?rev=2276&order=author
/trac/browser/BlueOnyx/5209R/ui/base-sitestats.mod?rev=4806&order=name
/trac/browser/BlueOnyx/ui/base-memory.mod/Makefile?rev=1147
/trac/browser/BlueOnyx/5107R/ui/base-time.mod/locale?rev=535&desc=1
/trac/browser/BlueOnyx/5311R/ui/base-organizer.mod/locale?rev=4855&order=date
/trac/browser/BlueOnyx/5210R/platform/alpine.mod/ci/application/helpers/selector_helper.php?rev=3207&format=txt
/trac/browser/BlueOnyx/5311R/platform/alpine.mod/constructor?rev=4984
/trac/browser/BlueOnyx/5311R/platform/alpine.mod/ci4/app?rev=4943&order=author
/trac/browser/BlueOnyx/ui/base-vsite.mod?rev=5070&order=name&desc=True
/trac/browser/BlueOnyx/5211R/ui/base-podman.mod/templates?rev=4374
/trac/browser/BlueOnyx/ui/base-api.mod?rev=3206&order=name
/trac/log/BlueOnyx/ui.deprecated?rev=3724
/trac/browser/BlueOnyx/ui/base-vsite.mod/locale?rev=1210&order=author
/trac/browser/BlueOnyx/5107R/common/base-phpsysinfo.mod/ui/web/.phpsysinfo/includes/os/class.OS.inc.php?rev=540
/trac/browser/BlueOnyx/utils/cce/client/templates/spec.tmpl?rev=826
/trac/browser/BlueOnyx/5207R/ui?rev=3900
/trac/browser/BlueOnyx/ui/base-mailman.mod?rev=3568&order=size&desc=True
/trac/browser/BlueOnyx/5209R/ui?rev=2112
/trac/browser/BlueOnyx/5210R/ui/base-snmp.mod?rev=4287
/trac/browser/BlueOnyx/5209R/ui/base-console.mod/constructor?rev=4137&order=author
/trac/browser/BlueOnyx/tmp?rev=2711&desc=1
/trac/log/BlueOnyx/5209R/ui?rev=1933
/trac/log/BlueOnyx/utils/cce-shell-tools?rev=4554
/trac/log/BlueOnyx/ui/base-email.mod/ui?rev=1700
/trac/browser/BlueOnyx/utils/TAR-ball-installer?rev=2697
/trac/browser/BlueOnyx/ui/base-ssh.mod/packing_list?rev=1765
/trac/browser/BlueOnyx/5210R/ui/base-sitestats.mod/glue/ccewrap?rev=3207&order=size
/trac/browser/BlueOnyx/5210R/utils/cce-shell-tools/qube3?rev=4063&order=date
/trac/browser/BlueOnyx/5211R/utils/cmu/code_sample/ReMap.pm?rev=4542&format=txt
/trac/browser/BlueOnyx/utils/cce/README?rev=3565
/trac/browser/BlueOnyx/5210R?rev=4078&order=size
/trac/browser/BlueOnyx/5207R/ui/sauce-basic.mod?rev=3102&order=date
/trac/browser/BlueOnyx/5211R/ui/base-ftp.mod/packing_list?rev=4395&order=date
/trac/browser/BlueOnyx/5211R/ui/base-disk.mod/locale?rev=4592
/trac/browser/BlueOnyx/5107R/TAR-ball-installer/BlueOnyx-5106R-CentOS5-i386?rev=378&order=size&desc=True
/trac/log/BlueOnyx/ui/base-ftp.mod?rev=760
/trac/browser/BlueOnyx/5310R/platform/alpine.mod/web/.adm/images/plugins/selectbox/index.html?rev=5151
/trac/browser/BlueOnyx/5107R/base-apache.mod?rev=4969&order=date
/trac/browser/BlueOnyx/5107R/ui/base-phpmyadmin.mod?rev=518
/trac/browser/BlueOnyx/utils?rev=3732&order=size
/trac/browser/BlueOnyx/ui/base-phpsysinfo.mod/locale/fr_FR?rev=3281&order=size
/trac/browser/BlueOnyx?rev=2548
/trac/browser/BlueOnyx/5106R/base-apache.mod?rev=2562&order=date
/trac/log/BlueOnyx/5107R/ui/base-snmp.mod/templates?format=changelog&rev=474&limit=100&mode=stop_on_copy
/trac/browser/BlueOnyx/ui/base-power.mod/templates?rev=980&order=date
/trac/browser/BlueOnyx/5210R/utils/cmu/cpan_orig?rev=4209
/trac/browser/BlueOnyx/5207R?rev=3654
/trac/browser/BlueOnyx/ui/base-vsite.mod/locale?rev=914
/trac/log/BlueOnyx/5211R/platform/alpine.mod/src/base-alpine-ci4-vendor/base-alpine-ci4-vendor/vendor/codeigniter4/framework/system/Cookie/CloneableCookieInterface.php?rev=4400
/trac/browser/BlueOnyx/5211R/utils/cmu/specs/conflict.spec?rev=5278&order=size&desc=1
/trac/browser/BlueOnyx/5107R/devel-tools?rev=2203&order=size
/trac/browser/BlueOnyx/5209R/ui/base-wizard.mod/glue?rev=4194
/trac/log/BlueOnyx/5207R/ui?format=rss&rev=2768&limit=100&mode=stop_on_copy
/trac/log/BlueOnyx/5106R/common/base-java.mod/ui/web/status.php?format=changelog&limit=100&mode=stop_on_copy&rev=731
/trac/browser/BlueOnyx/archive/5211R/ui/base-remote.mod/locale/da_DK?rev=5421&order=size
/trac/log/BlueOnyx/5107R/alpine.mod?rev=3282
/trac/browser/BlueOnyx/5209R/platform/alpine.mod/ci/system/libraries/Log.php?rev=3125
/trac/log/BlueOnyx/ui/base-dns.mod?rev=5428
/trac/browser/BlueOnyx/5207R/ui/palette/hack_specific.mk?rev=1102&format=txt
/trac/browser/BlueOnyx/5207R/ui?rev=1226&order=name
/trac/browser/BlueOnyx/5210R/ui/base-documentation.mod/ui/chorizo/web/models?rev=2861
/trac/log/BlueOnyx/tmp/5207r5107rDiff/ui/base-vsite.mod/glue/handlers?rev=1976
/trac/browser/BlueOnyx/utils?rev=4496&order=name&desc=True
/trac/browser/BlueOnyx/5107R/cmu?rev=467&order=name&desc=True
/trac/browser/BlueOnyx/5106R/i18n/docs?rev=5270&desc=1
/trac/browser/BlueOnyx/5210R/ui/base-wizard.mod/glue?rev=4205&desc=1
/trac/browser/BlueOnyx/5107R/base-apache.mod/glue?rev=4835&desc=1
/trac/browser/BlueOnyx/5311R/ui/base-vsite.mod/Makefile?rev=4805&format=txt
/trac/log/BlueOnyx/5107R/ui/base-subdomains.mod/glue/schemas?rev=431
/trac/browser/BlueOnyx/ui.deprecated?rev=2769&order=size
/trac/browser/BlueOnyx/5211R/ui/base-services.mod/ui?rev=4467
/trac/browser/BlueOnyx/5211R/platform/alpine.mod/ci/application/libraries/uifc/Form.php?rev=4348
/trac/browser/BlueOnyx/5207R/ui/base-memcache.mod?rev=4140&desc=1
/trac/browser/BlueOnyx/5106R/cce/include?rev=707
/trac/browser/BlueOnyx/5310R/ui/base-email.mod/src/Makefile?rev=5174
/trac/log/BlueOnyx/5207R/ui/base-remote.mod/glue?rev=1389
/trac/browser/BlueOnyx/5210R/ui/base-backupcontrol.mod/TODO?rev=3727
/trac/browser/BlueOnyx/5207R/utils?rev=1640&order=size
/trac/browser/BlueOnyx/5209R/ui/base-istat.mod/templates?rev=4242&order=date
/trac/browser/BlueOnyx?rev=2735&order=size&desc=1
/trac/log/BlueOnyx/5207R?rev=1861
/trac/browser/BlueOnyx/5207R/ui/base-istat.mod?rev=2466&order=name
/trac/browser/BlueOnyx/5207R/ui/base-network.mod?rev=2705&order=name&desc=True
/trac/browser/BlueOnyx/5107R/i18n/php?rev=2390&order=name
/trac/log/BlueOnyx/ui/base-snmp.mod?rev=5046
/trac/browser/BlueOnyx/docs/README?rev=4532&desc=1
/trac/browser/BlueOnyx/5106R/common/alpine.mod/web/redirector.php?rev=402
/trac/browser/BlueOnyx/5106R/i18n/Makefile?rev=2171
/trac/log/BlueOnyx/utils/cce-shell-tools?rev=1765
/trac/browser/BlueOnyx/5107R/ui/base-mailman.mod/packing_list?rev=628
/trac/log/BlueOnyx/5209R/ui/base-raid.mod/ui/web/raid_amdetails.php?rev=2983
/trac/browser/BlueOnyx/ui/base-phpmyadmin.mod/packing_list?rev=4791&order=date&desc=1
/trac/browser/BlueOnyx/ui/base-mailman.mod/glue?rev=3054&order=date
/trac/log/BlueOnyx/5106R/ui/base-swupdate.mod?rev=731
/trac/browser/BlueOnyx/ui/base-user.mod/ui/web?rev=1246&order=author
/trac/browser/BlueOnyx/5107R/base-apache.mod?rev=2034
/trac/browser/BlueOnyx/tmp/base-email.merge/base-email.mod/src/base-email-am/am_pop.exp?rev=2024&order=name
/trac/browser/BlueOnyx/ui/sauce-basic.mod/locale/it_IT?rev=1680
/trac/browser/BlueOnyx/5207R/ui/base-phpsysinfo.mod/ui?rev=2675
/trac/browser/BlueOnyx/5207R/ui/base-email.mod/glue/conf/email.conf?annotate=blame&rev=2021
/trac/browser/BlueOnyx/tmp?rev=4062&order=size
/trac/browser/BlueOnyx/5106R/alpine.mod?rev=4357&order=author
/trac/log/BlueOnyx/5210R/ui/base-console.mod?rev=4674
/trac/browser/BlueOnyx/5207R/ui/base-phpmyadmin.mod/ui/web?rev=1659
/trac/log/BlueOnyx/5210R/ui/base-netdata.mod/src?rev=3232
/trac/log/BlueOnyx/5107R/ui/base-am.mod?rev=504
/trac/log/BlueOnyx/5211R/platform/alpine.mod/src/base-alpine-ci4-vendor/base-alpine-ci4-vendor/vendor/fzaninotto/faker/src/Faker/Provider/cs_CZ?rev=5147
/trac/browser/BlueOnyx/utils?rev=4632&order=author&desc=1
/trac/log/BlueOnyx/5207R?rev=1344
/trac/log/BlueOnyx/ui/base-ssl.mod/locale/ja_JP?format=changelog&rev=974&limit=100&mode=stop_on_copy
/trac/log/BlueOnyx/5210R/ui?rev=3023
/trac/browser/BlueOnyx/5209R/ui/base-vsite.mod/TODO?rev=4333
/trac/browser/BlueOnyx/5107R/i18n/src?rev=4100&order=size
/trac/log/BlueOnyx/tmp?rev=2056
/trac/log/BlueOnyx/ui/base-system.mod/locale?rev=5388
/trac/browser/BlueOnyx/ui/base-mysql.mod?rev=2778
/trac/browser/BlueOnyx/5106R/cmu/perl_modules/Resolve.pm?rev=661
/trac/browser/BlueOnyx/5207R/ui/base-disk.mod?rev=2853&order=size
/trac/browser/BlueOnyx/5209R/utils/cce?rev=1817
/trac/log/BlueOnyx/5207R/ui/base-mailman.mod?rev=2012
/trac/browser/BlueOnyx/5207R/ui/palette?rev=981&order=date
/trac/browser/BlueOnyx/5106R/cmu?rev=259
/trac/browser/BlueOnyx/5211R/ui/base-backupcontrol.mod/Makefile?annotate=blame&rev=4357
/trac/changeset/5162/BlueOnyx/5310R/platform/base-admserv.mod/glue/etc/admserv/conf.modules.d/01-cgi.conf
/trac/browser/BlueOnyx/5207R/utils?rev=1156
/trac/browser/BlueOnyx/utils/cce/server/include?rev=1695
/trac/log/BlueOnyx/utils/cce-shell-tools/Makefile.in?rev=1755
/trac/browser/BlueOnyx?rev=1226&order=name
/trac/browser/BlueOnyx/ui/sauce-basic.mod/Makefile?rev=1682&desc=1
/trac/browser/BlueOnyx/5107R/base-apache.mod/perl/Httpd.pm?rev=3831&order=size
/trac/log/BlueOnyx/5211R/ui/sauce-basic.mod/src/perl-handler-utils/Makefile?rev=4340
/trac/browser/BlueOnyx/ui/base-phpmyadmin.mod/locale?rev=4489
/trac/browser/BlueOnyx/5207R/ui/base-remote.mod/src?rev=5479
/trac/browser/BlueOnyx/ui/base-services.mod?rev=4855
/trac/changeset/5492/BlueOnyx/5210R/utils
/trac/log/BlueOnyx/5106R/cce/ed?rev=230
/trac/log/BlueOnyx/tmp/csrf/5210R/alpine.mod/ci/application/libraries/uifc/NetAddress.php?rev=4014
/trac/browser/BlueOnyx/5106R/Makefile?rev=4801&order=date
/trac/browser/BlueOnyx/ui/base-shell.mod?rev=2378&order=author
/trac/log/BlueOnyx/5210R/platform/base-admserv.mod/templates?rev=3728
/trac/browser/BlueOnyx/5209R/ui?rev=4159&order=name
/trac/browser/BlueQuartz/5106R/trunk/ui/base-ssl.mod/ui/extensions/SSL.php.defaults.Vsite?rev=97
/trac/browser/BlueQuartz/5100WG/tags/OSS_1_4/ui/base-pptp.mod/locale/fr/pptp.po?rev=113&order=author&desc=1
/trac/browser/BlueOnyx/5311R/platform/alpine.mod/src/base-alpine-ci4-vendor/base-alpine-ci4-vendor/vendor/fzaninotto/faker/src/Faker/Provider/ro_MD/PhoneNumber.php?rev=4799
/trac/browser/BlueOnyx/5207R/ui/base-email.mod/ui/chorizo?rev=1888
/trac/browser/Temp/base-wizard.mod/locale?rev=97&order=name
/trac/browser/BlueOnyx/5211R?rev=4309&desc=1
/trac/browser/BlueOnyx/5311R/ui/base-vsite.mod/glue/schemas/vsite_caps.schema?desc=1&order=size
/trac/browser/BlueOnyx/5311R/ui/base-import.mod?rev=4987&order=author
/trac/browser/BlueOnyx/5311R/ui/base-organizer.mod/ui?rev=5048&order=date&desc=1
/trac/browser/BlueOnyx/5311R/ui/base-ssl.mod/src/blueonyx-le-acme/acme/notify/postmark.sh?rev=4799&order=author&desc=1
/trac/browser/BlueOnyx/5207R/ui?rev=2256&order=name&desc=True
/trac/browser/BlueOnyx/5210R-Postfix/utils/cmu/code_sample/ipc3?annotate=blame&rev=3871
/trac/browser/BlueOnyx/ui/base-dns.mod?rev=3220
/trac/browser/BlueOnyx/5107R/ui/base-phpsysinfo.mod/templates?rev=525&order=size
/trac/browser/BlueOnyx/5209R?rev=4893&order=date
/trac/browser/BlueOnyx/ui.deprecated?rev=5139&order=name
/trac/browser/BlueOnyx/5207R/ui/base-sitestats.mod/templates?rev=4976
/trac/log/BlueOnyx/ui?rev=3334
/trac/browser/BlueQuartz/5200R/trunk/ui/base-user.mod/ui/menu?order=date
/trac/browser/BlueOnyx/5207R/ui/base-raid.mod/glue?rev=1590&order=date
/trac/log/BlueOnyx/ui/base-raid.mod/glue?rev=4832
/trac/log/BlueOnyx/ui.deprecated?rev=5436
/trac/browser/BlueOnyx/5209R/utils/cmu?rev=4192
/trac/log/BlueOnyx/5107R/alpine.mod?rev=1727
/trac/log/BlueOnyx/tmp/csrf?rev=4677
/trac/browser/BlueOnyx/5210R/ui/base-mysql.mod?rev=3222&desc=1
/trac/browser/BlueOnyx/5107R/ui/base-sitestats.mod/glue?rev=444&order=author&desc=1
/trac/browser/BlueOnyx/ui/base-ssl.mod/ui?rev=3942&desc=1
/trac/browser/BlueOnyx/5106R/ui/base-phpsysinfo.mod/constructor?rev=596&order=author
/trac/browser/BlueOnyx/5210R/ui/base-documentation.mod/ui?rev=3395
/trac/browser/BlueOnyx/5311R/ui/base-power.mod/src?rev=4815&order=author
/trac/browser/BlueOnyx/5209R/ui/base-console.mod/locale?rev=4838&order=size&desc=1
/trac/browser/BlueOnyx/ui/base-ups.mod?rev=1184
/trac/browser/BlueOnyx/ui/base-telnet.mod/glue/schemas?rev=1669&order=author
/trac/browser/BlueOnyx/utils/cmu/ignore?rev=4583
/trac/browser/BlueOnyx/5210R/ui/base-dns.mod?rev=3729&order=size
/trac/browser/BlueOnyx/5106R/base-java.mod/templates?rev=5485&desc=1
/trac/browser/BlueOnyx/5310R/platform/alpine.mod/web/.adm/fa/svgs/index.html?rev=5151
/trac/browser/BlueOnyx/5107R/base-blueonyx.mod?rev=3947
/trac/browser/BlueOnyx/5310R/platform/alpine.mod/web/.adm/images/icons/small/grey?rev=5151
/trac/browser/BlueOnyx/5106R/ui/base-services.mod?rev=562
/trac/browser/BlueOnyx/5207R?rev=2109
/trac/browser/BlueOnyx/utils/cmu?rev=1233
/trac/browser/BlueOnyx/utils/cmu/cobalt-cmu.spec.in?rev=2835&order=name&desc=True
/trac/browser/BlueOnyx/ui.deprecated?rev=2615&order=date&desc=1
/trac/browser/BlueOnyx/5210R?rev=4854
/trac/browser/BlueOnyx/ui/base-swupdate.mod.rickard/locale?rev=944&desc=1
/trac/browser/BlueOnyx/5209R/utils/TAR-ball-installer?rev=2888&desc=1
/trac/browser/BlueOnyx/5106R?rev=717&order=author
/trac/browser/BlueOnyx/5106R/base-apache.mod?rev=1398&order=name
/trac/log/BlueOnyx/5106R/ui/alpine.mod/manuals?rev=289
/trac/browser/BlueOnyx/5209R/ui/base-disk.mod/src?rev=2998
/trac/browser/BlueOnyx/5107R/ui/base-documentation.mod/pkgs?rev=531&order=size
/trac/log/BlueOnyx/5107R/Makefile?rev=1675
/trac/browser/BlueOnyx/5210R/ui/base-ssl.mod/ui/chorizo/web/models?rev=3207
/trac/browser/BlueOnyx/5107R/common?rev=495
/trac/log/BlueOnyx/ui/base-mysql.mod/ui/chorizo/web/views?format=rss&rev=5409&limit=100&mode=stop_on_copy
/trac/browser/BlueOnyx/5107R/base-apache.mod?rev=2732&desc=1
/trac/browser/BlueOnyx?rev=957&order=size
/trac/browser/BlueOnyx/5207R/ui/base-import.mod?rev=4506&order=date
/trac/browser/BlueOnyx/ui/base-api.mod/ui/chorizo/extensions?rev=2419&order=author
/trac/browser/BlueOnyx/5211R/platform/alpine.mod/ci4/vendor/codeigniter4/framework/system/Modules/Modules.php?rev=4348&format=txt
/trac/browser/BlueOnyx/5107R/ui/alpine.mod?rev=394
/trac/browser/BlueOnyx/5209R/ui/base-support.mod/templates?rev=4323&order=size
/trac/log/BlueOnyx/5209R/utils/cmu/code_sample/fileIn?format=rss&rev=1744&limit=100&mode=stop_on_copy
/trac/log/BlueOnyx/5211R/platform/alpine.mod/src/base-alpine-ci4-vendor/base-alpine-ci4-vendor/vendor/fzaninotto/faker/src/Faker/Provider/fr_CA/Address.php?rev=4400
/trac/browser/BlueOnyx/ui/base-network.mod/packing_list?rev=3717
/trac/browser/BlueOnyx/5107R?rev=2806&order=name&desc=True
/trac/browser/BlueOnyx/tmp?rev=3457&order=date&desc=1
/trac/browser/BlueOnyx/5211R/ui/base-telnet.mod?rev=5059&order=author
/trac/browser/BlueOnyx/5210R-Postfix/platform/i18n/cracklib?rev=3838&order=author
/trac/browser/BlueOnyx/5207R/ui/base-ssl.mod/ui?rev=5011&order=author
/trac/browser/BlueOnyx/5210R/ui/base-telnet.mod?rev=4454
/trac/browser/BlueOnyx/5210R/ui/base-backupcontrol.mod/TODO?rev=4528&order=size
/trac/browser/BlueOnyx/5207R/utils/cce/cscp/Makefile?annotate=blame&rev=1451
/trac/browser/BlueOnyx/5210R/ui/base-import.mod?rev=3318&order=author
/trac/browser/BlueOnyx/5107R/ui/base-email.mod/glue/conf?rev=647&order=name&desc=True
/trac/browser/BlueOnyx/5207R/ui/base-shell.mod?rev=1909&order=date
/trac/browser/BlueOnyx/5210R/utils/cmu/specs?rev=4613&order=author
/trac/browser/BlueOnyx/tmp/5210R-alpine-fix/alpine.mod/ci/application/libraries?rev=3758&order=size
/trac/browser/BlueOnyx/5209R/ui/base-dns.mod?rev=4091&order=author
/trac/browser/BlueOnyx/5207R/ui/base-dns.mod?rev=4030&order=size
/trac/browser/BlueOnyx?rev=3229&order=author
/trac/browser/BlueOnyx/5106R/base-apache.mod/src?rev=3484&order=author
/trac/browser/BlueOnyx/5106R/alpine.mod/ui?rev=4588
/trac/browser/BlueOnyx/5211R/ui/base-time.mod/glue?rev=4331&order=author
/trac/browser/BlueOnyx/5207R/platform?rev=2793&desc=1
/trac/browser/BlueQuartz/5200R/trunk/ui/base-email.mod/src/base-email-am?rev=1&order=size&desc=1
/trac/log/BlueOnyx?rev=2053
/trac/browser/BlueOnyx/ui/base-network.mod/packing_list?rev=4948&order=author
/trac/browser/BlueOnyx/5207R/ui/base-support.mod/Makefile?rev=2592
/trac/browser/BlueOnyx/ui/base-network.mod/locale?rev=1186&desc=1
/trac/browser/BlueOnyx/ui/base-memory.mod/locale?rev=1410&order=date&desc=True
/trac/browser/BlueOnyx/ui/base-backupcontrol.mod?rev=3923
/trac/log/BlueOnyx/5210R/ui/base-services.mod/ui/chorizo/menu?rev=5326
/trac/browser/BlueOnyx/ui/base-squirrelmail.mod?rev=2159&order=author
/trac/browser/BlueOnyx/5311R/ui/base-sitestats.mod/log_traffic?rev=4837&order=size
/trac/browser/BlueOnyx/5209R/utils/cce.debug/ccewrap/ccewrap_conf.h?rev=1738&format=txt
/trac/browser/BlueOnyx/5107R/ui/palette/conf?rev=395
/trac/browser/BlueOnyx/5211R/platform/alpine.mod/ci4/vendor/sebastian/environment/phpunit.xml?rev=4348&format=txt
/trac/browser/BlueOnyx/5211R/utils?rev=5061&order=author
/trac/browser/BlueOnyx/utils/cce-shell-tools/perl?rev=4806&order=author&desc=1
/trac/browser/BlueOnyx/5211R?rev=4566
/trac/browser/BlueOnyx/5207R/ui/base-remote.mod/locale?rev=2660&order=name
/trac/browser/BlueOnyx/5107R/devel-tools/templates?rev=4694&desc=1
/trac/browser/BlueOnyx/ui/sauce-basic.mod/locale/fr_FR?rev=1282&order=size
/trac/browser/BlueOnyx/5207R/ui/sauce-basic.mod?rev=1130&order=date
/trac/log/BlueOnyx/5211R/ui/base-shell.mod?rev=4729
/trac/browser/BlueOnyx/ui/base-apache-bandwidth.mod?rev=3584
/trac/browser/BlueOnyx/5210R/ui/sauce-basic.mod/locale?rev=2863&order=date
That's 346 accesses from that IP alone and there are 9032 other similar
CloudFlare originating accesses from the 172.64.0.0/13 address range in
the last hour and a half, too. In itself that's negligible, but in the
big picture with everything else going on? It's stupid and unnecessary.
As you can see from the GET requests above? This is not "human" behavior
from the way these unrelated URLs are called in sequence.
Because: There is no rhyme or reason behind it. It jumps all over the
place, from one module's toplevel file of revision X straight to the
Trac page of a specific file from another BlueOnyx version of yet
another totally unrelated BlueOnyx module and SVN revision number.
So it's not like a single IP is starting somewhere and then traversing
along the links of the first page to anything else that is directly
linked to that.
Going back to the (probably) fake or at least unusual "Chrome/130.0.0.0"
user-agent:
root@devel:~# cat access_log|grep "Chrome/130.0.0.0"|wc -l
3246994
Here is a funny one: Trac accesses with u-agent "Chrome/130.0.0.0"
originating at CloudFlare, Santa Clara, California. Just the IPs that
were used:
[root@zebra httpd]# cat /tmp/ips-sorted.txt |grep 162.158.167
For making 213025 accesses to Trac they used 192 different originating
IPs? You gotta be kidding me! \o/
Ergo:
It's a centrally orchestrated harvesting/crawling done by geographically
distributed agents. For what purpose? I don't know, but it must be a
pretty stupid one.
Right now? The server can handle it, but I'll probably start to block
CloudFlare as well if this continues. If those fuckers can't honor
robots.txt OR announce they're a bot? Then there is the door and it's
locked. :p
--
With best regards
Michael Stauber
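
Added example (not part of the original post, and not BlueOnyx code): the two signals described in the post, one user-agent string spread over many source IPs of the same network and request sequences that jump between unrelated Trac areas, computed from Apache combined-format log lines. The function name, the thresholds, the documentation-range IPs and the sample lines are assumptions constructed for illustration; the crawler paths and user-agent string are taken from the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Apache "combined" format, client IP first (as in the awk '{print $7}' log above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# "Area" = repository plus branch, e.g. BlueOnyx/5209R, for browser/log/changeset views.
AREA_RE = re.compile(r'^/trac/(?:browser|log|changeset/\d+)/([^/?]+(?:/[^/?]+)?)')


def analyze(lines, prefix_len=24, min_ips=3, min_jump_ratio=0.8):
    """Cluster requests by (network, user-agent) and score each cluster.

    jump_ratio is the share of consecutive requests from one client that land
    in a different Trac area than that client's previous request. A visitor
    following links stays mostly inside one area; the pattern in the post does not.
    """
    clusters = defaultdict(lambda: {"ips": set(), "requests": 0, "jumps": 0, "steps": 0})
    last_area = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format (e.g. a vhost-prefixed log line)
        ip, path, ua = m["ip"], m["path"], m["ua"]
        try:
            net = str(ip_network(f"{ip}/{prefix_len}", strict=False))
        except ValueError:
            continue  # first field was not an IP address
        c = clusters[(net, ua)]
        c["ips"].add(ip)
        c["requests"] += 1
        a = AREA_RE.match(path)
        if a:
            prev = last_area.get((ip, ua))
            if prev is not None:
                c["steps"] += 1
                c["jumps"] += prev != a.group(1)
            last_area[(ip, ua)] = a.group(1)
    report = []
    for (net, ua), c in clusters.items():
        ratio = c["jumps"] / c["steps"] if c["steps"] else 0.0
        report.append({
            "network": net,
            "user_agent": ua,
            "distinct_ips": len(c["ips"]),
            "requests": c["requests"],
            "jump_ratio": ratio,
            "flagged": len(c["ips"]) >= min_ips and ratio >= min_jump_ratio,
        })
    report.sort(key=lambda r: r["distinct_ips"], reverse=True)
    return report


def _line(ip, path, ua):
    # Builds one constructed combined-format log line.
    return f'{ip} - - [07/Jan/2025:13:00:00 -0500] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


# User-agent string quoted in the post.
BOT_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36")
# Constructed user-agent for a link-following visitor.
HUMAN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0"
# Paths taken from the listing in the post.
BOT_PATHS = [
    "/trac/log/BlueOnyx/5107R?rev=2861",
    "/trac/log/BlueOnyx/5209R/ui?rev=4518",
    "/trac/browser/BlueOnyx/5211R/ui/base-shell.mod?rev=5266",
    "/trac/browser/BlueOnyx/docs?rev=2142&desc=1",
    "/trac/browser/BlueOnyx/5210R/ui?rev=2934&order=name",
    "/trac/changeset/2887/BlueOnyx/5210R/ui/base-time.mod/templates",
]
# Constructed sample: three rotating IPs (documentation range) plus one visitor.
SAMPLE = [_line(f"198.51.100.{11 + i % 3}", p, BOT_UA) for i, p in enumerate(BOT_PATHS)]
SAMPLE += [_line("192.0.2.10", p, HUMAN_UA) for p in (
    "/trac/browser/BlueOnyx/5211R",
    "/trac/browser/BlueOnyx/5211R/ui",
    "/trac/browser/BlueOnyx/5211R/ui/base-shell.mod",
)]

if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(row["network"], row["distinct_ips"], row["requests"],
              f'{row["jump_ratio"]:.2f}', "FLAGGED" if row["flagged"] else "ok")
```

On a real log the thresholds need tuning, and `prefix_len=13` groups the whole 172.64.0.0/13 range mentioned in the post into one cluster.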