Re: [harbour-users] My most persistent attacker from Poland: Never stops :(


Francesco Perillo

Apr 27, 2021, 6:25:49 PM
to harbou...@googlegroups.com

It seems really strange to me. It presents itself as a browser in a mobile phone.

Did you try to serve a redirect to a massive download file?

Block the IP at network/firewall level?




Mel Smith

Apr 27, 2021, 11:20:34 PM
to Harbour Users
Hi:
   Yes, I've now got *two* separate attackers from (ostensibly) Poland being blocked now (but maybe it's the same person using two different sites/IP addresses).  I can easily determine from the logs that they are simply trying to disrupt my server. And now, very quickly I '403' their attempts.
What a wasteful task on their part.
   In another interesting access, I have the Beijing Science and Education Centre downloading!   However, it's xharbour and the old Borland 5.5.1 package. :))
-Mel

Baxajaun

Apr 28, 2021, 4:00:16 AM
to Harbour Users
Hi Mel !

You must check IPs on https://www.abuseipdb.com/check

Best regards,

On Wednesday, April 28, 2021 at 5:36:11 UTC+2, Mel Smith wrote:
More attacker info:
Site: OSK.OLSZYNKA.PL
IP: 89.64.85.111
-Mel

Mel Smith

Apr 28, 2021, 10:32:53 AM
to Harbour Users
Hi Felix:
   I did a check on the abuse web site, and the IP returned was different than the one I posted, but *is* a person from Poland who registered a few years ago, but who has never been active in our ng.
Anyway, I 'Denied Access'  to this different IP from Poland.  But I did *not* report Abuse to the abuse site -- yet !
Thanks,
-Mel

Andrzej P. Wozniak

Apr 28, 2021, 8:05:20 PM
to Harbour Users mailing list
From: Mel Smith <meds...@gmail.com>
Sent: Saturday, April 24, 2021 6:35 PM

> You all wonder why I require an IP Address and Name in order to
> download from my site.

Mel, your assumptions are wrong.

> Below is my latest attacker's assaults on my web site this morning.

It's NOT an attack, it's a normal way of using a browser. Sorry to
disappoint you. Some user just wanted to download some files.

> This person probably attacks from a 'proxy' in Poland.

It's not a proxy. Read logs more carefully and check facts with your
search engine, please.

> I have decided to '403' this person so he gets "Access denied". But,
> I wonder *why* he spends all of his time attacking. Doesn't he have
> anything better to do with his time ?

Don't you have anything better to do with your time, Mel? Why don't you
spend time on searching and learning?

> Anyway, below is my latest log of his attacks.

And here it's all clear:

> ip-185-189-215-36.fibreo.pl

Fibreo.pl is a local broadband Internet provider in Poland. Fibreo stands
for FIBRE Optics, so it's probably some home WiFi router in a small town
connected to fiber from the ISP.

> [24/Apr/2021:09:31:57 -0600] "GET
> /0805/hb3432_con_mingw_1903191612.zip

Trying to download a zip file using the following web browser:

> "Mozilla/5.0 (Linux; U; Android 10;
> pl-pl; POCOPHONE F1 Build/QKQ1.190828.002) AppleWebKit/537.36 (KHTML,
> like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36
> XiaoMi/MiuiBrowser/12.3.5-g"

As you can see, it's the default browser on a Xiaomi Poco smartphone.

Attackers would somehow hide their identity. A lazy attacker would use Tor
browser and open the URL of your site in many tabs (every tab connected via
another IP). A smarter attacker would change the User-Agent to a more popular
browser, possibly some non-branded Google Chrome version. An even smarter
attacker would use JavaScript code to repeatedly download _many_ _small_
files using more and more connections. That's how DDoS (Distributed Denial
of Service) works.

> [24/Apr/2021:09:31:57 -0600] "GET
> /0805/hb3464_bin_mingw_1712201340.zip

And here's another zip file requested…

> [24/Apr/2021:09:31:58 -0600] "GET
> /0805/hb3464_src_mingw_1712201340.zip

> [24/Apr/2021:09:33:36 -0600] "GET
> /0805/hb3432_con_mingw_1903191612.zip

And retries follow…

> [24/Apr/2021:09:33:36 -0600] "GET
> /0805/hb3432_con_mingw_1903191612.zip

> [24/Apr/2021:09:33:36 -0600] "GET
> /0805/hb3464_bin_mingw_1712201340.zip

And more and more retries, because there is NO info on your page that some
special requirements are needed in order to download files… Or maybe that
info is a popup which can be blocked by some adblock extension or the
browser itself.

And there is also no info about limited availability in your announcements
with subject "New Harbour 3.x build is available" (or similar). You just
declare that "It is available for download at whosaway.com".

I can report more problems with your website and suggest some solutions,
if you really want to do something more useful than writing questionable
complaints.
Just send an email message to me.

APW

--
Regards from Poland
Andrzej P. Woźniak
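
Added example, not part of the original post or of the site's own tooling: a Python triage that summarises access-log lines per client, so a handful of retried downloads can be told apart from a flood. The sample lines are constructed from the fragments quoted in the post; the 403 status, the byte count and the rate threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format.
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample: host, times, paths and User-Agent are the fragments
# quoted in the post; status 403 and the byte count are assumptions.
HOST = "ip-185-189-215-36.fibreo.pl"
UA = ("Mozilla/5.0 (Linux; U; Android 10; pl-pl; POCOPHONE F1 "
      "Build/QKQ1.190828.002) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 "
      "XiaoMi/MiuiBrowser/12.3.5-g")
HITS = [("09:31:57", "hb3432_con_mingw_1903191612"), ("09:31:57", "hb3464_bin_mingw_1712201340"),
        ("09:31:58", "hb3464_src_mingw_1712201340"), ("09:33:36", "hb3432_con_mingw_1903191612"),
        ("09:33:36", "hb3432_con_mingw_1903191612"), ("09:33:36", "hb3464_bin_mingw_1712201340")]
SAMPLE = [f'{HOST} - - [24/Apr/2021:{t} -0600] "GET /0805/{p}.zip HTTP/1.1" '
          f'403 199 "-" "{UA}"' for t, p in HITS]

def summarise(lines):
    """Per-client request count, distinct paths, denials, rate and UAs."""
    clients = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            clients[m["host"]].append((ts, m["path"], int(m["status"]), m["ua"]))
    report = {}
    for host, hits in clients.items():
        times = [h[0] for h in hits]
        # Floor the span at one second so a single-second burst has a rate.
        span = max((max(times) - min(times)).total_seconds(), 1.0)
        report[host] = {
            "requests": len(hits),
            "distinct_paths": len({h[1] for h in hits}),
            "denied": sum(h[2] in (401, 403) for h in hits),
            "per_minute": round(len(hits) * 60 / span, 1),
            "user_agents": len({h[3] for h in hits})}
    return report

def verdict(s, max_per_minute=60):
    """Threshold is an illustrative assumption, not a value from the thread."""
    if s["per_minute"] > max_per_minute:
        return "high request rate: investigate"
    if s["denied"] == s["requests"]:
        return "client retrying denied downloads"
    return "ordinary browsing"
```

On the constructed sample the client makes six requests for three files in 99 seconds from one User-Agent, which the summary reports as retries of denied downloads.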

Andrzej P. Wozniak

Apr 28, 2021, 9:26:49 PM
to Harbour Users mailing list
From: Mel Smith <meds...@gmail.com>
Sent: Wednesday, April 28, 2021 5:36 AM

> Yes, I've now got *two* separate attackers from (ostensibly) Poland
> being blocked now (but maybe its the same person using two different
> sites/IP addresses).

Mel, you have got enough time to learn, but you haven't done anything
useful.

There were NO attacks.
The second user was me. User, not attacker. After your first message I
visited your site, downloaded 652722629 bytes in 39 files and started
download for 3 other files.
Do you still call it attacking? It's just normal use. Do you think that
Microsoft should ban all Windows Update users? What do you call Windows
users who download the current Windows 10 build (5+ GB) in order to reinstall
a badly broken system?

> I can easily determine from the logs that they
> are simply trying to disrupt my server. And now, very quickly I '403'
> their attempts.
> What a wasteful task on their part.

On your part. Sorry to disappoint you once again. If your server isn't
ready to provide gigabytes of files to download, don't do it. You can make
archives smaller using 7zip format and/or provide links to external file
hosting services. You can just upload the files to your Google Drive,
can't you?

> More attacker info:
> Site: OSK.OLSZYNKA.PL
> IP: 89.64.85.111

There's definitely something wrong with tools you use. Maybe you don't
know how to use them properly or you don't understand the results.

Site osk.olszynka.pl has _static_ IP address 84.10.60.130.

Open command line (console) window and run the following command:
ping -a osk.olszynka.pl
You should see IP 84.10.60.130.

IP 89.64.85.111 is used for _dynamic_ addresses.
Now run the following command:
ping -a 89.64.85.111
You should see DNS address 89-64-85-111.dynamic.chello.pl
As you can see, it's dynamic.

I really don't know what to say about your complaints.
Maybe you should put a huge banner "Trespassers will be prosecuted" on
your site… Or at least a piece of broken board which has: ‘TRESPASSERS W’
on it.
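
Added example, not part of the original post: the forward and reverse lookups described above, done in Python before a hostname and an IP address are paired in a block rule or an abuse report. The offline table holds the values stated in the post; the forward record for the chello.pl name and the list of "dynamic" name hints are assumptions.

```python
import socket

def forward(name):
    """A/AAAA lookup: the set of addresses a hostname resolves to."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def reverse(ip):
    """PTR lookup: the name registered for an address, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

# Name fragments that usually mark ISP address pools (assumed heuristic).
DYNAMIC_HINTS = ("dynamic", "dyn", "pool", "dhcp")

def check_pair(name, ip, forward=forward, reverse=reverse):
    """Does `ip` really belong to `name`? Compare both lookup directions."""
    addrs = forward(name)
    ptr = reverse(ip)
    return {
        "name_resolves_to_ip": ip in addrs,
        "forward": sorted(addrs),
        "ptr": ptr,
        # Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
        "ptr_confirmed": bool(ptr) and ip in forward(ptr),
        "ptr_looks_dynamic": bool(ptr) and any(
            hint in ptr.lower() for hint in DYNAMIC_HINTS),
    }

# Values as stated in the post; the forward record for the chello.pl
# name is an assumption made so the example runs offline.
FWD = {"osk.olszynka.pl": {"84.10.60.130"},
       "89-64-85-111.dynamic.chello.pl": {"89.64.85.111"}}
PTR = {"89.64.85.111": "89-64-85-111.dynamic.chello.pl"}

def demo():
    """Check the site/IP pair from the thread against the offline table."""
    return check_pair("osk.olszynka.pl", "89.64.85.111",
                      forward=lambda n: FWD.get(n, set()), reverse=PTR.get)
```

Calling `check_pair` without the `forward` and `reverse` arguments performs live lookups through the system resolver.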

Pete

Apr 29, 2021, 3:49:35 AM
to Harbour Users
On Thursday, 29 April 2021 at 04:26:49 UTC+3 Andrzej P. Wozniak wrote:

Site osk.olszynka.pl has _static_ IP address 84.10.60.130.


Seemingly, this site has something strange...

regards,
Pete

José Orozco

Sep 3, 2021, 10:47:02 PM
to harbou...@googlegroups.com
Hello,

Good evening.

Where can I download the latest version of Harbour 3.4 (already compiled
for x86 and x64)?

Harbour 3.4.0dev (7974ddf5ec) (2018-04-30 16:41)
Copyright (c) 1999-2018, https://github.com/vszakats/harbour-core/
