[RESOLVED] ABE Nat Pinning Warning

Discussions about the Application Boundaries Enforcer (ABE) module
RD

[RESOLVED] ABE Nat Pinning Warning

Post by RD »

Hello,

I recently added the ABE rule for Nat Pinning (Thanks to Tom T).

# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)
Site ^https?://[^/]+:[0-35-7]
Deny


That rule triggered a warning on a couple of links today, and I was wondering if somebody could please verify if it was protecting me from an actual attack, or was it possibly a false positive.


Here's one example:
Go here -http://www.uploadc.com/11qvmd48tufm/Hirokin.2011.DVDRip
On the left, click the button "Slow Access".
On the following page, click the big yellow download button.
On the following page, click the red download button.
You should now get the ABE warning.



Thanks for any help,
RD.
Guest

Re: ABE Nat Pinning Warning

Post by Guest »

Sorry, I included an image of the warning message in my post above, but it didn't show up.

Here you go: -http://postimage.org/image/63w9y04hv/
Tom T.

Re: ABE Nat Pinning Warning

Post by Tom T. »

You're welcome. :)

That site doesn't have a very good reputation at mywot.com.
Quoting the first two reviewers:
If you click on slow option without paying they ask you to download a codex, which is probably a virus, also I believe the site is pulling a scam if you buy anything from these guys chances are you will never get it, avoid, avoid, avoid.
Too many pop-up ads to unsafe and possibly malicious attack sites.
I can't even get to the site to check it out. Something is blocking it, and it's not my Hosts file or ABE, as there is no ABE error, only standard Firefox:

Code:
Server not found
Firefox can't find the server at www.uploadc.com.
Can't even ping it.

Code:
C:\WINDOWS\system32>ping www.uploadc.com
Ping request could not find host www.uploadc.com. Please check the name and try again.
That's not conclusive, as some sites refuse to answer ping requests, to avoid being attacked by being "flooded" with them.
But the fact that the browser can't get there, either -- perhaps my ISP is blocking it?
Or they've been shut down by the authorities?

I find it odd that the domain is hosted in Germany

Code:
IP address: 82.199.133.18
Host name: www.uploadc.com

Alias:
uploadc.com
www.uploadc.com
82.199.133.18 is from Germany(DE) in region Western Europe
but its ownership is in India.

Code:
REGISTRANT CONTACT INFO 
rajneesh 
rajneesh ojha 
i block house no 574 
kanpur U.P 208022 
IN
Phone: +91.9455133913 
Email Address: rajneesh_ojha@yahoo.com
In any case, I would tend to run in the other direction -- fast -- and thank ABE. :)

What are the other URLs that get caught by this?


(Side note: That numeric IP is ping-able):

Code:
C:\WINDOWS\system32>ping 82.199.133.18
Pinging 82.199.133.18 with 32 bytes of data:

Reply from 82.199.133.18: bytes=32 time=133ms TTL=46
Reply from 82.199.133.18: bytes=32 time=130ms TTL=46
Reply from 82.199.133.18: bytes=32 time=130ms TTL=46
Reply from 82.199.133.18: bytes=32 time=132ms TTL=46

Ping statistics for 82.199.133.18:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss
Approximate round trip times in milli-seconds:
    Minimum = 130ms, Maximum = 133ms, Average = 131ms
(so perhaps the ISP blocked it by domain name only -- quite plausible, as that's how we usually browse to places.)


ETA: I tried removing the ABE rule, and still got the same "can't find" message from Firefox.
RD

Re: ABE Nat Pinning Warning

Post by RD »

Hi Tom,

Thanks for taking the time to look into this :) .
What are the other URLs that get caught by this?
So far I've only received the alerts on a couple of file hosting sites.

Here's another: -http://www.vidhog.com/17vhpxbpjhvn
On the bottom right, click Free members download.
Wait for the 30 sec timer, then click Continue to the video.
On the next page, near the bottom, click Click Here to download this file.
You should now get an ABE warning similar to this one: -http://postimage.org/image/4ri42k885/

Note: If I remove the ABE rule, nothing strange happens and the file (752 MB) downloads as normal.


Thanks,
RD.
Tom T.

Re: ABE Nat Pinning Warning

Post by Tom T. »

Hi RD,

I have only a little time, as I've spent the last hour or so talking to my ISP (or waiting on hold :evil: ).

Short answer: They're not blocking uploadc. At their suggestion, I even tried to go there in IE. :o
Didn't work.

They suggested the router's built-in firewall. So I hard-wired the machine to the modem. Still can't go there.
Something in my many layers of defense-in-depth is catching it. But I'd say that's a good thing.

Can't do a thorough investigation of the other site now, but it seems that they're all using a P2P port that may have been included in that ABE rule.
I'll try to get back within 24 hours or so. After investigating, I'll let Giorgio know the results. Perhaps the rule could be modified to allow those ports.

But I think ABE did you a favor.
Please check www.mywot.com before using any other file-sharing sites, for your own safety.

- Tom
Tom T.

Re: ABE Nat Pinning Warning

Post by Tom T. »

OK, I'm back.

Convenience tip: Rather than bother with screenshots, uploads, etc. you can open Error Console (Ctrl+Shift+J, or Firefox Tools > Web Developer > Error Console) and copy/paste the message in the blue "Messages" section. Look for those that begin with [ABE].

Code:
[ABE] <^https?://[^/]+:[0-35-7] > Deny on {GET http://s14a.vidhogservers.com:182/d/ekdu73bmnjhr3p57tcqnc2b4r6mycylkfpndxhx7a6eutlm4lp6mwf4l/The.Grey.2011.720p.BluRay.x264.x264.YIFY.mp4 <<< http://www.vidhog.com/17vhpxbpjhvn - 6}
USER rule:
Site ^https?://[^/]+:[0-35-7] 
Deny
Much easier, no? :)

What caught my eye was

Code:
vidhogservers.com:182
... which was the same port as in your first post.
Port 182 didn't sound like a "standard" or "likely" port off the top of my head.

Per http://www.grc.com/port_182.htm,
Port 182
Name: audit
Purpose: Unisys Audit SITP
Huh? :shock:

I will ask Giorgio whether:

1) This is indeed a non-standard port (though d/l sites seem to use it);
2) If so, should it be added to the "allowed" group in the anti-NAT-Pinning rule; or
3) Am I misreading this? :?
Giorgio Maone

Re: ABE Nat Pinning Warning

Post by Giorgio Maone »

Tom T. wrote: 1) This is indeed a non-standard port (though d/l sites seem to use it);
Yes it is.
Tom T. wrote: 2) If so, should it be added to the "allowed" group in the anti-NAT-Pinning rule; or
If someone has this specific problem, he or she can put the following rule before the NAT-Pinning one:

Code:
Site .vidhogservers.com:182
Accept from  .vidhog.com
Deny
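To make the interaction between the two rules concrete, here is an added Python emulation (not NoScript's code; its matching semantics are an assumption) that evaluates the NAT pinning regex from the first post and Giorgio's exception rule in order, and shows why the exception has to be listed before the NAT pinning rule.

```python
import re
from urllib.parse import urlsplit

# Constructed emulation of the two ABE rules quoted in this thread. This is an
# assumption about ABE's matching semantics, not NoScript's own engine: each rule
# has a Site matcher, an optional "Accept from" origin list and a default action,
# and the first rule whose Site matches the request decides.

NAT_PINNING_RULE = {
    "site": r"^https?://[^/]+:[0-35-7]",  # regex: a port whose first digit is 0-3 or 5-7
    "accept_from": [],
    "default": "Deny",
}
VIDHOG_EXCEPTION = {                       # Giorgio's rule, to be listed first
    "site": ".vidhogservers.com:182",      # leading dot: the domain and its subdomains
    "accept_from": [".vidhog.com"],
    "default": "Deny",
}
RULES = [VIDHOG_EXCEPTION, NAT_PINNING_RULE]


def domain_matches(pattern, host):
    """'.example.com' matches example.com and any subdomain of it."""
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def site_matches(site, url):
    """Sites starting with ^ are regexes over the full URL; others match host[:port]."""
    if site.startswith("^"):
        return re.search(site, url) is not None
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in site:
        domain, port = site.rsplit(":", 1)
        return parts.port == int(port) and domain_matches(domain, host)
    return domain_matches(site, host)


def evaluate(rules, url, origin):
    """Return 'Accept' or 'Deny' for a request to url made from the page at origin."""
    origin_host = urlsplit(origin).hostname or ""
    for rule in rules:
        if not site_matches(rule["site"], url):
            continue
        if any(domain_matches(p, origin_host) for p in rule["accept_from"]):
            return "Accept"
        return rule["default"]
    return "Accept"  # no rule matched: the request is allowed
```

With the NAT pinning rule alone, the port-182 download from vidhog.com is denied; with the exception listed first, it is accepted only when the origin is vidhog.com, and the same port on any other host is still blocked.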
Tom T.

Re: ABE Nat Pinning Warning

Post by Tom T. »

Giorgio Maone wrote:
Tom T. wrote: 1) This is indeed a non-standard port (though d/l sites seem to use it);
Yes it is.
Tom T. wrote: 2) If so, should it be added to the "allowed" group in the anti-NAT-Pinning rule; or
If someone has this specific problem, he or she can put the following rule before the NAT-Pinning one:

Code:
Site .vidhogservers.com:182
Accept from  .vidhog.com
Deny
Thank you, Giorgio. That does indeed seem better than unblocking that port universally in the ABE rule.
Any idea *why* two different d/l sites (at least) would choose that particular port?


@ All users: Note that Giorgio's ABE rule can serve as a pattern for any other file-sharing or download sites that use non-standard ports.
But the fact that this ABE rule was triggered was the only thing that caused OP to inquire, thus avoiding a possible attempted malware infection.

So, please investigate the reputation of all such sites before using them, regardless of ABE warnings. Per FAQ: "What Is A Trusted Site?",
NoScript offers a "Site Info" page which can help you to assess the trustworthiness of the web sites shown in your NoScript menu. You can access this service by middle-clicking or shift-clicking the relevant menu item.
RD

Re: ABE Nat Pinning Warning

Post by RD »

Hi Tom,

Sorry for the late reply.

Thanks so much for all your help with this, and apologies for taking up so much of your valuable time with such a minor issue. Learned a lot from this thread, great advice and tips :).

Thank you too, Giorgio, for your assistance, very much appreciated.

Best regards to you both,
RD.
Tom T.

Re: ABE Nat Pinning Warning

Post by Tom T. »

Hi RD,

No apologies needed. That's what we're here for, and I learned something too, about d/l sites now using non-standard ports.
So if the issue comes up again, I'll know the answer already. :)
And it was by no means "minor". Becoming aware of a suspected malware site is valuable information.

Will mark this as Resolved, and you're very welcome.
Thrawn

Re: [RESOLVED] ABE Nat Pinning Warning

Post by Thrawn »

Bringing more attention to the NAT Pinning rule was valuable too.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Tom T.

Re: [RESOLVED] ABE Nat Pinning Warning

Post by Tom T. »

Thrawn wrote:Bringing more attention to the NAT Pinning rule was valuable too.
Indeed. And it's not mentioned in the NoScript FAQ, even ABE FAQ, nor anywhere else AFAICT, except for the one blog post of almost two years ago. The blog is pretty much oriented to higher-tech users.

So, who would support asking Giorgio to include it in the default ABE rules -- perhaps with an exception for Port 182 if it proves to be more widely used for d/l sites (which could be removed by higher-tech users), or perhaps a special message triggered by matching :182, which alerts the user of what is happening and refers to an FAQ of what to do about it?


ETA: Congrats to Thrawn on becoming a "senior member". :D
Thrawn

Re: [RESOLVED] ABE Nat Pinning Warning

Post by Thrawn »

Tom T. wrote:
Thrawn wrote:Bringing more attention to the NAT Pinning rule was valuable too.
Indeed. And it's not mentioned in the NoScript FAQ, even ABE FAQ, nor anywhere else AFAICT, except for the one blog post of almost two years ago. The blog is pretty much oriented to higher-tech users.

So, who would support asking Giorgio to include it in the default ABE rules -- perhaps with an exception for Port 182 if it proves to be more widely used for d/l sites (which could be removed by higher-tech users), or perhaps a special message triggered by matching :182, which alerts the user of what is happening and refers to an FAQ of what to do about it?
Definitely! Would save me having to look it up whenever I configure a new profile...which has been happening a bit lately, for various reasons. Plus it's something that's valuable to have, and usually nonintrusive, but most people, even NS users, wouldn't know about or implement it by default. Not sure about the special message - which would mean extra code - but that's up to Giorgio. Maybe another entry in the ABE FAQ?
Tom T. wrote: ETA: Congrats to Thrawn on becoming a "senior member". :D
Aww, thanks :). I feel so :ugeek: now.
Tom T.

Re: [RESOLVED] ABE Nat Pinning Warning

Post by Tom T. »

Thrawn wrote:Definitely! Would save me having to look it up whenever I configure a new profile
You are aware that you can use import/export features for *all* NS settings, by choosing those buttons at the bottom of the NS GUI? -- and *not* the ones specific to the Whitelist tab, which import/export only whitelisted and Untrusted sites (which can still be useful).
Thrawn wrote: Maybe another entry in the ABE FAQ?
The entire FAQ needs a thorough going-over, and Giorgio knows that, but as it's hoped to bring out NS 3.0 "soon", I understand the reluctance to do that when it will all have to be revised for NS 3.x anyway.

Still, just an FAQ on "What do I do if I get an ABE error message" would be helpful. -- at least, for those who read FAQs, and/or search them before posting. :cry:
Thrawn

Re: [RESOLVED] ABE Nat Pinning Warning

Post by Thrawn »

Tom T. wrote: You are aware that you can use import/export features for *all* NS settings, by choosing those buttons at the bottom of the NS GUI? -- and *not* the ones specific to the Whitelist tab, which import/export only whitelisted and Untrusted sites (which can still be useful).
I probably knew it in the back of my head somewhere...thanks. Some of the setup that I'm talking about is on different machines, but I guess I could put it on a USB drive.