
How do bots know my Telebit domain? #180

Closed
Jaikant opened this issue Jan 26, 2025 · 5 comments

@Jaikant

Jaikant commented Jan 26, 2025

FWIW, the moment I connected telebit to my local server, there was a slew of requests trying to hack into my system. Here are the logs.
It cannot be some random web bot trying to get into my system as soon as it is connected the first time. It has to be telebit itself ... :(

Since I have already implemented a mechanism to block such requests ... I got to know.

info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","content-length":"164","content-type":"application/x-www-form-urlencoded","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","content-length":"164","content-type":"application/x-www-form-urlencoded","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
Added IP to blocked list: ::ffff:127.0.0.1
info: Throttled request from IP: ::ffff:127.0.0.1, Country: Unknown
info: ThrottledExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/debug/default/view?panel=config"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/debug/default/view?panel=config"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/v2/_catalog"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/v2/_catalog"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/server-status"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/server-status"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/login.action"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/_all_dbs"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/login.action"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.DS_Store"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/_all_dbs"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.env"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.DS_Store"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.env"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.git/config"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/s/335323e2435313e28333e2
[12:18:54 PM] Starting compilation in watch mode...
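Added example, not part of the issue and not Telebit's code: a small Go classifier run over constructed log lines in the same shape as the ones above. It parses the JSON payload out of each line, matches the request path against the probe paths that appear in these logs (all of them standard scanner checks for leaked config files, exposed services and product fingerprints), tallies them, and includes the check a practitioner would want before copying the "Added IP to blocked list: ::ffff:127.0.0.1" step: behind a tunnel the peer address is the local tunnel client, so a loopback address is never safe to block. The probe labels, the `SampleLog` lines and the function names are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// probeSignatures maps request paths that scanners try against every newly seen
// hostname to what the probe is after. The paths are the ones in the issue's
// logs; the labels are this example's own.
var probeSignatures = map[string]string{
	"/.env":               "dotenv file with credentials",
	"/.git/config":        "exposed git repository",
	"/.DS_Store":          "macOS directory metadata leak",
	"/_all_dbs":           "CouchDB database list",
	"/v2/_catalog":        "Docker registry catalog",
	"/server-status":      "Apache mod_status page",
	"/login.action":       "Atlassian login page",
	"/debug/default/view": "Yii debug panel",
	"/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application": "Exchange Control Panel fingerprint",
}

// SampleLog is a constructed sample in the same shape as the issue's log lines
// (same filter names and JSON payloads); it is not the issue's own log.
var SampleLog = []string{
	`info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}`,
	`Added IP to blocked list: ::ffff:127.0.0.1`,
	`info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/debug/default/view?panel=config"}`,
	`info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/v2/_catalog"}`,
	`info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/v2/_catalog"}`,
	`info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.env"}`,
	`info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.git/config"}`,
	`info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/api/health"}`,
}

// Entry holds what this example extracts from one log line: the filter name,
// the request path (Blocked/Throttled lines) and the Host header (HttpExceptionFilter lines).
type Entry struct{ Filter, Path, Host string }

// ParseLine pulls the JSON object out of an "info: <Filter>: ..." line. Lines
// without a JSON object (the IP block and throttle notices) report ok=false.
func ParseLine(line string) (Entry, bool) {
	filter, payload, ok := strings.Cut(strings.TrimPrefix(line, "info: "), ": ")
	if !ok {
		return Entry{}, false
	}
	i := strings.Index(payload, "{") // HttpExceptionFilter lines read "404. Headers: {...}"
	if i < 0 {
		return Entry{}, false
	}
	var raw map[string]any
	if err := json.Unmarshal([]byte(payload[i:]), &raw); err != nil {
		return Entry{}, false
	}
	e := Entry{Filter: filter}
	e.Path, _ = raw["path"].(string)
	e.Host, _ = raw["host"].(string)
	return e, true
}

// Classify drops the query string and returns the probe family for a path, or
// "" when the path is not a known probe.
func Classify(p string) string {
	p, _, _ = strings.Cut(p, "?")
	return probeSignatures[p]
}

// Tally counts, per probe family, how many log lines tried it.
func Tally(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		if e, ok := ParseLine(l); ok {
			if fam := Classify(e.Path); fam != "" {
				counts[fam]++
			}
		}
	}
	return counts
}

// SafeToBlockPeer reports whether a peer address seen by an application behind a
// tunnel identifies a remote client. A loopback address does not: it is the local
// tunnel client, and blocking it blocks every request the tunnel delivers.
func SafeToBlockPeer(ip string) bool {
	p := net.ParseIP(strings.TrimSpace(ip))
	return p != nil && !p.IsLoopback() && !p.IsUnspecified()
}

func main() {
	for fam, n := range Tally(SampleLog) {
		fmt.Printf("%3d  %s\n", n, fam)
	}
	fmt.Println("safe to block ::ffff:127.0.0.1?", SafeToBlockPeer("::ffff:127.0.0.1"))
}
```

The `/api/health` line is left unclassified on purpose: a path-based rule set should only flag paths that are known scanner targets, and the list here is limited to the ones visible in this thread.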

@coolaj86

Hello. I'm the maintainer of Telebit.

When you use Let's Encrypt, or any public certificate registry, the certificates are listed publicly, as soon as they're created.

The bots watch the certificate lists, and probe new sites for attack vectors.

How soon you get probed, or how many bots probe you is just the luck of the draw.

@anderspitman
Owner

Thanks @coolaj86. This matches my experience with how these tools work. Going to close this. @Jaikant feel free to reopen if you have additional concerns.

@Jaikant changed the title from "Dont trust telebit" to "telebit" on Jan 28, 2025
@anderspitman changed the title from "telebit" to "How do bots know my Telebit domain?" on Jan 28, 2025
@Jaikant
Author

Jaikant commented Jan 28, 2025

@coolaj86 Thanks for the explanation and sorry for judging your excellent work in telebit.

I have edited the title to just telebit, so folks skimming through should not get the wrong perception.

Apologies again as it was my lack of understanding of how these things happen.

@Jaikant
Author

Jaikant commented Jan 29, 2025

@coolaj86 There is just one final thought which is nagging me. If you can help explain.

When a tunnel forwards requests transparently, it forwards all associated request headers, since applications set custom headers.

In the headers I received from the bot, it shows that the request originated from the local host using a client implemented in Go.

Telebit is also implemented in go.

@coolaj86

The version of telebit you have is written in node, and the server you're connecting to is node as well.

The next version is written in Go, but I haven't spent the time to create a migration path for existing users, so it's only used in a few private installations.

The telebit server looks at SNI headers and uses that to forward to the correct client.

The local client receives information about the remote connection, but depending on how it's handled you may or may not see that in what it's connected to.

Since the client connects from localhost to another localhost application, you'll often see localhost in the logs.

Also, there's an attack known as "domain fronting" in which the remote specifies false http headers to get access to things. Devs are split as to whether it's a feature or a bug. In any case, Telebit only uses SNI on the server side, so it doesn't validate http headers.
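Added example, not Telebit's code: a Go program that reproduces the routing described above on a loopback TLS listener and adds the check the maintainer says Telebit does not do. The server picks the tenant from the SNI name of the TLS handshake, then compares it with the Host header carried inside the encrypted request and answers 421 Misdirected Request when the two disagree, which is exactly the shape of a domain-fronted request. `Probe` plays the client and lets you vary SNI and Host independently. The tenant hostname is the one from the logs in this issue; `other-tenant.example`, the function names and the self-signed certificate are this example's assumptions.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"strings"
	"time"
)

// HostMatchesSNI compares the Host header carried inside a TLS session with the
// SNI name the session was negotiated for (case and a trailing port ignored; an
// empty SNI never matches). A server that routes purely on SNI never does this.
func HostMatchesSNI(sni, hostHeader string) bool {
	h := hostHeader
	if host, _, err := net.SplitHostPort(hostHeader); err == nil {
		h = host
	}
	norm := func(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }
	return sni != "" && norm(h) == norm(sni)
}

// selfSignedCert makes a throwaway certificate for host (test use only).
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serveOne picks the tenant from SNI (what a tunnel server does), then refuses
// the request with 421 Misdirected Request if its Host header names another tenant.
func serveOne(conn *tls.Conn) {
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if err := conn.Handshake(); err != nil {
		return
	}
	sni := conn.ConnectionState().ServerName
	req, err := http.ReadRequest(bufio.NewReader(conn))
	if err != nil {
		return
	}
	status, body := http.StatusOK, "routed to "+sni+"\n"
	if !HostMatchesSNI(sni, req.Host) {
		status, body = http.StatusMisdirectedRequest, "Host header does not match SNI\n"
	}
	fmt.Fprintf(conn, "HTTP/1.1 %d %s\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s",
		status, http.StatusText(status), len(body), body)
}

// StartServer listens on a random loopback port with a self-signed cert for tenant.
func StartServer(tenant string) (addr string, stop func(), err error) {
	cert, err := selfSignedCert(tenant)
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go serveOne(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// Probe negotiates TLS with SNI sni, sends GET / with Host header host (the
// domain-fronting shape when the two differ) and returns the HTTP status code.
func Probe(addr, sni, host string) (int, error) {
	// InsecureSkipVerify only because the test server's certificate is self-signed.
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	fmt.Fprintf(conn, "GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n", host)
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

To try it, call `StartServer("chilly-lion-28.telebit.io")` and then `Probe(addr, sni, host)` with the same name for both (200), with `host` set to `"chilly-lion-28.telebit.io:443"` (still 200, the port is ignored), and with SNI and Host naming different tenants in either direction (421). Placing this check at the tunnel server would reject fronted requests before they reach any client; placing it in the local application, as here, only works if the tunnel client passes the SNI name through, which the thread says depends on how the client handles the connection.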

3 participants