Bug 262537 - dns/dns2blackhole : dns2blackhole-update2 is downloading executable to make ddos
Status: Closed Not Accepted
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Daniel Engberg
Keywords: security
Reported: 2022-03-14 00:03 UTC by Thibault Payet
Modified: 2023-06-19 05:16 UTC
dns2blackhole1: maintainer-feedback+
joeb1: maintainer-feedback+
Description Thibault Payet 2022-03-14 00:03:38 UTC
dns2blackhole-update2 is broken due to this domain, http://rlwpx.free.fr/WPFF/, which will simply let you download scripts with the executable bit set whose purpose is to do some DDoS. But of course you don't get any blacklist host file with it....
This is potentially a security risk.
Comment 1 Daniel Engberg freebsd_committer freebsd_triage 2022-03-19 21:55:42 UTC
Thanks, seeing that this hasn't been updated in years I'd suggest that we sunset this port and point users to other solutions such as using a dns (proxy) with lists. Any objections?
Comment 2 joeb1 2022-03-21 16:30:29 UTC
update-2 uses the French .7z zipped file format. The p7zip pkg was scheduled for removal 1/1/2022. Do not run the update-2 any more. Tar will not handle .7z files. Looking for an alternative or will remove update-2 altogether in the next release.
Comment 3 joeb1 2022-03-21 22:49:34 UTC
Drilled down to find the real problem.
First, the 7-zip compression method has been set as deprecated 1/1/2022. So I changed it to use tar on .7z files.

Digging deeper I find that on 2/23/2022 Russians against Putin's war in Ukraine hacked the site and loaded scripts that use wget and are intended to attack sites in Russia with a DOS attack. It's my understanding that all contact with the public internet from Russia has been disabled already by the service provider. So they can not get out and we can not get in.

The point here is to be aware that there are for sure other websites that have been hacked in this manner. FREE UKRAINA, STOP THE WAR.

The fact is that what was done has no auto effect. You have to decide and take action before anything will happen outside the dns2blackhole port. Just the update-2 will not work as of now.

I think this is a temporary situation and the http://rlwpx.free.fr/WPFF/ site should fix itself when they do their normal quarterly update.

It may help to speed things up if somebody who reads French can find the contact info at http://rlwpx.free.fr/WPFF/ and let them know they have been hacked.


Have no intention to make any changes to dns2blackhole at this time. Going to wait and see what the upstream maintainer does.


One last thing. Just because a port has not had any updates in some time does not mean it's not supported, not used or should be sunset. Only a fool who knows not what they are talking about would say something foolish like that. If you can't say something good then keep your mouth shut. And YES I object very strongly.
Comment 4 Thibault Payet 2022-03-22 06:09:40 UTC
I don't understand the logic: why do nothing when you could simply remove the update-2 script? Then when it is fixed, simply add it back. It is unacceptable that a script that should download host files for malware DNS blocking would simply download executables instead (there are some scripts, but also binary ones, and we don't know what they really do).
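The failure mode reported above, an updater fetching executables where a hosts file was expected, can be caught by validating the download before it is installed. The following is an added example, not code from the dns2blackhole port or from any commenter; the function names, the accepted sink addresses and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not dns2blackhole code. Function names and the accepted
# sink addresses are assumptions made for this illustration.

# is_hosts_blocklist FILE [MIN_ENTRIES]: succeed only if FILE is plain text
# made of comments and "sink-address hostname..." lines.
is_hosts_blocklist() {
    f=$1; min=${2:-1}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # Control bytes other than TAB/LF/CR mean binary content (ELF, archives).
    ctrl=$(LC_ALL=C tr -d '\11\12\15\40-\377' < "$f" | wc -c | tr -d ' ')
    [ "$ctrl" -eq 0 ] || return 1
    LC_ALL=C awk -v min="$min" '
        { sub(/\r$/, "") }
        NR == 1 && /^#!/ { bad = 1; exit }      # interpreter line: a script
        { sub(/#.*/, "") }                      # drop comments
        NF == 0 { next }
        NF < 2 || ($1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::" && $1 != "::1") {
            bad = 1; exit
        }
        {
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$/) { bad = 1; exit }
                n++
            }
        }
        END { if (bad || n < min) exit 1 }
    ' "$f"
}

# install_blocklist SRC DEST [MIN_ENTRIES]: validate, then copy the content
# only, so mode bits set on the download (such as +x) never reach DEST.
install_blocklist() {
    src=$1; dest=$2
    if ! is_hosts_blocklist "$src" "${3:-1}"; then
        echo "rejected: $src is not a hosts-format blocklist" >&2
        return 1
    fi
    cat "$src" > "$dest.new" && chmod 0644 "$dest.new" && mv "$dest.new" "$dest"
}

# Demo on constructed input: one hosts list and one executable script.
demo=$(mktemp -d)
printf '# constructed sample\n0.0.0.0 ads.example.com\n' > "$demo/good"
printf '#!/bin/sh\necho not-a-blocklist\n' > "$demo/bad"; chmod +x "$demo/bad"
for s in good bad; do
    if install_blocklist "$demo/$s" "$demo/hosts" 2>/dev/null; then echo "$s: installed"; else echo "$s: rejected"; fi
done
rm -rf "$demo"
```

A minimum entry count (third argument) also catches an upstream that starts serving an empty or truncated list.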
Comment 5 Mikael Urankar freebsd_committer freebsd_triage 2022-03-22 06:42:23 UTC
http://rlwpx.free.fr/WPFF/mel.htm
Comment 6 dns2blackhole1 2022-06-05 19:30:20 UTC
From the author. This has no effect on the port. First off very few people run the update2 script because it uses a large amount of memory. Comment #3 describes the real problem and I agree with it. In time the owners will update their site data and I think this is a temporary situation and the http://rlwpx.free.fr/WPFF/ site should fix itself when they do their normal update.
Comment 7 dns2blackhole1 2022-06-05 19:33:13 UTC
This bug report can be closed.