aMule Forum

Author Topic: Hacked search results  (Read 6928 times)

jewitt

  • Newbie
  • Karma: -1
  • Offline Offline
  • Posts: 3
Hacked search results
« on: July 06, 2007, 08:19:04 PM »

I've noticed (like a lot of you) that there's some hacked clients that return results no matter what I search for in Global Search. For example, if I search for "Foobar", I get results back like:

Download Foobar with the fastest BitTorrent downloader.zip
View Foobar with the ultimate player.zip
Find Foobar using emule multimedia toolbar.zip
... ad nauseam ...

One person said to remove all servers and only use DonkeyServer. I tried that but I still get these erroneous results.

I could think of some new features that would help with this:
* Filter files by hash
* If the protocol allows it, filter servers that are returning these false results
* Filter by number of sources. Very few searches that I do return results over 2000 sources. Some of these false files have close to 7500 sources.

Anyway, it's not a show stopper but it sure is annoying. If anyone has any other solutions that work, let us know.
Logged
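The filters proposed in the post above (hash blocklist, source-count cut-off, flagging servers that return bogus hits), plus a check for the query-echo naming pattern it describes, as an added example that is not part of the original thread or of aMule's code. `Result`, `classify`, `suspect_servers` and all sample values are hypothetical and constructed for illustration.

```python
from collections import defaultdict, namedtuple

MAX_SOURCES = 2000  # cut-off taken from the post above; an assumption, tune as needed
# One search hit: query that produced it, returned file name, eD2k hash (hex),
# source count claimed by the server, answering server as "ip:port".
Result = namedtuple("Result", "query name file_hash sources server")

def template(r):
    """File name with the query term blanked out, or None if the name lacks it."""
    name, q = r.name.lower(), r.query.lower()
    return name.replace(q, "{q}") if q and q in name else None

def classify(results, blocked_hashes=frozenset(), max_sources=MAX_SOURCES):
    """Return [(result, reasons)]; an empty reasons list means the hit is kept."""
    queries_per_template = defaultdict(set)
    for r in results:
        if (t := template(r)) is not None:
            queries_per_template[t].add(r.query.lower())
    verdicts = []
    for r in results:
        reasons = []
        if r.file_hash in blocked_hashes:
            reasons.append("blocked-hash")
        if r.sources > max_sources:
            reasons.append("too-many-sources")
        # Same name pattern returned for unrelated searches: the query was pasted in.
        if len(queries_per_template.get(template(r), ())) > 1:
            reasons.append("query-echo")
        verdicts.append((r, reasons))
    return verdicts

def suspect_servers(verdicts, min_ratio=0.5):
    """Servers for which at least min_ratio of the returned hits were flagged."""
    total, bad = defaultdict(int), defaultdict(int)
    for r, reasons in verdicts:
        total[r.server] += 1
        bad[r.server] += bool(reasons)
    return sorted(s for s in total if bad[s] / total[s] >= min_ratio)

# Constructed sample data: documentation IP ranges, made-up hashes and names.
FAKE, GOOD = "198.51.100.7:4661", "192.0.2.10:4661"
SAMPLE = [
    Result("Foobar", "Download Foobar with the fastest BitTorrent downloader.zip", "aa" * 16, 7500, FAKE),
    Result("quux", "Download quux with the fastest BitTorrent downloader.zip", "aa" * 16, 7400, FAKE),
    Result("quux", "View quux with the ultimate player.zip", "cc" * 16, 150, FAKE),
    Result("Foobar", "foobar live 2006.ogg", "bb" * 16, 12, GOOD),
    Result("quux", "quux manual.pdf", "dd" * 16, 40, GOOD),
]
```

The query-echo check only fires once the same name pattern has been seen for at least two different searches, so it needs results from more than one query to be useful.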

skolnick

  • Global Moderator
  • Hero Member
  • *****
  • Karma: 24
  • Offline Offline
  • Posts: 1188
  • CentOS 6 User
Re: Hacked search results
« Reply #1 on: July 06, 2007, 08:26:19 PM »

This is caused by fake servers only. There are fake DonkeyServers. The correct ones are just 6, and they are all from the Netherlands. Their IPs start with 62 IIRC.

Regards.
Logged

peerates.net

  • Approved Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 6
    • peerates.net
Re: Hacked search results
« Reply #2 on: July 09, 2007, 07:44:50 PM »

Hi,
These bad results are caused by some UDP spammer servers:
All servers with www.wmule.com (US and IL)

To solve it, you should get a clean servers list.
++


Logged

HKM

  • Guest
Re: Hacked search results
« Reply #3 on: July 11, 2007, 11:34:50 AM »

Hi,
These bad results are caused by some UDP spammer servers:
All servers with www.wmule.com (US and IL)

To solve it, you should get a clean servers list.
++

As he said, first REMOVE all servers from the list. Then go to gruk.org/list.php? Then get the top 3-4 servers with the most users, which are DonkeyServer 2, 1, 3, 5 at most given times. Then go to pref > server and disable auto update list from server and clients.
Logged

Charles Root

  • Newbie
  • Karma: 0
  • Offline Offline
  • Posts: 3
Re: Hacked search results
« Reply #4 on: July 25, 2007, 12:43:31 PM »

Greetings,
  I emptied my aMule folder and downloaded a clean node file (as mentioned in a different thread).
Then took the advice in this thread (getting safe servers from: http://gruk.org/list.php?).
Then fired up aMule again. But no joy. My searches are still polluted, and my log continues to
fill up with the following:
Code:
2007-07-25 03:06:20: ServerUDP: Got server search reply with additional packet.
2007-07-25 03:06:20: ServerUDP: Got server search reply with additional packet.
2007-07-25 03:06:20: ServerUDP: Got server search reply with additional packet.
2007-07-25 03:06:20: ServerUDP: Got server search reply with additional packet.
Sometimes thousands of them. :(
Also, since this spam has started, my returned search results are way down.
So it appears that searching the ed2k network is completely pointless. :(
On the bright side; the developer(s) can simply rip all the ed2k code out of aMule and
spend their time developing the kad stuff. So it'll perhaps be even better than ed2k ever was.
As it is, I'll never search the ed2k network. At least not with aMule. The only app that I've used
that doesn't have this problem is PHEX. OK, I can't be absolutely sure of this. 'Cause it has
some built in filters. So I just might not be exposed to the spam. Anyway, it really sux.
Be great if someone really knew what causes this - or better - had a cure. ;)

Thank you for all your time and consideration.
Logged
While a person's opinions change, their conviction
of their correctness never does.

Kry

  • Ex-developer
  • Retired admin
  • Hero Member
  • *****
  • Karma: -665
  • Offline Offline
  • Posts: 5795
Re: Hacked search results
« Reply #5 on: July 25, 2007, 04:13:53 PM »

Clean your servers from fake servers and you'll be "cured".
Logged

Charles Root

  • Newbie
  • Karma: 0
  • Offline Offline
  • Posts: 3
Re: Hacked search results
« Reply #6 on: July 25, 2007, 09:29:30 PM »

Greetings, and thank you for your reply.
I guess I must have misunderstood.
All the other posts regarding servers pointed to locations for "safe" lists (http://gruk.org/list.php?
and <something>-info.de/nodes.dat, can't remember the first part at the moment). So I deleted:
Code:
clients.met
clients.met.BAK
known.met
known2.met
list
nodes.dat
server.met
server_met.old
and downloaded a copy of nodes.dat. Then started up aMule and loaded the proclaimed "safe"
servers from http://gruk.org/list.php? and waited for kad to find some nodes. I received a hiID
almost immediately. I then performed a search, only to be given the same search spam and UDP
noise I was receiving before I deleted what I was to understand were "safe" lists.
Pity too, 'cause I was previously enjoying some 1995 ed2k servers and roughly the same kad nodes. :/
On ServerUDP responses; I read elsewhere that the responses I'm receiving (Got server search reply with additional packet.) are supposed to be an attempt to install a Trojan/Backdoor. Anybody else have
more info on this? I'm on a BSD boxen and scanned it. It returned clean. But that doesn't mean that
one doesn't get installed in aMule, or that aMule itself doesn't become a backdoor. Just thought I'd
see if others had any thoughts, or could confirm this.

Thank you very much for all your time and consideration in this matter.
Thanks again for your response.

@skolnick
Love your sig. How come my aMule doesn't look that pretty?
« Last Edit: July 25, 2007, 09:49:21 PM by Charles Root »
Logged

Kry

  • Ex-developer
  • Retired admin
  • Hero Member
  • *****
  • Karma: -665
  • Offline Offline
  • Posts: 5795
Re: Hacked search results
« Reply #7 on: July 25, 2007, 11:09:19 PM »

On ServerUDP responses; I read elsewhere that the responses I'm receiving (Got server search reply with additional packet.) are supposed to be an attempt to install a Trojan/Backdoor. Anybody else have
more info on this?

That's bullshit. That message is just debug for me to know when a UDP search reply has a packet that has to be processed as well, as UDP packets from servers sometimes have additional info that has to be processed. It's perfectly normal.

I am surprised that no one told you yet to disable the update servers from clients/servers from the preferences, because that's what's happening to you. Disable that, remove all servers, download a clean server list, and everything will be ok.
Logged

Charles Root

  • Newbie
  • Karma: 0
  • Offline Offline
  • Posts: 3
Re: Hacked search results
« Reply #8 on: July 26, 2007, 01:53:52 AM »

Greetings, and thank you for your response.
 I'm not at all surprised to hear that about the UDP packets. After all, UDP is really stupid. It has
no additional layers to deal with error handling, or even to ensure it gets to its intended destination.
But by that same token; it also makes it trivial to manipulate them in a dubious manner. So
I don't think it is truly out of the question to think they can be used for evil purposes.
Anyway, I haven't taken the time to capture all the UDP packets coming in, for later analysis. I
only did a search for the responses I was getting when doing an ed2k search. The only results I
was able to find indicated they were evil/fake servers injecting Trojan/Backdoors into the UDP
packets. So I thought I'd bring it up here.

About the preferences:
 I never mentioned anything about my prefs. So I am surprised to hear you mention/assume that I
have allow update(s) from either clients/servers. However, since you mention it; I do not allow
server updates from clients, only from servers. My reasoning behind allow from servers, is that
if I'm using a list from trusted servers, why would I not trust their updates? I mean; I downloaded
the server list(s) listed in the forum here as being safe and deleted all my previous .met and
.dat files before using the "new and safe" ones. Then started aMule up again. Have I overlooked
something?

Thank you again for all your time and consideration.

UPDATE:
 Now I'm receiving these:
2007-07-25 17:23:09: ServerUDP: Sources received for unknown file
2007-07-25 17:23:10: ServerUDP: Sources received for unknown file
2007-07-25 17:23:10: ServerUDP: Sources received for unknown file
2007-07-25 17:23:10: ServerUDP: Sources received for unknown file
2007-07-25 17:23:10: ServerUDP: Sources received for unknown file
2007-07-25 17:23:12: ServerUDP: Sources received for unknown file
2007-07-25 17:23:12: ServerUDP: Sources received for unknown file
2007-07-25 17:23:12: ServerUDP: Sources received for unknown file
2007-07-25 17:23:12: ServerUDP: Sources received for unknown file
2007-07-25 17:23:12: ServerUDP: Sources received for unknown file
2007-07-25 17:23:18: ServerUDP: Sources received for unknown file
2007-07-25 17:23:18: ServerUDP: Sources received for unknown file
2007-07-25 17:23:18: ServerUDP: Sources received for unknown file
2007-07-25 17:23:18: ServerUDP: Sources received for unknown file
2007-07-25 17:23:18: ServerUDP: Sources received for unknown file
2007-07-25 17:23:19: ServerUDP: Sources received for unknown file
2007-07-25 17:23:19: ServerUDP: Sources received for unknown file
2007-07-25 17:23:19: ServerUDP: Sources received for unknown file
2007-07-25 17:23:19: ServerUDP: Sources received for unknown file
2007-07-25 17:23:19: ServerUDP: Sources received for unknown file
2007-07-25 17:23:19: ServerUDP: Sources received for unknown file
2007-07-25 17:23:20: ServerUDP: Sources received for unknown file
2007-07-25 17:23:20: ServerUDP: Sources received for unknown file
2007-07-25 17:23:20: ServerUDP: Sources received for unknown file
2007-07-25 17:23:20: ServerUDP: Sources received for unknown file
2007-07-25 17:23:20: ServerUDP: Sources received for unknown file
2007-07-25 17:23:20: ServerUDP: Sources received for unknown file
2007-07-25 17:23:20: ServerUDP: Sources received for unknown file
2007-07-25 17:23:20: ServerUDP: Sources received for unknown file
2007-07-25 17:23:20: ServerUDP: Sources received for unknown file
2007-07-25 17:23:22: ServerUDP: Sources received for unknown file
2007-07-25 17:23:22: ServerUDP: Sources received for unknown file
2007-07-25 17:23:22: ServerUDP: Sources received for unknown file
2007-07-25 17:23:22: ServerUDP: Sources received for unknown file
2007-07-25 17:23:22: ServerUDP: Sources received for unknown file

Anyone know? Or is it the same as the others (2007-07-25 17:23:28: ServerUDP: Got server search reply with additional packet.).

Thanks for your time.

UPDATE#2:
OK, seems lionel77 already answered "UPDATE"
here: http://forum.amule.org/index.php?topic=11802.0

 So I guess I'm just curious about the rest of my post here.
« Last Edit: July 26, 2007, 02:40:34 AM by Charles Root »
Logged

Kry

  • Ex-developer
  • Retired admin
  • Hero Member
  • *****
  • Karma: -665
  • Offline Offline
  • Posts: 5795
Re: Hacked search results
« Reply #9 on: July 26, 2007, 04:36:38 AM »

I never mentioned anything about my prefs. So I am surprised to hear you mention/assume that I
have allow update(s) from either clients/servers. However, since you mention it; I do not allow
server updates from clients, only from servers. My reasoning behind allow from servers, is that
if I'm using a list from trusted servers, why would I not trust their updates? I mean; I downloaded
the server list(s) listed in the forum here as being safe and deleted all my previous .met and
.dat files before using the "new and safe" ones. Then started aMule up again. Have I overlooked
something?


Disable it?
Logged

skolnick

  • Global Moderator
  • Hero Member
  • *****
  • Karma: 24
  • Offline Offline
  • Posts: 1188
  • CentOS 6 User
Re: Hacked search results
« Reply #10 on: July 26, 2007, 03:59:12 PM »


@skolnick
Love your sig. How come my aMule doesn't look that pretty?

It's just a matter of configuration, nothing more. And the image was generated by wxCas (included with aMule). Also, disable updates by servers, since they usually allow updates from any server, so you will end up with fake servers anyway. Just disable it, and erase any server except for the 6 donkeyservers.

Regards.
Logged

rubyred

  • Approved Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 12
Re: Hacked search results
« Reply #11 on: August 20, 2007, 10:38:37 AM »

Hi,
I have a further question about dealing with fake servers. I used to use e-mule but have recently changed to a Macbook and amule. Over at e-mule I was sent the following directions for changing your setting to combat fake servers. Just wondering are there similar options for amule?

Thanks

Fake Servers. Follow these steps:
1. Go to Options/Server
2. Set number of errors allowed before removing the server to 9
3. Click Edit button that appears next to the option Auto update
4. In Notepad, that is opened, add the following lines in the beginning:
   http://www.gruk.org/server.met.gz
   http://peerates.net/peerates/trueservers.met
5. Save changes in notepad
6. Unmark the two following options Update list of servers
7. Click on Accept
8. Go to servers window
9. Remove all servers from static list
10. Remove all servers from list
11. In Update Server.met from URL, write any of the URLs in point 4
12. Click on Update button
13. If you have selected Autoconnect only to servers on static list add the servers you want to static list
14. Double click on any server
15. Once you get enough known clients in ed2k after reconnecting, click bootstrap in Kad window
Logged

Kry

  • Ex-developer
  • Retired admin
  • Hero Member
  • *****
  • Karma: -665
  • Offline Offline
  • Posts: 5795
Re: Hacked search results
« Reply #12 on: August 20, 2007, 11:55:35 AM »

Basically the same, check http://www.amule.org/wiki/index.php/Fake_servers

The only thing you don't do in aMule is the notepad step.
Logged

rubyred

  • Approved Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 12
Re: Hacked search results
« Reply #13 on: August 21, 2007, 12:38:53 AM »

Thanks for that.
I went to the link and tried deleting all servers excepting the 6 Donkey servers. However when I double clicked on one of the Donkey servers I got new servers in the servers window, none having any description, as per below??

Logged

skolnick

  • Global Moderator
  • Hero Member
  • *****
  • Karma: 24
  • Offline Offline
  • Posts: 1188
  • CentOS 6 User
Re: Hacked search results
« Reply #14 on: August 21, 2007, 05:32:42 AM »

Disable *all* the options to update servers (from clients and also from servers).

Regards.
Logged