@OutsourcedGuru
I mean, I am using CloudFlare to manage my outbound/inbound connections, at least though my domain name. I've been having some issues with people just poking at my Public IP for months now, and I really don't want to have to change my public IP. Even if they block access to my own printer, they aren't always remote, and I can easily get physical access to my machines whenever. They literally sit right next to me while I am at home.
@foosel
See above; I will look into doing safe mode from CLI and check out that guide for Safe Remote Access. Nothing on the internet is safe. If need be, I will post any more issues and errors, in an attempt to help you guys squash vulnerabilities like this.
I've updated OctoPrint. Not much has changed. One of my instances is perfectly fine. One of my instances is bugged. I will change haproxy to point to the webcam, which will indeed break my abilities to upload directly from Slic3r and Cura, but I guess I will have to deal with that for now.
But for the love of all that is holy please don't just hang stuff online without additional securing. Whitelisting, not blacklisting, and aggressive automatic banning. Non standard port numbers can also do wonders.
Erm, to what? You were already running latest stable with 1.3.9. Are you now on 1.3.10rc2?
Just for the record, so far there's no vulnerability visible here. You have a bunch of entries there that originate from some clients automatically scanning your server and poking around for potentially vulnerable PHP based admin interfaces (good luck with that here), and you have what based on the request pattern seems to be yourself accessing the web interface and running into the aforementioned 403s.
Running in safe mode will at least rule out any kind of plugin issues here, but I'm actually now more leaning towards these ip change shenanigans being at the bottom of this. Would be interesting to know what happens when you access the instance via your LAN, not via your public address.
Years ago, I owned and ran a datacenter so I was responsible for making those safe from the Internet. There were many times when I saw innovative attacks and I had to often write software in realtime to block the bad guys.
That said, when you see so many hosts all attacking you all at once, it's time for drastic measures.
I'm fairly sure that I would know if a new version had been released, and I would definitely know if 1.4.0 was released. I write that stuff.
I have no idea what you are running there now. Best case it is a current development build from the devel branch since you somehow managed to switch to commit tracking and also manually switched your branch. Worst case it's god knows what. Combined with the break-in attempts at this point I'd actually recommend to make a backup of your settings, do a fresh install, and then double check that you are still on stable releases.
foosel: Remember that time this guy put his OctoPrint on the Internet and then hackers totally owned him? /months-later
Just messing with you, dude. But honestly, the Internet is a harsh place.
Somewhere in the setup is the location where new versions are publicized. I suspect that if you received a false notification for an upgrade then that's been compromised. I'm reviewing mine now...
I'm not seeing anything in the config.yaml file that could be re-directed to an evil site.
If it's not in config.yaml it's still pointing to the correct values (config.yaml only contains overrides). Still, I have no idea what happened there and frankly the fact that it claimed to have an update to 1.4.0 and then did something which we still have no information on which apparently in the end was a no-op makes me question that instance enough that at this point all I want to recommend is a reinstall. Not necessarily because something did get owned, but rather because there are too many things that appear non standard here that make anything else just a horrible trip to fix.
From experience, it feels to me like someone is trying to make a point. I'm surprised that the notification didn't say something juvenile like "p0wn!!!!" or something.
The only thing non-standard here is my twin instances. Other than that, everything is pretty standard.
@OutsourcedGuru
You may be right. I know a guy who was a security nut, who used my IP a while back to do some testing, and then we had a falling out. Not saying it was him, but it does make me question motives.
I'm still not convinced that this was a faked notification. I'd want logs for that first. I'm rather leaning towards some serious hiccups in the updater caused by whatever is wrong with that instance.
Constant 403s and switching client IPs are non standard. Update notifications that claim there are new releases are non standard. Having such an instance on the net is non standard.
