How do bots know my Telebit domain? #91

Closed
opened 2025-11-10 13:54:06 -06:00 by GiteaMirror · 5 comments

Originally created by @Jaikant on GitHub (Jan 26, 2025).

FWIW, the moment I connected telebit to my local server, there was a slew of requests trying to hack into my system. Here are the logs.
It cannot be some random web bot trying to get into my system as soon as it is connected the first time. It has to be telebit itself ... :(

Since I have already implemented a mechanism to block such requests ... I got to know.

```
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","content-length":"164","content-type":"application/x-www-form-urlencoded","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","content-length":"164","content-type":"application/x-www-form-urlencoded","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}
Added IP to blocked list: ::ffff:127.0.0.1
info: Throttled request from IP: ::ffff:127.0.0.1, Country: Unknown
info: ThrottledExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/debug/default/view?panel=config"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/debug/default/view?panel=config"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/v2/_catalog"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/v2/_catalog"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/server-status"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/server-status"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/login.action"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/_all_dbs"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/login.action"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.DS_Store"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/_all_dbs"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.env"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.DS_Store"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.env"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.git/config"}
info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/s/335323e2435313e28333e2[12:18:54 PM] Starting compilation in watch mode...
```


@coolaj86 commented on GitHub (Jan 27, 2025):

Hello. I'm the maintainer of Telebit.

When you use Let's Encrypt, or any public certificate registry, the certificates are listed publicly, as soon as they're created.

The bots watch the certificate lists, and probe new sites for attack vectors.

How soon you get probed, or how many bots probe you is just the luck of the draw.


@anderspitman commented on GitHub (Jan 28, 2025):

Thanks @coolaj86. This matches my experience with how these tools work. Going to close this. @Jaikant feel free to reopen if you have additional concerns.


@Jaikant commented on GitHub (Jan 28, 2025):

@coolaj86 Thanks for the explanation and sorry for judging your excellent work in telebit.

I have edited the title to just telebit, so folks skimming through should not get the wrong perception.

Apologies again as it was my lack of understanding of how these things happen.


@Jaikant commented on GitHub (Jan 29, 2025):

@coolaj86 There is just one final thought which is nagging me. If you can help explain.

When a tunnel forwards requests transparently it forwards all associated request headers. Since applications set custom headers.

In the headers I received from the bot, it shows that the request originated from the local host using a client implemented in go.

Telebit is also implemented in go.


@coolaj86 commented on GitHub (Jan 29, 2025):

The version of telebit you have is written in node, and the server you're connecting to is node as well.

The next version is written in Go, but I haven't spent the time to create a migration path for existing users, so it's only used in a few private installations.

The telebit server looks at SNI headers and uses that to forward to the correct client.

The local client receives information about the remote connection, but depending on how it's handled you may or may not see that in what it's connected to.

Since the client connects from localhost to another localhost application, you'll often see localhost in the logs.

Also, there's an attack known as "domain fronting" in which the remote specifies false http headers to get access to things. Devs are split as to whether it's a feature or a bug. In any case, Telebit only uses SNI on the server side, so it doesn't validate http headers.
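
Added example (not part of the thread and not Telebit's own code): a Node.js triage of log lines shaped like the ones in this issue. It shows that the address the application blocked is the loopback end of the tunnel rather than the remote scanner, and it tallies probed paths even when a line is cut off. `SAMPLE_LOG` is constructed from the log shapes above, and the function names are hypothetical.

```javascript
// Added example: triage of application logs from a service behind a tunnel.
// SAMPLE_LOG is constructed from line shapes shown in the issue above.
const SAMPLE_LOG = [
  'info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}',
  'info: HttpExceptionFilter: 404. Headers: {"host":"chilly-lion-28.telebit.io:80","user-agent":"Go-http-client/1.1","accept-encoding":"gzip","connection":"close"}',
  'Added IP to blocked list: ::ffff:127.0.0.1',
  'info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/v2/_catalog"}',
  'info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.env"}',
  'info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/.git/config"}',
  'info: BlockedExceptionFilter: {"statusCode":403,"message":"Forbidden","path":"/s/335323e2435313e28333e2[12:18:54 PM] Starting compilation in watch mode...',
].join('\n');

// True for 127.0.0.0/8, ::1 and the IPv4-mapped form (::ffff:127.x.x.x).
function isLoopback(ip) {
  const v4 = ip.toLowerCase().replace(/^::ffff:/, '');
  return v4 === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(v4);
}

// Parse the JSON object that ends a log line; null if cut off or malformed.
function jsonPayload(line) {
  const start = line.indexOf('{');
  if (start === -1) return null;
  try { return JSON.parse(line.slice(start)); } catch { return null; }
}

// Summarise hosts, user agents, probed paths and block-list entries.
function triage(logText) {
  const report = { hosts: new Set(), userAgents: new Set(), paths: new Map(),
                   blockedIps: [], loopbackBlocks: [], unparsed: 0 };
  for (const line of logText.split('\n')) {
    const blocked = line.match(/^Added IP to blocked list: (\S+)/);
    if (blocked) {
      report.blockedIps.push(blocked[1]);
      // A loopback peer is the tunnel client, not the remote scanner.
      if (isLoopback(blocked[1])) report.loopbackBlocks.push(blocked[1]);
      continue;
    }
    const obj = jsonPayload(line);
    if (!obj) { report.unparsed += 1; continue; }
    if (obj.host) report.hosts.add(obj.host.toLowerCase().replace(/:\d+$/, ''));
    if (obj['user-agent']) report.userAgents.add(obj['user-agent']);
    if (obj.path) report.paths.set(obj.path, (report.paths.get(obj.path) || 0) + 1);
  }
  return report;
}

console.log(triage(SAMPLE_LOG));
```

A non-empty `loopbackBlocks` means the block list is keyed on the tunnel's local end, so the block applies to everything arriving through the tunnel, not just the scanner.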

Reference: github-starred/awesome-tunneling#91