Rickroll? #17656

Closed
soapee01 opened this issue Sep 3, 2024 · 3 comments

soapee01 commented Sep 3, 2024

I've got an installed version of Synapse in my homelab, and I keep getting alerts from my Arista (Untangle) firewall that Synapse is trying to connect to a specific IP address (193.81.127.60) on port 443. This redirects to YouTube playing Rick Astley's Never Gonna Give You Up.

Does anyone have a clue what this might be about? The alerts happen several times per day. Here's what I get from Untangle:

System: Arista 

Event: WebFilterEvent

Event Time: 2024-09-03 13:58:18.876.

Event Summary:
Web Monitor flagged http://chat.ohaa.xyz/ (Phishing and Other Frauds)

Event Details:
app name                          = web_monitor
blocked                           = false
category                          = Phishing and Other Frauds
category id                       = 57
flagged                           = true
reason                            = BLOCK_CATEGORY
request line                      = GET http://chat.ohaa.xyz/
rule id                           = 57

<snip>

protocol name                    = TCP
remote addr                      = 193.81.127.60
s client addr                    = 1.2.3.4
s client port                    = 11809
s server addr                    = 193.81.127.60
s server port                    = 443
server country                   = AT
server intf                      = 1
server latitude                  = 47.2326
server longitude                 = 11.2466
session id                       = 113040251395856
tags string                      = 
time stamp                       = 2024-09-03 13:58:18.711
time stamp                        = 2024-09-03 13:58:18.876

This is an automated message sent because this event matched Alerts Rule "Phishing and Other Frauds website visit detected".

erikjohnston (Member) commented

It might be someone trying to do a URL preview if you have them enabled? https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_enabled

spaetz commented Sep 21, 2024

Naah, there is simply a synapse running on that site: https://federationtester.matrix.org/#chat.ohaa.xyz

So, this is simply synapse trying to connect to another synapse instance.

anoadragon453 (Member) commented

In that case, this is expected behaviour if a local user is sharing a room with a user on chat.ohaa.xyz.

Looking at ohaa.xyz, this indeed looks to be someone's active matrix server. The rickroll redirect is probably just a joke.

I don't believe you have anything to worry about unless you actively see spam in Matrix rooms from that homeserver.

anoadragon453 closed this as not planned on Oct 2, 2024
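
The triage the thread arrives at, as an added example that is not part of the original issue or of Synapse: parse an alert in the `key = value` layout quoted above, then check whether the flagged host is the server name of a remote user who shares a room with a local user. The room membership data, the local server name `example.org` and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a trimmed alert in the layout quoted in the issue.
ALERT = """\
Event: WebFilterEvent
category                          = Phishing and Other Frauds
flagged                           = true
request line                      = GET http://chat.ohaa.xyz/
s server addr                    = 193.81.127.60
s server port                    = 443
"""

# Constructed sample: members of rooms joined by local users (hypothetical export).
ROOM_MEMBERS = {
    "!abc:example.org": ["@alice:example.org", "@bob:chat.ohaa.xyz"],
    "!def:example.org": ["@alice:example.org", "@carol:matrix.org"],
}
LOCAL_SERVER = "example.org"  # assumed local server_name

def parse_alert(text):
    """Return the 'key = value' fields of an alert as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+=\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def flagged_host(fields):
    """Extract the hostname from the alert's 'request line' field."""
    _method, _, url = fields.get("request line", "").partition(" ")
    return (urlsplit(url).hostname or "").lower()

def remote_servers(room_members, local_server):
    """Map each remote server name to the rooms shared with it."""
    shared = {}
    for room_id, members in room_members.items():
        for user_id in members:
            # Matrix user IDs are @localpart:server_name
            server = user_id.split(":", 1)[1].lower()
            if server != local_server:
                shared.setdefault(server, set()).add(room_id)
    return shared

def triage(alert_text, room_members, local_server):
    """Classify the alert: federation with a known peer, or unexplained."""
    host = flagged_host(parse_alert(alert_text))
    rooms = remote_servers(room_members, local_server).get(host, set())
    return host, "expected-federation" if rooms else "unexplained", sorted(rooms)
```

A homeserver that delegates federation to a different hostname, or whose server name carries an explicit port, will not match by name here, so an "unexplained" verdict calls for a further check rather than a conclusion.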