And here is an interesting one... See attached screenshot. Different IP addresses from the same Web Install?????
And there are more suspicious items in your LOG.
Friedrich
And here is an interesting one... See attached screenshot. Different IP addresses from the same Web Install?????
And there are more suspicious items in your LOG.
Friedrich
Hackers will sniff for the existence of files on all public web sites. You need to look at LOG files more often. You'll get all kind of crazy GET requests for non-existent files all the time on a public server. Some hacker/sniffer is looking for doorway pages or login pages. That's why you see a 404 for /wp-login.php We don't use WordPress on our server, but some hacker is looking for a login page so that they can try hacking in.And directly after the "download issue" we see /wp-login.php requests with "404" results.
My guess on this one is that some anti-virus site has been given my EXE to analyze. Sites like VirusTotal.com accept user's EXE uploads or URLs to files they wish to have verified for a virus. My guess is that one of these anti-virus sites is analyzing the contents of the installation package.And here is an interesting one... See attached screenshot. Different IP addresses from the same Web Install?????
When I do a tracert on the IP in question, it traces to google.com It could very well be that Google is checking an email that I sent out to one of its users. The email I sent would have had a direct link to the EXE. I would not be surprised if Google isn't downloading and testing the file for viruses before delivering the email to its users.
The wp-login.php request is coming from a different IP address that the stub EXE attempt to download the associated .bin files. That wp-login.php attempt isn't related to the SetupBuilder matter.directly after the "download issue" we see /wp-login.php requests with "404" results. Can you shed some light on this?
The wp-login.php attempt is from 191.248.106.65. The .bin file requests are from 47.13.117.202. These are totally unrelated.And of course, again a /wp-login.php (404).
My dummy test EXE with a Download of an unknown file type did not generate an error code in the program/installer. The install completed without displaying any error.What does "Download File..." stores in %_SB_ERRORCODE% after such an unsuccessful action?
On the server, the LOG file showed a 404 error for the unknown file type:
2019-03-25 22:33:32 192.168.1.15 GET /testing.123 - 80 - 192.168.1.1 SB8 - 404 3 50 15
"testing.123" was the file I instructed the installer to download.
Okay, but it is very often directly after a "terminated" Web Install. IMO, it is related.
You started this support thread with "Web Deploy: Majority of installations fail (Source file not found)". So let me ask you, did you receive complains from (potential) customers? Did they send you screenshots from "Source file not found" error messages? Or did you start this support thread solely on the basis of the "aborted" Web installations LOG entries?
You sent the LOG yesterday and before that I assumed your customers reported massive "Source file not found" errors. Based on the information you provided, I brought the "404 error" and "server does not respond" into play. But as far as I can see from your server LOGs, automated processes start your Web Installation in a sandbox (even from different IPs) and then terminate it. And you are absolutely right: there is not any SetupBuilder related error code (e.g. 404) in your LOGs because the SetupBuilder Web Installation never failed.
Friedrich
Last edited by linder; 05-16-2019 at 05:02 AM.
Perfect. Thanks for the confirmation. My "404" theory was based on your "Source file not found" statement.
Friedrich
My guess is that ALL aborted/terminated Web Installations in your LOGs come from suspicious IP addresses and are automated downloads executed from within a sandbox.
For example, the 185.220.70.152 IP in your server LOG which I already mentioned in one of my screenshots (I have attached it again). It has been reported 6 times (Abuse IPDB) and 7 times in Stop Spam.
And please note the "/WP-login.php" attempts directly after the terminated Web Installs (on two different days). See attached screenshot. You said it's totally unrelated because it comes from another IP, but I really think it is related.
IMO, it is time to close this "Source file not found" support thread, wouldn't you agree? SetupBuilder is not responsible for the "8 out of 8 different users failed to complete the web deployment" issue you mentioned in your original post. The automated (hacker/sniffer/whatever) tools started and terminated these Web Installations - the "failed" installation attempts you see in your server LOGs are not real user downloads.
See: http://www.lindersoft.com/forums/sho...0181#post90181
Friedrich
Correct. After spending many hours on this and after analysing your LOG files, I came to the conclusion that there were NO 404 errors. All SetupBuilder Web Installation GET requests succeeded!
Well, the good news for you is, that you do not have a server problem. And the good news for us is, there is no SetupBuilder Web Installer problem.
This download came from IP 185.220.70.152. It's listed several times in abuse and spam databases.
This download came from IP 178.62.228.82 and belongs to Digital Ocean in Amsterdam, The Netherlands. I bet it's some kind of spider-bot.
This download came from IP 66.102.6.183 and belongs to Google LLC.
This download came from IP 35.161.55.221 which belongs to Amazon.com Inc (amazonaws.com) and it's listed in abuse and spam databases.
To cut a long story short, all mentioned "downloads" stopped with code 200 because "The Machines" simply terminated (killed) the sandbox executed Web Installations after a specific number of downloaded cluster files. There were no human beings behind the downloads. All Web Installs "stopped/terminated" intentionally.
Friedrich
There are currently 1 users browsing this thread. (0 members and 1 guests)