Web Deploy: Majority of installations fail (Source file not found)

[linder]

And here is an interesting one... See attached screenshot. Different IP addresses from the same Web Install?????

And there are more suspicious items in your LOG.

Friedrich

[instrumentally]

And directly after the "download issue" we see /wp-login.php requests with "404" results.

Hackers will sniff for the existence of files on all public web sites. You need to look at LOG files more often. You'll get all kind of crazy GET requests for non-existent files all the time on a public server. Some hacker/sniffer is looking for doorway pages or login pages. That's why you see a 404 for /wp-login.php We don't use WordPress on our server, but some hacker is looking for a login page so that they can try hacking in.

[instrumentally]

And here is an interesting one... See attached screenshot. Different IP addresses from the same Web Install?????

My guess on this one is that some anti-virus site has been given my EXE to analyze. Sites like VirusTotal.com accept user's EXE uploads or URLs to files they wish to have verified for a virus. My guess is that one of these anti-virus sites is analyzing the contents of the installation package.

When I do a tracert on the IP in question, it traces to google.com It could very well be that Google is checking an email that I sent out to one of its users. The email I sent would have had a direct link to the EXE. I would not be surprised if Google isn't downloading and testing the file for viruses before delivering the email to its users.

[instrumentally]

directly after the "download issue" we see /wp-login.php requests with "404" results. Can you shed some light on this?

The wp-login.php request is coming from a different IP address that the stub EXE attempt to download the associated .bin files. That wp-login.php attempt isn't related to the SetupBuilder matter.

[instrumentally]

And of course, again a /wp-login.php (404).

The wp-login.php attempt is from 191.248.106.65. The .bin file requests are from 47.13.117.202. These are totally unrelated.

[instrumentally]

What does "Download File..." stores in %_SB_ERRORCODE% after such an unsuccessful action?

My dummy test EXE with a Download of an unknown file type did not generate an error code in the program/installer. The install completed without displaying any error.

On the server, the LOG file showed a 404 error for the unknown file type:

2019-03-25 22:33:32 192.168.1.15 GET /testing.123 - 80 - 192.168.1.1 SB8 - 404 3 50 15

"testing.123" was the file I instructed the installer to download.

[linder]

The wp-login.php request is coming from a different IP address that the stub EXE attempt to download the associated .bin files. That wp-login.php attempt isn't related to the SetupBuilder matter.

Okay, but it is very often directly after a "terminated" Web Install. IMO, it is related.

You started this support thread with "Web Deploy: Majority of installations fail (Source file not found)". So let me ask you, did you receive complains from (potential) customers? Did they send you screenshots from "Source file not found" error messages? Or did you start this support thread solely on the basis of the "aborted" Web installations LOG entries?

You sent the LOG yesterday and before that I assumed your customers reported massive "Source file not found" errors. Based on the information you provided, I brought the "404 error" and "server does not respond" into play. But as far as I can see from your server LOGs, automated processes start your Web Installation in a sandbox (even from different IPs) and then terminate it. And you are absolutely right: there is not any SetupBuilder related error code (e.g. 404) in your LOGs because the SetupBuilder Web Installation never failed.

Friedrich

[linder]

Perfect. Thanks for the confirmation. My "404" theory was based on your "Source file not found" statement.

Friedrich

[linder]

My guess is that ALL aborted/terminated Web Installations in your LOGs come from suspicious IP addresses and are automated downloads executed from within a sandbox.

For example, the 185.220.70.152 IP in your server LOG which I already mentioned in one of my screenshots (I have attached it again). It has been reported 6 times (Abuse IPDB) and 7 times in Stop Spam.

And please note the "/WP-login.php" attempts directly after the terminated Web Installs (on two different days). See attached screenshot. You said it's totally unrelated because it comes from another IP, but I really think it is related.

IMO, it is time to close this "Source file not found" support thread, wouldn't you agree? SetupBuilder is not responsible for the "8 out of 8 different users failed to complete the web deployment" issue you mentioned in your original post. The automated (hacker/sniffer/whatever) tools started and terminated these Web Installations - the "failed" installation attempts you see in your server LOGs are not real user downloads.

See: http://www.lindersoft.com/forums/sho...0181#post90181

Friedrich

[linder]

You won't find any 404 return codes from the server with regards to the _0000#.bin files.

Correct. After spending many hours on this and after analysing your LOG files, I came to the conclusion that there were NO 404 errors. All SetupBuilder Web Installation GET requests succeeded!

So you are trying to tell me my problem is with my server returning error 404 codes and yet my server is not returning error 404 codes for the .bin files.

Well, the good news for you is, that you do not have a server problem. And the good news for us is, there is no SetupBuilder Web Installer problem.

On 2019-03-24, the last .bin file that the stub attempted to download was _00005.bin which returned code 200. The remaining 390+ other .bin files were never downloaded despite no 404 messages occurring.

This download came from IP 185.220.70.152. It's listed several times in abuse and spam databases.

The same thing happened for 2019-03-22. _00005.bin was the last .bin attempted, and the LOG file shows code 200 was returned, not 404.

This download came from IP 178.62.228.82 and belongs to Digital Ocean in Amsterdam, The Netherlands. I bet it's some kind of spider-bot.

For 2019-03-20, _00003.bin and _00054.bin were the last .bin files downloaded, again, with code 200.

This download came from IP 66.102.6.183 and belongs to Google LLC.

For 2019-03-19, _00001.bin, _00005.bin, _00053.bin and _00054.bin were the last .bin files downloaded, again, all stopping with code 200.

This download came from IP 35.161.55.221 which belongs to Amazon.com Inc (amazonaws.com) and it's listed in abuse and spam databases.

To cut a long story short, all mentioned "downloads" stopped with code 200 because "The Machines" simply terminated (killed) the sandbox executed Web Installations after a specific number of downloaded cluster files. There were no human beings behind the downloads. All Web Installs "stopped/terminated" intentionally.

Friedrich