Jump to content
Not connected, Your IP: 34.234.207.100
Psamathe

Verifying that you are not a robot ...

Recommended Posts

Recently on a couple of occasions when browsing my own website I've clicked on an internal link and got a reCaptcha "Verifying you are not a robot ..." display (attached screenshot).

I've checked my own site and it's not anything (I don't use reCapcha as I hate the things). Hosting company has checked their servers and it's not them so all I can think of is AirVPN. It's only happened a couple of times and I only use AirVPN. It's only happened a couple of times so may be equally likely on any web site (I've been working and tweaking my own site a lot so more likely as more browsing activity on my site.

I don't use CDNs or anything (Cloudflare seem to do that sort of thing a lot and not part of DDOS (hosting company has checked it's not them) and my manual browsing should not be setting off any DDOS alarms anyway.

Nothing in the html to indicate where it's come from. It's a pretty feeble check as do nothing (no mouse, no input) but instead just refresh the page and it browses the page properly. It's a bt of a "pain" so trying to trace down where it's coming from - as whoever is doing t it's a rubbish detection algorithm and would be totally ineffective.

Any ideas (AirVPN is the last stop in tracing back through things).
Partial screenshot (nothing relevant cut out) attached
 

Verify Not A Robot.png

Share this post


Link to post

Which webapp is this? Is it FOSS, if yes, where is the code hosted?
 

55 minutes ago, Psamathe said:

Nothing in the html to indicate where it's come from.


You wouldn't put that into HTML. JavaScript is by far the most probable answer; DDoS checks usually use that to check for JS capability of a user agent.
 
57 minutes ago, Psamathe said:

AirVPN is the last stop in tracing back through things


I believe you left out the app itself. CAPTCHAs are reactive mechanisms; they don't get shown just like that. Obviously, they conditionally follow after a check of some sort, and this check must come from the application. So, same question: What app is this and are there sources one can look at?

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

Website is running Wordpress and none of the plug-ins have reCaptcha enabled (only one that supports it is the Contact Form but it's disabled). I'v checked the Wordpress logs and nothing, hosting company checked the web server logs and nothing and nothing in their server does this. My own ISP is in effect bypassed as I'm running through AirVPN. It's just a browser browsing a web site so "app" at my end is web browser and "app" at web server end is Wordpress (or have I misunderstood)

When I mentioned the html I was looking at the page displaying the "Verifying your not ..." (think I got it all but had to fetch it from the report to the hosting company support report (so it's been cut and pasted twice so possible something at start of end suffered finger trouble).

      Bot Verification  function onSubmit() { document.getElementById('lsrecaptcha-form').submit(); }  var onloadCallback = function() { var cont = grecaptcha.render('recaptchadiv', { 'sitekey': '6Lfmz14UAAAAAOOCaTqmWmCAD3z2nmNmMANMvSAd', 'callback': onSubmit,  }); grecaptcha.execute(cont); };   body { height: 100%; } .panel { padding: 30px; max-width: 425px; margin: 10% auto; box-shadow: 0 0 2px 2px rgba(0, 0, 0, 0.2); } .title { font-size: 1.5em; font-weight: 100; margin-top: 10px; text-align: center; } .recaptcha-center { margin-top: 35px; margin-bottom: 20px; margin-left: 13%; margin-right: 13%; display: block; }     Verifying that you are not a robot...              Bot Verification  function onSubmit() { document.getElementById('lsrecaptcha-form').submit(); }  var onloadCallback = function() { var cont = grecaptcha.render('recaptchadiv', { 'sitekey': '6Lfmz14UAAAAAOOCaTqmWmCAD3z2nmNmMANMvSAd', 'callback': onSubmit,  }); grecaptcha.execute(cont); };   body { height: 100%; } .panel { padding: 30px; max-width: 425px; margin: 10% auto; box-shadow: 0 0 2px 2px rgba(0, 0, 0, 0.2); } .title { font-size: 1.5em; font-weight: 100; margin-top: 10px; text-align: center; } .recaptcha-center { margin-top: 35px; margin-bottom: 20px; margin-left: 13%; margin-right: 13%; display: block; }      Bot Verification   function onSubmit() { document.getElementById('lsrecaptcha-form').submit(); }  var onloadCallback = function() { var cont = grecaptcha.render('recaptchadiv', { 'sitekey': '6Lfmz14UAAAAAOOCaTqmWmCAD3z2nmNmMANMvSAd', 'callback': onSubmit,  }); grecaptcha.execute(cont); };   body { height: 100%; } .panel { padding: 30px; max-width: 425px; margin: 10% auto; box-shadow: 0 0 2px 2px rgba(0, 0, 0, 0.2); } .title { font-size: 1.5em; font-weight: 100; margin-top: 10px; text-align: center; } .recaptcha-center { margin-top: 35px; margin-bottom: 20px; margin-left: 13%; margin-right: 13%; display: block; }      Bot Verification  function onSubmit() { document.getElementById('lsrecaptcha-form').submit(); }  var onloadCallback = function() { var cont = grecaptcha.render('recaptchadiv', { 'sitekey': '6Lfmz14UAAAAAOOCaTqmWmCAD3z2nmNmMANMvSAd', 'callback': onSubmit,  }); grecaptcha.execute(cont); };   body { height: 100%; } .panel { padding: 30px; max-width: 425px; margin: 10% auto; box-shadow: 0 0 2px 2px rgba(0, 0, 0, 0.2); } .title { font-size: 1.5em; font-weight: 100; margin-top: 10px; text-align: center; } .recaptcha-center { margin-top: 35px; margin-bottom: 20px; margin-left: 13%; margin-right: 13%; display: block; }     Verifying that you are not a robot...           Verifying that you are not a robot...          Verifying that you are not a robot...              Bot Verification  function onSubmit() { document.getElementById('lsrecaptcha-form').submit(); }  var onloadCallback = function() { var cont = grecaptcha.render('recaptchadiv', { 'sitekey': '6Lfmz14UAAAAAOOCaTqmWmCAD3z2nmNmMANMvSAd', 'callback': onSubmit,  }); grecaptcha.execute(cont); };   body { height: 100%; } .panel { padding: 30px; max-width: 425px; margin: 10% auto; box-shadow: 0 0 2px 2px rgba(0, 0, 0, 0.2); } .title { font-size: 1.5em; font-weight: 100; margin-top: 10px; text-align: center; } .recaptcha-center { margin-top: 35px; margin-bottom: 20px; margin-left: 13%; margin-right: 13%; display: block; }     Verifying that you are not a robot...        

Share this post


Link to post

Wordpress 5.5 (not yet upgraded to 5.5.1). Theme is called Visual https://wptheming.com/2013/03/visual-theme/ - actually a child theme though the child changes are trivial (and no reCaptcha stuff, no changes to js as I don't know js) - both theme and child have been stable and unchanged for over a year without this issue. Theme is old and had no updates since Oct 2017. There is a paid version of the theme but I'm using the free version (so it is open).

One other plug-in that has a fair bit of js is OSM (OpenStreetMap) https://en-gb.wordpress.org/plugins/osm/ running version 5.4.1 (again with a couple of minor CSS tweaks). But again, that has been stable (no updates) from before WP 5.5 update (long before this issue started a couple of days ago and this issue is rare - impossible to reproduce on demand).

The reCaptcha is not frequent; happened a couple of times and I've been working on the site so most of my activity has been on my site so most likely to happen on that but it may be because that's by far the most browsing activity.

The other aspect is that the web server/Wordpress (Lightspeed) use caching (the native Lightspeed server caching) so relatively few requests actually get through to the Wordpress app (the caching seems to work well).

I've been on 5.5 for a long time now (since release) but this issue has only started in the last couple of days.

Thanks for looking at it but I do wonder if as this is a very recent issue is it more likely to correspond to some recent change somewhere? The Wordpress site and configuration has been stable since 5.5. upgrade except for some minor CSS appearance tweaks.

Share this post


Link to post

I should add that this isn't a real disaster issue. I'd rather it didn't happen but it's not "driving me up the wall" as it's rare and only started a couple of days ago. I'd rather stop it but not to the point of getting somebody else to spend hours of their time pouring through loads of code written by others ...

Investigation is certainly appreciated but issues do have to be prioritised so please don't spend an age on what is currently not a massive issue (it it becomes one then maybe patterns causing it might emerge?). I posted here to check if AirVPN could be "intercepting" (in the same way e.g. Cloudflare does sometimes) - help is definitely appreciated but I can't expect AirVPN to be debugging Wordpress/WP themes/etc.

Share this post


Link to post
4 minutes ago, Psamathe said:

I'd rather stop it but not to the point of getting somebody else to spend hours of their time pouring through loads of code written by others ...


Acually, even you can do a git grep, the code is there and git offers its help. :) The trickier part by far is to find and understand the logic leading up to this… I kinda hope I can find something using git, to be honest. :D
Truth is, you could be the one person who noticed it, but according to the 90-9-1 principle, nine others who are reading this don't show themselves, hoping for enlightenment because they too use WordPress and face this issue. So let's get this out of the way of all AirVPN users.
You see, I might be spending time on your issue, but I also extend my own git expertise. You wouldn't do such analysis on your own code, because, well, you are supposed to know it in and out (if you don't, your project is kind of doomed). Everyone profits here, actually.

 
5 minutes ago, Psamathe said:

I posted here to check if AirVPN could be "intercepting" (in the same way e.g. Cloudflare does sometimes)


Think about why this sentence doesn't make any sense at all. If Cloudflare is intercepting, you get a Cloudflare browser check, correct? So how do you deduce that a Google CAPTCHA comes from AirVPN? Unless AirVPN is co-hosting Google reCaptcha itself, which I highly doubt, because a) it's Google and Google is muuuch bigger than AirVPN, so it probably won't rely on AirVPN's but on their own infrastructure, and b) it's closed source, certainly an anti-feature to AirVPN.
 
10 minutes ago, Psamathe said:

help is definitely appreciated but I can't expect AirVPN to be debugging Wordpress/WP themes/etc.


And AirVPN is not doing anything here, because I'm not an AirVPN representative, let alone a team member. :)

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

I'm certainly no expert but my thinking/supposition was about AirVPN "watching" activity from each client side connection and if it thought that activity was too BOT like instead of fetching the requested page it instead returns a reCaptcha which (if happy) forwards on to the requested page.

i.e. AirVPN is "in the middle" and when a page is requested it could return something different (e.g. reCaptcha) rather than fetching what was requested.

e.g. I request https://bogus.com/important-page.html but the software "in the middle" (on AirVPN servers) thinks "hang-on, things from client IP 1.2.3.4 have been a bit BOTty recently so instead of returning the requested page it does a sort of 302'ish divert to a reCaptcha page (set to jump on to the actually requested page once satisfied).

I've no idea if that is possible but I can see a possibility that would not require logging/tracing or anything that might break any of the anonymity aspects of a good VPN.

I tend to use Safari and whenever I've tried to look at the HTTP Headers I've always done it before requesting the page so the info is there. Next time I get one of these I'll check if the HTTP Headers are available and what they say (unless the source is identified first).

Share this post


Link to post
1 minute ago, Psamathe said:

I'm certainly no expert but my thinking/supposition was about AirVPN "watching" activity from each client side connection and if it thought that activity was too BOT like instead of fetching the requested page it instead returns a reCaptcha which (if happy) forwards on to the requested page.

i.e. AirVPN is "in the middle" and when a page is requested it could return something different (e.g. reCaptcha) rather than fetching what was requested.


This would completely obliterate trust in AirVPN. It's a violation of the Net Neutrality principle and the mission statement where it's referred to, leading to the conclusion that AirVPN is in fact lying. Also consider these:
  • We would've seen this much more often, and not only with Google.
  • It's rather nonsensical for AirVPN to DDoS-protect websites and services the users use while connected. It's a completely different business and the model of Cloudflare in the first place – people pay them so that Cloudflare is attacked, not them. If AirVPN was such a middle man, it would offer the VPN servers as protection against bad clients, which is almost certainly not their purpose, as you know.
No, no. Your problem stems from your browser trying to fetch a Google resource, and because VPN addresses are more likely to be shown CAPTCHAs, this is why you see them. Others connecting to your website might see this as well, and I can probably proof it to you by connecting to the same server you get a CAPTCHA from, then trying to browse to the same resource you are viewing in the screenshot.


Meanwhile, I've found a few references to multiple Google resources, including classics like AJAX and Fonts, which are part of a default installation. Humble example:

src/wp-includes/script-loader.php:708:  $scripts->add( 'prototype', 'https://ajax.googleapis.com/ajax/libs/prototype/1.7.1.0/prototype.js', array(), '1.7.1' );
src/wp-includes/script-loader.php:709:  $scripts->add( 'scriptaculous-root', 'https://ajax.googleapis.com/ajax/libs/scriptaculous/1.9.0/scriptaculous.js', array( 'prototype' ), '1.9.0' );
src/wp-includes/script-loader.php:710:  $scripts->add( 'scriptaculous-builder', 'https://ajax.googleapis.com/ajax/libs/scriptaculous/1.9.0/builder.js', array( 'scriptaculous-root' ), '1.9.0' );
src/wp-includes/script-loader.php:711:  $scripts->add( 'scriptaculous-dragdrop', 'https://ajax.googleapis.com/ajax/libs/scriptaculous/1.9.0/dragdrop.js', array( 'scriptaculous-builder', 'scriptaculous-effects' ), '1.9.0' );
src/wp-includes/script-loader.php:712:  $scripts->add( 'scriptaculous-effects', 'https://ajax.googleapis.com/ajax/libs/scriptaculous/1.9.0/effects.js', array( 'scriptaculous-root' ), '1.9.0' );
src/wp-includes/script-loader.php:713:  $scripts->add( 'scriptaculous-slider', 'https://ajax.googleapis.com/ajax/libs/scriptaculous/1.9.0/slider.js', array( 'scriptaculous-effects' ), '1.9.0' );
src/wp-includes/script-loader.php:714:  $scripts->add( 'scriptaculous-sound', 'https://ajax.googleapis.com/ajax/libs/scriptaculous/1.9.0/sound.js', array( 'scriptaculous-root' ), '1.9.0' );
src/wp-includes/script-loader.php:715:  $scripts->add( 'scriptaculous-controls', 'https://ajax.googleapis.com/ajax/libs/scriptaculous/1.9.0/controls.js', array( 'scriptaculous-root' ), '1.9.0' );
[…]
src/wp-includes/script-loader.php:1369:         $open_sans_font_url = "https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,300,400,600&subset=$subsets&display=fallback";


The context grep shows that in the line above a comment basically says "we don't bundle Prototype anymore but use external sources" and it was added in a commit replacing all those lines below it with versions pulled from Google (and removing the bundled libraries from /wp-includes/). It is a possibility, but then again, I don't know what exactly you are viewing, to be honest. Might also come from there.
Also, if it's really the culprit, the workaround would be to serve those libraries locally. No idea about Safari, but on Firefox, Chrome and Opera Decentraleyes can do this.

Your theme is mostly PHP, though. There's a reference to the Railway font from Fonts API, which is unlikely to be the problem. You'd see the CAPTCHA right after browsing to your site.

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

Many thanks. I'll have a look and see if those js scripts are being loaded (I don't remember seeing them before). Raleway is being used from Google but the Open Sans font is not so there may be some conditionality around it (I don't have sliders or special effects but I assume that does not mean some other function is not used. Never noticed a ot of what is being referenced. FYI site is https://psamathe.net

Again thanks for your time investigating. I'll have a check around tomorrow now.

(I didn't mean to accuse or suggest AirVPN was doing anything unscrupulous)

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...