
Re: Someone manipulating Tor routing?



From: Peter Palfrader Date: Fri, 17 Feb 2006 16:28:10 +0100

On Fri, 17 Feb 2006, Mike Zanker wrote:

> On 17/02/2006 09:06, Sebastian Wiesinger wrote:
>
> > 200.222.72.146 is also a real POP3 server.
>
> Yes - that was the same IP address mine connected to.

That's a Tor server, or at least tries to be.

[..]
Feb 17 15:19:55.308 [info] connection_read_to_buf(): tls error. breaking (nickname $3AE0FCB8B1A8C9AB66B149C15EEED0EEC6EED262, address 200.222.72.146).

No, it _really_ is a POP server:

Z:\csrrt-malware>echo USER guest | nc -v -v -w 5 200.222.72.146 110
200.222.72.146: inverse host lookup failed:  : Operation not permitted
(UNKNOWN) [200.222.72.146] 110 (pop3) open
+OK ready
+OK Password required for guest.
sent 13, rcvd 47

Although it was at one stage a Tor node or client:

G:\WINNT\Internet Logs>grep "200.222.72" ZALog.txt
FWIN,2005/12/27,13:42:28 +0:00 GMT,200.222.72.146:2843,82.18.35.54:9001,TCP (flags:S)


And a little while later..

FWIN,2006/01/06,04:56:01 +0:00 GMT,200.222.72.146:0,82.18.35.54:0,ICMP (type:3/subtype:3)
FWIN,2006/01/06,10:50:11 +0:00 GMT,200.222.72.146:0,82.18.35.54:0,ICMP (type:3/subtype:3)
FWIN,2006/01/06,11:56:36 +0:00 GMT,200.222.72.146:0,82.18.35.54:0,ICMP (type:3/subtype:3)


It's also got some kind of webmail app on port 80.

It's likely that the operator set an ORPort of 110 and it tries to check if it's
reachable. Which it isn't. Hopefully the owner will look into their log some
time.

But if it isn't listed in the directory, how come someone's trying to route to it?


I've seen it happen before, to other destination hosts. One on cox.net, another which was iirc a domestic dsl line in germany. Again, not listed in the directory. Strange. Here's the cox.net one:

G:\WINNT\Internet Logs>grep "68.110.196.110" ZALog.txt
PE,2005/11/16,12:46:11 +0:00 GMT,tor.exe,68.110.196.110:110,N/A
PE,2005/11/16,12:46:11 +0:00 GMT,tor.exe,68.110.196.110:110,N/A
PE,2005/11/23,09:22:57 +0:00 GMT,tor.exe,68.110.196.110:110,N/A

Which /is/ listed as a tor node on one web page I found

http://www.google.co.uk/search?hl=en&hs=mcq&lr=&client=firefox-a&rls=org.mozilla:en-US:official&q=%2268.110.196.110%22
-> http://sv2ch.baila6.jp/torlist.txt

02/18/06 18:12:04 dig 68.110.196.110 @ 194.168.4.100
Dig 110.196.110.68.in-addr.arpa@xxxxxxxxxxxxx ...
Non-authoritative answer
Recursive queries supported by this server
Query for 110.196.110.68.in-addr.arpa type=255 class=1
 110.196.110.68.in-addr.arpa PTR (Pointer) ip68-110-196-110.ri.ri.cox.net

..but doesn't seem to be there any more. I'm still not sure what's going on.

      DaveK
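The two checks the thread does by hand (poking port 110 with a plaintext POP3 line and grepping the ZoneAlarm log for the address) can be scripted. The following is an added example written for this page; it is not code from the thread, from Tor or from ZoneAlarm. The banner classifier assumes only what the page shows: a POP3 server greets with "+OK" before reading anything, while a Tor ORPort speaks TLS and so sends nothing until it sees a ClientHello (a plaintext line typically draws a close or a TLS alert). The log parser assumes the FWIN/PE comma-separated layout visible in the quoted ZALog.txt lines; the sample lines are copied from the thread and are constructed test input, not a live log. `grab_banner` needs network access and is only called from the `__main__` guard.

```python
"""Tell a plaintext POP3 listener from a TLS (e.g. Tor ORPort) listener, and pull
the records for one IP out of a ZoneAlarm-style log. Added example, not from the thread."""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Optional

# --- 1. What does the port say when poked like a POP3 client? ----------------

POP3_PROBE = b"USER guest\r\n"   # same plaintext probe the nc one-liner in the thread sends


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a listener returns after a plaintext POP3 probe."""
    if not data:
        return "silent"                      # no greeting at all: not a POP3 server
    if data.startswith(b"+OK") or data.startswith(b"-ERR"):
        return "pop3"                        # POP3 status line, as on 200.222.72.146:110
    # A TLS record starts with a content-type byte followed by a 0x03 0x0N version.
    if len(data) >= 3 and data[1] == 0x03 and data[2] <= 0x04:
        if data[0] == 0x15:
            return "tls-alert"               # TLS endpoint rejecting our plaintext
        if data[0] == 0x16:
            return "tls-handshake"           # TLS endpoint answering a real ClientHello
    return "unknown"


def pop3_lines(data: bytes) -> list[str]:
    """Split a POP3 reply buffer into its individual status lines."""
    return [line for line in data.decode("ascii", "replace").split("\r\n") if line]


def grab_banner(host: str, port: int = 110, timeout: float = 5.0) -> bytes:
    """Live probe (needs network): connect, send the POP3 probe, return what comes back
    until the peer closes or the read times out (a POP3 server waits for PASS)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(POP3_PROBE)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


# --- 2. Correlate with the ZoneAlarm log --------------------------------------

@dataclass
class ZaRecord:
    kind: str             # FWIN = inbound packet logged; PE = a local program connected out
    timestamp: str        # "YYYY/MM/DD HH:MM:SS +0:00 GMT"
    program: Optional[str]
    src: Optional[str]    # "ip:port" for FWIN, absent for PE
    dst: str              # "ip:port"
    proto: str            # "TCP (flags:S)", "ICMP (type:3/subtype:3)" or "N/A"


ICMP_RE = re.compile(r"ICMP \(type:(\d+)/subtype:(\d+)\)")

# Constructed sample: the lines quoted in the thread, not a real log file.
SAMPLE_ZALOG = [
    "FWIN,2005/12/27,13:42:28 +0:00 GMT,200.222.72.146:2843,82.18.35.54:9001,TCP (flags:S)",
    "FWIN,2006/01/06,04:56:01 +0:00 GMT,200.222.72.146:0,82.18.35.54:0,ICMP (type:3/subtype:3)",
    "PE,2005/11/16,12:46:11 +0:00 GMT,tor.exe,68.110.196.110:110,N/A",
    "PE,2005/11/23,09:22:57 +0:00 GMT,tor.exe,68.110.196.110:110,N/A",
]


def parse_zalog(lines) -> list[ZaRecord]:
    """Parse FWIN and PE lines of the assumed ZoneAlarm layout; other record types are skipped."""
    out = []
    for line in lines:
        f = line.strip().split(",")
        if len(f) < 6:
            continue
        stamp = f"{f[1]} {f[2]}"
        if f[0] == "FWIN":
            out.append(ZaRecord("FWIN", stamp, None, f[3], f[4], f[5]))
        elif f[0] == "PE":
            out.append(ZaRecord("PE", stamp, f[3], None, f[4], f[5]))
    return out


def host_of(endpoint: str) -> str:
    return endpoint.rsplit(":", 1)[0]


def records_for_ip(lines, ip: str) -> list[ZaRecord]:
    """The equivalent of `grep "<ip>" ZALog.txt`, but matching on the address field only."""
    hits = []
    for r in parse_zalog(lines):
        ends = [host_of(r.dst)] + ([host_of(r.src)] if r.src else [])
        if ip in ends:
            hits.append(r)
    return hits


def explain(rec: ZaRecord) -> str:
    """One-line reading of a record; ICMP type 3 code 3 is 'destination/port unreachable'."""
    m = ICMP_RE.match(rec.proto)
    if m and m.groups() == ("3", "3"):
        return f"{rec.timestamp}: {host_of(rec.src)} sent ICMP port-unreachable"
    if rec.kind == "PE":
        return f"{rec.timestamp}: {rec.program} connected out to {rec.dst}"
    return f"{rec.timestamp}: inbound {rec.proto} from {rec.src} to {rec.dst}"


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]; without arguments only the sample log is shown.
    if len(sys.argv) > 1:
        data = grab_banner(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 110)
        print(classify_banner(data), pop3_lines(data))
    for rec in records_for_ip(SAMPLE_ZALOG, "200.222.72.146"):
        print(explain(rec))
```

Run against the address in the thread, the live probe should report `pop3` with the two `+OK` lines; a working Tor ORPort would instead report `silent` or `tls-alert`, and a closed port raises a connection error from `socket.create_connection`.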