
Re: Someone manipulating Tor routing?

From: Peter Palfrader Date: Fri, 17 Feb 2006 16:28:10 +0100

On Fri, 17 Feb 2006, Mike Zanker wrote:

> On 17/02/2006 09:06, Sebastian Wiesinger wrote:
> > is also a real POP3 server.
> Yes - that was the same IP address mine connected to.

That's a Tor server, or at least tries to be.

Feb 17 15:19:55.308 [info] connection_read_to_buf(): tls error. breaking (nickname $3AE0FCB8B1A8C9AB66B149C15EEED0EEC6EED262, address

No, it _really_ is a POP server:

Z:\csrrt-malware>echo USER guest | nc -v -v -w 5 110 inverse host lookup failed:  : Operation not permitted
(UNKNOWN) [] 110 (pop3) open
+OK ready
+OK Password required for guest.
sent 13, rcvd 47

Although it was at one stage a Tor node or client:

G:\WINNT\Internet Logs>grep "200.222.72" ZALog.txt
FWIN,2005/12/27,13:42:28 +0:00 GMT,,,TCP (flags:S)

And a little while later..

FWIN,2006/01/06,04:56:01 +0:00 GMT,,,ICMP (type:3/subtype:3)
FWIN,2006/01/06,10:50:11 +0:00 GMT,,,ICMP (type:3/subtype:3)
FWIN,2006/01/06,11:56:36 +0:00 GMT,,,ICMP (type:3/subtype:3)

It's also got some kind of webmail app on port 80.

It's likely that the operator set an ORPort of 110 and it tries to check if it's
reachable. Which it isn't. Hopefully the owner will look into their log some

But if it isn't listed in the directory, how come someone's trying to route to it?

I've seen it happen before, to other destination hosts. One on cox.net, another which was IIRC a domestic DSL line in Germany. Again, not listed in the directory. Strange. Here's the cox.net one:

G:\WINNT\Internet Logs>grep "" ZALog.txt
PE,2005/11/16,12:46:11 +0:00 GMT,tor.exe,,N/A
PE,2005/11/16,12:46:11 +0:00 GMT,tor.exe,,N/A
PE,2005/11/23,09:22:57 +0:00 GMT,tor.exe,,N/A

Which /is/ listed as a tor node on one web page I found

-> http://sv2ch.baila6.jp/torlist.txt

02/18/06 18:12:04 dig @
Dig ...
Non-authoritative answer
Recursive queries supported by this server
Query for type=255 class=1 PTR (Pointer) ip68-110-196-110.ri.ri.cox.net

..but doesn't seem to be there any more. I'm still not sure what's going on.
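The check the thread does by hand (nc to port 110 and look at the greeting) as an added Python example; this is not code posted by any participant in the thread. It relies only on the protocol facts discussed above: a POP3 server greets first with "+OK", whereas a Tor ORPort, like any TLS server, stays silent until the client sends a ClientHello and then answers with a TLS handshake record. The sample banners and the throwaway localhost listener are constructed so the example runs offline; a successful TLS handshake is reported as "tls", which is consistent with a Tor ORPort but does not by itself prove one.

```python
import socket
import ssl
import threading

# Constructed sample data (not captured from the hosts in the thread).
POP3_BANNER = b"+OK ready\r\n"
# First bytes of a TLS handshake record: content type 0x16, version 3.x.
TLS_HANDSHAKE_PREFIX = b"\x16\x03\x01\x00\x4a\x02\x00"


def classify_first_bytes(data: bytes) -> str:
    """Classify a service by the first bytes it sends (or sends back).

    "pop3"    - a POP3 greeting ("+OK ...") or refusal ("-ERR ...")
    "tls"     - a TLS handshake record, as a Tor ORPort returns
    "silent"  - nothing arrived (a TLS server waits for the client)
    "unknown" - anything else
    """
    if data.startswith(b"+OK") or data.startswith(b"-ERR"):
        return "pop3"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if not data:
        return "silent"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, wait for a banner, and if none arrives try a TLS handshake.

    Returns "pop3", "tls", "silent", "unknown" or "closed".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(64)
        except socket.timeout:
            banner = b""  # no greeting: the peer expects us to speak first
        except OSError:
            return "closed"
        verdict = classify_first_bytes(banner)
        if verdict != "silent":
            return verdict
        # Nothing greeted us, so speak TLS ourselves, as a Tor client would.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # relays present self-signed certs
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls"  # handshake completed: a TLS-speaking service
        except ssl.SSLError:
            return "unknown"  # replied, but not with a TLS ServerHello
        except OSError:
            return "closed"


def start_fake_pop3(banner: bytes = POP3_BANNER) -> int:
    """Start a throwaway localhost listener that greets with `banner`.

    Exists only so probe() can be exercised offline; returns the port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed listener; replace the
    # host and port with the address you are actually investigating.
    port = start_fake_pop3()
    print("127.0.0.1:%d ->" % port, probe("127.0.0.1", port))
```

A "pop3" verdict means the host really is a mail server, whatever nickname or fingerprint a Tor client's log attributes to it; a "tls" verdict only tells you something TLS-capable is listening, so the next step is to compare the host against the directory rather than assume it is a relay.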