[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Fwd: [sorbs.net #51340] Need help with 81.169.156.174 (support form)



SORBS lists tor entry nodes as "trojaned machines" in their black lists.

My reply to them:

I do not think that you understand how tor works.

tor is an anonymous proxy network. Each node lets users connect to the
network, then routes packets around the network in a random and encrypted
fashion and then an exit node makes a connect to the service.

Even if I blocked NNTP and IRC on my node, a connect to my node would yield a
successful IRC and NNTP connect as long as any node on tor has NNTP and IRC
open. That is how tor is designed to work.

Anyway, my node is neither trojaned nor a zombie. Please unlist my tor nodes
IP from your blacklist and make sure it does not get on it again. This is a
managed tor node with a listed contact address and requests for blocked exit
IPs are honored.

Kristian

----------  Forwarded Message  ----------

Subject: [sorbs.net #51340] Need help with 81.169.156.174 (support form)
Date: Monday 31 October 2005 00:31
From: "SORBS Support (Matthew Sullivan)" <support@xxxxxxxxx>
To: kris@xxxxxxxxxxxx

> [kris@xxxxxxxxxxxx - Fri Oct 28 16:21:57 2005]:
>
> Name: Kristian KÃhntopp
> IP: 81.169.156.174
> rDNS: [TTL 0] NXDOMAIN
> Domain: any pointing to the above ip, e.g. koehntopp.de, k7p.de and
> others.
> Type: person
> Primary OS: unix
> Skill Level: admin
> DB: hacked/vulnerable server database
> Additional Information:
>
> Your support system will not show me the "evidence" you have that made
> you listing my machine as hacked or trojaned, so I can only guess why
> you are doing this.
>
> The machine is running
>
> h3118:~ # lsof -i -n -P| awk '/LISTEN/ { print $1, $(NF-2) }'| sort |
> uniq -c | sort -rn
>      65 tor TCP

I can almost certainly say it's the Tor Node.

You have 2 choices (assuming you want to continue running tor):

1/ Seperate your mailserver from your Tor node.
2/ Stop Tor access to IRC, and NNTP as well as SMTP.


The SORBS servers look for open proxy servers and IRC bound trojans.  We
test to SMTP and NNTP on the standard ports, as well as listening to IRC
server connections for trojans.

Regards,

Mat