
Re: Analyzing TOR-exitnodes for anomalies



Hello,
I don't have Vidalia, so I wasn't able to find out which exit-node I
used, but I found something really interesting. "wiki.noreply.org"
and "wiki.ubuntuusers.de" got replaced by
"http://wiki.noreply.org/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3dnoreply.org%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT"
and
"http://wiki.ubuntuusers.de/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3dubuntuusers.de%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT".
I just saw an empty page, but the source code was:
---------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><script>function
PrivoxyWindowOpen(){return(null);}</script><title>
	ubuntuusers.de
</title></head>
<frameset id="FrameSet">
	<frame name='main'
src='http://landing.domainsponsor.com?a_id=1637&domainname=ubuntuusers.de&adultfilter=off&popunder=off'
scrolling='no' frameborder='0' marginwidth='0' marginheight='0'
noresize='noresize' />
	<noframes>
		This page requires frames.
	</noframes>
</frameset>
<script>function PrivoxyWindowOpen(a, b, c){return(window.open(a, b,
c));}</script></html>
---------------------
Because I use NoScript with Firefox it was an empty page for me. But
the page "forum.ubuntuusers.de", "www.ubuntuusers.de" and
"www.noreply.org" weren't modified in any (visible) way. Some more
tests: https to the corrupted pages resulted in the 404 error. Going
to "www." instead of "wiki." resulted in the normal pages. And after
a while, I got advertising instead of empty pages. The URL was no
longer changed but exactly what I typed in ("http://wiki.noreply.org"
and "http://wiki.noreply.org"). The site for noreply.org had
advertising for the keywords "homes, for, sale, apartments, dating,
services, chat, rooms, airline, tickets" and the one for ubuntuusers
with the keywords "ubuntu, dedicated, linux, server, training,
operating, system, fedora, web, hosting". My Firefox made all
DNS-Requests through TOR. After a while, "wiki.noreply.org" appeared
normal but "wiki.ubuntuusers.de" was still advertising for a while.

What information is important for you to figure out what's going
on? (If it happens again)

Jan Stolzenburg
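
A check for the pattern reported above, as an added example that is not part of the original post: it flags a response whose final URL or frames hand the page to another site, and marks it as stronger evidence when that off-site URL names the requested domain (as `domainname=` does in the quoted source). The function names, the two-label `site()` simplification and the trimmed sample data are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample, trimmed from the URL and page source quoted in the post.
SAMPLE_URL = ("http://wiki.ubuntuusers.de/frame.aspx?u=http%3a%2f%2flanding."
              "domainsponsor.com%3fa_id%3d1637%26domainname%3dubuntuusers.de"
              "&r=SUSPECTED+UNDESIRABLE+BOT")
SAMPLE_BODY = ("<html><head><title>ubuntuusers.de</title></head><frameset>"
               "<frame name='main' src='http://landing.domainsponsor.com"
               "?a_id=1637&domainname=ubuntuusers.de' /></frameset></html>")

class FrameSources(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("frame", "iframe") and src:
            self.sources.append(src)

def site(host):
    """Simplification: treat the last two DNS labels as the site name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def foreign_frames(requested_host, final_url, body):
    """Return (url, reason) pairs for off-site content wrapped around a page."""
    wanted = site(requested_host)
    candidates = []
    # URLs carried in the query string of the page we ended up on (u=... above).
    for values in parse_qs(urlsplit(final_url).query).values():
        candidates += [v for v in values if v.startswith(("http://", "https://"))]
    parser = FrameSources()
    parser.feed(body)
    candidates += parser.sources
    findings = []
    for url in dict.fromkeys(candidates):  # de-duplicate, keep order
        parts = urlsplit(url)
        if not parts.hostname or site(parts.hostname) == wanted:
            continue  # relative or same-site frame: not suspicious here
        params = parse_qs(parts.query)
        names_us = any(wanted in v for vs in params.values() for v in vs)
        reason = "off-site content" + (" naming requested domain" if names_us else "")
        findings.append((url, reason))
    return findings

if __name__ == "__main__":
    for url, reason in foreign_frames("wiki.ubuntuusers.de", SAMPLE_URL, SAMPLE_BODY):
        print(reason, "->", url)
```

Plain off-site frames also occur on unmodified pages, so only the "naming requested domain" result is worth recording together with the exit node and timestamp of the request.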