Re: [tor-relays] Tor stop / reboot by itself + weird logs (hacking?)

Subject: Re: [tor-relays] Tor stop / reboot by itself + weird logs (hacking?)

From: niftybunny <abuse-contact@xxxxxxxxxxxxxxxxxxxxxxx>

Date: Thu, 7 Nov 2019 11:16:20 +0100

Delivery-date: Thu, 07 Nov 2019 10:46:24 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1573121781; s=strato-dkim-0002; d=to-surf-and-protect.net; h=Message-Id:In-Reply-To:To:References:Date:Subject:From: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=tPml3j7EUUz/o2bo0N6Xz2/MTn8QZF1l1dteZSvNhSM=; b=WYlctbm8P2CjFZM0ZWat2sYkr/gGFog9zuvX4WxgUFidRn6/WAUlp4D3w/OBBkYgSe yiOALMaUMLA0rQ5pHB0q7HMI4/eB5yF1ykwyDPrZOOaINUEAHrcpPGspeH098Di+YSWS G1WsMEof/+z4wlN+X2FiGL3D5tnii5OoMeBokiWPxU2/77u80PTpYqkY2phIEpmiYTBW xII5vm1U4llR2+0AF+LBHmmX/bqxtIm25PQj68t+oHYWsqvSgwfvHF+I5RZroJ16EMUP MWnRF7AwvAjTqq5phEae/vEicLCCgqzmwC4gTMxo3J94FvecgRaEDLXCuNV92VAmGqAq 3sjQ==

In-reply-to: <NmXmpMv8dHAvFZ-_E1fvgRa2Sft5UNyDl49eGqKUMfwiPIiF4LZoTyFdDMYVn823NM6QO8xyQrZEPtO59v7M9pXY7nN117xQGfTjYwewhCg=@protonmail.com>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <NmXmpMv8dHAvFZ-_E1fvgRa2Sft5UNyDl49eGqKUMfwiPIiF4LZoTyFdDMYVn823NM6QO8xyQrZEPtO59v7M9pXY7nN117xQGfTjYwewhCg=@protonmail.com>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

100% normal. Pick a strong pw or an SSH key and you are fine.

On 6. Nov 2019, at 19:44, David Strappazon <david.strappazon@xxxxxxxxxxxxxx> wrote:

Hello everyone,

i'm running a bridge on a raspberry Pi 3B+ on Kali Linux.

Everything looks fine but after checking the logs i noticed that the service rebooted by itself in the middle on the night:

Nov 06 03:51:09.000 [notice] Interrupt: we have stopped accepting new connections, and will shut down in 30 seconds. Interrupt again to exit now.
Nov 06 03:51:10.000 [notice] Delaying directory fetches: We are hibernating or shutting down.
Nov 06 03:51:39.000 [notice] Clean shutdown finished. Exiting.
etc...

Then after that, it works again (will check tonight /tomorrow if it reboots again).

I'm trying to find why it is rebooting but without success. I checked all logs possible and also notice this in journalctl -xe:

nov. 06 19:37:58 kali-pi sshd[15920]: Failed password for root from XXXXX port 37494 ssh2
nov. 06 19:38:03 kali-pi sshd[15920]: Failed password for root from XXXX port 37494 ssh2
nov. 06 19:38:08 kali-pi sshd[15920]: Failed password for root from XXXXX port 37494 ssh2
nov. 06 19:38:13 kali-pi sshd[15920]: Failed password for root from XXXXX port 37494 ssh2
nov. 06 19:38:18 kali-pi sshd[15920]: Failed password for root from XXXXX port 37494 ssh2
nov. 06 19:38:18 kali-pi sshd[15920]: error: maximum authentication attempts exceeded for root from 21>
nov. 06 19:38:18 kali-pi sshd[15920]: Disconnecting authenticating user root 2XXXX port 37494: >
nov. 06 19:38:18 kali-pi sshd[15920]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ss>
nov. 06 19:38:18 kali-pi sshd[15920]: PAM service(sshd) ignoring max retries; 6 > 3
nov. 06 19:38:21 kali-pi sshd[15950]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid>
nov. 06 19:38:22 kali-pi sshd[15953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid>
nov. 06 19:38:23 kali-pi sshd[15950]: Failed password for root from XXXX port 64786 ssh2
nov. 06 19:38:23 kali-pi sshd[15953]: Failed password for root from XXXXX port 6739 ssh2

There's two different IP that i don't know. A whois says it's a Chinese provider...

Should i consider that someone is trying to break into my home network?

Sent with ProtonMail Secure Email.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays