
Re: hack attempts of Tor?



More data...
JAP isn't the only one:

> grep "Identity key not as expected for router claiming" warnings.log | awk '{print $16;}' | sort | uniq -c | sort -n
      1 'jimmythegreek'
      1 'Stillwater'
      2 'fscktor'
      2 'wntorproxy'
      3 'airstripjp'
      3 'tormato'
      3 'veritas'
      4 'LicketySplit'
      7 'torstusoft02'
     10 'phobostest'
     14 'helpinguout'
     53 'HarrisonWest'
     54 'UoW'
     57 'mindcop'
     64 'kossutor'
     69 'LongBeachThreatLab'
     85 'PetesPlace'
    160 'JAP'

For JAP, there were 131 unique addresses out of the 160 log messages.
Total of 152 unique addresses for 593 log messages of this type.

Some of those messages go back to January of this year.  The first
message about JAP was from Apr 12th.  So, this isn't really new
behavior, just the references to JAP are new.

Here is a summary of the messages marked "connection_tls_finish_handshake":

    595 Identity key not as expected for router claiming to be '[HOST]' ([IP]:[PORT])
    189 Other side ([IP]:[PORT]) has a cert without a valid nickname. Closing.
     25 Other side, which claims to be router '[HOST]' ([IP]:[PORT]), has a cert but it's invalid. Closing.
     20 wanted $[HEX] but got [HEX]

But that's just data, I don't know what the purpose is.

Ron Davis wrote:
>Hello,
>
>In the past 24 hrs I also had a long list of warning messages about
>'JAP', just like the example below. The IP address was constantly
>changing.
>
>Cheers,
>Ron
>
>On Wed, 13 Apr 2005 11:12:10 -0300, alexyz@xxxxxxxxxx said:
>  
>>I've been getting the following warning messages a lot:
>>
>>Apr 13 10:11:39.984 [warn] connection_tls_finish_handshake(): Identity
>>key not as expected for router claiming to be 'JAP'
>>(131.251.37.132:4434)
>>
>>There IS a 'jap' nick in the list of tor nodes but the IP is 141.76.46.90
>>(currently, at least). This obviously doesn't look good.
>>
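
An added example, not part of the original messages: the per-nickname tally from the grep/awk pipeline above, extended to also count how many distinct source addresses claimed each nickname. The log lines are constructed samples (documentation-range addresses, and 'examplerelay' is a made-up nickname); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: tally identity-key mismatch warnings per claimed nickname,
# with the number of distinct source addresses behind each claim.

# Constructed sample lines in the format of the warning quoted in the thread.
# Addresses are documentation ranges; 'examplerelay' is a made-up nickname.
sample_log() {
cat <<'EOF'
Apr 12 09:01:10.101 [warn] connection_tls_finish_handshake(): Identity key not as expected for router claiming to be 'JAP' (192.0.2.10:4434)
Apr 12 09:05:42.733 [warn] connection_tls_finish_handshake(): Identity key not as expected for router claiming to be 'JAP' (198.51.100.7:4434)
Apr 12 09:06:03.250 [warn] connection_tls_finish_handshake(): Other side (203.0.113.5:9001) has a cert without a valid nickname. Closing.
Apr 13 10:11:39.984 [warn] connection_tls_finish_handshake(): Identity key not as expected for router claiming to be 'JAP' (192.0.2.10:4434)
Apr 13 10:20:00.000 [warn] connection_tls_finish_handshake(): Identity key not as expected for router claiming to be 'examplerelay' (203.0.113.77:9001)
EOF
}

# Reads a warnings log on stdin and prints "messages unique_addrs nickname",
# lowest count first. Assumes each matching line ends with 'nick' (ip:port).
mismatch_summary() {
  awk -v q="'" '
    /Identity key not as expected for router claiming to be/ {
      nick = $(NF - 1); addr = $NF
      gsub(q, "", nick)                  # drop the quotes around the nickname
      sub(/^\(/, "", addr)               # drop "(" ...
      sub(/:[0-9]+\)$/, "", addr)        # ... and ":port)" to leave the IP
      msgs[nick]++
      if (!((nick SUBSEP addr) in seen)) {
        seen[nick SUBSEP addr] = 1
        addrs[nick]++
      }
    }
    END { for (n in msgs) printf "%d %d %s\n", msgs[n], addrs[n], n }
  ' | sort -k1,1n -k3,3
}

sample_log | mismatch_summary
```

Against a real log the call is `mismatch_summary < warnings.log`; a nickname whose second column is far above 1 is being claimed from many addresses.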