-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi all, I operate the "cave" router from my home DSL connection, and
from time to time it will get suspended because CenturyLink will
notice malicious traffic from viruses routed through the Tor network.
Most of the time I can block these because they will tell me the
destination IP addresses. But lately my service has been getting
suspended because of this "zeus" virus, and the reports my ISP sends
don't have any destination IP addresses. Below is a sample report of
what they send me; you can see with the 'conficker' one there is a
dst address that I can block, but with zeus there is practically no
data. (The IP Address column is what my IP address was at the time.)
I have asked CenturyLink for more info, specifically destination IP
addresses, but this is all they give me. So does anyone know of a way
to block this zeus through Tor? Thanks
Date/Time Seen (GMT)  IP Address       Infection Data (*)
--------------------  ---------------  ------------------------------
2012-08-20 00:56:32   67.1.15.107      infection => 'zeus',
                                       addl_data => '/config.bin'
2012-07-30 15:06:13   97.115.197.107   infection => 'zeus',
                                       addl_data => '/zs/config.bin'
2012-07-26 23:17:48   97.115.196.146   infection => 'conficker',
                                       subtype => 'downadup', src_port => '49510', dst_port => '80',
                                       http_host => '149.20.56.33', url => 'GET /search?q=0 HTTP/1.1',
                                       http_agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
                                       InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
                                       3.5.30729)', dst_ip => '149.20.56.33',
                                       sourceSummary => 'Sinkhole HTTP Drone Report'
2012-07-04 18:46:35   97.115.192.31    infection => 'zeus',
                                       addl_data => '/update32.php'
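The destination-IP blocking described in the post, as an added example that is not part of the original message: a Python script that parses ISP report lines in the shape of the one quoted above, emits a torrc `ExitPolicy reject` line for every record that carries a `dst_ip`, and separately lists the records (the zeus ones) that give only a URL path and therefore offer nothing an exit policy can act on. The sample report embedded in the block is constructed from the records in the post, not a live feed; the function names are my own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the shape of the ISP report quoted in the post
# (same records, reflowed). It is not a real report feed.
SAMPLE_REPORT = """\
Date/Time Seen (GMT) IP Address Infection Data (*)
-------------------- --------------- ------------------------------
2012-08-20 00:56:32 67.1.15.107 infection => 'zeus',
addl_data => '/config.bin'
2012-07-30 15:06:13 97.115.197.107 infection => 'zeus',
addl_data => '/zs/config.bin'
2012-07-26 23:17:48 97.115.196.146 infection => 'conficker',
subtype => 'downadup', src_port => '49510', dst_port => '80',
http_host => '149.20.56.33', url => 'GET /search?q=0 HTTP/1.1',
http_agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)', dst_ip => '149.20.56.33', sourceSummary => 'Sinkhole HTTP
Drone Report'
2012-07-04 18:46:35 97.115.192.31 infection => 'zeus',
addl_data => '/update32.php'
"""

# A record starts with a timestamp and the relay's IP; anything else is a
# continuation of the previous record's "key => 'value'" list.
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$"
)
KEY_VALUE = re.compile(r"(\w+) => '([^']*)'")


def parse_report(text: str) -> List[Dict[str, str]]:
    """Turn the report into one dict per record, keyed by the report's own field names."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        m = RECORD_START.match(line)
        if m:
            records.append({"seen": m.group(1), "src_ip": m.group(2), "_raw": m.group(3)})
        elif records:  # header and separator lines precede any record and are dropped
            records[-1]["_raw"] += " " + line
    for rec in records:
        raw = rec.pop("_raw")
        rec.update({k: v for k, v in KEY_VALUE.findall(raw)})
    return records


def exit_policy_rejects(records: List[Dict[str, str]]) -> List[str]:
    """torrc ExitPolicy lines for every record that names a destination IP.

    The address is validated before it is written into a config line, so a
    malformed or hostile field in the report cannot inject anything else.
    """
    seen: List[str] = []
    for rec in records:
        ip = rec.get("dst_ip")
        if not ip or ip in seen:
            continue
        ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
        seen.append(ip)
    return [f"ExitPolicy reject {ip}:*" for ip in seen]


def unblockable(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records with no dst_ip at all (only a path such as /config.bin), which an
    exit policy cannot act on because it matches addresses and ports, not URLs."""
    return [rec for rec in records if "dst_ip" not in rec]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for line in exit_policy_rejects(recs):
        print(line)
    for rec in unblockable(recs):
        print(f"# no dst_ip for {rec['infection']} seen {rec['seen']}: {rec.get('addl_data')}")
```

Appending the generated `ExitPolicy reject` lines to torrc and sending the Tor process a HUP applies them; the zeus records yield nothing because the report only names a path on the C2 server, which is exactly the gap the post is asking about.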