Re: question
On Tue, Jul 19, 2005 at 04:54:10PM -0700, Bob wrote:
> I'm running tor 0.1.0.11 win32 as an exit server. I came home
> after a meeting today, and found a virus warning for the Trojan.phel
> virus in my temp directory.

So just so I understand correctly, you run a program (virus checker)
that intercepts all network traffic and looks for bad stuff? When it
finds the bad stuff, it saves it to a file somewhere?

Is there any indication that you were actually infected? Or are you just
wondering about why an infected file passed through your network?

> A side-effect of my virus program is that it also logs all port 80
> exits from my tor server, and it had the following entries:

Please note that this may be bad for the security of Tor and
its users. Plus, there may be legal liability questions here; see
http://tor.eff.org/eff/tor-legal-faq.html#ExitSnooping

I'm working with the EFF lawyers to see if they can provide a more
detailed answer to this question, even though the laws in the US are
currently very ambiguous.

> Which coincides with the infection times, and is also a time when
> both my kids were at work, and I was not home. Assuming that I do
> not have some other backdoor program (several different AV products
> say this system is clean), and I did not have a physical break-in at
> this computer (I hope I can assume this), I have to conclude that it
> was a result of the tor server serving the pages through this system.

Sure. Is this a problem? We expect all users to have ways on their own
of dealing with viruses, for example by not running software that is
vulnerable to them.

> Is there a way to verify this (i.e., force another machine to use my
> tor server as the exit server and see what happens when I hit this
> site)?

Yes; see
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ChooseEntryExit

Hope this helps,
--Roger