Re: question



On Tue, Jul 19, 2005 at 04:54:10PM -0700, Bob wrote:
>   I'm running tor 0.1.0.11 win32 as an exit server.  I came home
> after a meeting today, and found a virus warning for the Trojan.phel
> virus in my temp directory.

So just so I understand correctly, you run a program (virus checker)
that intercepts all network traffic and looks for bad stuff? When it
finds the bad stuff, it saves it to a file somewhere?

Is there any indication that you were actually infected? Or are you just
wondering about why an infected file passed through your network?

>   A side-effect of my virus program is that it also logs all port 80
> exits from my tor server, and it had the following entries:

Please note that this may be bad for the security of Tor and
its users. Plus, there may be legal liability questions here; see
http://tor.eff.org/eff/tor-legal-faq.html#ExitSnooping

I'm working with the EFF lawyers to see if they can provide a more
detailed answer to this question, even though the laws in the US are
currently very ambiguous.

> Which coincides with the infection times, and is also a time when
> both my kids were at work, and I was not home.  Assuming that I do
> not have some other backdoor program (several different AV products
> say this system is clean), and I did not have a physical break-in at
> this computer (I hope I can assume this), I have to conclude that it
> was a result of the tor server serving the pages through this system.

Sure. Is this a problem? We expect all users to have ways on their own
of dealing with viruses, for example by not running software that is
vulnerable to them.

>  Is there a way to verify this (i.e., force another machine to use my
> tor server as the exit server and see what happens when I hit this
> site)?

Yes; see
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ChooseEntryExit

Hope this helps,
--Roger