
RE: question




Hi-

>
> So just so I understand correctly, you run a program (virus
> checker) that intercepts all network traffic and looks for bad
> stuff? When it finds the bad stuff, it saves it to a file
> somewhere?

Apparently, Norton Internet Security 2005 monitors http requests
going out from port 80. It seems to pick up anything that exits my
tor server also; in fact, on further examination, it is also doing
some privacy blocking on cookies.

>
> Is there any indication that you were actually infected? Or are you
> just wondering about why an infected file passed through your network?
>

I wasn't infected; the AV program caught it as a file in my temp
folder.  Now I'm not sure if the AV is sniffing the http packets and
then writing the bad stuff to a file in my tmp directory and deleting
it.  Does tor write to the temp directory at all?  This particular
trojan would only work through the M$ Help system in XP, and the
vulnerability was addressed with a patch release in January.


> >   A side-effect of my virus program is that it also logs all port
> > 80 exits from my tor server, and it had the following entries:
>
> Please note that this may be bad for the security of Tor and
> its users. Plus, there may be legal liability questions here; see
> http://tor.eff.org/eff/tor-legal-faq.html#ExitSnooping
>

I have SafeLogging=1 in my torrc, so I can't see directly what ip is
making the requests (nor would I want to).  I've turned off the
logging in NIS for cookies and web histories now; to totally
obfuscate and disable my ability to infer who does what, I will have
to disable connection logging also.

>
> >  Is there a way to verify this (i.e., force another machine to use my
> > tor server as the exit server and see what happens when I hit
> > this site)?
>
> Yes; see
> http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ChooseEntryExit
>

I will try this and see if I can duplicate the alert....

Thanks,
Bob
