
Re: FW: [Full-disclosure] Tool Release - Tor Blocker



On Sat, 3 Jun 2006, y0himba wrote:

This is an apache module? It's statically coded, whereas the nature of tor exit nodes is that the list will change. And this 403 would just tip off would-be "hackers" to use another method of circumvention.

What could be far more useful is a simple bash/perl/whatever script to pull in the list of tor nodes and drop them into a .htaccess file or, better, a firewall rule.

That is, of course, assuming we're into blocking anonymous nodes as opposed to actually running secure machines.

If your machine is listening on a public IP, and can be "hacked" on a completely valid TCP connection (which is the only kind TOR allows -- leaving out most of the tricks "hackers" use), then you've got bigger problems than tor.

-Dan



Item of interest?

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Jason Areff
Sent: Saturday, June 03, 2006 12:22 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Tool Release - Tor Blocker

It has come to our attention that the majority of tor users are not actually
from China but are rather malicious hackers that (ab)use it to keep their
anonymity. We have released a tool to stop users from utilizing this tool to
protect their identity from prosecution by a designated systems
administrator. Otherwise this puts the administrator in responsibility for
any malicious actions caused by said user. Forensics is left with a tor exit
node.

Recently our servers were hacked by a tor user and we were unable to
prosecute due to not being able to trace the source as the user was using
this malicious piece of software to keep his/her anonymity.

To mitigate most tor attackers we've written an apache module designed to
give tor users a 403 error when visiting a specific website.  We suggest all
administrators who do not wish a malicious tor user to visit and possibly
deface their website to enable the usage of this module. This may not get
all attackers, but hopefully it raises the security bar just a little bit
more to safeguard ourselves from hackers.

Thanks.

Jason Areff
CISSP, A+, MCSE, Security+


---------- security through obscurity isn't security ----------



CODE:





/* MOD_DETOR */
/* Blocks tor users from an Apache 2 server. */

#include <stdio.h>   /* fprintf, fflush */
#include <string.h>  /* strcmp */

#include "httpd.h"
#include "http_config.h"

static void mod_detor_register_hooks(apr_pool_t *p);
int mod_detor_method_handler(request_rec *rec);

module AP_MODULE_DECLARE_DATA detor_module = {
    STANDARD20_MODULE_STUFF,
    NULL, NULL, NULL, NULL, NULL,
    mod_detor_register_hooks
};

/* Register the handler so it runs ahead of other content handlers. */
static void mod_detor_register_hooks(apr_pool_t *p) {
    ap_hook_handler(mod_detor_method_handler, NULL, NULL, APR_HOOK_FIRST);
}

int mod_detor_method_handler(request_rec *rec) {
    conn_rec *connection = rec->connection;
    /* Client address of this connection, as a dotted-quad string. */
    const char *internetaddress = connection->remote_ip;
    /* Hard-coded exit-node addresses, terminated by NULL. */
    char *listof33[] = {
"62.178.28.11", "83.65.91.110", "86.59.21.38", " 202.173.141.155
<http://202.173.141.155> ", "69.70.237.137", "209.172.34.176",
"66.11.179.38", " 216.239.78.246", "198.161.91.196", "72.0.207.216", "
139.142.184.213 <http://139.142.184.213> ", "64.229.250.110",
"72.60.167.126", "24.36.132.185", " 70.68.168.93", "84.73.12.12",
"80.242.195.68", "84.72.104.77 ", "62.2.174.20", "211.94.188.225",
"166.111.249.39", " 218.58.83.2 <http://218.58.83.2> ", "218.72.40.145",
"219.142.175.208", "222.28.80.131", " 147.251.52.140", "81.0.225.179",
"213.220.233.15", " 85.178.229.8 <http://85.178.229.8> ", "84.58.246.2",
"80.143.198.147", "80.190.241.118", " 89.52.64.107 <http://89.52.64.107> ",
"85.214.38.21", "81.169.130.130", "83.171.170.169", " 62.75.129.201",
"217.160.177.118", "213.61.151.217", " 89.58.21.142 <http://89.58.21.142> ",
"217.172.187.46", "81.169.136.161", "213.239.202.232", " 62.75.222.205",
"84.16.234.153", "212.12.60.181", "84.167.55.157 ", "62.75.171.154",
"85.25.132.119", "217.190.228.18", " 212.112.231.83 <http://212.112.231.83>
", "213.133.99.185", "85.176.201.130", "212.112.241.137", " 131.188.185.41",
"84.175.229.31", "217.187.160.148", " 87.123.81.89 <http://87.123.81.89> ",
"212.112.235.83", "213.39.133.132", "85.176.92.87", " 212.114.250.252",
"217.160.220.28", "213.239.211.148", " 217.20.117.240
<http://217.20.117.240> ", "80.190.250.139", "212.112.241.159",
"217.224.170.117", "212.112.242.21", "212.112.228.2", "217.160.108.109", "
81.169.176.178 <http://81.169.176.178> ", "212.99.205.46", "85.31.186.86",
"85.10.240.250", " 84.141.183.62 <http://84.141.183.62> ", "84.56.199.101",
"87.106.2.7", "217.160.142.69", " 84.163.168.232 <http://84.163.168.232> ",
"213.239.217.146", "84.177.160.152", "62.75.151.195", " 81.169.176.135",
"85.214.29.61", "85.179.0.63", "85.31.187.90 ", "212.202.233.2",
"134.130.58.205", "81.169.132.19", " 212.88.142.147 <http://212.88.142.147>
", "212.168.190.8", "141.76.46.90", "80.237.203.179", " 193.28.225.8",
"88.198.253.18", "85.214.44.126", "217.160.95.117 ", "62.75.149.130",
"84.44.156.17", "81.169.180.180", " 85.14.216.20 <http://85.14.216.20> ",
"80.190.242.122", "212.112.242.159", "84.16.235.143", " 80.237.160.201",
"83.171.188.170", "217.84.3.39",
"80.190.251.24 ", "87.123.114.110", "194.95.224.201", "80.244.242.127", "
87.106.34.45 <http://87.106.34.45> ", "87.122.3.11", "83.171.173.229",
"85.10.194.117", " 217.160.132.150 <http://217.160.132.150> ",
"217.79.181.118", "212.60.156.94","213.239.212.45", " 62.75.240.77",
"217.172.183.219", "85.16.8.132", "85.14.220.126 ", "84.184.85.208",
"85.31.186.61", "217.172.49.89", " 213.203.214.130 <http://213.203.214.130>
", "81.169.178.215", "212.112.242.89", "85.214.29.234"," 213.239.194.175",
"85.14.216.207", "84.172.97.158", " 82.82.64.68 <http://82.82.64.68> ",
"195.71.99.214", "80.143.172.132", "217.20.118.52", " 217.160.170.132
<http://217.160.170.132> ", "84.56.64.207", "213.146.114.96",
"81.169.174.124", " 88.73.69.206", "84.156.61.231", "84.60.118.102",
"88.198.0.177 ", "129.187.150.131", "85.178.108.140", "217.160.109.40", "
85.176.106.4 <http://85.176.106.4> ", "84.19.182.23", "62.75.185.15",
"84.57.89.186", " 81.169.158.102 <http://81.169.158.102> ", "83.73.91.126",
"62.243.85.164", "85.57.137.206", " 63.246.145.70 <http://63.246.145.70> ",
"85.84.204.128", "84.77.51.149", "85.77.12.12", " 80.223.105.208
<http://80.223.105.208> ", "85.134.2.139", "82.141.90.19", "80.186.67.109",
" 85.76.189.225 <http://85.76.189.225> ", "193.184.9.66", "84.249.227.96",
"84.34.133.217", " 82.128.216.214 <http://82.128.216.214> ", "85.76.78.8",
"84.230.221.101", "212.246.66.120", " 80.222.75.74 <http://80.222.75.74> ",
"217.119.47.6", "82.128.214.254", "144.120.8.219", " 81.56.58.94
<http://81.56.58.94> ", "213.41.166.51", "82.228.48.220", "213.41.242.132",
" 82.227.178.224 <http://82.227.178.224> ", "81.56.123.123", "81.56.27.175",
"86.210.52.95", " 82.231.59.44 <http://82.231.59.44> ", "83.214.47.135",
"82.227.61.106", "82.67.175.80", " 82.240.188.187 <http://82.240.188.187> ",
"82.225.238.47", "88.121.142.36", "82.67.125.23", " 81.57.158.21
<http://81.57.158.21> ", "82.252.150.50", "212.56.108.4", "86.142.8.187", "
84.9.189.25 <http://84.9.189.25> ", "83.245.82.184", "81.5.172.97",
"195.62.29.176", " 217.155.230.230 <http://217.155.230.230> ",
"85.210.2.142", "193.110.91.7", "62.17.252.166", " 62.121.31.116
<http://62.121.31.116> ", "83.223.108.108", "87.80.96.52",
"213.228.241.143", " 83.245.15.87", "150.140.191.102","218.189.210.17",
" 203.218.52.238 <http://203.218.52.238> ", "195.245.255.11",
"212.24.170.230","213.253.212.106",
"193.202.88.3", "62.123.118.106", "212.239.118.83", " 143.225.178.7
<http://143.225.178.7> ", "84.221.103.103", "88.149.168.74", "151.8.40.35",
" 82.56.18.50 <http://82.56.18.50> ", "194.21.56.6", "82.60.153.158",
"159.149.57.14", " 62.48.34.110 <http://62.48.34.110> ", "84.221.75.14",
"59.134.15.153", "60.36.181.86", " 219.105.111.74 <http://219.105.111.74> ",
"83.243.88.133", "137.226.59.249", "217.19.27.52", " 82.92.225.162",
"194.109.206.212", "131.155.71.110", " 83.160.255.58 <http://83.160.255.58>
", "82.156.33.125", "62.163.136.55", "192.150.94.242", " 62.195.3.242",
"212.187.48.185", "194.109.109.109", " 193.16.154.187
<http://193.16.154.187> ", "80.126.37.100","195.85.225.145",
"192.42.113.248", " 80.127.66.162", "82.94.251.206", "137.120.180.65", "
137.120.180.50 <http://137.120.180.50> ", "195.169.149.45",
"81.191.185.124", "80.202.94.130", " 80.203.228.236", "84.16.193.140",
"80.203.211.14", "128.39.141.245 ", "60.234.229.82", "200.121.55.151",
"203.81.233.127", " 193.219.28.245 <http://193.219.28.245> ",
"83.28.65.161", "217.153.252.4", "82.76.242.24", " 80.252.209.6
<http://80.252.209.6> ", "62.119.159.118", "85.8.4.206", "83.227.72.118", "
213.113.166.221 <http://213.113.166.221> ", "83.219.212.101",
"85.225.168.113", "213.100.254.179", " 85.225.42.22", "82.182.109.115",
"217.28.206.143", " 213.112.252.71 <http://213.112.252.71> ",
"213.114.29.49", "194.249.212.110", "195.72.0.6", " 203.155.247.31
<http://203.155.247.31> ", "65.25.220.178", "67.23.145.190",
"68.227.90.101", " 70.17.122.103", "209.51.169.86", "70.187.87.248",
"70.92.178.34 ", "68.232.142.96", "24.170.55.120", "154.35.101.77", "
64.246.50.101 <http://64.246.50.101> ", "24.110.201.24", "68.7.121.40",
"147.97.50.171", " 68.167.210.203 <http://68.167.210.203> ", "18.246.2.33",
"68.173.37.136", "72.21.33.202", " 72.36.146.118 <http://72.36.146.118> ",
"207.150.167.67", "149.9.13.22", "71.133.227.217", " 216.55.190.201
<http://216.55.190.201> ", "68.40.192.5", "12.222.100.156", "216.39.146.25",
" 64.142.74.86 <http://64.142.74.86> ", "63.85.194.6", "216.130.255.201",
"146.201.211.64", " 69.60.122.49", "24.18.9.231", "18.78.1.38",
"70.84.114.153 ", "208.40.218.144", "64.122.12.107", "65.196.226.32", "
24.125.131.99 <http://24.125.131.99> ", "154.5.66.241", "65.13.27.20",
"204.253.162.11", " 129.21.228.88 <http://129.21.228.88> ", "70.110.70.238",
"137.148.5.13", "144.92.82.21", " 216.12.165.46 <http://216.12.165.46> ",
"64.90.164.74", "208.99.207.139", "68.110.103.159", " 64.5.53.220",
"168.103.224.74", "75.6.230.66", "72.177.87.57 ", "24.155.82.33",
"68.4.96.114", "72.226.235.186", " 66.219.161.166 <http://66.219.161.166> ",
"128.2.141.33", "209.237.225.10", "216.237.143.47", " 68.57.216.138",
"68.83.82.92", "206.225.83.5", "66.210.104.251 ", "216.55.149.21",
"69.41.174.196", "131.179.224.133", " 128.83.114.63 <http://128.83.114.63>
", "216.32.80.75", "66.93.170.242", "199.77.129.53", " 64.81.100.208
<http://64.81.100.208> ", "65.174.217.58", "69.205.41.136", "160.36.137.37",
" 208.14.31.5 <http://208.14.31.5> ", "24.111.174.178", "66.90.89.162",
"154.35.47.59", " 68.35.231.249 <http://68.35.231.249> ", "208.40.218.131",
"208.40.218.136", "64.74.207.50", " 70.232.120.165", "66.70.10.53",
"141.149.128.197", " 209.114.200.129 <http://209.114.200.129> ",
"154.35.85.17","208.185.251.121", "68.115.140.133", " 18.248.3.82",
"24.11.233.143", "128.2.132.175",
"70.85.75.42 ", "66.111.43.137", "140.247.60.64", "216.152.242.200", "
68.40.71.110 <http://68.40.71.110> ", "206.174.19.25", "69.163.32.140",
"24.175.184.12", " 71.32.251.76 <http://71.32.251.76> ", "24.131.177.71",
"207.210.65.130", "24.91.169.157", " 68.40.171.66", "71.242.124.82",
"18.244.0.188", "18.244.0.114 ", "18.152.2.242", "64.81.246.230",
"149.9.118.34", " 64.142.31.83 <http://64.142.31.83> ", "24.22.104.31",
"24.136.12.209", "64.34.180.99", " 68.102.99.221 <http://68.102.99.221> ",
"69.12.128.32", "69.93.158.203", "66.52.66.26", " 149.9.200.187
<http://149.9.200.187> ", "64.90.179.108", "70.16.37.14", "64.81.240.144", "
70.230.73.20 <http://70.230.73.20> ", "18.244.0.188", "71.108.145.137",
"65.254.37.163", " 71.248.176.151 <http://71.248.176.151> ",
"65.254.45.211", "66.167.32.85", "72.20.1.166", " 68.167.210.150
<http://68.167.210.150> ", "66.98.136.49", "65.60.136.107", "67.173.143.46",
" 209.8.40.177 <http://209.8.40.177> ", "24.10.127.243", "69.62.156.11",
"140.247.62.64", " 68.167.210.88 <http://68.167.210.88> ", "68.94.234.105",
"24.30.67.89", "140.247.62.119", " 68.171.51.78 <http://68.171.51.78> ",
"65.185.92.216", "68.20.30.211", "12.222.111.115", " 65.7.136.249
<http://65.7.136.249> ", "18.187.1.68", "138.236.226.221", "24.21.12.194", "
70.59.183.168 <http://70.59.183.168> ", "69.12.145.165", "128.30.28.19",
"24.117.110.24", " 69.51.152.43 <http://69.51.152.43> ", "134.53.170.128",
"198.252.201.22", "209.242.5.54", " 64.135.207.45", "154.35.1.8",
"206.124.149.146", "82.165.144.169 ", "24.250.192.233", "69.155.12.77",
"216.231.168.178", " 70.110.247.138 <http://70.110.247.138> ",
"66.146.193.33", "65.28.107.89", "24.94.2.121", " 130.126.141.153
<http://130.126.141.153> ", "71.56.235.157", "72.3.249.87",
"68.121.166.117", " 74.0.33.114 <http://74.0.33.114> ", "149.9.0.21",
"134.53.24.52", "38.99.66.86", " 216.27.178.157 <http://216.27.178.157> ",
"66.200.164.250", "168.150.251.36", "66.236.18.180", " 66.219.59.183",
"154.35.254.172",
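        NULL
    };
    int index = 0;
    int ast4 = 0;   /* set to 1 when the client address is in the list */

    /* Linear scan: exact string comparison against every entry. */
    while (listof33[index] != NULL) {
        if (strcmp(internetaddress, listof33[index]) == 0) {
            ast4 = 1;
            break;
        }
        index++;
    }

    if (ast4) {
        /* Log the hit and answer with 403. */
        fprintf(stderr, "TOR EXIT %s ATTEMPTED CONNECT!!!\n", internetaddress);
        fflush(stderr);
        return HTTP_FORBIDDEN;
    }
    /* Not in the list: let the next handler serve the request. */
    return DECLINED;
}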






--

"Hey Guys, does anyone know what 'poon tang' is?"

-C.S. Dave, July 8, 2K, about 12:30AM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
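
The script suggested in the reply above (pull in the list and drop it into a .htaccess file), as an added example that is not part of the original thread. It assumes the list has already been fetched to a local file, that the output file holds only this block, and Apache 2.4 access-control syntax; the function names, paths and sample addresses are assumptions.

```bash
#!/usr/bin/env bash
# Added example; list source, file paths and sample addresses are assumptions.

# Constructed sample list (documentation-range addresses, not real nodes),
# with the kinds of junk a downloaded or pasted list can carry.
sample_list() {
    cat <<'EOF'
# exit list
192.0.2.10
 198.51.100.7 
203.0.113.5 <http://203.0.113.5>
192.0.2.10
999.1.1.1
EOF
}

# Keep only lines that are exactly one well-formed IPv4 address, de-duplicated.
# Everything else is dropped, so a corrupted download cannot inject directives.
valid_ips() {
    tr -d ' \t\r' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' |
    sort -u
}

# Emit an Apache 2.4 block that allows everyone except the addresses on stdin.
htaccess_block() {
    echo '<RequireAll>'
    echo '    Require all granted'
    while read -r ip; do
        echo "    Require not ip $ip"
    done
    echo '</RequireAll>'
}

# Rebuild file $2 from list $1. An empty or unusable list leaves the old file
# in place; the new file is written to a temp name and renamed over the old one.
update_htaccess() {
    local list="$1" out="$2" tmp ips
    ips=$(valid_ips < "$list")
    [ -n "$ips" ] || { echo "no valid addresses, keeping $out" >&2; return 1; }
    tmp=$(mktemp "$out.XXXXXX") || return 1
    printf '%s\n' "$ips" | htaccess_block > "$tmp" &&
        chmod 644 "$tmp" && mv "$tmp" "$out"
}
```

The output of valid_ips can be fed to a firewall rule generator instead, which is the option the reply prefers.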