
Re: [tor-talk] Question regarding some strange behavior on some exitnodes



On Sat, 27 Jun 2015 17:42:35 +0200
chloe <chloe@xxxxxxxxxxxxxxx> wrote:

> 
> Hello,
> 
> I have a question regarding some strange behavior on some nodes (11 of
> them).
> 
> 
> See this access-log:
> 
> 81.89.0.201 - - [25/Jun/2015 12:25:30] "GET /db/backups/965110218-2015 HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:10] "GET /db/backups/965110218-2015 HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:35] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:40] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:46] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:51] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:57] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:01:02] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:01:08] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> AE4E83B0BFDF679989D746C3B3DEF2EBCA35FA68 was using URL 965110218-2015
> 
> 
> Here we can see that node (AE4E83B0BFDF679989D746C3B3DEF2EBCA35FA68)
> with IP 81.89.0.201 first visits the unique URL
> "/db/backups/965110218-2015" and then around 1.5 hours later another IP
> visits the same URL and does some indexing?
> 
> The other 10 nodes are doing the exact same thing. I'm using Bottlepy as 
> "web server" so no User Agent grabbed, but still, this is a unique URL, 
> why do I have more than 2 visits on them? The IP 37.187.202.46 is not 
> part of Tor.
> 
> Could you please look into this problem? The affected exitnodes are:
> 
> Kind regards,
> Chloe

Probably one of those studies on "what people are up to, when they use Tor".

Two that I know of (in Russian):
http://habrahabr.ru/post/92787/ and
http://habrahabr.ru/company/xakep/blog/244485/

Also keep in mind those absolutely don't have to be public; there could be
much more sniffing and crawling going on than we could imagine. It does not
seem too evil, however, and I'd say that's not a reason to ban exit nodes.

-- 
With respect,
Roman
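
The check described in the quoted message, as an added example that is not code from the thread: it parses access-log lines in the format shown above and reports decoy URLs that are later requested by an IP other than the one that first fetched them. The `TOKEN_TO_EXIT` mapping, the function name, and the last log line (with its placeholder fingerprint) are assumptions made for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Decoy token -> exit relay it was fetched through (first pair is from the post).
TOKEN_TO_EXIT = {
    "965110218-2015": "AE4E83B0BFDF679989D746C3B3DEF2EBCA35FA68",
    "000000000-2015": "CONSTRUCTED-FINGERPRINT",  # constructed placeholder
}

# First three lines are from the post (wraps rejoined); the last is constructed.
SAMPLE_LOG = """\
81.89.0.201 - - [25/Jun/2015 12:25:30] "GET /db/backups/965110218-2015 HTTP/1.1" 200 5057
37.187.202.46 - - [25/Jun/2015 14:00:10] "GET /db/backups/965110218-2015 HTTP/1.1" 200 5057
37.187.202.46 - - [25/Jun/2015 14:00:35] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
192.0.2.10 - - [25/Jun/2015 12:30:00] "GET /db/backups/000000000-2015 HTTP/1.1" 200 5057
"""

LINE_RE = re.compile(r'^(\S+) - - \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \d+$')


def find_revisits(log_text, token_to_exit=TOKEN_TO_EXIT):
    """Report decoy URLs later requested by an IP other than the first one.

    Assumes the log is in chronological order.
    """
    first_seen, report = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip wrapped or non-request lines
        ip, stamp, target = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y %H:%M:%S")
        # Strip the query so "?C=N;O=D" sort requests count as the same URL.
        token = urlsplit(target).path.rsplit("/", 1)[-1]
        if token not in token_to_exit:
            continue
        first_ip, first_when = first_seen.setdefault(token, (ip, when))
        if ip != first_ip:
            entry = report.setdefault(
                token, {"exit": token_to_exit[token], "first_ip": first_ip, "revisits": []})
            entry["revisits"].append((ip, (when - first_when).total_seconds(), target))
    return report


if __name__ == "__main__":
    for token, info in find_revisits(SAMPLE_LOG).items():
        print(token, info["exit"], "first seen from", info["first_ip"])
        for ip, delay, target in info["revisits"]:
            print(f"  revisit by {ip} after {delay / 60:.0f} min: {target}")
```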
