On Mon, Mar 07, 2005 at 10:15:40AM +0100, Julien Orange wrote:

> we noticed a few PHP attacks on our web server (212.43.226.115) this
> weekend, and those attacks came from the IP address 140.247.62.119
> ( serifos.eecs.harvard.edu ), which seems to be your server.

I do indeed administer serifos.eecs.harvard.edu, which serves as a Tor exit node.

http://serifos.eecs.harvard.edu:8000/cgi-bin/exit.pl

I know nothing of these attacks, and as far as I can tell, serifos.eecs.harvard.edu is not compromised. I conclude that all attacks on your web server appearing to originate from serifos.eecs.harvard.edu are actually originating from the Tor network.

> Please do the necessary in order to stop those hacking attempts.
> I guess someone with bad intentions used your TOR service to attack our
> server; we would like to have the IP of this hacker.

This conclusion seems likely. Tor is an anonymity system designed to separate routing information from identity. Even if I were to log all connections through Tor, which I do not, I would at best be able to provide the IP address of the previous Tor router in the chain, not the originating IP address. This is by design; if I could provide routing information for the origin of the datagram, then Tor would be broken. For more information, please refer to the following URL.

http://tor.eff.org/

> As advice, I would suggest you filter access to the services on
> your servers (I noticed that http://140.247.62.119:8000 was available
> from the web).

I appreciate your concern, but this service and others are intended to be publicly available. (Though please let me know if you know of something that allows arbitrary command execution.)

Cheers,
Geoff Goodell
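The reply above rests on one property of onion routing: each relay peels a single layer of encryption and learns only the hop a cell came from and the hop it goes to, so the exit relay can at best name the previous relay, never the originating client. The following simulation is an added illustration written for this page; it is not Tor's protocol or code, the relay names, keys, client address and request are constructed placeholders, and the SHA-256 counter-mode XOR stands in for Tor's real ciphers purely to keep the example dependency-free.

```python
"""Toy onion-routing simulation (added illustration, not Tor's real protocol).

Each relay holds a key shared with the client. The client wraps the request in
one layer of encryption per relay; each relay peels one layer and learns only
the hop it came from and the hop it must forward to. The exit relay can log the
previous relay and the destination, but never the client's address.
"""
import hashlib
from dataclasses import dataclass, field


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode keystream.
    Encryption and decryption are the same operation. Illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Relay:
    name: str
    key: bytes                                   # shared with the client (constructed)
    seen: list = field(default_factory=list)     # (previous hop, next hop) pairs this relay could log

    def handle(self, prev_hop: str, cell: bytes):
        """Peel one layer: learn the next hop, return the remaining payload."""
        plain = keystream_xor(self.key, cell)
        next_hop, _, payload = plain.partition(b"|")
        self.seen.append((prev_hop, next_hop.decode()))
        return next_hop.decode(), payload


def build_onion(path, destination: str, request: bytes) -> bytes:
    """Wrap the request once per relay, innermost (exit) layer first."""
    next_names = [r.name for r in path[1:]] + [destination]
    cell = request
    for relay, next_name in reversed(list(zip(path, next_names))):
        cell = keystream_xor(relay.key, next_name.encode() + b"|" + cell)
    return cell


def run_circuit(client_addr: str, path, onion: bytes):
    """Forward the cell hop by hop; return (destination, plaintext request)."""
    relays = {r.name: r for r in path}
    prev_hop, current, cell = client_addr, path[0].name, onion
    while current in relays:
        relay = relays[current]
        next_hop, cell = relay.handle(prev_hop, cell)
        prev_hop, current = relay.name, next_hop
    return current, cell


def demo():
    # Constructed sample circuit: guard -> middle -> exit -> web server.
    path = [Relay("guard", b"k-guard"), Relay("middle", b"k-middle"), Relay("exit", b"k-exit")]
    client = "10.0.0.1"            # placeholder client address, not an address from the page
    request = b"GET /index.php HTTP/1.0"
    onion = build_onion(path, "webserver", request)
    destination, plaintext = run_circuit(client, path, onion)
    exit_relay = path[-1]
    return {
        "destination": destination,
        "request": plaintext,
        "exit_log": exit_relay.seen,                 # only the middle relay and the destination
        "guard_log": path[0].seen,                   # the guard is the one relay that sees the client
        "exit_knows_client": any(client in pair for pair in exit_relay.seen),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the asymmetry the reply describes: the guard's log holds the client address, the exit's log holds only `("middle", "webserver")`, and no amount of logging at the exit recovers the origin because that information was never delivered to it.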