
Re: PHP exploit from your IP



On Mon, Mar 07, 2005 at 10:15:40AM +0100, Julien Orange wrote:
> we noticed a few PHP attacks on our web server (212.43.226.115) this
> weekend, and those attacks came from the IP address 140.247.62.119 (
> serifos.eecs.harvard.edu ), which seems to be your server.

I do indeed administer serifos.eecs.harvard.edu, which serves as a Tor
exit node.

http://serifos.eecs.harvard.edu:8000/cgi-bin/exit.pl

I know nothing of these attacks, and as far as I can tell,
serifos.eecs.harvard.edu is not compromised.  I conclude that all
attacks on your web server appearing to originate from
serifos.eecs.harvard.edu are actually originating from the Tor network.

> Please do the necessary in order to stop those hacking attempts.
> I guess someone with bad intentions used your Tor service to attack our
> server; we would like to have the IP of this hacker.

This conclusion seems likely.

Tor is an anonymity system designed to separate routing information from
identity.  Even if I were to log all connections through Tor, which I do
not, I would at best be able to provide the IP address of the previous
Tor router in the chain, not the originating IP address.  This is by
design; if I could provide routing information for the origin of the
datagram, then Tor would be broken.  For more information, please refer
to the following URL.

http://tor.eff.org/

> As advice, I would suggest you filter access to the services on
> your servers (I noticed that http://140.247.62.119:8000 was available
> from the web).

I appreciate your concern, but this service and others are intended to
be publicly available.  (Though please let me know if you know of
something that allows arbitrary command execution.)

Cheers,

Geoff Goodell

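The point Geoff makes above, that an exit operator can at best name the previous relay and never the originating client, follows from how onion routing layers its encryption. The following is an added example, not code from the original message or from the Tor project: a toy three-hop circuit in Python in which the client wraps its request in one encryption layer per relay, each relay peels exactly one layer, and we record what every relay actually observes. The relay names, addresses, circuit keys and the HMAC-based stream cipher are all made up for illustration (real Tor negotiates per-hop keys with Diffie-Hellman and encrypts cells with AES-CTR over TLS links); only the destination address is taken from the thread.

```python
"""Toy onion-routing walk-through (added example, not part of the original
message or of the Tor code base).

Demonstrates why the exit relay's decrypted layer carries only the next hop
and the payload: the originating client's address never reaches it.
"""
import hashlib
import hmac
import json

# Constructed addresses for the example; none of the relays is a real host.
CLIENT = "10.0.0.7"
RELAYS = ["guard:10.1.1.1", "middle:10.2.2.2", "exit:10.3.3.3"]
DESTINATION = "212.43.226.115:80"   # the complaining web server from the thread

# Hypothetical per-hop keys. Real Tor derives these with Diffie-Hellman during
# circuit construction; here they are fixed so the example runs offline.
HOP_KEYS = [hashlib.sha256(f"toy-circuit-key-{i}".encode()).digest()
            for i in range(len(RELAYS))]


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, a stand-in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric encrypt/decrypt by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(hop_keys, destination, payload: str) -> bytes:
    """Client side: wrap the payload in one layer per relay, innermost layer
    for the exit. Each layer's plaintext names only that relay's *next* hop,
    so no layer anywhere mentions the client."""
    inner = json.dumps({"next": destination, "data": payload.encode().hex()})
    onion = xor_crypt(hop_keys[-1], inner.encode())
    # Walk backwards from the middle relay to the guard, adding a layer each.
    for i in range(len(hop_keys) - 2, -1, -1):
        layer = json.dumps({"next": RELAYS[i + 1], "data": onion.hex()})
        onion = xor_crypt(hop_keys[i], layer.encode())
    return onion


def relay_process(key: bytes, previous_hop: str, onion: bytes):
    """One relay peels its own layer. A real relay learns previous_hop from the
    TLS connection the cell arrived on; here it is passed in explicitly.
    Returns (what this relay observed, next hop, inner bytes)."""
    plain = json.loads(xor_crypt(key, onion).decode())
    observed = {"previous_hop": previous_hop, "next_hop": plain["next"]}
    return observed, plain["next"], bytes.fromhex(plain["data"])


def run_circuit(hop_keys, payload: str):
    """Push one request through the circuit and collect each relay's view.
    Returns (per-relay observations, final destination, delivered cleartext)."""
    logs = {}
    onion = build_onion(hop_keys, DESTINATION, payload)
    previous = CLIENT
    next_hop = None
    for name, key in zip(RELAYS, hop_keys):
        observed, next_hop, onion = relay_process(key, previous, onion)
        logs[name] = observed
        previous = name
    # After the exit peels the last layer, only the cleartext request remains.
    return logs, next_hop, onion.decode()


def exit_can_name_origin(logs) -> bool:
    """Could the exit operator, logging everything it sees, name the client?"""
    exit_view = logs[RELAYS[-1]]
    return CLIENT in exit_view.values()


if __name__ == "__main__":
    logs, dest, delivered = run_circuit(HOP_KEYS, "GET / HTTP/1.0")
    for relay, view in logs.items():
        print(f"{relay:18} saw {view}")
    print("exit forwarded", repr(delivered), "to", dest)
    print("exit can identify client:", exit_can_name_origin(logs))
```

Run as a script it prints each relay's view: the guard sees the client and the middle relay, the middle relay sees the guard and the exit, and the exit sees the middle relay and the destination. Even with full logging at the exit, the best answer to "who sent this" is the address of the middle relay, which is exactly the limit described in the reply above.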