[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Security risks of using vds for setting up tor-nodes?
On Fri, Nov 26, 2010 at 07:09:00PM +0000, James Brown wrote:
> Sometimes ago I ren a VDS under Debian Lenny,
> ~# uname -a
> Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
> GNU/Linux
>
> I set up on that VDS only exit tor-node and nothing more. I didn't stop
> apache, proftpd daemon and etc. because I have intended to use it in the
> feature but I didn't use it for several month.
[snip]
> and from rkhunter that my server have problems which you can see in the
> attached log inculding detected SHV4 Rootkit and SHV5 Rootkit
[snip]
> How it was possible to catch that viruses, rootkits and etc. from using
> an exit tor-node? Have anybody such problems? What is the security
> measures takes of other owners of exit-nodes?
It's much more likely that they broke in through some other service
you're running. Sounds like you didn't keep your system up-to-date?
> What is the better to me - to try clean the existing system or to give
> an order to VDS provider to reinstall my VDS?
Reinstall, for sure. They got root, and replaced a lot of files. You're
always going to be wondering what else they replaced that you didn't
notice.
> If the last way is the better (now I am inclined to that) - what files
> from tor-node installation I need to save exept torrc and keys of my node?
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#Iwanttoupgrademovemyrelay.HowdoIkeepthesamekey
> Or it would better generate new keys through new installation of
> tor-node?
It's better to generate new keys. Who knows how many people have seen
your current keys. That's what compromise means. :)
Generating new keys for your relay really doesn't hurt Tor much, so you
shouldn't feel bad about doing it in cases like this.
> Could existing keys compomise my tor-node after reinstalling
> my VDS?
> And could it be an attack against exactly my VDS as tor-node? Could it
> be an attempt of an Adversary to take control over my tor-node for
> attacks against the Tor-net?!
Maybe, but it's much more likely that you're just a random victim,
and they were planning to use your machine to launch other attacks,
run an IRC bouncer, or do whatever else script kiddies do these days.
--Roger
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/