
Re: Security risks of using vds for setting up tor-nodes?

On Fri, Nov 26, 2010 at 07:09:00PM +0000, James Brown wrote:
> Some time ago I ran a VDS under Debian Lenny,
> ~# uname -a
> Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
> GNU/Linux
> I set up on that VDS only an exit tor-node and nothing more. I didn't stop
> the apache, proftpd daemons etc. because I had intended to use them in the
> future, but I didn't use them for several months.
> and from rkhunter that my server has problems which you can see in the
> attached log, including a detected SHV4 Rootkit and SHV5 Rootkit.
> How was it possible to catch those viruses, rootkits etc. from running
> an exit tor-node? Has anybody had such problems? What security
> measures do other owners of exit-nodes take?

It's much more likely that they broke in through some other service
you're running. Sounds like you didn't keep your system up-to-date?

> What is better for me - to try to clean the existing system or to
> order the VDS provider to reinstall my VDS?

Reinstall, for sure. They got root, and replaced a lot of files. You're
always going to be wondering what else they replaced that you didn't

> If the last way is the better one (now I am inclined to that) - what files
> from the tor-node installation do I need to save except torrc and the keys of my node?


> Or would it be better to generate new keys through a new installation of
> the tor-node?

It's better to generate new keys. Who knows how many people have seen
your current keys. That's what compromise means. :)

Generating new keys for your relay really doesn't hurt Tor much, so you
shouldn't feel bad about doing it in cases like this.

> Could the existing keys compromise my tor-node after reinstalling
> my VDS?
> And could it be an attack against exactly my VDS as a tor-node? Could it
> be an attempt by an adversary to take control over my tor-node for
> attacks against the Tor-net?!

Maybe, but it's much more likely that you're just a random victim,
and they were planning to use your machine to launch other attacks,
run an IRC bouncer, or do whatever else script kiddies do these days.
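The recovery advice in this thread boils down to three rules: reinstall from scratch, carry over the relay's torrc, and never reuse the identity keys from the compromised host. The script below is an added example, not code from the thread or from the Tor project; it assumes the usual Debian layout (/etc/tor/torrc, a DataDirectory of /var/lib/tor holding keys/secret_id_key and the fingerprint file) and builds a constructed stand-in for a mounted backup of the old VDS so it runs offline. It copies only the configuration, refuses if any key material lands in the new tree, and checks that the fingerprint Tor writes after its first start on the new host differs from the old one.

```shell
#!/bin/sh
# Added example: salvage a relay's config from a compromised host without
# carrying its identity over. Paths follow the Debian layout but are
# assumptions; the backup tree here is constructed for the demonstration.
set -u

# Construct a fake backup of the compromised VDS (sample data, not real keys).
make_sample_backup() {
    root="$1"
    mkdir -p "$root/etc/tor" "$root/var/lib/tor/keys"
    cat > "$root/etc/tor/torrc" <<'EOF'
ORPort 9001
Nickname examplerelay
ContactInfo placeholder@example.invalid
EOF
    echo "OLD-SECRET-ID-KEY (constructed placeholder)" \
        > "$root/var/lib/tor/keys/secret_id_key"
    echo "examplerelay 0000000000000000000000000000000000000000" \
        > "$root/var/lib/tor/fingerprint"
}

# Copy only torrc into the new install root. The keys/ directory and the
# fingerprint file are deliberately left behind: a secret_id_key from a
# rooted box must be treated as known to the intruder, and Tor generates a
# fresh identity when DataDirectory holds no keys. Returns 1 if any key
# material ended up in the new tree anyway.
salvage_relay_config() {
    backup="$1"; newroot="$2"
    mkdir -p "$newroot/etc/tor" "$newroot/var/lib/tor"
    cp "$backup/etc/tor/torrc" "$newroot/etc/tor/torrc" || return 1
    if [ -d "$newroot/var/lib/tor/keys" ] \
       || [ -f "$newroot/var/lib/tor/fingerprint" ]; then
        echo "refusing: key material present in $newroot" >&2
        return 1
    fi
    return 0
}

# After Tor has started once on the rebuilt host, confirm the fingerprint it
# wrote is not the old relay's. The fingerprint file format is "nickname HEX".
fingerprint_changed() {
    old_fp=$(awk '{print $2}' "$1/var/lib/tor/fingerprint" 2>/dev/null)
    new_fp=$(awk '{print $2}' "$2/var/lib/tor/fingerprint" 2>/dev/null)
    [ -n "$old_fp" ] && [ -n "$new_fp" ] && [ "$old_fp" != "$new_fp" ]
}

# Stand-alone demo: build the sample backup, salvage it, simulate Tor's first
# start writing a new fingerprint, and report the result.
demo_dir=$(mktemp -d)
make_sample_backup "$demo_dir/old"
if salvage_relay_config "$demo_dir/old" "$demo_dir/new"; then
    echo "torrc carried over; keys left behind"
fi
# Constructed stand-in for what Tor writes on its first run with no keys.
echo "examplerelay 1111111111111111111111111111111111111111" \
    > "$demo_dir/new/var/lib/tor/fingerprint"
if fingerprint_changed "$demo_dir/old" "$demo_dir/new"; then
    echo "relay identity changed as intended"
fi
rm -rf "$demo_dir"
```

On a real rebuild the backup root would be a read-only mount of the old disk image, and the fingerprint check runs only after the new Tor has started once; if the old and new fingerprints match, the keys directory was copied somewhere along the way and the identity is still the compromised one.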

