[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Analyzing TOR-exitnodes for anomalies



Hi  *Taka Khumbartha*   :


> Claude LaFrenière @ 2006/10/06 12:24:
>> For the moment nothings prove that any exit nodes are responsibles for this.
>> We have to do somethings based on facts not fears...
>> 
> 
> How about this then? .... when navigating to www.ezboard.com the proper page is loaded and displayed.  
> verified by comparing the IP address of www.ezboard.com found with and without tor_resolve.exe.  
> however, after entering your username/password and logging in from that page, the request is handled 
> by login.ezboard.com, which resolved to 64.74.223.198 !!  the correct IP for login.ezboard.com is 209.66.118.157. 
> also, the now in-famous URL with the flanding.domainsponsor.com and SUSPECTED+UNDESIRABLE+BOT junk in it was shown as the address.  
> i think 64.74.223.198 possibly now hijacked the ezboard login information!  unfortunately during this time i was scurrying about trying to reset 
> my password and wasn't able to get the IP of the exit node i was using.
> 
>> I suggest, If the facts prove that some exit nodes are responsible, that we
>> keep them temporarely, instead of immediatly blocking them, and use them
>> as "guinea pig" to study their behaviour and prevent that kind of abuse in
>> the future.
>> 
>> Consider this as a laboratory experience with "cyber-rats" !  ;-)
>> Better than SETI@Home IMHO.
>> 
>> :)
>> 
> 
> fact or fear, then? ;)
> 
> using un-encrypted authentication over Tor is dumb to begin with, but this really emphasizes it i think!  
>this is too unfortunate as many sites still do not use SSL but sometimes Tor users still at least need location privacy.  
> so i for one hope we can dispose of these cyber-rats soon.

I found some interesting information about this IP address: 64.74.223.198

*A)  First IP query* ...
*"The domain name for the specified IP address could not be found"*

Initiating server query ...
Looking up the domain name for IP: 64.74.223.198
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected]  Requesting the server's default page.
The server returned the following response headers:
HTTP/1.1 200 OK
Connection: close
Date: Sun, 08 Oct 2006 13:45:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP="CAO PSA OUR"
Set-Cookie: Domain=; path=/
Set-Cookie: Domain=223.198; path=/
Set-Cookie: RSAddParams=; path=/
Set-Cookie:
RSAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOKsyB5kP__xvek2IXUyHdaJqI5t6tpKyTKqmJSm0V1DPfpDBHppNXjFKlH8Sm7L3Lvyapfvaaamj6pVRlFechgR5wQkDC7RuB1FqstRZKAhV_EEOZz2zXNybkrsnzAUBfdG-SGB5P-a_1VrJSpHZrlPphCK4r9B1PifOr4w0kNtM-iN3vw-1z6vF07LDwbhPYYYipjk4t0GvDN-nzq_34xVXdgP61cH_Vg..;
path=/
Set-Cookie: LastURL=; path=/
Set-Cookie: LastURL=http://64.74.223.198/default.pk; path=/
Set-Cookie: RefPage=; path=/
Set-Cookie: RefPage=0; path=/
Set-Cookie: PCAddParams=; path=/
Set-Cookie:
PCAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOLsy4P_hv7-Pr0nxC0mQbrRNRFdvltLWSTVU5KX2igoZz9K4IzNJi8ZJUk_i03au5b_Jml89plqaTqnFGUV5GGA3nECQcLum4EUWiy1VkhCFf8Qy5svbJc15uVuyjMB8AsGjfpD7srWalaqzkqcjCVxx06BFfV-c6hhPIV-YaUe2n_Rp91Yfp5-Hi3Flw4NEnnMMb0xecb6DOC3en1a_24zSfcIfV1IA;
path=/
Set-Cookie: SessionHitCount=; path=/
Set-Cookie: SessionHitCount=1; path=/
Set-Cookie: ActionsTaken=; path=/
Set-Cookie: ActionsTaken=D A1 22L ; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 2381
Vary: Accept-Encoding
Content-Encoding: gzip
Query complete.

*B) Here I found the domain name: enom*
     *and the Hosting provider: internap*

http://www.ipv6tools.com/tools/whois.ch?ip=64.74.223.198&src=ShowIP

Location: United States [City: Oakland, California]

NOTE: More information appears to be available at NET-64-74-223-0-1.

Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 
                                  64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 
                                  64.74.223.0 - 64.74.223.255
                                                                    
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-64-74-223-0-1&server=whois.arin.net

CustName:   eNom
Address:    2002 156th Ave NE
City:       Bellevue
StateProv:  WA
PostalCode: 98008
Country:    US
RegDate:    2005-09-23
Updated:    2005-09-23

NetRange:   64.74.223.0 - 64.74.223.255 

http://www.dnsstuff.com/tools/whois.ch?ip=!INO3-ARIN&server=whois.arin.net&type=P

Name:       InterNap Network Operations Center 
Handle:     INO3-ARIN
Company:    Internap Network Operations Center
Address:    Internap Network Services

From:
http://www.completewhois.com/hijacked/index.htm
http://www.completewhois.com/cgi-bin/whois.cgi
Completewhois.Com Whois Server, Version 0.91a33, compiled on May 28, 2006

Unknown domain: 64.74.223.198
[IPv4 whois information for 64.74.223.198 ]
[whois.arin.net]
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 
                                  64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 
                                  64.74.223.0 - 64.74.223.255

# ARIN WHOIS database, last updated 2006-10-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[whois.arin.net]
OrgName:    Internap Network Services 
OrgID:      PNAP

NetRange:   64.74.0.0 - 64.74.255.255 
CIDR:       64.74.0.0/16 
NetName:    PNAP-SEA-BLOCK4
NetHandle:  NET-64-74-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.PNAP.NET
NameServer: NS2.PNAP.NET

# ARIN WHOIS database, last updated 2006-10-07 19:10

[whois.arin.net]
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 
                                  64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 
                                  64.74.223.0 - 64.74.223.255

# ARIN WHOIS database, last updated 2006-10-07 19:10

[whois.arin.net]
CustName:   eNom
Address:    2002 156th Ave NE
City:       Bellevue
StateProv:  WA
PostalCode: 98008
Country:    US
RegDate:    2005-09-23
Updated:    2005-09-23

NetRange:   64.74.223.0 - 64.74.223.255 
CIDR:       64.74.223.0/24 


[OTHER (whois.cyberabuse.org) whois information for 64.74.223.198 ]
[ Informations about 64.74.223.198 ]
 IP range     :    64.74.223.0 - 64.74.223.255
 Network name :    INAP-SJE-ENOM-3077
 Infos        :    eNom
 Infos        :    2002 156th Ave NE
 Infos        :    Bellevue
 Infos        :    WA
 Infos        :    98008
 Country      :    United States of America (US)
 Abuse E-mail :    abuse@xxxxxxxxxxxx
 Source       :    ARIN

[OTHER (rbl.completewhois.com) whois information for 64.74.223.198 ]

 Listed in country-rirdata: US -  United States
 
*C) Now a very interesting information:*
      *Listed in spam black list* :
 
Listed in blacklist.spambag.org: 64.74.223.0/24 --> Blocked by spambag, see
http://www.spambag.org/cgi-bin/spambag?mailfrom=012netil

[OTHER (riswhois.ripe.net) whois information for 64.74.223.198 ]
[riswhois.ripe.net]

route:        64.74.208.0/20
origin:       AS12182
descr:        INTERNAP-2BLK - Internap Network Services
lastupd-frst: 2006-01-01 00:03Z  195.66.224.68@rrc01
lastupd-last: 2006-10-08 01:28Z  194.68.123.139@rrc07
seen-at:
rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15
num-rispeers: 84
source:       RISWHOIS

http://www.spambag.org/query.html
http://www.spambag.org/cgi-bin/spambag?query=64.74.223.198

*This IP address is listed by spambag.org's record for enom*.

http://www.spambag.org/cgi-bin/spambag?record=enom

Spambag: 63.251.160.0-63.251.199.255
Spambag: 66.151.144.0-66.151.159.255
Spambag: 212.118.240.0-212.118.255.255
Spambag: 69.25.140.0-69.25.159.255
Spambag: 216.52.180.0-216.52.191.255
Spambag: 64.74.80.0-64.74.109.255
Spambag: 64.74.223.0/24
Spambag: 63.251.80.0-63.251.95.255
Spambag: 70.42.32.0-70.42.47.255


*D) And here a beginning of answer ...:*

*Massive problems with enom.com-hosted spam domain redirectors.*

*enom.com must stop hosting domain redirectors for professional criminal spam gangs*

*enom.com is hosted by Internap.  Complaints to Internap has been ignored*

*Internap must stop ignoring spam complaints about enom.com*

*E) Is it related to the "tor-proxy1.internap.com" Tor exit node ???*

US *inap1               *tor-proxy1.internap.com* 

Ref:
http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?textonly=1

:)                                      
-- 
Claude LaFrenière