Re: Analyzing TOR-exitnodes for anomalies
Hi *Taka Khumbartha*:
> Claude LaFrenière @ 2006/10/06 12:24:
>> For the moment nothing proves that any exit nodes are responsible for this.
>> We have to do something based on facts, not fears...
>>
>
> How about this then? .... When navigating to www.ezboard.com the proper page is loaded and displayed,
> verified by comparing the IP address of www.ezboard.com found with and without tor_resolve.exe.
> However, after entering your username/password and logging in from that page, the request is handled
> by login.ezboard.com, which resolved to 64.74.223.198 !! The correct IP for login.ezboard.com is 209.66.118.157.
> Also, the now infamous URL with the flanding.domainsponsor.com and SUSPECTED+UNDESIRABLE+BOT junk in it was shown as the address.
> I think 64.74.223.198 possibly now hijacked the ezboard login information! Unfortunately, during this time I was scurrying about trying to reset
> my password and wasn't able to get the IP of the exit node I was using.
>
>> I suggest, if the facts prove that some exit nodes are responsible, that we
>> keep them temporarily, instead of immediately blocking them, and use them
>> as "guinea pigs" to study their behaviour and prevent that kind of abuse in
>> the future.
>>
>> Consider this as a laboratory experience with "cyber-rats" ! ;-)
>> Better than SETI@Home IMHO.
>>
>> :)
>>
>
> Fact or fear, then? ;)
>
> Using un-encrypted authentication over Tor is dumb to begin with, but this really emphasizes it, I think!
> This is too unfortunate, as many sites still do not use SSL, but sometimes Tor users still at least need location privacy.
> So I for one hope we can dispose of these cyber-rats soon.
I found some interesting information about this IP address: 64.74.223.198
*A) First IP query* ...
*"The domain name for the specified IP address could not be found"*
Initiating server query ...
Looking up the domain name for IP: 64.74.223.198
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.1 200 OK
Connection: close
Date: Sun, 08 Oct 2006 13:45:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP="CAO PSA OUR"
Set-Cookie: Domain=; path=/
Set-Cookie: Domain=223.198; path=/
Set-Cookie: RSAddParams=; path=/
Set-Cookie: RSAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOKsyB5kP__xvek2IXUyHdaJqI5t6tpKyTKqmJSm0V1DPfpDBHppNXjFKlH8Sm7L3Lvyapfvaaamj6pVRlFechgR5wQkDC7RuB1FqstRZKAhV_EEOZz2zXNybkrsnzAUBfdG-SGB5P-a_1VrJSpHZrlPphCK4r9B1PifOr4w0kNtM-iN3vw-1z6vF07LDwbhPYYYipjk4t0GvDN-nzq_34xVXdgP61cH_Vg..; path=/
Set-Cookie: LastURL=; path=/
Set-Cookie: LastURL=http://64.74.223.198/default.pk; path=/
Set-Cookie: RefPage=; path=/
Set-Cookie: RefPage=0; path=/
Set-Cookie: PCAddParams=; path=/
Set-Cookie: PCAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOLsy4P_hv7-Pr0nxC0mQbrRNRFdvltLWSTVU5KX2igoZz9K4IzNJi8ZJUk_i03au5b_Jml89plqaTqnFGUV5GGA3nECQcLum4EUWiy1VkhCFf8Qy5svbJc15uVuyjMB8AsGjfpD7srWalaqzkqcjCVxx06BFfV-c6hhPIV-YaUe2n_Rp91Yfp5-Hi3Flw4NEnnMMb0xecb6DOC3en1a_24zSfcIfV1IA; path=/
Set-Cookie: SessionHitCount=; path=/
Set-Cookie: SessionHitCount=1; path=/
Set-Cookie: ActionsTaken=; path=/
Set-Cookie: ActionsTaken=D A1 22L ; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 2381
Vary: Accept-Encoding
Content-Encoding: gzip
Query complete.
*B) Here I found the domain name: enom*
*and the hosting provider: internap*
http://www.ipv6tools.com/tools/whois.ch?ip=64.74.223.198&src=ShowIP
Location: United States [City: Oakland, California]
NOTE: More information appears to be available at NET-64-74-223-0-1.
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1)
64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1)
64.74.223.0 - 64.74.223.255
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-64-74-223-0-1&server=whois.arin.net
CustName: eNom
Address: 2002 156th Ave NE
City: Bellevue
StateProv: WA
PostalCode: 98008
Country: US
RegDate: 2005-09-23
Updated: 2005-09-23
NetRange: 64.74.223.0 - 64.74.223.255
http://www.dnsstuff.com/tools/whois.ch?ip=!INO3-ARIN&server=whois.arin.net&type=P
Name: InterNap Network Operations Center
Handle: INO3-ARIN
Company: Internap Network Operations Center
Address: Internap Network Services
From:
http://www.completewhois.com/hijacked/index.htm
http://www.completewhois.com/cgi-bin/whois.cgi
Completewhois.Com Whois Server, Version 0.91a33, compiled on May 28, 2006
Unknown domain: 64.74.223.198
[IPv4 whois information for 64.74.223.198 ]
[whois.arin.net]
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1)
64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1)
64.74.223.0 - 64.74.223.255
# ARIN WHOIS database, last updated 2006-10-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[whois.arin.net]
OrgName: Internap Network Services
OrgID: PNAP
NetRange: 64.74.0.0 - 64.74.255.255
CIDR: 64.74.0.0/16
NetName: PNAP-SEA-BLOCK4
NetHandle: NET-64-74-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PNAP.NET
NameServer: NS2.PNAP.NET
# ARIN WHOIS database, last updated 2006-10-07 19:10
[whois.arin.net]
CustName: eNom
Address: 2002 156th Ave NE
City: Bellevue
StateProv: WA
PostalCode: 98008
Country: US
RegDate: 2005-09-23
Updated: 2005-09-23
NetRange: 64.74.223.0 - 64.74.223.255
CIDR: 64.74.223.0/24
[OTHER (whois.cyberabuse.org) whois information for 64.74.223.198 ]
[ Informations about 64.74.223.198 ]
IP range : 64.74.223.0 - 64.74.223.255
Network name : INAP-SJE-ENOM-3077
Infos : eNom
Infos : 2002 156th Ave NE
Infos : Bellevue
Infos : WA
Infos : 98008
Country : United States of America (US)
Abuse E-mail : abuse@xxxxxxxxxxxx
Source : ARIN
[OTHER (rbl.completewhois.com) whois information for 64.74.223.198 ]
Listed in country-rirdata: US - United States
*C) Now some very interesting information:*
*Listed in a spam blacklist*:
Listed in blacklist.spambag.org: 64.74.223.0/24 --> Blocked by spambag, see
http://www.spambag.org/cgi-bin/spambag?mailfrom=012netil
[OTHER (riswhois.ripe.net) whois information for 64.74.223.198 ]
[riswhois.ripe.net]
route: 64.74.208.0/20
origin: AS12182
descr: INTERNAP-2BLK - Internap Network Services
lastupd-frst: 2006-01-01 00:03Z 195.66.224.68@rrc01
lastupd-last: 2006-10-08 01:28Z 194.68.123.139@rrc07
seen-at:
rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15
num-rispeers: 84
source: RISWHOIS
http://www.spambag.org/query.html
http://www.spambag.org/cgi-bin/spambag?query=64.74.223.198
*This IP address is listed by spambag.org's record for enom*.
http://www.spambag.org/cgi-bin/spambag?record=enom
*D) And here is the beginning of an answer...:*
*Massive problems with enom.com-hosted spam domain redirectors.*
*enom.com must stop hosting domain redirectors for professional criminal spam gangs*
*enom.com is hosted by Internap. Complaints to Internap have been ignored*
*Internap must stop ignoring spam complaints about enom.com*
*E) Is it related to the "tor-proxy1.internap.com" Tor exit node ???*
US *inap1* *tor-proxy1.internap.com*
Ref:
http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?textonly=1
:)
--
Claude LaFrenière
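As an added example, not code from this thread or from the Tor project, here is the check Taka describes (resolve a name through Tor and compare it with the direct answer) written in Python: it builds Tor's SOCKS4a RESOLVE request the way tor-resolve does, parses the reply, and flags a mismatch as a cue to record the exit node and retry on a fresh circuit. The hostname and both addresses are the ones quoted above; the SOCKS port 127.0.0.1:9050 is an assumed default and the reply bytes in the test are constructed.

```python
import socket
import struct

SOCKS4A_RESOLVE = 0xF0   # Tor's SOCKS4a extension command (socks-extensions.txt)
SOCKS4_GRANTED = 90      # SOCKS4 reply code: request granted


def build_resolve_request(hostname: str) -> bytes:
    """SOCKS4a RESOLVE request as tor-resolve sends it: VN=4, CD=0xF0,
    port 0, destination IP 0.0.0.1 (the 'hostname follows' marker),
    an empty NUL-terminated userid, then the NUL-terminated hostname."""
    header = struct.pack(">BBH4s", 4, SOCKS4A_RESOLVE, 0, b"\x00\x00\x00\x01")
    return header + b"\x00" + hostname.encode("ascii") + b"\x00"


def parse_resolve_reply(reply: bytes) -> str:
    """Parse the 8-byte SOCKS4 reply; for RESOLVE, the 'bound address'
    field carries the IPv4 answer the exit node returned."""
    if len(reply) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, _port, addr = struct.unpack(">BBH4s", reply[:8])
    if vn != 0 or cd != SOCKS4_GRANTED:
        raise ValueError(f"RESOLVE failed, SOCKS status {cd}")
    return socket.inet_ntoa(addr)


def tor_resolve(hostname: str, sock) -> str:
    """Resolve over the current Tor circuit using an already connected
    socket (or any object with sendall/recv) to the SOCKS port."""
    sock.sendall(build_resolve_request(hostname))
    return parse_resolve_reply(sock.recv(8))


def exit_tampering_suspected(direct_ip: str, tor_ip: str) -> bool:
    """True when the exit's answer differs from the direct resolution.
    A difference is a cue, not proof (CDNs and round-robin DNS vary too):
    log the exit in use and repeat the lookup over a new circuit."""
    return direct_ip != tor_ip


if __name__ == "__main__":
    # Assumed default SOCKS port; the direct address is the one quoted in the thread.
    with socket.create_connection(("127.0.0.1", 9050)) as s:
        via_tor = tor_resolve("login.ezboard.com", s)
    print(via_tor, exit_tampering_suspected("209.66.118.157", via_tor))
```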