[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Received botnet/drone abuse complaint



> I received a botnet/drone complaint from shadowserver.org today

If the complaint was sent directly to you, rather than to you via your
ISP, it is unlikely you need to do anything. Unless you're concerned
about possibly having your own IP space blacklisted (which is normally
an ISP concern).

If your ISP is bugging you, there are some abuse templates and general
advice docs on the Tor project site that you may find useful.

> If I'm reading this correctly, they identify "mebroot" as the source of the

That's probably the nasty that was sent, not necessarily the scan and
injection platform in use.

> My DirPort is set to 80, which may explain that value in the complaint.

No, that's more likely to be the 128:80 dest ip/port pair for the flow sourced
from your 210:48586 pair. You might find the log format documented at
Shadowserver or via google. They obviously didn't bother to include a
complete definition of all the fields in the email.

> Any thoughts on what to do to avoid further complaints? ÂShadowserver
> addresses the topic of Tor exits here:

Try blocking traffic to that IP or some suitable larger subnet of the afflicted
IP as might be determined from whois or BGP, for a few months.

It's seems to be just a probe, nothing a simple email or config change
won't fix.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays