[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] kelihos infection



Hello fellow relay operators,

I have received word from my ISP that they detected malicious traffic from my account. I'm running the exit node "cave" with reduced exit policy,

https://atlas.torproject.org/#details/3875c9c843d33762fa733bcaf128f26a10bc75e7

The information received from my ISP was:

infection => 'kelihos', subtype => 'kelihos.e', port => '52935', asn => '209', family => 'kelihos', sourceSummary => 'Drone Report'

Typically they will also provide an IP address related to the infection, which is usually a sinkhole. The solution is to block the IP in my exit policy. However no IP was provided in this report and there is not one available, since my ISP is just relaying information they receive from a 3rd party detection agency. Furthermore, the port mentioned, 52935, is not allowed in my exit policy, so I'm guessing that port is somewhere else...

Any ideas about this "infection" and how we could prevent it from using our exit nodes?

Thanks

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays