
Re: [tor-relays] kelihos infection



This is like when I got the helpful notification saying that my exit
relay was running Windows XP and I ought to upgrade it.  You can, if
you feel like it, write back explaining that your exit node happens to
have been used to forward traffic on behalf of a computer that happens
to be infected with Kelihos, and while it would be nice if you could
notify the operator of that computer that they have an infection, by
design of the Tor network this is not possible.  Your exit relay will
continue to pop up on future such scans and it would be best if they
just ignored it.  You apologize for the inconvenience.

There isn't anything you can or should do about it configuration-wise.
In particular, I am not finding mention of Kelihos using any specific
port for its traffic, or any specific C&C servers, so there's no exit
policy that you can set to prevent it.

zw



On Mon, Jan 22, 2018 at 3:50 PM, scar <scar@xxxxxxxxxx> wrote:
> Hello fellow relay operators,
>
> I have received word from my ISP that they detected malicious traffic from
> my account.  I'm running the exit node "cave" with reduced exit policy,
>
> https://atlas.torproject.org/#details/3875c9c843d33762fa733bcaf128f26a10bc75e7
>
> The information received from my ISP was:
>
> infection => 'kelihos', subtype => 'kelihos.e', port => '52935', asn =>
> '209', family => 'kelihos', sourceSummary => 'Drone Report'
>
> Typically they will also provide an IP address related to the infection,
> which is usually a sinkhole.  The solution is to block the IP in my exit
> policy.  However no IP was provided in this report and there is not one
> available, since my ISP is just relaying information they receive from a 3rd
> party detection agency.  Furthermore, the port mentioned, 52935, is not
> allowed in my exit policy, so I'm guessing that port is somewhere else...
>
> Any ideas about this "infection" and how we could prevent it from using our
> exit nodes?
>
> Thanks
>
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
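The two questions in this exchange (is the reported port even reachable through the relay's reduced exit policy, and what does rejecting a sinkhole IP in the exit policy actually do) can both be answered by evaluating the policy the way Tor does: rules are walked top to bottom and the first rule whose address and port both match decides. The script below is an added example, not code from the thread or from the Tor project. The policy lines are a constructed excerpt of the reduced exit policy with a catch-all reject, not the full policy of the relay discussed, and 192.0.2.1 is a documentation address standing in for the sinkhole IP an abuse report would normally name. The port checked, 52935, is the one quoted in the report.

```python
"""Evaluate torrc ExitPolicy lines with Tor's first-match semantics.

Added example. It covers the subset of the ExitPolicy syntax used in the
constructed sample below: '*' or an IPv4 address/prefix, and '*', a single
port, or a low-high port range. IPv6 rules and the 'private' keyword are
out of scope here.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Hypothetical sinkhole address (RFC 5737 documentation range). In a real
# abuse report this would be the IP the ISP names.
SINKHOLE_IP = "192.0.2.1"

# Constructed sample torrc fragment: a sinkhole reject placed ahead of an
# excerpt of the reduced exit policy (not the complete list) and the final
# catch-all reject that every exit policy should end with.
SAMPLE_TORRC = f"""
ExitPolicy reject {SINKHOLE_IP}:*      # block the reported sinkhole first
ExitPolicy accept *:20-21              # ftp
ExitPolicy accept *:22                 # ssh
ExitPolicy accept *:80                 # http
ExitPolicy accept *:443                # https
ExitPolicy accept *:993                # imaps
ExitPolicy accept *:995                # pop3s
ExitPolicy accept *:6660-6669          # irc
ExitPolicy accept *:8080               # http alt
ExitPolicy reject *:*
"""

# (action, network or None for '*', low_port, high_port)
Rule = Tuple[str, Optional[ipaddress.IPv4Network], int, int]

_RULE_RE = re.compile(r"^(accept|reject)\s+(\S+):(\*|\d+(?:-\d+)?)$")


def parse_exit_policy(torrc: str) -> List[Rule]:
    """Parse every ExitPolicy line (comma-separated rules allowed) in order."""
    rules: List[Rule] = []
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line.startswith("ExitPolicy"):
            continue
        for part in line[len("ExitPolicy"):].split(","):
            m = _RULE_RE.match(part.strip())
            if not m:
                raise ValueError(f"unsupported ExitPolicy rule: {part!r}")
            action, addr, ports = m.groups()
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if ports == "*":
                lo, hi = 1, 65535
            else:
                lo_s, _, hi_s = ports.partition("-")
                lo = int(lo_s)
                hi = int(hi_s) if hi_s else lo
            rules.append((action, net, lo, hi))
    return rules


def first_match(rules: List[Rule], ip: str, port: int) -> Optional[Rule]:
    """Return the first rule whose address and port both cover ip:port."""
    target = ipaddress.ip_address(ip)
    for rule in rules:
        _, net, lo, hi = rule
        if net is not None and target not in net:
            continue
        if not lo <= port <= hi:
            continue
        return rule
    return None


def exit_allowed(rules: List[Rule], ip: str, port: int) -> bool:
    """True if the relay would open a stream to ip:port.

    Tor applies the first matching rule. Our sample ends in 'reject *:*', so
    nothing falls through; Tor itself appends its own default policy after
    the operator's rules if they do not end in a catch-all.
    """
    rule = first_match(rules, ip, port)
    return rule is not None and rule[0] == "accept"


def describe(rules: List[Rule], ip: str, port: int) -> str:
    """Human-readable verdict with the rule that decided it."""
    rule = first_match(rules, ip, port)
    if rule is None:
        return f"{ip}:{port} -> no match (Tor default policy would apply)"
    action, net, lo, hi = rule
    addr = "*" if net is None else str(net)
    ports = "*" if (lo, hi) == (1, 65535) else (str(lo) if lo == hi else f"{lo}-{hi}")
    return f"{ip}:{port} -> {action} (matched '{action} {addr}:{ports}')"


if __name__ == "__main__":
    policy = parse_exit_policy(SAMPLE_TORRC)
    # 203.0.113.5 is another documentation address used as an arbitrary destination.
    print(describe(policy, "203.0.113.5", 52935))   # the port from the report
    print(describe(policy, "203.0.113.5", 443))
    print(describe(policy, SINKHOLE_IP, 443))       # sinkhole reject wins over accept *:443
```

Run against the sample, 52935 is rejected by the catch-all, which is the poster's point that the reported port cannot have been exited by this relay, while 443 to the sinkhole is rejected even though 443 is otherwise open, because the sinkhole reject sits above the accept. Rule order is what matters: a `reject 192.0.2.1:*` placed after `accept *:443` would never be reached for port 443. Tor's own `tor --verify-config` catches syntax errors but not ordering mistakes, so a dry run like this is worth doing before reloading the relay.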