[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] suspicious exit?

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] suspicious exit?
From: Michael Wolf <mikewolf@xxxxxxxxxx>
Date: Sat, 07 Jun 2014 04:28:02 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 07 Jun 2014 04:28:10 -0400
In-reply-to: <5392511D.2070001@xxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Openpgp: id=CA6A1F17
References: <5392511D.2070001@xxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

On 6/6/2014 7:39 PM, JB wrote:
> I just setup my relay node today, and am keeping a hawkish(ish) eye on
> traffic.... And noticed a flurry of activity from SSH port (22) at
> 5.104.224.5 - which is listed as an exit.

That exit node uses port 22 as its ORPort (where other relays send Tor
traffic).  There is nothing suspicious about this.  You can verify this
info here:

https://globe.torproject.org/#/relay/30D983762D3993AD8F17EB5DCD522A5D6AAE8C59

> But it's also listed on http://cbl.abuseat.org/lookup.cgi?ip=5.104.224.5
> as infected (or NATting for a computer that is infected) with the
> Conficker botnet.

Exits are going to show up in all sorts of lists, because a small group
of bad people abuse Tor.  Exit nodes get blamed because the "victims"
think the traffic actually originates at the exit.

> I've black-holed it in the meantime, but am wondering if I'm being
> overly cautious...

Yes :)  Please don't block other tor nodes.  Tor can communicate to/from
any port the admin has configured.

-- Mike
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] suspicious exit?
  - From: JB

References:
- [tor-relays] suspicious exit?
  - From: JB

Prev by Author: Re: [tor-relays] BBC iPlayer blocked for UK middle relay operators?
Next by Author: Re: [tor-relays] Spam
Previous by thread: [tor-relays] suspicious exit?
Next by thread: Re: [tor-relays] suspicious exit?
Index(es):
- Author
- Thread