[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] suspicious exit?

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] suspicious exit?
From: JB <technomental@xxxxxxxxx>
Date: Sun, 08 Jun 2014 22:05:42 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 08 Jun 2014 16:06:04 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=B5rl5EyM8DPJTubBX+kcXKbEDDmSrjP2g8RLHiT+XsM=; b=WqHEjCo2YtZ27xWiLPLWIxd6pBBQKc7a0gVXWOmsMwSOJuOe4bB6tvF3xhzmFm7vvh +DP4uAtPwatqlcoRT7oOdxOzAecdtnzD9PvuLYfrchTAvBQPVsX4unozJLq5bDF7IzHd NuCxO6M7Sa+nVSEPqJ4NyeybIq/FXyBlhKOm3q53X8FQdLLoYcJOS5zNN3LZm3OccEWa cgXB2ltJYD+2ylVEG3kAEVVOMf5NnVF3YabX2QHwYl6Ey8zX56sCtECF1FkqVZUiOvp/ o0ZNZsI50Mb4BAAM7BWYF+3HkEJ2ts2wmREM9NMdtDODqhLl2/jyuWTRzgbIivMvRg2R Kkpw==
In-reply-to: <5392CD12.2080004@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <5392511D.2070001@xxxxxxxxx> <5392CD12.2080004@xxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

Thanks Mike and Grampa(?) for the replies.

Will send a notification to the exit node admin tomorrow.

And just wish that that small minority of ediots weren't fucking up theworld for us.


I guess if I was running an exit I'd spend my life sniffing packets.

But I see that's frowned upon.

Slippery slope slippery slopes....


On 07/06/2014 10:28, Michael Wolf wrote:

On 6/6/2014 7:39 PM, JB wrote:

I just setup my relay node today, and am keeping a hawkish(ish) eye on
traffic.... And noticed a flurry of activity from SSH port (22) at
5.104.224.5 - which is listed as an exit.

That exit node uses port 22 as its ORPort (where other relays send Tor
traffic).  There is nothing suspicious about this.  You can verify this
info here:

https://globe.torproject.org/#/relay/30D983762D3993AD8F17EB5DCD522A5D6AAE8C59

But it's also listed onhttp://cbl.abuseat.org/lookup.cgi?ip=5.104.224.5
as infected (or NATting for a computer that is infected) with the
Conficker botnet.

Exits are going to show up in all sorts of lists, because a small group
of bad people abuse Tor.  Exit nodes get blamed because the "victims"
think the traffic actually originates at the exit.
Mikedddd

I've black-holed it in the meantime, but am wondering if I'm being
overly cautious...

Yes :)  Please don't block other tor nodes.  Tor can communicate to/from
any port the admin has configured.

-- Mike
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] suspicious exit?
  - From: JB
- Re: [tor-relays] suspicious exit?
  - From: Michael Wolf

Prev by Author: [tor-relays] suspicious exit?
Next by Author: [tor-relays] Why is UFW bllocking allowed TOR traffic?
Previous by thread: Re: [tor-relays] suspicious exit?
Next by thread: [tor-relays] Unblocking blacklisted exits [was: suspicious]
Index(es):
- Author
- Thread