Dear Nepenthes Development Team,

Do you know anything about the 55 Tor Relays called "Relay127001"?
https://atlas.torproject.org/#search/Relay127001

They appeared around the 23rd of June 2016.

It looks like the relays have a self-signed HTTPS certificate called "Nepenthes Development Team" on port 443.

If you know about these relays, there are a few things you can do to help the Tor network:
* let us know if the relays are doing anything other than relaying traffic
* provide a ContactInfo in the torrc, typically an email address
* declare the relays to be part of a family using "MyFamily fingerprint0, … fingerprint54" in the torrc

Previous discussion on the tor-relays list is below:

> On 24 Jun 2016, at 16:44, simon <komsat@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 23.06.2016 22:47, yandereson@xxxxxxxxxx wrote:
>> I check torstatus/atlas regularly and this was showing up :
>> https://atlas.torproject.org/#search/Relay127001 I just thought I report
>> it here.
> I copypasted some of the IP addresses into my webbrowser's url bar to
> check for a dirfrontpage; but what actually shows up is
> "Directory listing for /"
> for several of them.

None of them have a DirPort, so Tor won't serve any front page.
You're seeing the output from some other web server running on port 80.
No identifying headers. It looks like a very basic server that serves HTML 3.2.

The HTTPS is more interesting: a self-signed "Nepenthes Development Team" certificate.
It's apparently a malware collection platform that "emulates only the vulnerable parts of a service".
Here's the relevant paper:
https://www1.cs.fau.de/filepool/publications/collecting-malware-final.pdf

> I've seen something similar for "involuntary" FTP servers before.

Botnet? Or a honeypot. Or a series of cloned servers.
It's hard to tell.

But there do seem to be a large number of them, 55 in a recent consensus.
And no contact info, either.

We might want to remove these relays from the network before they pick up too many more flags.

Tim

Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP 968F094B
ricochet:ekmygaiu4rzgsk6n
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
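
The pattern discussed in this thread (many relays sharing one nickname, with no ContactInfo and no MyFamily declaration), as an added example that is not part of the original message: a Python check over relay records. The records are constructed, and the field names (nickname, fingerprint, contact, effective_family) are assumed to follow Onionoo's details documents; the helper names are hypothetical.

```python
from collections import defaultdict


def fp(n):
    """Constructed placeholder fingerprint (40 hex chars), not a real relay."""
    return f"{n:040X}"


def relay(nick, n, contact=None, family=()):
    """Build one constructed record with Onionoo-style field names (assumed)."""
    return {"nickname": nick, "fingerprint": fp(n),
            "contact": contact, "effective_family": list(family)}


# Constructed sample: one anonymous cluster, one well-declared family,
# and one family that declares MyFamily but publishes no ContactInfo.
SAMPLE_RELAYS = (
    [relay("Relay127001", n) for n in (1, 2, 3)]
    + [relay("FamilyNode", n, "ops@example.org",
             ["$" + fp(m) for m in (4, 5, 6) if m != n]) for n in (4, 5, 6)]
    + [relay("QuietFamily", n, None,
             ["$" + fp(m) for m in (7, 8, 9) if m != n]) for n in (7, 8, 9)]
)


def undeclared_groups(relays, min_size=3):
    """Return {nickname: sorted fingerprints} for groups of at least
    min_size relays sharing a nickname where no member has contact info
    and no member lists another group member in its effective family."""
    by_name = defaultdict(list)
    for r in relays:
        by_name[r["nickname"]].append(r)

    flagged = {}
    for name, group in by_name.items():
        if len(group) < min_size:
            continue
        fps = {r["fingerprint"] for r in group}
        has_contact = any(r.get("contact") for r in group)
        # Family entries may carry a leading "$"; ignore a relay listing itself.
        has_family = any(
            ({f.lstrip("$") for f in r.get("effective_family") or []}
             & (fps - {r["fingerprint"]}))
            for r in group
        )
        if not has_contact and not has_family:
            flagged[name] = sorted(fps)
    return flagged


if __name__ == "__main__":
    for name, members in undeclared_groups(SAMPLE_RELAYS).items():
        print(f"{name}: {len(members)} relays, no ContactInfo, no family")
```

A shared nickname alone is not proof of common control, so a result from this check is a prompt for the kind of operator contact attempted in the message above.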