
Re: [tor-relays] suspicious relays



Dear Nepenthes Development Team,

Do you know anything about the 55 Tor Relays called "Relay127001"?
https://atlas.torproject.org/#search/Relay127001
They appeared around the 23rd of June 2016.

It looks like the relays have a self-signed HTTPS certificate called "Nepenthes Development Team" on port 443.

If you know about these relays, there are a few things you can do to help the Tor network:
* let us know if the relays are doing anything other than relaying traffic
* provide a ContactInfo in the torrc, typically an email address
* declare the relays to be part of a family using "MyFamily fingerprint0, ... fingerprint54" in the torrc

Previous discussion on the tor-relays list is below:

> On 24 Jun 2016, at 16:44, simon <komsat@xxxxxxxxxxxxxxxxxxx> wrote:
> 
> On 23.06.2016 22:47, yandereson@xxxxxxxxxx wrote:
>> I check torstatus/atlas regularly and this was showing up :
>> https://atlas.torproject.org/#search/Relay127001 i just thought i report
>> it here.
> I copypasted some of the IP addresses into my webbrowser's url bar to
> check for a dirfrontpage; but what actually shows up is
> "Directory listing for /"
> for several of them.

None of them have a DirPort, so Tor won't serve any front page.
You're seeing the output from some other web server running on port 80.
No identifying headers.
It looks like a very basic server that serves HTML 3.2.

The HTTPS is more interesting: a self-signed "Nepenthes Development Team" certificate.
It's apparently a malware collection platform that "emulates only the vulnerable parts of a service".
Here's the relevant paper:
https://www1.cs.fau.de/filepool/publications/collecting-malware-final.pdf

> I've seen something similar for "involuntary" FTP servers before. Botnet?

Or a honeypot. Or a series of cloned servers. It's hard to tell.
But there do seem to be a large number of them, 55 in a recent consensus.
And no contact info, either.

We might want to remove these relays from the network before they pick up too many more flags.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B
ricochet:ekmygaiu4rzgsk6n
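As an added example that is not part of the thread, the heuristics Tim applies above (many relays sharing a nickname, no ContactInfo, no mutual MyFamily, no DirPort, all first seen within a short window) written as a Python check over constructed Onionoo-style relay records. The record fields, fingerprints and dates are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Onionoo "details" fields.
# Fingerprints, dates and contacts are invented for this example.
SAMPLE_RELAYS = [
    {"nickname": "Relay127001", "fingerprint": "AAAA0001", "contact": None,
     "dir_port": 0, "first_seen": "2016-06-23 10:00:00", "family": []},
    {"nickname": "Relay127001", "fingerprint": "AAAA0002", "contact": None,
     "dir_port": 0, "first_seen": "2016-06-23 11:30:00", "family": []},
    {"nickname": "Relay127001", "fingerprint": "AAAA0003", "contact": None,
     "dir_port": 0, "first_seen": "2016-06-24 02:15:00", "family": []},
    {"nickname": "goodrelay", "fingerprint": "BBBB0001", "contact": "ops@example.org",
     "dir_port": 9030, "first_seen": "2015-01-05 00:00:00", "family": ["BBBB0002"]},
    {"nickname": "goodrelay", "fingerprint": "BBBB0002", "contact": "ops@example.org",
     "dir_port": 9030, "first_seen": "2015-01-06 00:00:00", "family": ["BBBB0001"]},
]

def find_suspicious_clusters(relays, min_size=3, window_hours=48):
    """Group relays by nickname and flag clusters that look like an
    undeclared family: several relays with no ContactInfo and no mutual
    MyFamily; lack of a DirPort and a burst of first-seen times are
    reported as supporting reasons."""
    by_nick = defaultdict(list)
    for r in relays:
        by_nick[r["nickname"]].append(r)
    findings = {}
    for nick, group in by_nick.items():
        if len(group) < min_size:
            continue
        fps = {r["fingerprint"] for r in group}
        no_contact = all(not r.get("contact") for r in group)
        no_dirport = all(not r.get("dir_port") for r in group)
        # A properly declared family lists every other member's fingerprint.
        mutual_family = all(fps - {r["fingerprint"]} <= set(r["family"]) for r in group)
        seen = sorted(datetime.strptime(r["first_seen"], "%Y-%m-%d %H:%M:%S") for r in group)
        burst = seen[-1] - seen[0] <= timedelta(hours=window_hours)
        reasons = []
        if no_contact:
            reasons.append("no ContactInfo")
        if not mutual_family:
            reasons.append("no mutual MyFamily")
        if no_dirport:
            reasons.append("no DirPort")
        if burst:
            reasons.append(f"{len(group)} relays first seen within {window_hours}h")
        if no_contact and not mutual_family:
            findings[nick] = {"count": len(group), "fingerprints": sorted(fps), "reasons": reasons}
    return findings
```

Running it against a real Onionoo export only needs the same field names; the thresholds are starting points for a relay operator's own triage, not a verdict.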


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays