
Re: [tor-relays] exit node experience: abuse over HTTP, stealrat infection



Dear Roger,

Thanks for the quick reply.  This possibility did occur to me.  When I asked my VPS provider about getting more information for further diagnosis, they told me they didn't have more, but that the party that sent them the notification had been reliable in the past. My provider has been relatively friendly during this process, and I didn't want to push them further.

Overall, let's just hope that I've been an atypical case in getting two complaints in my first week of operating an exit node.

Thanks,
Kees



> On 19 Oct 2014, at 13:31, Roger Dingledine <arma@xxxxxxx> wrote:
> 
> On Sun, Oct 19, 2014 at 01:24:31PM +0200, Kees Goossens wrote:
>> However, the only thing I do with my VPS is run tor.  I don't run a web site, and don't have apache or whatever installed.
>> I didn't investigate much further, but my hypothesis is that when
>> publishing the tor-exit notice on port 80 either tor internally uses a
>> web server or enables a web server that's present in the system. Either
>> way, that webserver was hacked through a PHP hack.
> 
> It is much more likely that this was a false positive. That is, whoever
> sent you the mail was using a wrong-in-your-case mechanism for detecting
> whether you're infected with "stealrat". They probably just make a list
> of all the computers that connect to them and send certain traffic. And
> if your computer connected to them and sent that traffic, onto their
> list you go.
> 
> The Internet is full of people telling other people that they're
> infected and ought to clean up their computer. Sometimes they're right,
> sometimes they're wrong. Usually, when it comes to Tor relays they're
> wrong, because it never occurred to them that you might be proxying the
> traffic from somebody else.
> 
> Hope that helps,
> --Roger
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
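The false-positive mechanism Roger describes (a sinkhole or honeypot listing every IP that connects to it, with no allowance for the connection having been proxied through a Tor exit) has a simple mitigation on the reporting side: check observed IPs against a snapshot of the Tor exit list before sending notifications. The following is an added example, not code from this thread or from the Tor Project; it assumes the TorDNSEL-style "ExitAddress <ip> <timestamp>" text format for the exit list, and the snapshot, fingerprints and addresses embedded in it are constructed placeholders.

```python
"""Triage abuse-report IPs against a Tor exit-list snapshot (added example).

Assumes the TorDNSEL-style exit-addresses text format, in which each exit
relay is described by an "ExitNode <fingerprint>" block containing one or
more "ExitAddress <ip> <timestamp>" lines. Everything below is constructed
for illustration; the fingerprints and addresses are placeholders.
"""
import ipaddress

# Constructed exit-list snapshot (placeholder fingerprints and RFC 5737 test addresses).
EXIT_LIST_SNAPSHOT = """\
ExitNode 0000000000000000000000000000000000000001
Published 2014-10-19 10:00:00
LastStatus 2014-10-19 12:00:00
ExitAddress 203.0.113.10 2014-10-19 12:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2014-10-19 09:00:00
LastStatus 2014-10-19 12:00:00
ExitAddress 198.51.100.7 2014-10-19 11:50:00
ExitAddress 198.51.100.8 2014-10-19 11:55:00
"""


def parse_exit_addresses(text):
    """Return the set of exit IP addresses found in an exit-list snapshot."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip malformed lines rather than abort the whole parse
    return exits


def triage_report(observed_ips, exit_addresses):
    """Classify IPs taken from a sinkhole/honeypot log.

    Returns a dict mapping each observed IP string to:
      'tor-exit' - the traffic was proxied through a Tor exit; the relay
                   operator is not the infected host and should not be
                   reported as such
      'direct'   - no exit match; worth notifying the network owner
    """
    verdicts = {}
    for raw in observed_ips:
        ip = ipaddress.ip_address(raw)
        verdicts[raw] = "tor-exit" if ip in exit_addresses else "direct"
    return verdicts


if __name__ == "__main__":
    exits = parse_exit_addresses(EXIT_LIST_SNAPSHOT)
    # Constructed sample of addresses seen connecting to a sinkhole.
    observed = ["203.0.113.10", "198.51.100.8", "192.0.2.44"]
    for ip, verdict in triage_report(observed, exits).items():
        print(ip, verdict)
```

In practice the snapshot would be refreshed regularly, since exit addresses change; a stale list reintroduces exactly the kind of misattribution the thread describes.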
