[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] exit node experience: abuse over HTTP, stealrat infection

To: kees@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] exit node experience: abuse over HTTP, stealrat infection
From: Tom van der Woerdt <info@xxxxxxx>
Date: Sun, 19 Oct 2014 13:53:40 +0200
Cc: tor-relays@xxxxxxxxxxxxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 19 Oct 2014 07:53:55 -0400
In-reply-to: <909BC484-464B-497A-9ED7-4C3ECDCDDE3B@xxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <909BC484-464B-497A-9ED7-4C3ECDCDDE3B@xxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:24.0) Gecko/20100101 Thunderbird/24.6.0

Kees Goossens schreef op 19/10/14 13:24:

Part 1: Abuse over HTTP.

Within one week of being an exit, my provider forwarded the following
abuse notification to me (XXXX is the abused Russian website, ZZZZ is me):
====
Greetings,

XXXX abuse team like to inform you, that we have had mass bruteforce
attempts to the Joomla / WordPress control panel on the our
shared-hosting server XXXX from your network, from IP address ZZZZ

During the last 30 minutes we recorded 333 attempts like this:

XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php
HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php
HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php
HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php
HTTP/1.1" 200 11646 "-" "-“
XXXX - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php
HTTP/1.1" 499 0 "-" "-"
====

Lesson (for me at least): since HTTP was used, even a very reduced exit
policy is does not make one immune to abuse problems.
At this point I reverted back to being a non-exit relay, as I have no
interest in having to deal with this.


Hi Kees,

Sounds familiar. This same company (valuehost.ru?) sends me about 20abuse reports a day. At first I replied with explanations of what Toris, explaining why it's hard to do anything against this kind of abuse.Later I started sending the same replies but with a note "Please replyif you have read this message." - no replies. Their message mentions acontact address so I started cc'ing that address - still no reply. Afterreplying for two months and never getting any replies, I stopped replying.


IANAL but you can probably just ignore those.

Abuse reports are very common but there's usually not much you can doother than write a message back explaining why there's not much you cando. Make sure your server provider knows that you run an exit relay!

Tom

Attachment: smime.p7s
Description: S/MIME-cryptografische ondertekening

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] exit node experience: abuse over HTTP, stealrat infection
  - From: obx
- Re: [tor-relays] exit node experience: abuse over HTTP, stealrat infection
  - From: Rejo Zenger

References:
- [tor-relays] exit node experience: abuse over HTTP, stealrat infection
  - From: Kees Goossens

Prev by Author: Re: [tor-relays] Anonbox Project
Next by Author: Re: [tor-relays] exit node experience: abuse over HTTP, stealrat infection
Previous by thread: Re: [tor-relays] exit node experience: abuse over HTTP, stealrat infection
Next by thread: Re: [tor-relays] exit node experience: abuse over HTTP, stealrat infection
Index(es):
- Author
- Thread