
Re: [tor-relays] exit node experience: abuse over HTTP, stealrat infection



Kees Goossens wrote on 19/10/14 13:24:
Part 1: Abuse over HTTP.

Within one week of being an exit, my provider forwarded the following
abuse notification to me (XXXX is the abused Russian website, ZZZZ is me):
====
Greetings,

XXXX abuse team like to inform you, that we have had mass bruteforce
attempts to the Joomla / WordPress control panel on the our
shared-hosting server XXXX from your network, from IP address ZZZZ

During the last 30 minutes we recorded 333 attempts like this:

XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php
HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php
HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php
HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php
HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php
HTTP/1.1" 499 0 "-" "-"
====

Lesson (for me at least): since HTTP was used, even a very reduced exit
policy does not make one immune to abuse problems.
At this point I reverted back to being a non-exit relay, as I have no
interest in having to deal with this.

Hi Kees,

Sounds familiar. This same company (valuehost.ru?) sends me about 20 abuse reports a day. At first I replied with explanations of what Tor is, explaining why it's hard to do anything against this kind of abuse. Later I started sending the same replies but with a note "Please reply if you have read this message." - no replies. Their message mentions a contact address so I started cc'ing that address - still no reply. After replying for two months and never getting any replies, I stopped replying.

IANAL but you can probably just ignore those.

Abuse reports are very common but there's usually not much you can do other than write a message back explaining why there's not much you can do. Make sure your server provider knows that you run an exit relay!

Tom

Attachment: smime.p7s
Description: S/MIME cryptographic signature
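For the hosting side of a report like the one Kees quoted, the thing worth checking is not the single log line but the rate: the report counted 333 POSTs to a Joomla/WordPress login page from one address in 30 minutes. The script below is an added example, not code from Kees, Tom or the Tor project; it parses combined-format access log lines (accepting both the standard three-field prefix and the two-field `XXXX - [` shape seen in the report), collects POSTs to CMS login paths per client, and reports clients whose peak count inside a sliding window reaches a threshold. The sample lines, the IP addresses (documentation ranges), the login path list and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Login endpoints of the two CMSes named in the abuse report (assumed list).
LOGIN_PATHS = ("/administrator/index.php", "/wp-login.php", "/xmlrpc.php")

# Combined log format: client, one or two ident/user fields, [time],
# "method path proto", status, bytes, then referer and user agent (ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+)(?: \S+){1,2} \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample in the shape of the report's excerpt: one client hammering
# the Joomla login, one ordinary visitor, and one line that is not a log line.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
198.51.100.7 - - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
198.51.100.7 - - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
198.51.100.7 - - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
198.51.100.7 - - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php HTTP/1.1" 499 0 "-" "-"
198.51.100.7 - - [14/Oct/2014:14:17:55 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
203.0.113.9 - - [14/Oct/2014:14:20:00 +0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Oct/2014:14:20:30 +0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Oct/2014:14:21:30 +0400] "POST /wp-login.php?redirect_to=%2F HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
this line is not an access log entry
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def max_in_window(times, window_seconds):
    """Largest number of events that fall inside any interval of window_seconds."""
    times = sorted(times)
    best = 0
    left = 0
    for right, t in enumerate(times):
        # Advance the left edge until the interval fits inside the window.
        while (t - times[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_login_bursts(log_text, window_seconds=1800, threshold=50):
    """Map each client IP to its peak count of login POSTs inside the window,
    keeping only clients at or above the threshold."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Count every POST to a login path regardless of status: a 499
        # (client closed the connection) is still a guess that was sent.
        if method == "POST" and path.split("?", 1)[0] in LOGIN_PATHS:
            posts[ip].append(ts)
    flagged = {}
    for ip, ts_list in posts.items():
        n = max_in_window(ts_list, window_seconds)
        if n >= threshold:
            flagged[ip] = n
    return flagged


if __name__ == "__main__":
    # The default threshold of 50 is far above the sample; lowered here for the demo.
    for ip, n in find_login_bursts(SAMPLE_LOG, threshold=5).items():
        print(f"{ip}: {n} login POSTs within 30 minutes")
```

The sliding window is what separates a credential-guessing burst from a legitimate user who mistypes a password a few times over an afternoon; the same peak-count logic can be fed to a rate limiter or a fail2ban-style jail rule instead of a print statement.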

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays