Re: [tor-relays] Sent open privoxy port warning
On Wed, 2013-09-11 at 12:35 -0700, Aaron Hopkins wrote:
> I sent the following warning to the listed e-mail address of 14 of the 19
> Tor nodes I found that accepted connections on port 8118, some of which
> bounced.
>
> If any of you run or know how to get in touch with the operators of the
> nodes DaJoker, FawkesSwissBlade, LUDICROUS2U, RaspberryPI, pangu,
> mouseHouse, tornonym, or 75.137.122.118, I'd appreciate it if you could
> pass this along.
>
> Thanks!
>
> -- Aaron
>
> ---
>
> I noticed your Tor node _ with an IP of _ is one of 19 nodes that accepts
> connections publicly on TCP port 8118, which is the default port for
> Privoxy. I suspect this might be a configuration mistake.
>
> I'm investigating this because my tor node "tordienet" has received millions
> of HTTP proxy requests to port 8118 per day for months. The requests appear
> to come from a botnet running on roughly 1500 IPs, and seem to be related to
> advertising click fraud. From the discussion in July on the
> tor-relays@xxxxxxxxxxxxxxxxxxxx mailing list (archive at
> https://lists.torproject.org/pipermail/tor-relays/), this appears to be true
> of many nodes.
>
> Port 8118 is the default port for Privoxy, which comes bundled with Tor but
> is meant to provide an HTTP proxy for you and your local users to browse
> through and is not designed to be offered as a public service. If you don't
> use Privoxy, would you mind shutting it down? Or if you do, can you move it
> to a different port and/or only allow your own IPs to connect to it?
>
> I'd be happy to provide more information or help you with the configuration
> changes if I can.
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hello Aaron,
Some time ago I noticed similar behavior from a series of IP numbers,
which mostly were inside limestonenetworks' IP range and searched for
polipo (port 8123). I sent an email alert to its admins, but received no
answer whatsoever. I also sent it to this mailing list and some others, but
since my mail wasn't registered I think it bounced. I'm copying it
below, in case this is of any help.
Also, wouldn't this be the case for a "routine security alert" on tor
blogs?
**************************
Hello dear companions,
Two days ago one of my tor exit nodes experienced something I'm now
calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all
packets in the storm were flowing from a range of 514 different IP
addresses, all of them inside limestonenetworks IP range and targeting
port 8123 on my tor exit node WAN IP.
Before the packet storm, I could observe a huge increase in attempts to
access my WAN domain through tor. I couldn't relate IP addresses from
this first rise to those responsible for the actual packet storm, nor
could I identify some useful pattern there, but they were all coming
from port 9001 and increased just some hours before the storm, so I'm
guessing they are related somehow.
Also, throughout the storm, one of my log files got corrupted with some
unreadable bin garbage. I do not know if it was an intended/targeted
exploit, but I'm reworking secrets and trying to figure out what this
binary is.
Here is a sample line of a WAN attempt:
Aug 13 16:50:22 $USER user.warn kernel: [DROP INVALID WAN] : IN=vlan2
OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
SRC=77.56.151.190 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43
ID=38787 DF PROTO=TCP SPT=40888 DPT=9001 SEQ=289854459 ACK=41163
Here is a sample line of packet storm:
Aug 13 20:39:14 $USER user.warn kernel: [hammer] : IN=vlan2 OUT=
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
SRC=74.63.216.60 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48
ID=20269 DF PROTO=TCP SPT=1757 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0
OP
The attack persisted for at least three hours and left this binary (hex
represented):
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0000b90 0000 0000 0000 0000 0000 0000 2067 3331
0000ba0 3220 3a30 3135 303a 2034 6174 6567 7573
0000bb0 7568 7520 6573 2e72 6177 6e72 6b20 7265
0000bc0 656e 3a6c 5b20 6168 6d6d 7265 205d 203a
0000bd0 4e49 763d 616c 326e 4f20 5455 203d 414d
0000be0 3d43 3030 323a 3a31 3732 663a 3a61 6464
0000bf0 343a 3a34 3030 313a 3a35 3966 323a 3a61
0000c00 6639 643a 3a39 3830 303a 3a30 3534 303a
0000c10 3a30 3030 333a 2034 5253 3d43 3132 2e36
0000c20 3432 2e35 3232 2e31 3031 2037 5344 3d54
0000c30 3831 2e39 3833 322e 3533 322e 3035 4c20
0000c40 4e45 353d 2032 4f54 3d53 7830 3030 5020
0000c50 4552 3d43 7830 3030 5420 4c54 343d 2038
0000c60 4449 313d 3335 3431 4420 2046 5250 544f
0000c70 3d4f 4354 2050 5053 3d54 3932 3635 4420
0000c80 5450 383d 3231 2033 4957 444e 574f 363d
0000c90 3535 3533 5220 5345 303d 3078 2030 5953
0000ca0 204e 5255 5047 303d 000a
0000ca9
Attached is the list of participating IP addresses, line by line, with
the count of packets received. The attacker started sending something
like 4 packets per second and increased to over 9000!!! - just
kidding, over 30 per second.
JSYK, I welcome any comments.
74.63.255.118: 248
216.245.193.201: 235
208.115.232.205: 231
74.63.255.119: 225
216.245.193.200: 219
216.245.193.202: 218
216.245.193.198: 214
74.63.255.120: 204
216.245.220.57: 202
64.31.63.156: 201
216.245.193.203: 198
74.63.255.116: 192
69.162.76.137: 189
64.31.63.153: 186
216.245.220.56: 186
208.115.218.170: 184
74.63.255.74: 179
74.63.255.117: 178
74.63.218.58: 177
69.162.71.236: 176
64.31.11.137: 173
69.162.71.232: 172
216.245.220.59: 172
64.31.58.200: 171
216.245.193.199: 165
64.31.63.154: 164
208.115.230.158: 164
69.162.76.138: 161
69.162.119.46: 161
69.162.119.44: 159
69.162.71.235: 157
74.63.244.202: 155
64.31.63.152: 155
64.31.11.142: 155
216.144.253.39: 154
64.31.58.204: 153
64.31.58.203: 153
216.245.220.58: 151
69.162.76.139: 150
69.162.71.233: 150
64.31.58.202: 148
64.31.63.155: 147
64.31.58.201: 143
216.144.253.40: 138
74.63.218.56: 138
216.245.193.197: 132
74.63.252.233: 127
69.162.76.136: 126
208.115.218.173: 125
208.115.229.125: 125
74.63.255.115: 125
64.31.50.99: 125
74.63.252.234: 122
64.31.50.98: 121
64.31.63.158: 119
208.115.240.190: 119
208.115.240.188: 118
208.115.212.73: 116
208.115.232.204: 114
74.63.216.61: 113
74.63.252.235: 112
208.115.240.189: 112
74.63.218.57: 111
216.144.253.41: 111
64.31.63.157: 110
208.115.232.206: 107
216.245.222.114: 105
69.162.76.253: 105
208.115.218.174: 104
64.31.11.136: 104
74.63.216.62: 104
64.31.58.205: 104
69.162.109.29: 103
64.31.11.138: 103
64.31.50.100: 99
74.63.252.232: 97
216.144.253.36: 96
69.162.125.230: 94
69.162.76.140: 93
69.162.119.39: 91
74.63.244.206: 91
208.115.240.187: 91
208.115.229.126: 88
69.162.71.234: 87
208.115.212.72: 84
74.63.255.114: 83
69.162.109.30: 82
64.31.50.101: 81
69.162.125.228: 81
64.31.53.24: 80
74.63.237.194: 78
64.31.53.26: 77
74.63.218.66: 77
69.162.126.27: 77
74.63.237.195: 76
74.63.255.75: 75
216.144.253.42: 75
216.245.221.107: 74
208.115.228.51: 74
64.31.53.25: 73
64.31.53.27: 72
64.31.38.5: 71
208.115.229.46: 70
69.162.71.237: 69
74.63.221.251: 68
69.162.100.87: 68
64.31.38.2: 68
63.143.51.243: 68
208.115.212.71: 66
74.63.216.60: 65
74.63.252.236: 64
208.115.212.74: 61
64.31.63.243: 58
63.143.36.18: 58
216.245.221.105: 57
63.143.51.244: 57
74.63.200.66: 57
64.31.53.28: 56
216.245.221.103: 56
74.63.240.188: 55
216.144.253.43: 55
64.31.63.244: 55
208.115.228.52: 53
64.31.58.206: 52
64.31.50.102: 51
208.115.229.45: 51
74.63.252.237: 50
208.115.200.230: 47
69.162.125.229: 47
74.63.240.190: 46
64.31.11.130: 46
208.115.215.243: 46
64.31.63.245: 45
64.31.53.30: 45
208.115.222.12: 43
64.31.38.6: 43
74.63.252.238: 42
64.31.53.29: 42
63.143.51.246: 41
216.245.221.106: 39
69.162.83.195: 39
216.245.220.52: 38
208.115.226.130: 38
63.143.51.245: 38
69.162.83.196: 37
64.31.50.103: 37
64.31.50.104: 37
208.115.232.214: 37
208.115.226.189: 37
208.115.222.14: 37
208.115.229.124: 36
216.245.221.104: 36
216.245.222.125: 36
69.162.83.198: 35
63.143.49.228: 35
208.115.229.44: 35
216.245.195.233: 34
64.31.38.3: 34
216.245.220.51: 32
208.115.215.245: 32
208.115.200.219: 32
208.115.200.228: 32
74.63.216.59: 32
216.245.213.78: 31
63.143.36.19: 30
216.245.195.234: 30
208.115.218.172: 30
208.115.212.76: 30
69.162.83.197: 29
216.245.222.126: 29
23.19.99.4: 29
63.143.49.230: 28
64.31.52.149: 28
74.63.240.189: 28
216.245.195.237: 28
64.31.52.166: 28
173.234.116.236: 27
23.19.54.153: 27
64.31.28.5: 27
69.162.116.171: 27
23.19.54.157: 27
173.234.116.235: 26
216.245.222.115: 26
208.115.232.213: 26
74.63.237.197: 26
208.115.212.75: 26
216.245.195.238: 26
216.245.221.101: 26
69.162.76.141: 25
216.245.195.235: 24
64.31.63.94: 24
69.162.74.20: 23
216.245.220.53: 23
64.31.63.246: 23
173.234.116.231: 23
23.19.54.189: 23
208.115.226.187: 22
23.19.54.151: 22
64.31.38.4: 22
64.31.63.247: 22
173.234.116.233: 22
64.31.63.169: 21
23.19.54.158: 21
216.144.240.38: 21
173.234.247.26: 21
216.245.222.123: 21
216.245.222.124: 21
74.63.193.12: 20
64.31.28.7: 20
216.245.221.102: 20
64.31.51.210: 19
173.234.116.234: 19
64.31.51.213: 19
69.162.65.196: 18
208.115.215.244: 18
64.31.28.4: 18
208.115.228.54: 18
64.31.52.147: 18
69.162.126.116: 18
208.115.200.235: 18
216.245.222.118: 17
23.19.54.152: 17
23.19.99.5: 17
208.115.215.250: 17
23.19.54.244: 16
208.115.200.237: 16
23.19.54.188: 16
216.245.222.117: 15
208.115.229.114: 15
216.245.222.116: 15
23.19.54.190: 15
173.234.116.237: 15
74.63.193.14: 15
69.162.126.115: 15
173.234.116.238: 15
23.19.99.7: 14
208.115.212.77: 14
216.245.219.70: 14
173.234.116.184: 14
63.143.51.247: 14
74.63.218.68: 14
64.31.28.3: 13
69.162.88.171: 13
23.19.79.51: 13
208.115.228.55: 13
74.63.237.198: 13
208.115.226.188: 13
173.234.116.186: 13
23.19.54.44: 12
69.162.119.38: 12
63.143.36.40: 12
173.234.116.232: 12
74.63.232.211: 11
23.19.79.52: 11
208.115.200.232: 11
216.245.195.236: 11
142.91.245.132: 11
208.115.211.58: 11
23.19.54.43: 11
64.31.28.6: 10
208.115.215.246: 10
108.62.75.7: 10
208.115.215.248: 10
173.234.12.187: 10
23.19.54.156: 10
208.115.200.238: 9
173.234.116.183: 9
108.62.75.6: 9
69.162.126.117: 9
108.62.236.190: 9
173.234.116.188: 9
173.234.116.185: 9
69.162.65.195: 9
173.208.57.54: 9
23.19.54.154: 8
64.31.51.211: 8
142.91.31.251: 8
64.31.63.93: 8
23.19.47.229: 8
23.19.58.236: 8
208.115.200.234: 8
173.234.247.19: 8
64.31.53.23: 8
216.144.247.141: 8
69.162.74.22: 8
173.234.116.189: 7
208.115.200.212: 7
64.31.52.162: 7
69.162.127.172: 7
23.19.50.22: 6
173.234.224.62: 6
108.62.75.8: 6
23.19.63.172: 6
216.144.247.174: 6
64.31.50.106: 6
173.234.60.179: 6
69.162.104.168: 6
63.143.36.45: 6
74.63.193.13: 6
208.115.221.194: 5
208.115.232.215: 5
69.162.65.197: 5
69.162.88.172: 5
208.115.228.56: 5
63.143.36.42: 5
208.115.246.199: 5
23.19.99.14: 5
208.115.211.56: 5
69.162.74.21: 5
173.234.116.187: 5
69.162.77.29: 4
64.31.43.141: 4
64.31.53.18: 4
23.19.54.155: 4
208.115.212.78: 4
23.19.99.11: 4
216.245.220.54: 4
23.19.130.169: 4
74.63.240.187: 4
69.162.64.254: 4
23.19.54.187: 4
69.162.86.84: 4
63.143.36.43: 3
173.234.33.66: 3
74.63.232.217: 3
23.19.54.242: 3
23.19.50.20: 3
173.234.247.21: 3
23.19.50.19: 3
74.63.255.36: 3
23.19.50.23: 3
173.208.85.19: 3
23.19.130.166: 3
23.19.99.8: 3
23.19.50.24: 3
23.19.75.215: 3
173.234.60.182: 3
173.234.41.44: 3
23.19.54.246: 3
69.162.86.85: 3
74.63.237.199: 3
23.19.99.12: 3
74.63.193.4: 3
23.19.75.212: 3
69.162.76.254: 2
64.31.53.20: 2
64.31.52.173: 2
173.208.57.53: 2
69.162.67.70: 2
216.144.243.28: 2
74.63.200.77: 2
74.63.255.35: 2
69.162.126.22: 2
23.19.79.53: 2
173.234.224.61: 2
208.115.218.162: 2
69.162.117.118: 2
208.115.222.13: 2
23.19.63.174: 2
216.245.220.55: 2
74.63.232.212: 2
208.115.229.115: 2
208.115.232.198: 2
208.115.229.119: 2
63.143.36.26: 2
74.63.216.53: 2
23.19.47.227: 2
208.115.240.66: 2
208.115.230.157: 2
23.19.99.2: 2
69.162.86.86: 2
208.115.209.51: 2
69.162.77.30: 2
208.115.226.186: 2
208.115.226.182: 2
216.144.240.43: 1
69.162.83.26: 1
208.115.209.57: 1
69.162.74.19: 1
64.31.62.190: 1
69.162.120.93: 1
173.234.116.11: 1
64.31.28.8: 1
23.19.99.13: 1
216.144.250.20: 1
URGP=0 OPT (02: 1
216.144.247.136: 1
216.245.213.75: 1
69.162.100.86: 1
63.143.51.249: 1
69.162.100.83: 1
64.31.11.131: 1
208.115.246.206: 1
216.245.222.121: 1
63.143.36.30: 1
208.115.226.131: 1
208.115.222.5: 1
208.115.226.142: 1
63.143.36.46: 1
69.162.83.83: 1
69.162.100.84: 1
69.162.126.118: 1
69.162.120.90: 1
208.115.245.251: 1
216.245.221.99: 1
208.115.221.197: 1
208.115.222.2: 1
208.115.221.205: 1
208.115.226.138: 1
64.31.39.150: 1
64.31.50.18: 1
64.31.52.107: 1
63.143.36.24: 1
216.144.252.126: 1
74.63.218.51: 1
63.143.45.115: 1
208.115.246.205: 1
64.31.62.182: 1
OW=65535 RES: 1
69.162.121.12: 1
173.234.116.69: 1
23.19.67.214: 1
69.162.76.252: 1
208.115.232.218: 1
173.234.41.40: 1
108.62.40.236: 1
208.115.215.252: 1
74.63.252.100: 1
63.143.36.34: 1
208.115.200.196: 1
69.162.88.173: 1
74.63.216.52: 1
69.162.126.29: 1
208.115.221.195: 1
69.162.83.28: 1
23.19.47.230: 1
208.115.222.3: 1
208.115.213.14: 1
64.31.39.157: 1
23.19.54.247: 1
74.63.232.214: 1
69.162.119.206: 1
69.162.116.174: 1
208.115.232.220: 1
208.115.240.68: 1
64.31.39.158: 1
69.162.126.21: 1
69.162.124.4: 1
108.62.40.235: 1
69.162.76.142: 1
216.144.253.35: 1
69.162.119.35: 1
20=0x00: 1
208.115.213.12: 1
69.162.113.70: 1
74.63.218.71: 1
64.31.39.147: 1
64.31.39.154: 1
SPT=1480 DP: 1
64.31.11.140: 1
74.63.218.69: 1
64.31.51.219: 1
208.115.211.60: 1
30001010402)
: 1
208.115.222.10: 1
208.115.240.67: 1
69.162.100.82: 1
69.162.105.68: 1
23.19.54.181: 1
208.115.232.211: 1
23.19.54.148: 1
74.63.218.78: 1
23.19.54.253: 1
216.245.210.61: 1
64.31.50.108: 1
108.62.185.205: 1
63.143.45.119: 1
64.31.62.185: 1
208.115.212.68: 1
208.115.232.197: 1
216.144.254.195: 1
208.115.226.135: 1
74.63.218.60: 1
64.31.38.116: 1
64.31.51.216: 1
23.19.54.180: 1
69.162.105.70: 1
23.19.130.164: 1
64.31.52.108: 1
208.115.209.60: 1
208.115.218.166: 1
64.31.52.174: 1
63.143.36.35: 1
69.162.120.94: 1
64.120.56.14: 1
208.115.209.58: 1
64.31.48.156: 1
SYN URGP=0 OPT: 1
69.162.127.173: 1
208.115.233.28: 1
216.245.220.166: 1
23.19.130.163: 1
63.143.45.124: 1
64.31.52.158: 1
63.143.36.38: 1
64.31.62.163: 1
63.143.36.29: 1
64.31.39.152: 1
216.144.247.169: 1
74.63.232.213: 1
O=TCP SPT=2216 : 1
208.115.211.50: 1
74.63.200.73: 1
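An added example, not part of either message and not the tooling the posters used, that covers the two artifacts quoted above: it rebuilds the bytes from a hexdump in the layout shown in the message (the default hexdump word layout, 16-bit words shown little-endian, "*" for elided repeated lines, a trailing line holding the total length) and splits off the leading NUL run, then parses netfilter kernel-log lines of the quoted kind into fields and flags and tallies TCP SYNs to the proxy port by source address, the way the attached list does. The dump and log lines embedded in it are constructed for the example (documentation address ranges, a placeholder host "gw" and MAC, the [hammer] log prefix from the message), not the poster's data. Run on the dump quoted in the message, the same parser shows that the "unreadable bin garbage" is a run of NUL bytes followed by the ASCII tail of an ordinary [hammer] log line, which is what a log file looks like after an unclean shutdown during the storm rather than an injected payload. Parsing by field also avoids the stray entries in the attached list ("URGP=0 OPT (02: 1", "OW=65535 RES: 1" and the like), which are wrapped line fragments that a whitespace split counted as addresses.

```python
from collections import Counter

# Constructed sample in the layout of the dump quoted in the message: default
# `hexdump` output, 16-bit words shown little-endian, "*" for repeated lines and a
# final line holding the total length. Content: 32 NUL bytes, then the tail of a
# netfilter log line. This is constructed data, not the poster's dump.
SAMPLE_DUMP = """\
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0000020 685b 6d61 656d 5d72 3a20 4420 5450 383d
0000030 3231 2033 5953 204e 5255 5047 303d 000a
000003f
"""

def parse_hexdump(text):
    """Rebuild the bytes from default-format hexdump output (with "*" elision)."""
    out = bytearray()
    last_line = b""
    elided = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            elided = True          # lines up to the next offset repeat last_line
            continue
        fields = line.split()
        offset = int(fields[0], 16)
        if elided:
            if not last_line:
                raise ValueError("'*' before any data line")
            while len(out) < offset:
                out += last_line[: offset - len(out)]
            elided = False
        if len(fields) == 1:       # trailing line: total length, trims the padded final byte
            del out[offset:]
            break
        chunk = bytearray()
        for word in fields[1:]:
            value = int(word, 16)
            chunk += bytes([value & 0xFF, value >> 8])   # low byte first
        out += chunk
        last_line = bytes(chunk)
    return bytes(out)

def split_nul_prefix(blob):
    """Return (number of leading NUL bytes, the text that follows them)."""
    n = len(blob) - len(blob.lstrip(b"\x00"))
    return n, blob[n:].decode("ascii", errors="replace")

def parse_netfilter(line):
    """Split a kernel netfilter log line into key=value fields and bare flags (DF, SYN, ...)."""
    body = line.partition("] : ")[2] or line   # drop the syslog header and the [prefix]
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return fields, flags

def tally_syn_by_source(lines, dport):
    """Count TCP SYNs to dport per source address; other ports and non-SYN packets are skipped."""
    hits = Counter()
    for line in lines:
        fields, flags = parse_netfilter(line)
        if (fields.get("PROTO") == "TCP" and fields.get("DPT") == str(dport)
                and "SYN" in flags and fields.get("SRC")):
            hits[fields["SRC"]] += 1
    return hits

def noisy_sources(hits, min_packets):
    """Sources at or above the threshold, busiest first, like the list attached to the message."""
    return sorted(((ip, n) for ip, n in hits.items() if n >= min_packets),
                  key=lambda item: (-item[1], item[0]))

# Constructed log lines in the quoted format; "gw", the MAC and the addresses are placeholders.
NF = ("Aug 13 20:39:14 gw user.warn kernel: [hammer] : IN=vlan2 OUT= "
      "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC={src} DST=198.51.100.9 "
      "LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID={id} DF PROTO=TCP SPT={spt} DPT={dpt} "
      "WINDOW=65535 RES=0x00 {flags} URGP=0")
LOG_LINES = [
    NF.format(src="203.0.113.10", id=20269, spt=1757, dpt=8123, flags="SYN"),
    NF.format(src="203.0.113.10", id=20270, spt=1758, dpt=8123, flags="SYN"),
    NF.format(src="203.0.113.11", id=31001, spt=40888, dpt=8123, flags="SYN"),
    NF.format(src="203.0.113.12", id=38787, spt=40889, dpt=9001, flags="SYN"),  # relay port, not counted
    NF.format(src="203.0.113.13", id=38790, spt=40890, dpt=8123, flags="ACK"),  # no SYN, not counted
]

if __name__ == "__main__":
    nuls, tail = split_nul_prefix(parse_hexdump(SAMPLE_DUMP))
    print(f"{nuls} NUL bytes, then: {tail!r}")
    print(parse_netfilter(tail))
    for ip, n in noisy_sources(tally_syn_by_source(LOG_LINES, 8123), 1):
        print(f"{ip}: {n}")
```

The recovered tail of the dump parses with the same field splitter as a live log line, so the decode and the tally can be chained on a corrupted file without special-casing it; the threshold in noisy_sources is the knob for separating a storm from background scanning.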