<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Dear all,<div class=""><br class=""></div><div class="">I’ve been running tor non-exit relay freshhumbug at <a href="http://torrelay.nl" class="">torrelay.nl</a> for about 3 months now.</div><div class="">Recently, I tried running it as an exit relay for a week, with following interesting results.</div><div class=""><br class=""></div><div class="">Set up:</div><div class="">- Ubuntu 14.04 running as VPS with <a href="http://transip.nl" class="">transip.nl</a>, latest release version of Tor</div><div class="">- bandwidth rate set to between 1 MB/s and 2 MB/s</div><div class="">- VERY reduced exit policy (listed below)</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Part 1: Abuse over HTTP.</div><div class=""><br class=""></div><div class="">Within one week of being an exit, my provider forwarded the following abuse notification to me (XXXX is the abused Russian website, ZZZZ is me):</div><div class="">====<br class="">Greetings,<br class=""><br class="">XXXX abuse team like to inform you, that we have had mass bruteforce attempts to the Joomla / WordPress control panel on the our shared-hosting server XXXX from your network, from IP address ZZZZ<br class=""><br class="">During the last 30 minutes we recorded 333 attempts like this:<br class=""><br class="">XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"<br class="">XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"<br class="">XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"<br class="">XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-“<br class="">XXXX - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php HTTP/1.1" 499 0 "-" "-"<br class="">====<br class=""></div><div class=""><br class=""></div><div class="">Lesson (for me at least): since HTTP was used, even a very reduced exit policy is does not make one immune to abuse problems. </div><div class="">At this point I reverted back to being a non-exit relay, as I have no interest in having to deal with this.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Part 2: Stealrat infection.</div><div class=""><br class=""></div><div class="">As part of being an exit relay, I set reverse DNS to <a href="http://this-is-a-tor-exit.torrelay.nl" class="">this-is-a-tor-exit.torrelay.nl</a>, and I displayed the this-is-a-tor-exit-node.html web page on port 80, using the DirPortFrontPage option.</div><div class="">A few days after having shut down my exit, I received notification from my provider that they have been told that my IP address was infected with Stealrat. It hosted a Stealrat PHP file, used to send spam.</div><div class="">- <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations/" class="">http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations/</a><br class="">- <a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf" class="">http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf</a></div><div class=""><br class=""></div><div class="">However, the only thing I do with my VPS is run tor. I don’t run a web site, and don’t have apache or whatever installed.</div><div class="">I didn’t investigate much further, but my hypothesis is that when publishing the tor-exit notice on port 80 either tor internally uses a web server or enables a web server that’s present in the system. Either way, that webserver was hacked through a PHP hack.</div><div class="">(Note that I received the Stealrat notification only after stopping my exit node. I’m not sure if the Stealrat hack was still active or not. I couldn’t find relevant PHP files on my system.)</div><div class="">Since I didn’t want to spend time or effort (figuring out how to) clean my system, I reinstalled ubuntu & tor (only ~40 min work anyway).</div><div class=""><br class=""></div><div class="">Lesson (for me): using the DirPortFrontPage option opens up an unexpected web server vulnerability.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Perhaps this information is useful for others. </div><div class=""><br class=""></div><div class="">With best regards,</div><div class="">Kees</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Relevant parts of the torrc:</div><div class=""><br class=""></div><div class=""><div class="">ORPort 9001 # port used for relaying traffic</div><div class="">DirPort 80 # port used for mirroring directory information - not used, since have accountingmax</div><div class="">SocksPort 0 # prevents tor from being used as a client</div><div class="">RelayBandwidthRate 1000 KB # limit for the bandwidth we'll use to relay</div><div class="">RelayBandwidthBurst 10 MB # maximum rate when relaying bursts of traffic</div><div class="">BandwidthRate 1000 KB # same as RelayBandwidthRate</div><div class="">BandwidthBurst 10 M # same as RelayBandwidthBurst</div></div><div class="">DirPortFrontPage /home/administrator/.arm/this-is-a-tor-exit.html</div><div class=""><div class="">ExitPolicy accept *:20-23 # FTP, SSH, telnet</div><div class="">ExitPolicy accept *:43 # WHOIS</div><div class="">ExitPolicy accept *:53 # DNS</div><div class="">ExitPolicy accept *:79-81 # finger, HTTP</div><div class="">ExitPolicy accept *:88 # kerberos</div><div class="">ExitPolicy accept *:220 # IMAP3</div><div class="">ExitPolicy accept *:389 # LDAP</div><div class="">ExitPolicy accept *:443 # HTTPS</div><div class="">ExitPolicy accept *:464 # kpasswd</div><div class="">ExitPolicy accept *:531 # IRC/AIM</div><div class="">ExitPolicy accept *:543-544 # Kerberos</div><div class="">ExitPolicy accept *:554 # RTSP</div><div class="">ExitPolicy accept *:563 # NNTP over SSL</div><div class="">ExitPolicy accept *:636 # LDAP over SSL</div><div class="">ExitPolicy accept *:749 # kerberos </div><div class="">ExitPolicy accept *:981 # Remote HTTPS management for firewall</div><div class="">ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL</div><div class="">ExitPolicy accept *:1194 # OpenVPN</div><div class="">ExitPolicy accept *:1293 # PKT-KRB-IPSec</div><div class="">ExitPolicy accept *:1723 # PPTP</div><div class="">ExitPolicy accept *:1755 # RTSP</div><div class="">ExitPolicy accept *:2086-2087 # GNUnet, ELI</div><div class="">ExitPolicy accept *:3690 # SVN</div><div class="">ExitPolicy accept *:4321 # RWHOIS</div><div class="">ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL</div><div class="">ExitPolicy accept *:5900 # VNC</div><div class="">ExitPolicy accept *:6660-6669 # IRC</div><div class="">ExitPolicy accept *:6679 # IRC SSL </div><div class="">ExitPolicy accept *:6697 # IRC SSL </div><div class="">ExitPolicy accept *:8008 # HTTP alternate</div><div class="">ExitPolicy accept *:8080 # HTTP Proxies</div><div class="">ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port</div><div class="">ExitPolicy accept *:8332-8333 # Bitcoin</div><div class="">ExitPolicy accept *:8443 # PCsync HTTPS</div><div class="">ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE</div><div class="">ExitPolicy accept *:9418 # git</div><div class="">ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol)</div><div class="">ExitPolicy accept *:50002 # Electrum Bitcoin SSL</div><div class="">ExitPolicy reject *:*</div></div><div class=""><br class=""></div></body></html>