Dear all,
I’ve been running tor non-exit relay freshhumbug at torrelay.nl for about 3 months now.
Recently, I tried running it as an exit relay for a week, with following interesting results.
Set up:
- Ubuntu 14.04 running as VPS with transip.nl, latest release version of Tor
- bandwidth rate set to between 1 MB/s and 2 MB/s
- VERY reduced exit policy (listed below)
Part 1: Abuse over HTTP.
Within one week of being an exit, my provider forwarded the following abuse notification to me (XXXX is the abused Russian website, ZZZZ is me):
====
Greetings,
XXXX abuse team would like to inform you that we have had mass brute-force attempts to the Joomla / WordPress control panel on our shared-hosting server XXXX from your network, from IP address ZZZZ.
During the last 30 minutes we recorded 333 attempts like this:
XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php HTTP/1.1" 499 0 "-" "-"
====
Lesson (for me at least): since HTTP was used, even a very reduced exit policy does not make one immune to abuse problems.
At this point I reverted back to being a non-exit relay, as I have no interest in having to deal with this.
Part 2: Stealrat infection.
As part of being an exit relay, I set reverse DNS to this-is-a-tor-exit.torrelay.nl, and I displayed the this-is-a-tor-exit-node.html web page on port 80, using the DirPortFrontPage option.
A few days after having shut down my exit, I received notification from my provider that they had been told that my IP address was infected with Stealrat. It hosted a Stealrat PHP file, used to send spam.
However, the only thing I do with my VPS is run tor. I don’t run a web site, and don’t have apache or whatever installed.
I didn’t investigate much further, but my hypothesis is that when publishing the tor-exit notice on port 80, either tor internally uses a web server or enables a web server that’s present on the system. Either way, that web server was hacked through a PHP hack.
(Note that I received the Stealrat notification only after stopping my exit node. I’m not sure if the Stealrat hack was still active or not. I couldn’t find relevant PHP files on my system.)
Since I didn’t want to spend time or effort (figuring out how to) clean my system, I reinstalled ubuntu & tor (only ~40 min work anyway).
Lesson (for me): using the DirPortFrontPage option opens up an unexpected web server vulnerability.
Perhaps this information is useful for others.
With best regards,
Kees
Relevant parts of the torrc:
ORPort 9001 # port used for relaying traffic
DirPort 80 # port used for mirroring directory information - not used, since I have AccountingMax
SocksPort 0 # prevents tor from being used as a client
RelayBandwidthRate 1000 KB # limit for the bandwidth we'll use to relay
RelayBandwidthBurst 10 MB # maximum rate when relaying bursts of traffic
BandwidthRate 1000 KB # same as RelayBandwidthRate
BandwidthBurst 10 M # same as RelayBandwidthBurst
DirPortFrontPage /home/administrator/.arm/this-is-a-tor-exit.html
ExitPolicy accept *:20-23 # FTP, SSH, telnet
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79-81 # finger, HTTP
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
ExitPolicy accept *:563 # NNTP over SSL
ExitPolicy accept *:636 # LDAP over SSL
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5900 # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679 # IRC SSL
ExitPolicy accept *:6697 # IRC SSL
ExitPolicy accept *:8008 # HTTP alternate
ExitPolicy accept *:8080 # HTTP Proxies
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418 # git
ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:50002 # Electrum Bitcoin SSL
ExitPolicy reject *:*
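As an added example (not part of Kees's message or of Tor itself), the following Python evaluator reads a constructed subset of the ExitPolicy lines above and applies Tor's first-match semantics to a destination port. It shows why a policy this long still lets plain HTTP (ports 80, 81, 8080) exit, and how prepending a single reject rule changes the outcome; the address handling is simplified to "*" or an exact string, and accept6/reject6 lines are not handled.

```python
import re
from typing import List, Tuple

# Constructed subset of the torrc's ExitPolicy block; Tor evaluates rules
# top to bottom and the first rule covering the destination decides.
EXIT_POLICY = """
ExitPolicy accept *:20-23 # FTP, SSH, telnet
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79-81 # finger, HTTP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:8080 # HTTP Proxies
ExitPolicy reject *:*
"""

# Ports on which a client's traffic leaves the exit as cleartext HTTP.
PLAINTEXT_HTTP_PORTS = (80, 81, 8008, 8080, 8888)

Rule = Tuple[str, str, int, int]  # (action, address, low_port, high_port)
RULE_RE = re.compile(r"^ExitPolicy\s+(accept|reject)\s+(\S+):(\*|\d+(?:-\d+)?)$")


def parse_policy(text: str) -> List[Rule]:
    """Parse ExitPolicy lines (comments stripped) into rules in file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable ExitPolicy line: {line!r}")
        action, addr, ports = m.groups()
        if ports == "*":
            lo, hi = 1, 65535
        else:
            parts = ports.split("-")
            lo, hi = int(parts[0]), int(parts[-1])
        rules.append((action, addr, lo, hi))
    return rules


def exit_allowed(rules: List[Rule], port: int, addr: str = "*") -> bool:
    """First match wins, as in Tor; fall back to reject if nothing matches."""
    for action, rule_addr, lo, hi in rules:
        if rule_addr in ("*", addr) and lo <= port <= hi:
            return action == "accept"
    return False


def accepted_plaintext_http_ports(rules: List[Rule]) -> List[int]:
    """Which cleartext-HTTP ports this policy lets out (abuse-relevant)."""
    return [p for p in PLAINTEXT_HTTP_PORTS if exit_allowed(rules, p)]
```

Prepending "ExitPolicy reject *:80" to the text closes port 80 while 79 and 81 stay open, because the reject now matches first.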