Dear Nepenthes Development Team,
Do you know anything about the 55 Tor Relays called "Relay127001"? https://atlas.torproject.org/#search/Relay127001 They appeared around the 23rd of June 2016.
It looks like the relays have a self-signed HTTPS certificate called "Nepenthes Development Team" on port 443.
If you know about these relays, there are a few things you can do to help the Tor network:
* let us know if the relays are doing anything other than relaying traffic
* provide a ContactInfo in the torrc, typically an email address
* declare the relays to be part of a family using "MyFamily fingerprint0, … fingerprint54" in the torrc
Previous discussion on the tor-relays list is below:
On 24 Jun 2016, at 16:44, simon komsat@kalidasa.klamath.ch wrote:
On 23.06.2016 22:47, yandereson@riseup.net wrote:
I check torstatus/atlas regularly and this was showing up: https://atlas.torproject.org/#search/Relay127001 I just thought I'd report it here.
I copy-pasted some of the IP addresses into my web browser's URL bar to check for a dir front page; but what actually shows up is "Directory listing for /" for several of them.
None of them have a DirPort, so Tor won't serve any front page. You're seeing the output from some other web server running on port 80. No identifying headers. It looks like a very basic server that serves HTML 3.2.
The HTTPS is more interesting: a self-signed "Nepenthes Development Team" certificate. It's apparently a malware collection platform that "emulates only the vulnerable parts of a service". Here's the relevant paper: https://www1.cs.fau.de/filepool/publications/collecting-malware-final.pdf
I've seen something similar for "involuntary" FTP servers before. Botnet?
Or a honeypot. Or a series of cloned servers. It's hard to tell. But there do seem to be a large number of them, 55 in a recent consensus. And no contact info, either.
We might want to remove these relays from the network before they pick up too many more flags.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B ricochet:ekmygaiu4rzgsk6n
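The ContactInfo and MyFamily advice in the message above, turned into a check an operator of many relays could run over their torrc files before deploying them. This is an added example, not code from the thread or from the Tor project; the three torrc texts and the 40-hex fingerprints are constructed, and the check assumes that every relay in the set should list every other relay in MyFamily.

```python
"""Check a set of relay torrc files for a ContactInfo line and for a
MyFamily line that names every other relay in the set.
Added example; torrc texts and fingerprints below are constructed."""
import re

# A MyFamily entry is a 40-hex fingerprint with an optional leading "$".
FP_RE = re.compile(r"^\$?([0-9A-Fa-f]{40})$")


def parse_torrc(text):
    """Map option name (lower-cased, Tor treats names case-insensitively)
    to its last value, ignoring comments and blank lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def family_fingerprints(value):
    """Normalise a MyFamily value to a set of upper-case fingerprints;
    entries that are not fingerprints (e.g. nicknames) are ignored."""
    fps = set()
    for item in value.split(","):
        m = FP_RE.match(item.strip())
        if m:
            fps.add(m.group(1).upper())
    return fps


def check_family(relays):
    """relays: dict fingerprint -> torrc text. Returns a list of problems."""
    problems = []
    all_fps = {fp.upper() for fp in relays}
    for fp, text in relays.items():
        opts = parse_torrc(text)
        if not opts.get("contactinfo"):
            problems.append(f"{fp[:8]}: no ContactInfo")
        declared = family_fingerprints(opts.get("myfamily", ""))
        missing = all_fps - {fp.upper()} - declared
        if missing:
            problems.append(f"{fp[:8]}: MyFamily missing {len(missing)} relay(s)")
    return problems


# Constructed sample: three relays, one forgets a sibling, one has no contact.
FP_A, FP_B, FP_C = "A" * 40, "B" * 40, "C" * 40
SAMPLE = {
    FP_A: f"Nickname Relay127001\nContactInfo ops@example.net\nMyFamily ${FP_B}, ${FP_C}\n",
    FP_B: f"Nickname Relay127001\nContactInfo ops@example.net\nMyFamily ${FP_A}\n",
    FP_C: f"Nickname Relay127001\n# ContactInfo left out\nMyFamily ${FP_A}, ${FP_B}\n",
}

if __name__ == "__main__":
    for problem in check_family(SAMPLE):
        print(problem)
```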