On 6/6/2014 7:39 PM, JB wrote:
I just setup my relay node today, and am keeping a hawkish(ish) eye on traffic.... And noticed a flurry of activity from SSH port (22) at 5.104.224.5 - which is listed as an exit.
That exit node uses port 22 as its ORPort (where other relays send Tor traffic). There is nothing suspicious about this. You can verify this info here:
https://globe.torproject.org/#/relay/30D983762D3993AD8F17EB5DCD522A5D6AAE8C5...
But it's also listed on http://cbl.abuseat.org/lookup.cgi?ip=5.104.224.5 as infected (or NATting for a computer that is infected) with the Conficker botnet.
Exits are going to show up in all sorts of lists, because a small group of bad people abuse Tor. Exit nodes get blamed because the "victims" think the traffic actually originates at the exit.
I've black-holed it in the meantime, but am wondering if I'm being overly cautious...
Yes :) Please don't block other tor nodes. Tor can communicate to/from any port the admin has configured.
-- Mike