On Sun, Oct 19, 2014 at 01:24:31PM +0200, Kees Goossens wrote:
However, the only thing I do with my VPS is run tor. I don't run a web site, and don't have apache or whatever installed. I didn't investigate much further, but my hypothesis is that when publishing the tor-exit notice on port 80 either tor internally uses a web server or enables a web server that's present in the system. Either way, that web server was hacked through a PHP hack.
It is much more likely that this was a false positive. That is, whoever sent you the mail was using a wrong-in-your-case mechanism for detecting whether you're infected with "stealrat". They probably just make a list of all the computers that connect to them and send certain traffic. And if your computer connected to them and sent that traffic, onto their list you go.
The Internet is full of people telling other people that they're infected and ought to clean up their computer. Sometimes they're right, sometimes they're wrong. Usually, when it comes to Tor relays they're wrong, because it never occurred to them that you might be proxying the traffic from somebody else.
Hope that helps, --Roger
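As an added example, not part of this thread or of any Tor Project code: the check an operator of such an infection list could run before sending a report is whether the reporting IP was a Tor exit at the time the traffic was seen. The script below parses text in the layout of the Tor Project's exit-addresses list (ExitNode / Published / LastStatus / ExitAddress records) and triages constructed "sightings" against it. The fingerprints, addresses and timestamps are made up for the example, and the 24-hour staleness window is an assumption, not a Tor rule.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the layout of the Tor exit-addresses list.
# Fingerprints, IPs (RFC 5737 ranges) and timestamps are invented.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2014-10-19 10:00:00
LastStatus 2014-10-19 12:00:00
ExitAddress 198.51.100.10 2014-10-19 12:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2014-10-18 09:00:00
LastStatus 2014-10-19 11:00:00
ExitAddress 203.0.113.7 2014-10-19 11:30:00
ExitAddress 203.0.113.8 2014-10-19 11:45:00
"""

# Constructed sighting records (source IP, time seen) as a sinkhole
# operator might log them before deciding whom to notify.
SAMPLE_SIGHTINGS = [
    ("198.51.100.10", "2014-10-19 12:10:00"),  # current exit: likely proxied
    ("192.0.2.44",    "2014-10-19 12:11:00"),  # not an exit: report is plausible
    ("203.0.113.8",   "2014-10-21 08:00:00"),  # exit, but list entry is days old
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_exit_addresses(text):
    """Return {ip: (fingerprint, last_seen)} from exit-addresses text.

    Each ExitAddress line belongs to the most recent ExitNode line above it.
    """
    exits = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint is not None:
            ip = str(ipaddress.ip_address(parts[1]))  # normalise, reject junk
            last_seen = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
            exits[ip] = (fingerprint, last_seen)
    return exits


def triage_sighting(ip, seen_at, exits, max_age=timedelta(hours=24)):
    """Classify one sighting against the exit list.

    'tor-exit'   : the IP was listed as an exit close to the sighting time,
                   so the traffic was probably somebody else's, relayed.
    'stale-exit' : the IP is a known exit but the list entry is far from the
                   sighting time (assumed window); verify before reporting.
    'not-exit'   : no exit record; an infection report is at least plausible.
    """
    ip = str(ipaddress.ip_address(ip))
    if ip not in exits:
        return "not-exit"
    _, last_seen = exits[ip]
    if abs(seen_at - last_seen) <= max_age:
        return "tor-exit"
    return "stale-exit"


def triage_all(sightings, exit_list_text):
    """Return [(ip, verdict), ...] for a batch of (ip, timestamp) sightings."""
    exits = parse_exit_addresses(exit_list_text)
    return [
        (ip, triage_sighting(ip, datetime.strptime(ts, TIME_FMT), exits))
        for ip, ts in sightings
    ]


if __name__ == "__main__":
    for ip, verdict in triage_all(SAMPLE_SIGHTINGS, SAMPLE_EXIT_LIST):
        print(f"{ip:15} {verdict}")
```

Only the 'not-exit' bucket should ever turn into a "you are infected" mail; the other two are exactly the relayed traffic Roger describes, and a list built without this step will keep flagging exit operators.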