Dear Roger,
Thanks for the quick reply. This possibility did occur to me. When I asked my VPS provider about getting more information for further diagnosis, they told me they didn’t have more, but that the party that sent them the notification had been reliable in the past. My provider has been relatively friendly during this process, and I didn’t want to push them further.
Overall, let’s just hope that I’ve been an atypical case in getting two complaints in my first week of operating an exit node.
Thanks, Kees
On 19 Oct 2014, at 13:31, Roger Dingledine arma@mit.edu wrote:
On Sun, Oct 19, 2014 at 01:24:31PM +0200, Kees Goossens wrote:
However, the only thing I do with my VPS is run tor. I don’t run a web site, and don’t have apache or whatever installed. I didn’t investigate much further, but my hypothesis is that when publishing the tor-exit notice on port 80 either tor internally uses a web server or enables a web server that’s present in the system. Either way, that webserver was hacked through a PHP hack.
It is much more likely that this was a false positive. That is, whoever sent you the mail was using a wrong-in-your-case mechanism for detecting whether you're infected with "stealrat". They probably just make a list of all the computers that connect to them and send certain traffic. And if your computer connected to them and sent that traffic, onto their list you go.
The Internet is full of people telling other people that they're infected and ought to clean up their computer. Sometimes they're right, sometimes they're wrong. Usually, when it comes to Tor relays they're wrong, because it never occurred to them that you might be proxying the traffic from somebody else.
Hope that helps, --Roger
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
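The check Roger's explanation implies, and that either the exit operator or the party sending the complaint would want to run before concluding a host is infected: was the reported IP a Tor exit address at the time of the reported traffic? The example below is added here and is not code from the thread or from the Tor Project. It assumes the exit-addresses format that TorDNSEL publishes at https://check.torproject.org/exit-addresses (one `ExitNode` block per relay with `Published`, `LastStatus` and one or more `ExitAddress <ip> <timestamp>` lines); the sample list embedded in it is constructed, with made-up fingerprints and documentation-range IPs, not real relays. The function and parameter names are the example's own.

```python
"""Triage an abuse complaint against the Tor exit list (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the TorDNSEL exit-addresses format. Fingerprints and
# addresses are invented for this example; they do not belong to real relays.
SAMPLE_EXIT_LIST = """\
ExitNode AAAA0000111122223333444455556666777788889999
Published 2014-10-19 09:48:47
LastStatus 2014-10-19 11:02:48
ExitAddress 203.0.113.10 2014-10-19 11:09:34
ExitNode BBBB0000111122223333444455556666777788889999
Published 2014-10-19 08:12:01
LastStatus 2014-10-19 11:02:48
ExitAddress 198.51.100.7 2014-10-19 10:55:00
ExitAddress 198.51.100.8 2014-10-19 06:20:12
"""


@dataclass
class ExitNode:
    fingerprint: str
    published: Optional[datetime] = None
    last_status: Optional[datetime] = None
    # address -> time the address was last observed exiting
    exit_addresses: Dict[str, datetime] = field(default_factory=dict)


def _ts(text: str) -> datetime:
    return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S")


def parse_exit_list(text: str) -> List[ExitNode]:
    """Parse the exit-addresses format into ExitNode records."""
    nodes: List[ExitNode] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "ExitNode":
            nodes.append(ExitNode(fingerprint=rest.strip()))
            continue
        if not nodes:
            raise ValueError(f"{key!r} line before any ExitNode line")
        cur = nodes[-1]
        if key == "Published":
            cur.published = _ts(rest)
        elif key == "LastStatus":
            cur.last_status = _ts(rest)
        elif key == "ExitAddress":
            ip, date, time = rest.split()
            cur.exit_addresses[ip] = _ts(f"{date} {time}")
        # Unknown keys are ignored so a newer file version still parses.
    return nodes


def exit_fingerprint_for(nodes: List[ExitNode], ip: str, when: datetime,
                         window: timedelta = timedelta(hours=24)) -> Optional[str]:
    """Fingerprint of the relay seen exiting from `ip` closest to `when`,
    if that observation lies within `window`; otherwise None."""
    best: Optional[str] = None
    best_gap: Optional[timedelta] = None
    for node in nodes:
        seen = node.exit_addresses.get(ip)
        if seen is None:
            continue
        gap = abs(when - seen)
        if gap <= window and (best_gap is None or gap < best_gap):
            best, best_gap = node.fingerprint, gap
    return best


def triage_complaint(nodes: List[ExitNode], ip: str, when: datetime,
                     window: timedelta = timedelta(hours=24)) -> str:
    """One-line verdict for an abuse report naming `ip` at time `when`."""
    fp = exit_fingerprint_for(nodes, ip, when, window)
    stamp = when.strftime("%Y-%m-%d %H:%M")
    if fp is None:
        return (f"NOT-EXIT: {ip} was not a listed Tor exit near {stamp}; "
                f"treat the report as a possible real compromise")
    return (f"TOR-EXIT: {ip} was the exit address of relay {fp[:8]} near {stamp}; "
            f"the reported traffic was most likely proxied for a Tor client")


if __name__ == "__main__":
    relays = parse_exit_list(SAMPLE_EXIT_LIST)
    # Constructed complaint: "stealrat" traffic from 203.0.113.10 at 13:05 UTC.
    print(triage_complaint(relays, "203.0.113.10", datetime(2014, 10, 19, 13, 5, 11)))
    print(triage_complaint(relays, "192.0.2.99", datetime(2014, 10, 19, 13, 5, 11)))
```

The exit-addresses file only describes relays in the current consensus, so it answers the question for a complaint about the last day or so; for an older timestamp the Tor Project's ExoneraTor service (https://metrics.torproject.org/exonerator.html) keeps the historical record. A match does not prove the host is clean, only that the traffic the reporter saw is consistent with being somebody else's, relayed through the exit, which is exactly the case Roger describes.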