On Tue, May 22, 2012 at 11:18 PM, Mike Perry <mikeperry@torproject.org> wrote:
Thus spake Jon (torance.ca@gmail.com):
On Tue, May 22, 2012 at 3:17 PM, Mike Perry <mikeperry@torproject.org> wrote:
On Tue, 22 May 2012 13:29:54 -0500 Jon torance.ca@gmail.com allegedly wrote:
Yep same here, got notice today from ISP on a report of the 20th for alleged hacking with someone using sqlmap. The reporting IP was a Brazilian gov IP address.
I just blocked the port and kept on serving....
As of yet, no one has mentioned the port. Out of curiosity, is it included in the Reduced Exit Policy? https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
The port was 57734 - of course that doesn't mean another port could be used
Are you sure that's not the source port (which is randomized) for the incident? This is a weird destination port.
If so, simply switching to the Reduced Exit Policy (or adding a reject line for *:57734) would prevent the attack from using your exit. No need to stop exiting entirely.
-- Mike Perry
Yes, that was the source port that was used thru my machine. (you are correct, Mike)
The destination port was 80. The Host: 200.189.123.184
COSED [CSG-GOP-009] SCAN Sqlmap SQL Injection Scan = The Alert that started the alleged hack attempt
I have had similar incidents in the past and all I did was block the port that was used and never had any more issues of the type that was reported.
This particular issue is the 1st for me. Time will tell if it did work or not. At this point, I am still running an Exit relay.
Jon
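
Added example, not part of the thread and not Tor's own code: a minimal first-match evaluator for exit-policy-style lines, showing that a rule is compared against a stream's destination address and port, so a `reject *:57734` line does not match a connection to 200.189.123.184:80. The three policies are constructed samples (not the actual Reduced Exit Policy), and the sketch assumes only `*`, IPv4 addresses or CIDR blocks, and single ports or port ranges.

```python
import ipaddress

def parse_rule(line):
    """Parse 'accept|reject ADDR:PORT'; ADDR is '*' or IPv4[/bits], PORT is '*', N or N-M."""
    action, pattern = line.split()
    if action not in ("accept", "reject"):
        raise ValueError("unknown action in rule: %r" % line)
    addr, _, port = pattern.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return action, net, lo, hi

def decide(policy, dest_ip, dest_port):
    """Return (action, matching_line) for the first rule matching the DESTINATION.

    The client's source port is not an input here. Returns (None, None) when
    no rule matches; this sketch does not model any default policy that Tor
    appends, so the sample policies all end in a catch-all rule.
    """
    ip = ipaddress.ip_address(dest_ip)
    for line in policy:
        action, net, lo, hi = parse_rule(line)
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action, line
    return None, None

# Constructed sample policies for comparison.
PORT_BLOCK = ["reject *:57734", "accept *:*"]            # blocks destination port 57734 only
HOST_BLOCK = ["reject 200.189.123.184:*", "accept *:*"]  # blocks the reporting host
WEB_ONLY = ["accept *:80", "accept *:443", "reject *:*"]

if __name__ == "__main__":
    # The reported connection: destination 200.189.123.184, port 80.
    for name, policy in (("PORT_BLOCK", PORT_BLOCK),
                         ("HOST_BLOCK", HOST_BLOCK),
                         ("WEB_ONLY", WEB_ONLY)):
        action, rule = decide(policy, "200.189.123.184", 80)
        print("%-10s -> %s (matched %r)" % (name, action, rule))
```
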