
On Tue, May 22, 2012 at 11:18 PM, Mike Perry <mikeperry@torproject.org> wrote:
Thus spake Jon (torance.ca@gmail.com):
On Tue, May 22, 2012 at 3:17 PM, Mike Perry <mikeperry@torproject.org> wrote:
On Tue, 22 May 2012 13:29:54 -0500 Jon <torance.ca@gmail.com> allegedly wrote:
Yep, same here, got notice today from ISP on a report of the 20th for alleged hacking with someone using sqlmap. The reporting IP was a Brazilian gov IP address.
I just blocked the port and kept on serving....
As of yet, no one has mentioned the port. Out of curiosity, is it included in the Reduced Exit Policy? https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
The port was 57734 - of course that doesn't mean another port could be used
Are you sure that's not the source port (which is randomized) for the incident? This is a weird destination port.
If so, simply switching to the Reduced Exit Policy (or adding a reject line for *:57734) would prevent the attack from using your exit. No need to stop exiting entirely.
-- Mike Perry
______________________________________________
Yes, that was the source port that was used thru my machine. (You are correct, Mike.)

The destination port was 80.

The Host: 200.189.123.184 COSED [CSG-GOP-009] SCAN Sqlmap SQL Injection Scan = The Alert that started the alleged hack attempt

I have had similar incidents in the past and all I did was block the port that was used and never had any more issues of the type that was reported. This particular issue is the 1st for me. Time will tell if it did work or not. At this point, I am still running an Exit relay.

Jon
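
An added example (not part of the original thread, and not Tor's own code): a minimal evaluator for the IPv4 subset of `ExitPolicy` rules, showing that rules are matched first-match-wins against the destination address and port, so a reject line for the source port 57734 does not affect the reported connection to 200.189.123.184:80. The function names and the sample policies are constructed for illustration.

```python
import ipaddress

def parse_rule(line):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' (IPv4 subset of ExitPolicy syntax)."""
    action, pattern = line.split()
    addr, _, port = pattern.rpartition(":")
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    else:
        lo, _, hi = port.partition("-")
        lo, hi = int(lo), int(hi or lo)
    return action, net, lo, hi

def exit_allowed(policy, dst_ip, dst_port):
    """First matching rule wins; rules only ever see the destination address and port."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, lo, hi in map(parse_rule, policy):
        if ip in net and lo <= dst_port <= hi:
            return action == "accept"
    return False  # assumption for this sketch: no matching rule means reject

# Constructed policies (not copied from any relay's torrc).
# 57734 was the randomized source port of the reported connection.
BLOCK_SOURCE_PORT = ["reject *:57734", "accept *:*"]
# Rejecting the reported destination host instead.
BLOCK_DEST_HOST = ["reject 200.189.123.184:*", "accept *:*"]

if __name__ == "__main__":
    for name, policy in (("reject *:57734", BLOCK_SOURCE_PORT),
                         ("reject 200.189.123.184:*", BLOCK_DEST_HOST)):
        verdict = exit_allowed(policy, "200.189.123.184", 80)
        print(f"{name:28} -> 200.189.123.184:80 allowed: {verdict}")
```
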