Hi there,
I'm here to look for advice or comments on how to handle abuse reports when you run a TOR exit relay on a "server for the mass". I'm running the TOR exit node 18B6EBAF10814335242ECA5705A04AAD29774078 on the Hetzner network (50E/month, this is my contribution to the TOR project). So far I have had to deal with a few "easy" abuse reports (ssh scan, forum insults, spam, ...), and I think I performed pretty well so far (thanks to Hetzner's cooperation?)
But today I just received this botnet-related one. I do take this report seriously; I know that malware is more and more using the TOR network as anonymous cover, I don't like malware, I don't like malicious botnets and I don't like spammers. Still I end up being identified as one of them.
I knew from day one that it was a risky business to run a TOR exit node, but I want to stand up and fight. If only I can convince people that I am doing the right thing.
First of all I am quite surprised that cert-bund.de (the complainant) didn't notice that I am a TOR exit node, so my first question (for people familiar with these guys) is:
- How legit are these guys? Do they run for the German government? Are they simply trying to scare the shit out of me by citing europol.europa.eu and us-cert.gov? (See the redacted forwarded message below; my own opinion is "Yes".)
Then:
- Do they simply spam hosting companies each time they have a probe sensing something somewhere? (I know it's vague, but I can use that as a "this complainant is a spammer" kind of argument.)
Any other thoughts/remarks/comment on that matter?
Regards, Chris
Thought of the day: Nowadays it looks like server administrators tend to send an abuse report each time they receive an illegal ping request!
Testimony of the day: Last time I received an "SSH scan" abuse report, I sent back my SSH honeypot logs, which contain more than 5k login attempts per day.
-------- Original Message --------
[..]
----- attachment -----
Dear Sir or Madam,
"Gameover Zeus" is malicious software which is primarily used by cybercriminals to carry out online banking fraud and to spy out login credentials for online services on infected PCs. It can also be used to install further malicious software (including blackmailing trojans such as "CryptoLocker" ransomware) on PCs or to carry out DDoS attacks.
In a joint international campaign since the end of May 2014, law enforcement agencies, with the support of private sector partners, have taken action against the "Gameover Zeus" botnet [1].
As part of this campaign, it has now been possible to identify the IP addresses of systems infected with "Gameover Zeus" [2].
We are sending you a list of infected systems in your net area.
Would you please examine the situation thoroughly and take appropriate measures to cleanse the systems.
Sources:
[1] Europol: International action against 'Gameover Zeus' botnet and 'CryptoLocker' ransomware <https://www.europol.europa.eu/content/international-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware>
[2] ShadowServer: Gameover Zeus & Cryptolocker http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/
[3] US-CERT: GameOver Zeus P2P Malware https://www.us-cert.gov/ncas/alerts/TA14-150A
A list of infected systems in your net area: [...]
Kind regards, Team CERT-Bund
- How legit are these guys? Do they run for the German government?
They are part of the German government, see https://www.bsi.bund.de/DE/Themen/IT-Krisenmanagement/CERTBund/certbund_node... (German), also https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Kritis/rfc2350_CERT-Bund...
So most likely not FUD but (more or less) friendly advice because of the fishy behaviour of your server. (But they should have checked for Tor... not that professional.)
Renke
Hello Chris and many thanks for running a fast exit!
CERT Bund is the CSIRT of the German Federal Office for Information Security (BSI = Bundesamt fuer Sicherheit in der Informationstechnik) (1)(2). They surely know Tor, because they distribute security advisories for our anonymizer project (3)(4)(5).
But in your case I guess that their operator did not know that you run an exit, or at least did not look on the exit-list.
When I do a Whois lookup of your server (6), there is only the link to Hetzner. When I do the same for exits of Zwiebelfreunde or CCC, there is the hint at Tor: "This network is used for research in anonymisation services and provides a TOR exit node to end users." (7)(8). In the case of Zwiebelfreunde there is also a server running on the exit with a homepage (9).
Probably such a hint will help against a few complaints in future.
Best regards and stay wiretapped!
Anton
1) https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/Cert-Bund/cert-bund_n...
2) https://www.bsi.bund.de/EN/Home/home_node.html
3) https://www.cert-bund.de/advisoryshort/CB-K13-0005
4) https://www.cert-bund.de/advisoryshort/CB-K14-0112
5) https://www.cert-bund.de/advisoryshort/CB-K14-0722
6) https://apps.db.ripe.net/search/query.html?searchtext=5.9.21.19
7) https://apps.db.ripe.net/search/query.html?searchtext=77.247.181.164
8) https://apps.db.ripe.net/search/query.html?searchtext=77.244.254.227
9) http://77.247.181.164
--
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC
On 18/07/14 11:08, Ch'Gans wrote:
[...]
Speaking from experience of operating 25 servers doing 4Gbps, I can quite safely say that if your host has been supportive of Tor, I would simply respond with the normal boilerplate regardless of what the complaint is or who made it. I've received threats from countless organisations, companies and police, and have clashed with Interpol in the past; they are yet to bring a single charge against me in the UK (albeit I have had some servers seized). I am the exception among Tor operators too, not the rule, so if they can't charge me I very much doubt they could charge somebody operating just a single server. The point is that you should be very open that you operate a Tor node, ensure you promptly respond to abuse complaints, and if your provider doesn't seem to be fully convinced by you or is threatening to close your service then it could do with some additional explanation. Heck, if you need it just let me know who to contact and I'll do it for you!
Running Tor isn't illegal, you are protected by various safe-harbour provisions and ultimately if they blacklist you there is little you can do. Half of my IPs are on a lot of "blacklists", and I've found removing them is useful in the short term perhaps, but many are automated and so just waste your time. In the long run we need education more than anything, and in fact I am actually writing up a letter at the moment to encourage some blacklists to check if the IP is a Tor exit node and to prevent their systems spamming operators with abuse complaints. (This section I'll follow up on this mailing list next week.)
My ISP has a policy that as long as the complaints aren't from Spamhaus, they aren't too bothered as long as I reply to the abuse complaints which I do. You should ask your ISP outright what the policy is on these situations. But as far as Spamhaus goes I've not received a single complaint from them out of thousands I have received in the past year.
If you want to talk privately, just reply to me off the mailing list and I'll be happy to do whatever I can.
Regards,
-T
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
The real issue here is somewhere there is a Game Over Zeus infected client that is web browsing through the Tor network.
We have no way of alerting that host to their compromised status, at least not unless entry nodes have a means for detecting infected clients, which I believe is not the case.
Antivirus software is poor at detecting this type of trojan. It is a difficult problem we would do well to give thought to.
On Sat, Jul 19, 2014 at 11:32:38AM +0100, Thomas White wrote:
[...]
On Sat, Jul 19, 2014 at 12:32 PM, Thomas White thomaswhite@riseup.net wrote:
Speaking from experience of operating 25 servers doing 4Gbps, I can quite safely say that if your host has been supportive of Tor, I would simply respond with the normal boilerplate regardless of what the complaint is or who made it.
I have found that if the complaint is of this type - that is, "this machine appears to be [infected with $MALWARE | running an unsafely obsolete version of $OPERATING_SYSTEM | part of $BOTNET]" - it is useful to augment the normal boilerplate along the lines of
| Scanners that aim to detect misconfigured, vulnerable, or infected
| computers will, from time to time, pick up Tor exits as false
| positives, whenever they happen to be emitting traffic that
| originates from such computers. By design, we have no way to pass
| your report along to the true source of the traffic. We can assure
| you that the actual computer at [EXIT'S IP ADDRESS] is not infected
| with any malware and is kept up to date with security fixes.
| However, you should expect it to continue to appear in your scans as
| a false positive.
zw
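Both Thomas's point (blacklists and scanners should check whether a reported IP is a Tor exit before filing a complaint) and Zack's template can be turned into a small, offline check. The script below is an added example, not code from this thread or from the Tor Project. It parses the TorDNSEL exit-addresses format (ExitNode / Published / LastStatus / ExitAddress records, as published at https://check.torproject.org/exit-addresses), asks whether the IP named in an abuse report was measured as a Tor exit address within a window around the report time, and if so renders Zack's reply with the exit's IP filled in. The exit list embedded here is constructed for the example (fingerprints and addresses are made up; a real run would fetch the current file from that URL), and the 24-hour matching window is an assumption, not a Tor Project recommendation.

```python
"""Check an abuse report's IP against a Tor exit list and draft a reply.

Added example; not from the tor-relays thread or the Tor Project. The
exit-addresses format is the one served by TorDNSEL at
https://check.torproject.org/exit-addresses. Timestamps in that file are UTC.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample exit list (fingerprints and IPs are made up).
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2014-07-18 06:00:00
LastStatus 2014-07-18 08:00:00
ExitAddress 198.51.100.7 2014-07-18 08:05:12
ExitNode 0000000000000000000000000000000000000002
Published 2014-07-17 21:00:00
LastStatus 2014-07-18 07:00:00
ExitAddress 203.0.113.9 2014-07-18 07:12:30
ExitAddress 203.0.113.10 2014-07-16 02:40:00
"""

# Zack Weinberg's suggested wording from the thread, with the IP as a field.
RESPONSE_TEMPLATE = """\
Scanners that aim to detect misconfigured, vulnerable, or infected
computers will, from time to time, pick up Tor exits as false
positives, whenever they happen to be emitting traffic that
originates from such computers. By design, we have no way to pass
your report along to the true source of the traffic. We can assure
you that the actual computer at {ip} is not infected
with any malware and is kept up to date with security fixes.
However, you should expect it to continue to appear in your scans as
a false positive.
"""

# Assumed window: how far apart the report time and the last exit-list
# measurement of that address may be for it to count as "was an exit".
DEFAULT_WINDOW = timedelta(hours=24)


def _parse_ts(date_str, time_str=None):
    """Parse 'YYYY-MM-DD HH:MM:SS' (one or two fields) as an aware UTC datetime."""
    text = date_str if time_str is None else date_str + " " + time_str
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_exit_list(text):
    """Return {exit_ip: [(fingerprint, measured_at_utc), ...]}.

    Each ExitAddress line belongs to the most recent ExitNode line above it;
    a relay may list several addresses, and one address may recur.
    """
    seen = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode" and len(parts) == 2:
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and len(parts) == 4 and fingerprint:
            seen.setdefault(parts[1], []).append((fingerprint, _parse_ts(parts[2], parts[3])))
    return seen


def was_tor_exit(ip, report_time, exit_list, window=DEFAULT_WINDOW):
    """True if `ip` was measured as a Tor exit address within `window` of report_time."""
    return any(abs(report_time - measured) <= window for _, measured in exit_list.get(ip, []))


def check_report(ip, report_time_str, list_text=SAMPLE_EXIT_LIST):
    """Convenience wrapper: report time as 'YYYY-MM-DD HH:MM:SS' UTC."""
    return was_tor_exit(ip, _parse_ts(report_time_str), parse_exit_list(list_text))


def draft_reply(ip, report_time_str, list_text=SAMPLE_EXIT_LIST):
    """Return the false-positive reply text if the IP was a Tor exit, else None.

    None means the report may concern a genuinely infected host and deserves
    a real investigation rather than boilerplate.
    """
    if check_report(ip, report_time_str, list_text):
        return RESPONSE_TEMPLATE.format(ip=ip)
    return None


if __name__ == "__main__":
    # Constructed report: CERT-style notice naming an exit address on 2014-07-18.
    for reported_ip in ("198.51.100.7", "203.0.113.10", "192.0.2.1"):
        reply = draft_reply(reported_ip, "2014-07-18 10:00:00")
        print(reported_ip, "->", "Tor exit, reply drafted" if reply else "not a known exit, investigate")
```

Run it with the real exit-addresses file in place of SAMPLE_EXIT_LIST to triage incoming reports; the window matters because the exit list is a snapshot, so a report about an address that left the list days earlier should not be auto-answered as a false positive.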
On 20/07/14 05:58, Zack Weinberg wrote:
[...]
Thanks Zack for this example explanation, I think I will re-use it in my answer.
Thanks again! Chris
On 19/07/14 22:32, Thomas White wrote:
[...]
Thanks for proposing your help, I think I'm OK for now. It is true that I have not been very "honest" with my hosting company: I didn't tell them that I am running a TOR exit node, I simply stated so far that I provide a "service to people", and that sometimes this service gets abused by bad apples. But I think this time I will tell them, and try to come up with convincing arguments (your email and others' are helpful to me).
Actually, I'm not the only TOR exit node on the Hetzner AS: https://metrics.torproject.org/bubbles.html#as-exits-only (Hetzner is on the right of the biggest AS bubble, i3d BV). And from https://metrics.torproject.org/bubbles.html#as, Hetzner is the biggest bubble!
Thx, Chris
Yeah, I'm all those other exits :) We're on the same AS, different company though, and I think both are within SmartDC. I am sure that in the wake of the US-GE spying allegations, something like Tor should be slightly more welcome, since the German people may have lost some confidence in US hardware/services.