On Mon, Mar 07, 2016 at 08:19:54PM -0500, Roger Dingledine wrote:

Usually these sorts of things disappear within a day or so of appearing. I guess because the operator realizes this isn't going to actually do whatever he/she thought it would.

This pile of relays is continuing to swell a bit for now. I've started the process of bumping the current ones out of the network, so that should be done well before the bandwidth authorities get around to having an opinion on their bandwidth. I'll aim to keep at it, as things progress.

Let us know if you hear back from their contactinfo.

Whee, --Roger

You're doing the Lord's work here Nusenu.

You rock. -V

On Monday, 7 March 2016, nusenu nusenu@openmailbox.org wrote:

Dear abuse handlers at universities,

the following two servers run a tor exit relay (exit policy: accept *:*).

Due to ~80 other servers [1] around the world joining the tor network with the same bitcoin donation address in the contact field my wild guess is that it was not the owner making this server a tor exit relay.

If you can confirm that these servers were indeed compromised - this would be valuable information for us.

AS name: University of California at Berkeley IP address: 169.229.227.122 started to run as a tor relay at: 2016-03-07 17:37:24

AS name: University of Vienna, Austria IP: 77.80.14.190 started to run as a tor relay at: 2016-03-07 17:32:29

(I'm not associated with the torproject)

[1]

https://gist.githubusercontent.com/nusenu/fb19034a7860dba6c203/raw/5531768e7...

https://lists.torproject.org/pipermail/tor-relays/2016-March/008857.html

Coincidentally I stumbled on another group that was perfectly hiding during that event. It was purely for deception if you want ;)

I assume they are actually controlled by the same entity. 17 - still running - relays (non-exit):

https://gist.githubusercontent.com/nusenu/ab28394f71cd59a61c43/raw/36ecce1e2...

there are likely more of them:

https://gist.githubusercontent.com/nusenu/db4d68926dcc673b04ee/raw/6595fc08f...