OrNetRadar spots botnet joining the tor network? (79 relays, 38 countries, 67 ASes)

Hi, this smells like a botnet to me:
http://article.gmane.org/gmane.network.onion-routing.ornetradar/1073
http://article.gmane.org/gmane.network.onion-routing.ornetradar/1074

all relays with that bitcoin address:
https://gist.githubusercontent.com/nusenu/fb19034a7860dba6c203/raw/5531768e7...

On Tue, Mar 08, 2016 at 12:56:06AM +0000, nusenu wrote:
Agreed. With wide-open exit policies too. Yuck.

Thanks. Usually these sorts of things disappear within a day or so of appearing. I guess because the operator realizes this isn't going to actually do whatever he/she thought it would.

Once it does disappear, we might be wise to put the addresses on a watchlist to see if they reappear later.

--Roger

On Mon, Mar 07, 2016 at 08:19:54PM -0500, Roger Dingledine wrote:
This pile of relays is continuing to swell a bit for now. I've started the process of bumping the current ones out of the network, so that should be done well before the bandwidth authorities get around to having an opinion on their bandwidth.

I'll aim to keep at it, as things progress. Let us know if you hear back from their contactinfo.

Whee,
--Roger

Dear abuse handlers at universities,

the following two servers run a tor exit relay (exit policy: accept *:*). Due to ~80 other servers [1] around the world joining the tor network with the same bitcoin donation address in the contact field my wild guess is that it was not the owner making this server a tor exit relay. If you can confirm that these servers were indeed compromised - this would be valuable information for us.

AS name: University of California at Berkeley
IP address: 169.229.227.122
started to run as a tor relay at: 2016-03-07 17:37:24

AS name: University of Vienna, Austria
IP: 77.80.14.190
started to run as a tor relay at: 2016-03-07 17:32:29

(I'm not associated with the torproject)

[1] https://gist.githubusercontent.com/nusenu/fb19034a7860dba6c203/raw/5531768e7...
https://lists.torproject.org/pipermail/tor-relays/2016-March/008857.html


Coincidentally I stumbled on another group that was perfectly hiding during that event. It was purely for deception if you want ;) I assume they are actually controlled by the same entity. 17 - still running - relays (non-exit): https://gist.githubusercontent.com/nusenu/ab28394f71cd59a61c43/raw/36ecce1e2...

there are likely more of them: https://gist.githubusercontent.com/nusenu/db4d68926dcc673b04ee/raw/6595fc08f...

participants (4): I, nusenu, Roger Dingledine, Virgil Griffith
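
The signal discussed in this thread (many relays carrying the same bitcoin address in the contact field, all joining within hours, with wide-open exit policies) can be checked mechanically, and the resulting IP set is the kind of watchlist suggested above. This is an added example, not code from OrNetRadar or the Tor Project; the relay records, the address and the AS numbers are constructed, and the field names are assumed to follow Onionoo "details" documents.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy (base58) bitcoin address pattern, as seen in relay contact fields.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
ADDR = "1" + "ExampLe" * 4  # constructed placeholder, not a real address

def relay(ip, first_seen, contact, asn, cc, policy):  # Onionoo-style fields (assumed)
    return {"or_addresses": [ip + ":9001"], "first_seen": first_seen, "contact": contact,
            "as": asn, "country": cc, "exit_policy": [policy]}

# Constructed sample relays (documentation IP ranges and documentation AS numbers).
RELAYS = [
    relay("192.0.2.10", "2016-03-07 17:30:00", "btc " + ADDR, "AS64500", "at", "accept *:*"),
    relay("198.51.100.7", "2016-03-07 17:40:00", "btc " + ADDR, "AS64501", "us", "accept *:*"),
    relay("203.0.113.5", "2016-03-07 18:05:00", "btc " + ADDR, "AS64502", "de", "accept *:*"),
    relay("203.0.113.80", "2015-06-01 08:00:00", "btc " + ADDR, "AS64503", "fr", "reject *:*"),
    relay("192.0.2.99", "2015-11-02 09:00:00", "admin@example.org", "AS64500", "at", "reject *:*"),
]

def seen(r):
    return datetime.strptime(r["first_seen"], "%Y-%m-%d %H:%M:%S")

def find_groups(relays, window=timedelta(hours=24), min_size=3):
    """Largest burst of relays sharing a bitcoin address and first seen within `window`."""
    by_addr = defaultdict(list)
    for r in relays:
        m = BTC_RE.search(r.get("contact") or "")
        if m:
            by_addr[m.group()].append(r)
    findings = []
    for addr, members in by_addr.items():
        members.sort(key=seen)
        best, lo = [], 0
        for hi in range(len(members)):  # sliding window over join times
            while seen(members[hi]) - seen(members[lo]) > window:
                lo += 1
            if hi - lo + 1 > len(best):
                best = members[lo:hi + 1]
        if len(best) >= min_size:
            findings.append({
                "address": addr, "relays": len(best),
                "countries": len({r["country"] for r in best}), "ases": len({r["as"] for r in best}),
                "open_exits": sum("accept *:*" in r["exit_policy"] for r in best),
                "watchlist": {a.rsplit(":", 1)[0] for r in best for a in r["or_addresses"]},
            })
    return findings

if __name__ == "__main__":
    print(find_groups(RELAYS))
```

The relay that has carried the same address since 2015 falls outside the 24-hour window, so it is not counted in the burst.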