OrNetRadar spots botnet joining the tor network? (79 relays, 38 countries, 67 ASes)
Hi, this smells like a botnet to me: http://article.gmane.org/gmane.network.onion-routing.ornetradar/1073 http://article.gmane.org/gmane.network.onion-routing.ornetradar/1074 all relays with that bitcoin adress: https://gist.githubusercontent.com/nusenu/fb19034a7860dba6c203/raw/5531768e7...
On Tue, Mar 08, 2016 at 12:56:06AM +0000, nusenu wrote:
this smells like a botnet to me:
http://article.gmane.org/gmane.network.onion-routing.ornetradar/1073 http://article.gmane.org/gmane.network.onion-routing.ornetradar/1074
Agreed. With wide-open exit policies too. Yuck. Thanks. Usually these sorts of things disappear within a day or so of appearing. I guess because the operator realizes this isn't going to actually do whatever he/she thought it would. Once it does disappear, we might be wise to put the addresses on a watchlist to see if they reappear later. --Roger
On Mon, Mar 07, 2016 at 08:19:54PM -0500, Roger Dingledine wrote:
Usually these sorts of things disappear within a day or so of appearing. I guess because the operator realizes this isn't going to actually do whatever he/she thought it would.
This pile of relays is continuing to swell a bit for now. I've started the process of bumping the current ones out of the network, so that should be done well before the bandwidth authorities get around to having an opinion on their bandwidth. I'll aim to keep at it, as things progress. Let us know if you hear back from their contactinfo. Whee, --Roger
On Mon, Mar 07, 2016 at 08:19:54PM -0500, Roger Dingledine wrote:
Usually these sorts of things disappear within a day or so of appearing. I guess because the operator realizes this isn't going to actually do whatever he/she thought it would.
And, there's only one left running in the consensus. Looks like my "usually" held up here. :) --Roger
Dear abuse handlers at universities, the following two servers run a tor exit relay (exit policy: accept *:*). Due to ~80 other servers [1] around the world joining the tor network with the same bitcoin donation address in the contact field my wild guess is that it was not the owner making this server a tor exit relay. If you can confirm that these servers were indeed compromised - this would be valuable information for us. AS name: University of California at Berkeley IP address: 169.229.227.122 started to run as a tor relay at: 2016-03-07 17:37:24 AS name: University of Vienna, Austria IP: 77.80.14.190 started to run as a tor relay at: 2016-03-07 17:32:29 (I'm not associated with the torproject) [1] https://gist.githubusercontent.com/nusenu/fb19034a7860dba6c203/raw/5531768e7... https://lists.torproject.org/pipermail/tor-relays/2016-March/008857.html
On Monday, 7 March 2016, nusenu <nusenu@openmailbox.org> wrote:
Dear abuse handlers at universities,
the following two servers run a tor exit relay (exit policy: accept *:*).
Due to ~80 other servers [1] around the world joining the tor network with the same bitcoin donation address in the contact field my wild guess is that it was not the owner making this server a tor exit relay.
If you can confirm that these servers were indeed compromised - this would be valuable information for us.
AS name: University of California at Berkeley IP address: 169.229.227.122 started to run as a tor relay at: 2016-03-07 17:37:24
AS name: University of Vienna, Austria IP: 77.80.14.190 started to run as a tor relay at: 2016-03-07 17:32:29
(I'm not associated with the torproject)
[1]
https://gist.githubusercontent.com/nusenu/fb19034a7860dba6c203/raw/5531768e7...
https://lists.torproject.org/pipermail/tor-relays/2016-March/008857.html
You're doing the Lord's work here Nusenu. You rock. -V On Monday, 7 March 2016, nusenu <nusenu@openmailbox.org> wrote:
Dear abuse handlers at universities,
the following two servers run a tor exit relay (exit policy: accept *:*).
Due to ~80 other servers [1] around the world joining the tor network with the same bitcoin donation address in the contact field my wild guess is that it was not the owner making this server a tor exit relay.
If you can confirm that these servers were indeed compromised - this would be valuable information for us.
AS name: University of California at Berkeley IP address: 169.229.227.122 started to run as a tor relay at: 2016-03-07 17:37:24
AS name: University of Vienna, Austria IP: 77.80.14.190 started to run as a tor relay at: 2016-03-07 17:32:29
(I'm not associated with the torproject)
[1]
https://gist.githubusercontent.com/nusenu/fb19034a7860dba6c203/raw/5531768e7...
https://lists.torproject.org/pipermail/tor-relays/2016-March/008857.html
Coincidentally I stumbled on another group that was perfectly hiding during that event. It was purely for deception if you want ;) I assume they are actually controlled by the same entity. 17 - still running - relays (non-exit): https://gist.githubusercontent.com/nusenu/ab28394f71cd59a61c43/raw/36ecce1e2...
Coincidentally I stumbled on another group that was perfectly hiding during that event. It was purely for deception if you want ;)
I assume they are actually controlled by the same entity. 17 - still running - relays (non-exit):
https://gist.githubusercontent.com/nusenu/ab28394f71cd59a61c43/raw/36ecce1e2...
there are likely more of them: https://gist.githubusercontent.com/nusenu/db4d68926dcc673b04ee/raw/6595fc08f...
participants (4)
-
I -
nusenu -
Roger Dingledine -
Virgil Griffith