Hello fellow relay operators,
I have received word from my ISP that they detected malicious traffic from my account. I'm running the exit node "cave" with reduced exit policy,
https://atlas.torproject.org/#details/3875c9c843d33762fa733bcaf128f26a10bc75...
The information received from my ISP was:
infection => 'kelihos', subtype => 'kelihos.e', port => '52935', asn => '209', family => 'kelihos', sourceSummary => 'Drone Report'
Typically they will also provide an IP address related to the infection, which is usually a sinkhole. The solution is to block the IP in my exit policy. However no IP was provided in this report and there is not one available, since my ISP is just relaying information they receive from a 3rd party detection agency. Furthermore, the port mentioned, 52935, is not allowed in my exit policy, so I'm guessing that port is somewhere else...
Any ideas about this "infection" and how we could prevent it from using our exit nodes?
Thanks
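The two checks the post reasons about by hand (is a reported port even allowed by my exit policy, and would a `reject` line for a sinkhole IP actually take effect) can be done mechanically. The script below is an added example, not code from the thread or from the Tor project: it parses `ExitPolicy` lines from a torrc fragment and applies Tor's first-match rule to a destination. The policy text is a constructed subset of the reduced exit policy (the real list is longer), the IPs are documentation ranges, and `192.0.2.10` is a placeholder for the sinkhole address the ISP did not supply. IPv4 only; `accept6`/`reject6` and the `private` keyword are not handled.

```python
import ipaddress

# Constructed torrc fragment: a subset of the reduced exit policy used only as
# an illustration, not the policy running on the operator's relay.
REDUCED_POLICY = """\
ExitPolicy accept *:20-23     # ftp, ssh, telnet
ExitPolicy accept *:53        # dns
ExitPolicy accept *:80-81     # http
ExitPolicy accept *:110       # pop3
ExitPolicy accept *:143       # imap
ExitPolicy accept *:443       # https
ExitPolicy accept *:993-995   # imaps, pop3s
ExitPolicy accept *:8080,accept *:8443
ExitPolicy reject *:*
"""

# Placeholder (TEST-NET-1) standing in for the sinkhole IP the report lacked.
SINKHOLE_IP_PLACEHOLDER = "192.0.2.10"


def _parse_port(spec):
    """'*' -> all ports, 'lo-hi' -> range, 'n' -> single port."""
    if spec == "*":
        return 1, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def parse_policy(torrc_text):
    """Return [(action, network_or_None, lo_port, hi_port)] in torrc order.

    A single ExitPolicy line may carry several comma-separated rules.
    """
    rules = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line.startswith("ExitPolicy"):
            continue
        for rule in line[len("ExitPolicy"):].split(","):
            action, target = rule.split()
            if action not in ("accept", "reject"):
                raise ValueError(f"unsupported action in rule: {rule!r}")
            addr, port = target.rsplit(":", 1)       # IPv4 only, see lead-in
            network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            lo, hi = _parse_port(port)
            rules.append((action, network, lo, hi))
    return rules


def evaluate(rules, dest_ip, dest_port):
    """Return 'accept' or 'reject': the first matching rule wins, as in Tor."""
    ip = ipaddress.ip_address(dest_ip)
    for action, network, lo, hi in rules:
        if network is not None and ip not in network:
            continue
        if not lo <= dest_port <= hi:
            continue
        return action
    # Nothing matched: Tor appends its default policy, whose last line is
    # 'accept *:*', so an unmatched destination is accepted.
    return "accept"


def with_sinkhole_reject(torrc_text, sinkhole_ip):
    """Prepend 'reject IP:*' so it precedes, and therefore beats, every accept line.

    Ordering is the point: the same line appended after 'accept *:443' would
    never be reached for port 443.
    """
    return f"ExitPolicy reject {sinkhole_ip}:*\n" + torrc_text


if __name__ == "__main__":
    policy = parse_policy(REDUCED_POLICY)
    # Port from the ISP report: not opened by the reduced policy, so the
    # relay cannot have exited to it and the report refers to another hop.
    print("52935 ->", evaluate(policy, "198.51.100.7", 52935))   # reject
    print("443   ->", evaluate(policy, "198.51.100.7", 443))     # accept

    hardened = parse_policy(with_sinkhole_reject(REDUCED_POLICY, SINKHOLE_IP_PLACEHOLDER))
    print("sinkhole:443 ->", evaluate(hardened, SINKHOLE_IP_PLACEHOLDER, 443))  # reject
    print("other:443    ->", evaluate(hardened, "198.51.100.7", 443))          # accept
```

Running it against the constructed policy confirms the poster's inference: port 52935 falls through every `accept` line to the final `reject *:*`, so traffic on that port cannot have left this exit. The `with_sinkhole_reject` helper shows the usual fix for reports that do include an IP, and why the `reject` has to be placed before the `accept` lines.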
This is like when I got the helpful notification saying that my exit relay was running Windows XP and I ought to upgrade it. You can, if you feel like it, write back explaining that your exit node happens to have been used to forward traffic on behalf of a computer that happens to be infected with Kelihos, and while it would be nice if you could notify the operator of that computer that they have an infection, by design of the Tor network this is not possible. Your exit relay will continue to pop up on future such scans and it would be best if they just ignored it. You apologize for the inconvenience.
There isn't anything you can or should do about it configuration-wise. In particular, I am not finding mention of Kelihos using any specific port for its traffic, or any specific C&C servers, so there's no exit policy that you can set to prevent it.
zw
On Mon, Jan 22, 2018 at 3:50 PM, scar <scar@drigon.com> wrote:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays