My ISP recently sent me a CERT-FI auto-report on malware-infected servers in my ISP's address space. I was sent this report because my IP address was among those flagged. My entry looks like this:
51765|aa.bbb.ccc.dd|2013-07-08 02:39:23 +0000|||Proxy|743230|Datasource: C, Type: SOCKS4 (9050)
I am wondering how CERT-FI knows about this port. This is a snippet of my relay config:
OutboundBindAddress aa.bbb.ccc.dd
ORPort [aa.bbb.ccc.dd]:443
DirPort [aa.bbb.ccc.dd]:80
SocksPort [127.0.0.1]:9050
Given that my SOCKS port is bound to localhost, how does CERT-FI know about it?
(For more info on the auto-reporter, go to https://www.cert.fi/en/autoreporter/autoreporter.html and log into it with this username/password: auto/reporter)
Thanks.
I assume the ISP did a port scan. Do you have port 9050 open in your firewall?
On 2013-07-10 15:57, Steve Snyder wrote:
My ISP recently sent me a CERT-FI auto-report on malware-infected servers in my ISP's address space. I was sent this report because my IP address was among those flagged. My entry looks like this:
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Wed, 10 Jul 2013 17:04:12 +0200 Logforme m7527@abc.se allegedly wrote:
I assume the ISP did a port scan. Do you have port 9050 open in your firewall?
Unlikely. I think it would be very unusual for an ISP in any country to portscan anyone without prior authority (such as would appear in a contract). Such action is illegal in many jurisdictions. And in any case, Steve has already said that his socks port is bound only to localhost (127.0.0.1). The report from CERT-FI must simply record the fact that they have seen (or had reported) apparent open proxy relaying from Steve's IP address with source port 9050. Without a lot more detail about configuration, and the exact details of the reporting from CERT-FI, it is difficult to make any assumptions.
If I were Steve, I would contact CERT-FI directly for more information. They are likely to be very helpful.
Mick
On 2013-07-10 15:57, Steve Snyder wrote:
My ISP recently sent me a CERT-FI auto-report on malware-infected servers in my ISP's address space. I was sent this report because my IP address was among those flagged. My entry looks like this:
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------
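Both Steve's question (is a SocksPort bound to 127.0.0.1 visible from outside?) and Mick's point (the report may not describe a listener at all) come down to the same check: read the report line, read the torrc, and see whether the flagged port is bound on a non-loopback address. The script below is an added example written for this thread; it is not code from the thread, from CERT-FI or from the Tor project. It assumes the pipe-delimited report format quoted above (only the IP and the "Type: ... (port)" detail are interpreted; the other field meanings are not known from the thread and are ignored), the torrc "[address:]port" syntax, Tor's documented defaults of 127.0.0.1 for SocksPort/ControlPort/DNSPort/TransPort and all interfaces for ORPort/DirPort when no address is given, and uses the documentation address 203.0.113.5 in place of aa.bbb.ccc.dd in constructed sample input.

```python
"""Cross-check a CERT-FI autoreporter line against a torrc.

Added example, not from the thread. Field positions in the report and the
per-directive default bind addresses are assumptions stated in the lead-in.
"""
import ipaddress
import re

# Constructed torrc modelled on Steve's snippet; 203.0.113.5 is a
# documentation address standing in for aa.bbb.ccc.dd.
TORRC = """\
OutboundBindAddress 203.0.113.5
ORPort [203.0.113.5]:443
DirPort [203.0.113.5]:80
SocksPort [127.0.0.1]:9050
"""

# Constructed autoreporter line in the format quoted in the thread.
REPORT_LINE = ("51765|203.0.113.5|2013-07-08 02:39:23 +0000|||Proxy|743230|"
               "Datasource: C, Type: SOCKS4 (9050)")

# Listening directives; Tor binds these to 127.0.0.1 when no address is given.
LOOPBACK_BY_DEFAULT = {"SocksPort", "ControlPort", "DNSPort", "TransPort"}
# These default to all interfaces when no address is given.
PUBLIC_BY_DEFAULT = {"ORPort", "DirPort"}
LISTENING = LOOPBACK_BY_DEFAULT | PUBLIC_BY_DEFAULT

# "[addr]:port" (IPv4 or IPv6 in brackets) or "addr:port" (IPv4 only).
_LISTENER_RE = re.compile(
    r"^(?:\[(?P<bracketed>[^\]]+)\]|(?P<plain>[^:\[\]]+)):(?P<port>\d+)$")


def parse_report(line):
    """Return (flagged_ip, proxy_type, port) from one autoreporter line.

    Only the IP (field 2) and the 'Type: NAME (PORT)' detail (last field)
    are interpreted; the remaining fields are passed over untouched.
    """
    fields = line.split("|")
    if len(fields) < 8:
        raise ValueError("unexpected field count in report line")
    m = re.search(r"Type:\s*(\S+)\s*\((\d+)\)", fields[7])
    if not m:
        raise ValueError("no 'Type: NAME (PORT)' in detail field")
    return fields[1], m.group(1), int(m.group(2))


def parse_torrc_listeners(text):
    """Yield (directive, bind_address, port) for each listening *Port line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        directive, _, rest = line.partition(" ")
        if directive not in LISTENING:
            continue
        parts = rest.split()                      # flags such as IsolateDestAddr follow the port
        token = parts[0] if parts else ""
        if token in ("", "0", "auto"):
            continue                              # disabled, or chosen at run time: nothing static to check
        m = _LISTENER_RE.match(token)
        if m:
            addr = m.group("bracketed") or m.group("plain")
            port = int(m.group("port"))
        elif token.isdigit():                     # bare port: apply the directive's default address
            addr = "127.0.0.1" if directive in LOOPBACK_BY_DEFAULT else "0.0.0.0"
            port = int(token)
        else:
            raise ValueError(f"cannot parse {directive} {rest!r}")
        yield directive, addr, port


def is_externally_bound(addr):
    """True for anything other than a loopback address (0.0.0.0 and :: count as external)."""
    return not ipaddress.ip_address(addr).is_loopback


def assess(report_line, torrc_text):
    """Return (verdict, [(directive, bind_address), ...]) for the reported port.

    'exposed'       a directive binds that port on a non-loopback address
    'loopback_only' the port is in torrc, but only on loopback
    'not_in_torrc'  nothing in this torrc listens on that port
    """
    _, _, flagged_port = parse_report(report_line)
    verdict, hits = "not_in_torrc", []
    for directive, addr, port in parse_torrc_listeners(torrc_text):
        if port != flagged_port:
            continue
        hits.append((directive, addr))
        if is_externally_bound(addr):
            verdict = "exposed"
        elif verdict != "exposed":
            verdict = "loopback_only"
    return verdict, hits


if __name__ == "__main__":
    print(assess(REPORT_LINE, TORRC))
```

A "loopback_only" verdict for Steve's torrc means exactly what Mick says: this configuration does not explain the report, so the next things to check are the live socket table on the host (`ss -ltnp` on Linux) for any other process on 9050, any NAT or port-forward in front of the box, and the detail CERT-FI can supply about whether 9050 was a listener they probed or a source port they observed.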