[tor-relays] too many abuse reports

Jon torance.ca at gmail.com
Wed May 23 12:32:27 UTC 2012


On Tue, May 22, 2012 at 11:18 PM, Mike Perry <mikeperry at torproject.org> wrote:

> Thus spake Jon (torance.ca at gmail.com):
>
> > On Tue, May 22, 2012 at 3:17 PM, Mike Perry <mikeperry at torproject.org> wrote:
> >
> > > > On Tue, 22 May 2012 13:29:54 -0500
> > > > Jon <torance.ca at gmail.com> allegedly wrote:
> > > >
> > > > > Yep same here, got notice today from ISP on a report of the 20th for
> > > > > alleged hacking with someone using sqlmap. The reporting IP was a
> > > > > Brazilian gov IP address.
> > > > >
> > > > > I just blocked the port and kept on serving....
> > >
> > > As of yet, no one has mentioned the port. Out of curiosity, is it
> > > included in the Reduced Exit Policy?
> > > https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
> > >
> > >  The port was 57734 - of course that doesn't mean another port could be used
>
> Are you sure that's not the source port (which is randomized) for the
> incident? This is a weird destination port.
>
> If so, simply switching to the Reduced Exit Policy (or adding a reject
> line for *:57734) would prevent the attack from using your exit. No need
> to stop exiting entirely.
>
>
> --
> Mike Perry
>
> ______________________________________________
>

Yes, that was the source port that was used through my machine. (You are correct, Mike.)

The destination port was 80. The Host: 200.189.123.184

COSED [CSG-GOP-009] SCAN Sqlmap SQL Injection Scan = The Alert that started the alleged hack attempt


I have had similar incidents in the past and all I did was block the port
that was used and never had any more issues of the type that was reported.

This particular issue is the 1st for me. Time will tell if it did work or
not. At this point, I am still running an Exit relay.


Jon
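
Added example (not part of Jon's or Mike's messages, and not Tor's own code): a simplified first-match evaluator for accept/reject exit-policy lines, run against the connection details given in this message, comparing a rule keyed on port 57734 with one keyed on the reported destination. The two policy lists are constructed, only IPv4 is handled, and the fall-through accept is an assumption of this sketch.

```python
import ipaddress

# Connection from the abuse report quoted in this message.
REPORTED_DEST = ("200.189.123.184", 80)   # destination host and port
REPORTED_SRC_PORT = 57734                 # randomized source port

# Constructed policies for illustration (not anyone's real torrc).
BLOCK_SOURCE_PORT = ["reject *:57734", "accept *:*"]
BLOCK_DESTINATION = ["reject 200.189.123.184:80", "accept *:*"]

def parse_rule(line):
    """Parse 'accept|reject ADDR[/MASK]:PORT'; ADDR and PORT may be '*'."""
    action, target = line.split()
    addr, _, port = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return action, net, lo, hi

def decide(policy, dest_ip, dest_port):
    """Return the action of the first rule matching the destination."""
    ip = ipaddress.ip_address(dest_ip)
    for line in policy:
        action, net, lo, hi = parse_rule(line)
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action
    return "accept"  # assumption of this sketch: no match means accept

if __name__ == "__main__":
    for name, policy in (("reject *:57734", BLOCK_SOURCE_PORT),
                         ("reject 200.189.123.184:80", BLOCK_DESTINATION)):
        print(name, "->", decide(policy, *REPORTED_DEST))
```

The policy is consulted with the destination address and port only, so the source port of the reported connection never enters the decision.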