[tor-relays] Exit relay operators: a call for packets on port 8118

Javantea jvoss at altsci.com
Mon Jul 22 07:09:55 UTC 2013

Hi Kent,

I am getting 125 packets per second sustained incoming on port 8118 like you on my exit node. I noticed this last year but forgot about it because it was such low bandwidth. I count 2582 unique IPs in 20 minutes.

I think you've found something significant. The obvious question is why since sending data in the clear is pretty worthless and it's going to come out of a tor exit node just like if they were using tor.

I'm a security researcher and would be happy to help you learn more about these silly systems. You've already done most of the basic research though: who, what, and where. When I open port 8118 with netcat a few times I get this:

GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=4211101&pub_url=${PUB_URL} HTTP/1.0
Accept: */*
Referer: http://www.lotsoffree.com/index.php?option=com_content&view=article&id=84:free-gift-card-microsoft-privacy&catid=39:free-gift-cards&Itemid=106
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008092417 Firefox/3.0.3
Host: ad.yieldmanager.com
Connection: Keep-Alive

GET http://ib.adnxs.com/ttj?id=1284883 HTTP/1.0
Accept: */*
Referer: http://www.psxobs.com/privacy-policy
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Host: ib.adnxs.com
Connection: Keep-Alive

That looks like clickfraud to me. Perhaps someone wrote a quick script that downloads the list of tor exit nodes and sends clickfraud requests to 8118 and was too lazy to add tor. That would mean that the sites in the referrer are the attackers and the url on the first line is the ad service which is being defrauded. Of course there is the possibility of a joe job occuring, but we know that at least some of them are the bad actors. Whois on both referrers returns China. I'm surprised that the script doesn't remove servers from the list that have the port closed. It's a very inefficient script.


-----Original Message-----
Subject: [tor-relays] Exit relay operators: a call for packets on port 8118
From: rotpoison throngnet <rotpoison at gmail.com>
To: tor-relays at lists.torproject.org
Date: Sun, 21 Jul 2013 14:40:26 -1000

I am an exit relay operator in Honolulu that has posted to this list
before, on the same subject.  I am hoping that some other exit relay
operators can sniff for packets to destination port 8118  (usually used for
Privoxy) to confirm that they are seeing the same thing I am on all exit
relays that I have set up in the last half year.  Depending on your network
configuration, you might have to instead record firewall logs for that
port.  Don’t worry, unless you have your Privoxy service open to the world,
you won’t be intercepting or eavesdropping on any legitimate traffic.   You
should just be seeing SYN packets from a few hundred-strong net of Windows
servers now hosted at Gorilla Servers, Ubiquity/Nobistech, and Limestone
Networks, with a handful at Psychz. I am calling this malicious (?) net of
Windows servers Rotpoi$on.

I have more details in the most recent blog post at

Thanks for your help.

- Kent
tor-relays mailing list
tor-relays at lists.torproject.org

More information about the tor-relays mailing list