[tor-relays] Tor relays and exits exposing Privoxy publicly

Claudio cld at riseup.net
Sun Nov 10 13:04:30 UTC 2013



Hello everyone,

Some months ago I encountered a situation where a user running an exit
node with a publicly exposed privoxy (intentionally or not, I'm not
sure) was constantly receiving a number of requests directed to
advertisement networks.
Fundamentally, someone is/was running an infrastructure using exposed
Privoxies to perform some sort of advertisement fraud.

It's been roughly documented also here:
https://b.kentbackman.com/2013/04/15/rotpoion-botnet-powered-by-thousands-of-servers/

Out of interest, I gave a quick look at existing relays and exits and
it turns out that there are ~20 nodes exposing Privoxy on public IPs.

Host: 46.65.12.134 (46-65-12-134.zone16.bethere.co.uk)	Ports: 8118/open/tcp//privoxy///
Host: 66.146.193.31 (sable.dredel.com)	Ports: 8118/open/tcp//privoxy///
Host: 66.180.193.219 (tor-proxy.die.net)	Ports: 8118/open/tcp//privoxy///
Host: 69.164.211.18 (nsi.mirt.net)	Ports: 8118/open/tcp//privoxy///
Host: 71.246.241.109 (koansys.com)	Ports: 8118/open/tcp//privoxy///
Host: 75.137.122.118 (75-137-122-118.dhcp.gnvl.sc.charter.com)	Ports: 8118/open/tcp//privoxy///
Host: 78.47.41.125 (maurer-web.wisseberger-jonges.de)	Ports: 8118/open/tcp//privoxy///
Host: 81.56.102.224 (perso.schenck.fr)	Ports: 8118/open/tcp//privoxy///
Host: 82.45.34.136 (cpc11-hawk13-2-0-cust135.aztw.cable.virginm.net)	Ports: 8118/open/tcp//privoxy///
Host: 93.207.83.51 (p5DCF5333.dip0.t-ipconnect.de)	Ports: 8118/open/tcp//privoxy///
Host: 95.140.34.187 (medea.tobias.vn)	Ports: 8118/open/tcp//privoxy///
Host: 95.140.34.188 (mikrobi.tobias.vn)	Ports: 8118/open/tcp//privoxy///
Host: 123.254.105.104 ()	Ports: 8118/open/tcp//privoxy///
Host: 151.28.124.42 (ppp-42-124.28-151.libero.it)	Ports: 8118/open/tcp//privoxy///
Host: 162.243.5.88 ()	Ports: 8118/open/tcp//privoxy///
Host: 165.154.108.120 ()	Ports: 8118/open/tcp//privoxy///
Host: 176.31.127.140 (ks396886.kimsufi.com)	Ports: 8118/open/tcp//privoxy///
Host: 199.184.154.12 ()	Ports: 8118/open/tcp//privoxy///

First things first, I'm interested to know whether there's an actual
reason for doing this or if it's something discouraged.

Best,
/nex
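As an added example (not part of the original post or of Tor/Privoxy), here is a small operator-side audit in Python. It parses nmap grepable-output "Host:" records of the shape quoted above (re-joining lines that a mail client wrapped after "Ports:"), lists hosts with the Privoxy port open on a non-RFC1918, non-loopback address, and, going one step beyond the post, checks a Privoxy config's listen-address lines so the proxy is bound to loopback only. The scan lines, hostnames and config fragment are constructed for this example (TEST-NET addresses, invented rDNS names), not the hosts from the post; the listen-address syntax is Privoxy's real directive.

```python
"""Audit helpers for relay operators: parse nmap -oG "Host:" lines and
flag exposed Privoxy listeners; check a Privoxy config's listen-address.

All sample data below is constructed for this example."""
import re
import ipaddress

# nmap -oG record: Host: <ip> (<rdns>)<tab>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/,...
HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)")

# Address ranges that cannot be reached from the public Internet. The RFC 5737
# documentation ranges are deliberately NOT listed, so the TEST-NET sample
# addresses below behave like public ones.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def is_public(ip):
    """True unless ip falls in one of the NON_PUBLIC ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def parse_grepable(text):
    """Return [(ip, rdns, [(port, state, proto, service), ...]), ...].

    A 'Ports:' field that was wrapped onto the following line by a mail
    client is re-joined before the record is parsed."""
    joined = re.sub(r"Ports:\s*\n\s*", "Ports: ", text)
    records = []
    for line in joined.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        ip, rdns, ports_field = m.groups()
        ports = []
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            # fields: port, state, proto, owner, service, rpc info, version
            ports.append((int(fields[0]), fields[1], fields[2], fields[4]))
        records.append((ip, rdns, ports))
    return records


def exposed_privoxy(records, port=8118):
    """Hosts with the Privoxy port open over TCP on a public address."""
    hits = []
    for ip, rdns, ports in records:
        if not is_public(ip):
            continue
        if any(p == port and st == "open" and pr == "tcp" for p, st, pr, _ in ports):
            hits.append((ip, rdns))
    return hits


def check_listen_addresses(config_text):
    """Return listen-address values that are not bound to loopback.

    Privoxy's directive is 'listen-address host:port'; IPv6 hosts are
    bracketed ([::1]:8118) and an empty host means every interface."""
    bad = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line.startswith("listen-address"):
            continue
        value = line.split(None, 1)[1]
        host = value.rsplit(":", 1)[0]
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:                         # e.g. "localhost" or empty host
            loopback = host == "localhost"
        if not loopback:
            bad.append(value)
    return bad


# Constructed sample input: one wrapped record, one multi-port record,
# one closed port, one RFC 1918 address.
SAMPLE_SCAN = """\
Host: 198.51.100.7 (relay-a.example.net)\tPorts:
8118/open/tcp//privoxy///
Host: 203.0.113.9 (relay-b.example.org)\tPorts: 8118/open/tcp//privoxy///,9001/open/tcp//tor-orport///
Host: 192.0.2.5 ()\tPorts: 8118/closed/tcp//privoxy///
Host: 10.0.0.4 (lab-box)\tPorts: 8118/open/tcp//privoxy///
"""

# Constructed Privoxy config fragment: the first line is the exposed setting,
# the other two are the loopback-only settings an operator would want.
SAMPLE_CONFIG = """\
# constructed config fragment
listen-address  0.0.0.0:8118   # reachable from every interface
listen-address  127.0.0.1:8118
listen-address  [::1]:8118
"""

if __name__ == "__main__":
    for ip, rdns in exposed_privoxy(parse_grepable(SAMPLE_SCAN)):
        print(f"exposed Privoxy: {ip} ({rdns or 'no rDNS'})")
    for value in check_listen_addresses(SAMPLE_CONFIG):
        print(f"listen-address not bound to loopback: {value}")
```

On the constructed sample this reports the two TEST-NET hosts with 8118/open and the single 0.0.0.0:8118 listen-address; the closed port and the RFC 1918 host are skipped. Operators who only want Tor clients on the same machine to use Privoxy would keep just the loopback listen-address lines.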
