[tor-relays] Pony C&C
    Pierre Dennert 
    pierre at dennert.me
       
    Mon Sep  2 08:06:26 UTC 2013
    
    
  
I checked both of my Exit nodes:
IP Address 91.219.238.107 is listed in the CBL. It appears to be infected with a
spam sending trojan, proxy or some other form of botnet. <- uptime ~16 days
IP Address 84.201.38.234 is not listed in the CBL. <-- New node, uptime < 24hrs
>  This was detected by observing this IP attempting to make contact to a
> s_patcher Command and Control server, with contents unique to s_patcher C&C
> command protocols.
Not cool at all, let's see how the new node works out.
> I have been running a Tor exit node for only 2 days on a fresh IP address.
> However, that IP address is now blocked by spamhaus because it apparently
> tried to contact the Command and Control server of the "pony" malware:
>
> http://cbl.abuseat.org/lookup.cgi?ip=5.79.81.200
>
> Other node operators, could you please try your IP address? Perhaps this could
> explain the recent increase in connections?
>