[tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen
chgans at gna.org
Fri Jul 18 09:08:15 UTC 2014
I'm here to look for advice or comments on how to handle abuse reports
when you run a TOR exit relay on a "server for the masses".
I'm running the TOR exit node 18B6EBAF10814335242ECA5705A04AAD29774078
on the Hetzner network (50E/month, this is my contribution to the TOR project).
So far I had to deal with a few "easy" abuse reports (ssh scan, forum
insults, spams, ...), I think I performed pretty well so far (thanks to
But today I just received this botnet related one. I do take this report
seriously, I know that malware is more and more using the TOR network
as an anonymous covert, I don't like malware, I don't like malicious
botnets and I don't like spammers. Still I end up being identified as one.
I knew from day one that it was a risky business to run a TOR exit
node, but I want to stand up and fight. If only I can convince people
that I am doing the right thing.
First of all I am quite surprised that cert-bund.de (the complainant)
didn't notice that I am a TOR exit node, so my first question (for
people familiar with these guys) is:
- How legit are these guys? Do they run for the German government? Are
they simply trying to scare the shit out of me by citing
europol.europa.eu and us-cert.gov? (see redacted forwarded message
below, my own opinion is "Yes")
- Do they simply spam hosting companies each time they have a probe
sensing something somewhere? (I know it's vague, but I can use that as a
"this complainant is a spammer" kind of argument)
Any other thoughts/remarks/comment on that matter?
Thought of the day:
Nowadays it looks like server administrators tend to send an abuse report
each time they receive an illegal ping request!
Testimony of the day:
Last time I received an "SSH scan" abuse report, I sent back my SSH
honeypot logs, which contain more than 5k login attempts per day.
-------- Original Message --------
----- attachment -----
Dear Sir or Madam,
"Gameover Zeus" is malicious software which is primarily used by
cybercriminals to carry out online banking fraud and to spy out
login credentials for online services on infected PCs. It can also
be used to install further malicious software (including
blackmailing trojans such as "CryptoLocker" ransomware) on PCs
or to carry out DDoS attacks.
In a joint international campaign since the end of May 2014,
law enforcement agencies, with the support of private sector partners,
have taken action against the "Gameover Zeus" botnet.
As part of this campaign, it has now been possible to identify the
IP addresses of systems infected with "Gameover Zeus".
We are sending you a list of infected systems in your net area.
Would you please examine the situation thoroughly and take appropriate
measures to cleanse the systems.
- Europol: International action against 'Gameover Zeus' botnet and
- ShadowServer: Gameover Zeus & Cryptolocker
- US-CERT: GameOver Zeus P2P Malware
A list of infected systems in your net area:
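An added example (my own code, not from the post, the Tor project or CERT-Bund) of the check the post says the complainant skipped: it parses a Tor exit list in the TorDNSEL exit-addresses format (the format served at check.torproject.org/exit-addresses) and flags which IPs in an "infected systems" list are known exits, with a freshness caveat, since an address stops being an exit once the relay goes down. The exit list, the reported IPs and the report timestamp are constructed samples; the first fingerprint is the one from the post, the second is a made-up placeholder.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the TorDNSEL exit-addresses format; the first
# fingerprint is the relay from the post, the IPs are RFC 5737 test addresses.
EXIT_LIST = """\
ExitNode 18B6EBAF10814335242ECA5705A04AAD29774078
Published 2014-07-17 22:32:04
LastStatus 2014-07-18 03:02:16
ExitAddress 192.0.2.10 2014-07-18 05:45:08
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2014-07-17 20:00:00
LastStatus 2014-07-18 02:00:00
ExitAddress 198.51.100.7 2014-07-18 04:10:00
ExitAddress 198.51.100.8 2014-07-10 04:10:00
"""

TS = "%Y-%m-%d %H:%M:%S"  # timestamp layout used by the exit list

def parse_exit_list(text):
    """Map each ExitAddress to (relay fingerprint, time it was last seen exiting)."""
    exits, fingerprint = {}, None
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "ExitNode":
            fingerprint = fields[1]
        elif fields and fields[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(fields[2] + " " + fields[3], TS)
            exits[fields[1]] = (fingerprint, seen)
    return exits

def triage_report(reported_ips, exit_text, report_time, max_age_days=2):
    """Classify each reported IP: 'tor-exit' (seen exiting within max_age_days
    of the report), 'stale-tor-exit' (listed, but not around the report time),
    or 'investigate' (not a known exit, so the host itself needs a look)."""
    exits = parse_exit_list(exit_text)
    when = datetime.strptime(report_time, TS)
    verdicts = {}
    for raw in reported_ips:
        ip = str(ipaddress.ip_address(raw.strip()))  # normalise; rejects garbage
        if ip not in exits:
            verdicts[ip] = ("investigate", None)
            continue
        fingerprint, seen = exits[ip]
        recent = abs(when - seen) <= timedelta(days=max_age_days)
        verdicts[ip] = ("tor-exit" if recent else "stale-tor-exit", fingerprint)
    return verdicts
```

For a real report, replace EXIT_LIST with a freshly downloaded exit-addresses dump and pass the report's own timestamp, since the list only reflects recent exit activity.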