[tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen
no.thing_to-hide at cryptopathie.eu
Fri Jul 18 20:24:31 UTC 2014
Hello Chris and many thanks for running a fast exit!
CERT Bund is the CSIRT of the German Federal Office for Information
Security (BSI = Bundesamt fuer Sicherheit in der Informationstechnik)
(1)(2). They surely know Tor, because they distribute security advice
for our anonymizer project (3)(4)(5).
But in your case I guess that their operator did not know that you run
an exit, or at least did not look at the exit list.
When I do a Whois lookup of your server (6), there is only the link to
Hetzner. When I do the same for exits of Zwiebelfreunde or CCC, there
is the hint at Tor:
"This network is used for research in anonymisation services and
provides a TOR exit node to end users." (7)(8). In case of
Zwiebelfreunde there is also a server running on the exit with a
Probably such a hint will help against a few complaints in future.
Best regards and stay wiretapped!
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC
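The check the complainant apparently skipped, as an added example that is not part of the original mail: screen the IPs of an abuse report against the Tor exit list (the `ExitNode`/`ExitAddress` format served by check.torproject.org) before treating them as infected hosts. The exit list, the second fingerprint and the 192.0.2.x addresses are constructed for this example; only the first fingerprint is from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample in the format of https://check.torproject.org/exit-addresses; the first
# fingerprint is the relay from the thread, the second and all 192.0.2.x (RFC 5737) IPs are made up.
SAMPLE_EXIT_LIST = """\
ExitNode 18B6EBAF10814335242ECA5705A04AAD29774078
Published 2014-07-18 08:52:10
LastStatus 2014-07-18 10:02:00
ExitAddress 192.0.2.10 2014-07-18 09:00:13
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2014-07-17 21:10:00
LastStatus 2014-07-18 10:02:00
ExitAddress 192.0.2.20 2014-07-17 22:00:00
ExitAddress 192.0.2.21 2014-07-18 06:30:00
"""
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse_exit_list(text):
    """Map each exit IP to the (fingerprint, last-seen time) pairs that used it."""
    exits, fingerprint = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]          # following ExitAddress lines belong to this relay
        elif parts[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
            exits.setdefault(parts[1], []).append((fingerprint, seen))
    return exits

def triage_report(reported_ips, report_time, exit_list_text, window_hours=24):
    """Split a report's IPs into Tor exits (with fingerprints) and hosts needing real follow-up.
    An IP counts as an exit if the list saw it exiting within window_hours of report_time."""
    exits = parse_exit_list(exit_list_text)
    at = datetime.strptime(report_time, TIME_FMT)
    window = timedelta(hours=window_hours)
    tor_exits, others = {}, []
    for ip in reported_ips:
        hits = [fp for fp, seen in exits.get(ip, []) if abs(at - seen) <= window]
        if hits:
            tor_exits[ip] = hits
        else:
            others.append(ip)
    return tor_exits, others

if __name__ == "__main__":
    report = ["192.0.2.10", "192.0.2.21", "192.0.2.99"]  # IPs from a constructed abuse report
    print(triage_report(report, "2014-07-18 11:08:00", SAMPLE_EXIT_LIST))
```

An abuse desk can answer the exit hits with a pointer to the exit list and reserve the infection clean-up request for the remaining addresses.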
On 18/07/14 11:08, Ch'Gans wrote:
> Hi there,
> I'm here to look for advice or comments on how to handle abuse
> reports when you run a TOR relay exit on a "server for the mass".
> I'm running the TOR exit node
> 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner network
> (50E/month, this is my contribution to the TOR project). So far I
> had to deal with a few "easy" abuse reports (ssh scan, forum insults,
> spams, ...), I think I performed pretty well so far (thanks to
> Hetzner cooperation?)
> But today I just received this botnet related one. I do take this
> report seriously, I know that malware is more and more using the
> TOR network as an anonymous cover, I don't like malware, I don't
> like malicious botnets and I don't like spammers. Still I end up
> being identified as one of them.
> I knew from day one that it was a risky business to run an exit
> TOR node, but I want to stand up and fight. If only I can convince
> people of my right doing.
> First of all I am quite surprised that cert-bund.de (the
> complainant) didn't notice that I am a TOR exit node, so my first
> question (for people familiar with these guys) is:
> - How legit are these guys? Do they run for the German government?
> Are they simply trying to scare the shit out of me by citing
> europol.europa.eu and us-cert.gov? (see redacted forwarded message
> below, my own opinion is "Yes")
> Then
> - Do they simply spam hosting companies each time they have a probe
> sensing something somewhere (I know it's vague, but I can use that
> as a "this complainant is a spammer" kind of
> Any other thoughts/remarks/comment on that matter?
> Regards, Chris
> Thought of the day: Nowadays it looks like server administrators
> tend to send an abuse report each time they receive an illegal ping
> request! Testimony of the day: Last time I received an "SSH scan"
> abuse report, I sent back my SSH honeypot logs, which contain more
> than 5k login attempts per day.
> -------- Original Message --------
> [..]
> ----- attachment -----
> Dear Sir or Madam
> "Gameover Zeus" is malicious software which is primarily used by
> cybercriminals to carry out online banking fraud and to spy out
> login credentials for online services on infected PCs. It can also
> be used to install further malicious software (including
> blackmailing trojans such as "CryptoLocker" ransomware) on PCs or
> to carry out DDoS attacks.
> In a joint international campaign since the end of May 2014, law
> enforcement agencies, with the support of private sector partners,
> have taken action against the "Gameover Zeus" botnet.
> As part of this campaign, it has now been possible to identify the
> IP addresses of systems infected with "Gameover Zeus".
> We are sending you a list of infected systems in your net area.
> Would you please examine the situation thoroughly and take
> appropriate measures to cleanse the systems.
> - Europol: International action against 'Gameover Zeus' botnet
> and 'CryptoLocker' ransomware
> - ShadowServer: Gameover Zeus & Cryptolocker
> - US-CERT: GameOver Zeus P2P Malware
> A list of infected systems in your net area: [...]
> Kind regards, Team CERT-Bund