[tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen

Ch'Gans chgans at gna.org
Sun Jul 20 05:40:01 UTC 2014 

On 19/07/14 22:32, Thomas White wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Speaking from experience of operating 25 servers doing 4Gbps, I can
> quite safely say that if your host has been supportive of Tor, I would
> simply respond with the normal boilerplate regardless of what the
> complaint is or who made it. I've received threats from countless
> organisations, companies, police and have clashed with Interpol in the
> past, they are yet to bring a single charge against me in the UK
> (albeit I have had some servers seized). I am the exception of Tor
> operators too, not the rule so if they can't charge me I very much
> doubt they could charge somebody operating just a single server. The
> point is that you should be very open that you operate a Tor node,
> ensure you promptly respond to abuse complaints and if your provider
> doesn't seem to be fully convinced by you or are threatening to close
> your service then it could do with some additional explanation. Heck
> if you need it just let me know who to contact and I'll do it for you!

Thanks for proposing your help, I think i'm OK for now.
This is true that I have not been very "honest" with my hosting company, 
I didn't tell them that i am running an exit TOR node, I simply stated 
so far that I provide "service to people", and that sometimes this 
service get abused by bad apples.
But I think this time I will tell them, and try to come with convincing 
arguments (your email and other's one are helpful to me)

Actually, I'm not the only TOR exit not on the Hetzner AS:
https://metrics.torproject.org/bubbles.html#as-exits-only
Hetzner is on the right of the biggest AS bubble (i3d BV)
And from https://metrics.torproject.org/bubbles.html#as, Hetzner is the 
biggest bubble!

Thx,
Chris

>
> Running Tor isn't illegal, you are protected by various safe-harbour
> provisions and ultimately if they blacklist you there is little you
> can do. Half of my IP's are on a lot of "blacklists", and I've found
> removing them is useful in the short term perhaps but many are
> automated and so just waste your time. In the long run we need
> education more than anything and in fact I am actually writing up a
> letter at the moment to encourage some blacklists to check if the IP
> is a tor exit node and to prevent their systems spamming operators
> with abuse complaints. (This section I'll follow up with on this
> mailing list with next week)
>
> My ISP has a policy that as long as the complaints aren't from
> Spamhaus, they aren't too bothered as long as I reply to the abuse
> complaints which I do. You should ask your ISP outright what the
> policy is on these situations. But as far as Spamhaus goes I've not
> received a single complaint from them out of thousands I have received
> in the past year.
>
> If you want to talk privately, just reply to me off the mailing list
> and I'll be happy to do whatever I can.
>
> Regards,
> - -T
>
> On 18/07/2014 10:08, Ch'Gans wrote:
>> Hi there,
>>
>> I'm here to look for advice or comments on how to handle abuse
>> reports when you run a TOR relay exit on a "server for the mass".
>> I'm running the TOR exit node
>> 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner netowrk
>> (50E/month, this is my contribution to the TOR project) So far I
>> had to deal with few "easy" abuse reports (ssh scan, forum insults,
>> spams, ...), I think i performed pretty well so far (thanks to
>> Hetzner cooperation?)
>>
>> But today I just received this botnet related one. I do take this
>> report seriously, I know that malware are more and more using the
>> TOR network as an anonymous covert, I don't like malware, I don't
>> like malicious botnet and I don't like spammers. Still I end up
>> being identify as one of them.
>>
>> I knew from day one that it was a risky business to run an exit
>> TOR node, but I want to stand up and fight. If only I can convince
>> people of my right doing.
>>
>> First of all I am quite surprised that cert-bund.de (the
>> complainant) didn't notice that I am a TOR exit node, so my first
>> question (for people familiar with these guys) is: - How legit are
>> these guys? Do they run for the German government? Are their simply
>> trying to scare the shit out of me by citing europol.europa.eu, and
>> us-cert.gov? (see redacted forwarded message below, my own opinion
>> is "Yes") Then - Do they simply spam hosting company each time they
>> have a probe sensing something somewhere (I know it's vague, but I
>> can use that as a "this complainant is a spammer" kind of
>> argument)
>>
>> Any other thoughts/remarks/comment on that matter?
>>
>> Regards, Chris
>>
>> Thought of the day: Nowadays it looks like server administrator
>> tend to send abuse report each time they receive an illegal ping
>> request! Testimony of the day: Last time I received an "SSH scan"
>> abuse report, I sent back my SSH honeypot logs, which contains more
>> than 5k login attempts per day.
>>
>>
>> -------- Original Message -------- [..] ----- attachment ----- Dear
>> Sir or Madam
>>
>> "Gameover Zeus" is malicious software which is primarily used by
>> cybercriminals to carry out online banking fraud and to spy out
>> login credentials for online services on infected PCs. It can also
>> be used to install further malicious software (including
>> blackmailing trojans such as "CryptoLocker" ransomware) on PCs or
>> to carry out DDoS attacks.
>>
>> In a joint international campaign since the end of May 2014, law
>> enforcement agencies, with the support of private sector partners,
>> have taken action against the "Gameover Zeus" botnet [1].
>>
>> As part of this campaign, it has now been possible to identify the
>> IP addresses of systems infected with "Gameover Zeus" [2].
>>
>> We are sending you a list of infected systems in your net area.
>>
>> Would you please examine the situation thoroughly and take
>> appropriate measures to cleanse the systems.
>>
>> Sources:
>>
>> [1] Europol: International action against 'Gameover Zeus' botnet
>> and 'CryptoLocker' ransomware
>> <https://www.europol.europa.eu/content/international-action-against-
>>
>>
> gameover-zeus-botnet-and-cryptolocker-ransomware>
>>
>> [2] ShadowServer: Gameover Zeus & Cryptolocker
>> <http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/>
>>
>>   [3] US-CERT: GameOver Zeus P2P Malware
>> <https://www.us-cert.gov/ncas/alerts/TA14-150A>
>>
>> A list of infected systems in your net area: [...]
>>
>> Kind regards, Team CERT-Bund
>>
>>
>>
>> _______________________________________________ tor-relays mailing
>> list tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
>
> iQIcBAEBAgAGBQJTyklGAAoJEE2uQiaesOsLauoP+gLTI6UG5Ch+vaY68TK6+bT6
> rUI0Q53XN+I4Yd0NDiS26I11OpXMJaUlP1gEk64Zs3VrCUkLaIGSn7xAp4b2dSHD
> vTylavLk/x8zqVFY+aDk0kBMXofHC8bkgUUUB1uCuHr13DsVotIO8AIXLRdlFQsY
> PVHVB8tgizRfm6ePv3hT+LcW1osJ5+PviixE8jlBXcGxXr+olcqjaWAdGN+eXdhr
> 944vlL9Yk7rNWw8Xkhs0rTg/Prqz4Wlqc2pzit+mRVLs/mkTPihzcbgrIEi4kBHW
> L/srUhIoaGpNNG5Qmow8/Ky99k0KAIbnvAeiOOFWwOb3X4XlzsuBS6KYIVkHD7qr
> g0cZj7gjCkkAtMS+6Wb0uk/Idx2LlntCoOOJZVlgMKv6lfV8PP5C/DJQvGoz6ADn
> 0d1jS9VNdLSp+h6daSkRQs19WswH67kdWG5Qbl0TxnBEXULrq/Q36/FfFVbNfGqo
> /b8zux0jHe4LM0zYLvAo+0bjeVhGXnzg4xOPgo0zDU3/JdXLdMvUYzScvu1EYUs8
> /XOzgF0n4eR4mkufoL7a4hCYc1DGB61m45co9mY0+8piTt+OuKxHG6mcVIweucdc
> BYaowXV0pe1mAc4wc07UqtrgDBWNyFnFp6hzgdoEsfEG6qsjLAxj5LKtTu7+9qgo
> BiRSx3NMi4GMPT2z4O6o
> =JFZA
> -----END PGP SIGNATURE-----
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>

-- 
QtCreator/qmakeparser.cpp:42
////////// Parser ///////////
#define fL1S(s) QString::fromLatin1(s)
namespace { // MSVC2010 doesn't seem to know the semantics of "static" ...

More information about the tor-relays mailing list