[tor-relays] suspicious exit?

Michael Wolf mikewolf at riseup.net
Sat Jun 7 08:28:02 UTC 2014


On 6/6/2014 7:39 PM, JB wrote:
> I just set up my relay node today, and am keeping a hawkish(ish) eye on
> traffic.... And noticed a flurry of activity from SSH port (22) at
> 5.104.224.5 - which is listed as an exit.

That exit node uses port 22 as its ORPort (where other relays send Tor
traffic).  There is nothing suspicious about this.  You can verify this
info here:

https://globe.torproject.org/#/relay/30D983762D3993AD8F17EB5DCD522A5D6AAE8C59

> But it's also listed on http://cbl.abuseat.org/lookup.cgi?ip=5.104.224.5
> as infected (or NATting for a computer that is infected) with the
> Conficker botnet.

Exits are going to show up in all sorts of lists, because a small group
of bad people abuse Tor.  Exit nodes get blamed because the "victims"
think the traffic actually originates at the exit.

> I've black-holed it in the meantime, but am wondering if I'm being
> overly cautious...

Yes :)  Please don't block other Tor nodes.  Tor can communicate to/from
any port the admin has configured.

-- Mike
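
The check described in the reply above (is the remote address and port a relay's ORPort?) can be scripted against consensus data before blocking anything. This is an added example, not part of the original message: it parses "r"/"s" status lines in the layout from Tor's directory specification, and everything in the sample except the address, port and fingerprint quoted in the thread is constructed.

```python
import base64

# Constructed sample in the consensus "r"/"s" line layout. Only the address,
# port and fingerprint of the first entry come from the thread; nicknames,
# digests, dates and the second relay are made up for illustration.
FPR = "30D983762D3993AD8F17EB5DCD522A5D6AAE8C59"
_ID = base64.b64encode(bytes.fromhex(FPR)).decode().rstrip("=")
SAMPLE_CONSENSUS = f"""\
r ExampleExit {_ID} AAAAAAAAAAAAAAAAAAAAAAAAAAA 2014-06-07 00:00:00 5.104.224.5 22 0
s Exit Fast Running Valid
r ExampleMiddle AQIDBAUGBwgJCgsMDQ4PEBESExQ BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-06-07 00:00:00 192.0.2.10 9001 9030
s Fast Running Valid
"""

def parse_relays(text):
    """Return {(ip, orport): {"nickname", "fingerprint", "flags"}}."""
    relays, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "r":
            current = None  # a malformed entry must not inherit later "s" lines
            if len(parts) < 9:
                continue
            # The identity is unpadded base64 of the 20-byte fingerprint.
            ident = parts[2] + "=" * (-len(parts[2]) % 4)
            try:
                fpr = base64.b64decode(ident).hex().upper()
                port = int(parts[7])
            except ValueError:  # also covers binascii.Error (bad base64)
                continue
            current = {"nickname": parts[1], "fingerprint": fpr, "flags": []}
            relays[(parts[6], port)] = current
        elif parts and parts[0] == "s" and current is not None:
            current["flags"] = parts[1:]
    return relays

def classify(peer_ip, peer_port, relays):
    """Label a remote endpoint seen in a relay's connection list."""
    hit = relays.get((peer_ip, peer_port))
    if hit:
        return f"relay ORPort ({hit['nickname']} {hit['fingerprint']})"
    if any(ip == peer_ip for ip, _ in relays):
        return "relay address, different port"
    return "not a listed relay"

if __name__ == "__main__":
    relays = parse_relays(SAMPLE_CONSENSUS)
    for peer in [("5.104.224.5", 22), ("5.104.224.5", 2222), ("198.51.100.7", 22)]:
        print(peer, "->", classify(*peer, relays))
```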

