[tor-relays] exit node experience: abuse over HTTP, stealrat infection

Kees Goossens kees at itisgoodtobetheking.com
Sun Oct 19 11:24:31 UTC 2014

Dear all,

I’ve been running tor non-exit relay freshhumbug at torrelay.nl for about 3 months now.
Recently, I tried running it as an exit relay for a week, with following interesting results.

Set up:
- Ubuntu 14.04 running as VPS with transip.nl, latest release version of Tor
- bandwidth rate set to between 1 MB/s and 2 MB/s
- VERY reduced exit policy (listed below)

Part 1: Abuse over HTTP.

Within one week of being an exit, my provider forwarded the following abuse notification to me (XXXX is the abused Russian website, ZZZZ is me):

XXXX abuse team would like to inform you that we have had mass bruteforce attempts to the Joomla / WordPress control panel on our shared-hosting server XXXX from your network, from IP address ZZZZ

During the last 30 minutes we recorded 333 attempts like this:

XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php HTTP/1.1" 499 0 "-" "-"

Lesson (for me at least): since HTTP was used, even a very reduced exit policy does not make one immune to abuse problems.
At this point I reverted back to being a non-exit relay, as I have no interest in having to deal with this.

Part 2: Stealrat infection.

As part of being an exit relay, I set reverse DNS to this-is-a-tor-exit.torrelay.nl, and I displayed the this-is-a-tor-exit-node.html web page on port 80, using the DirPortFrontPage option.
A few days after having shut down my exit, I received notification from my provider that they have been told that my IP address was infected with Stealrat.  It hosted a Stealrat PHP file, used to send spam.
- http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations/
- http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf

However, the only thing I do with my VPS is run tor.  I don’t run a web site, and don’t have apache or whatever installed.
I didn’t investigate much further, but my hypothesis is that when publishing the tor-exit notice on port 80 either tor internally uses a web server or enables a web server that’s present in the system. Either way, that webserver was hacked through a PHP hack.
(Note that I received the Stealrat notification only after stopping my exit node.  I’m not sure if the Stealrat hack was still active or not. I couldn’t find relevant PHP files on my system.)
Since I didn’t want to spend time or effort (figuring out how to) clean my system, I reinstalled ubuntu & tor (only ~40 min work anyway).

Lesson (for me): using the DirPortFrontPage option opens up an unexpected web server vulnerability.

Perhaps this information is useful for others. 

With best regards,

Relevant parts of the torrc:

ORPort 9001                   # port used for relaying traffic
DirPort 80                    # port used for mirroring directory information - not used, since have accountingmax
SocksPort 0                   # prevents tor from being used as a client
RelayBandwidthRate 1000 KB    # limit for the bandwidth we'll use to relay
RelayBandwidthBurst 10 MB     # maximum rate when relaying bursts of traffic
BandwidthRate 1000 KB         # same as RelayBandwidthRate
BandwidthBurst 10 M           # same as RelayBandwidthBurst
DirPortFrontPage /home/administrator/.arm/this-is-a-tor-exit.html
ExitPolicy accept *:20-23     # FTP, SSH, telnet
ExitPolicy accept *:43        # WHOIS
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79-81     # finger, HTTP
ExitPolicy accept *:88        # kerberos
ExitPolicy accept *:220       # IMAP3
ExitPolicy accept *:389       # LDAP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:464       # kpasswd
ExitPolicy accept *:531       # IRC/AIM
ExitPolicy accept *:543-544   # Kerberos
ExitPolicy accept *:554       # RTSP
ExitPolicy accept *:563       # NNTP over SSL
ExitPolicy accept *:636       # LDAP over SSL
ExitPolicy accept *:749       # kerberos 
ExitPolicy accept *:981       # Remote HTTPS management for firewall
ExitPolicy accept *:989-995   # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
ExitPolicy accept *:1194      # OpenVPN
ExitPolicy accept *:1293      # PKT-KRB-IPSec
ExitPolicy accept *:1723      # PPTP
ExitPolicy accept *:1755      # RTSP
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:3690      # SVN
ExitPolicy accept *:4321      # RWHOIS
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5900      # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679      # IRC SSL  
ExitPolicy accept *:6697      # IRC SSL  
ExitPolicy accept *:8008      # HTTP alternate
ExitPolicy accept *:8080      # HTTP Proxies
ExitPolicy accept *:8082      # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443      # PCsync HTTPS
ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418      # git
ExitPolicy accept *:11371     # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:50002     # Electrum Bitcoin SSL
ExitPolicy reject *:*
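As an added example (not part of the original post and not Tor's own code), the following Python script checks the two things a relay operator would want to verify from this report: whether the reduced exit policy in the torrc above actually blocks the abused destination port (it does not, since 79-81 and 443 are accepted), and what the hosting provider's detection of the brute-force burst looks like when run over access-log lines in the format quoted in the abuse notice. The torrc fragment is a subset of the policy above; the log lines are constructed, with documentation-range addresses standing in for XXXX/ZZZZ. The policy parser is an assumption in that it only handles the `*:port`, `*:low-high` and `*:*` target forms used in this torrc, not Tor's full address/netmask syntax.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed: a subset of the ExitPolicy lines from the torrc above, comments
# included, ending with the same catch-all reject.
TORRC_FRAGMENT = """
ExitPolicy accept *:20-23     # FTP, SSH, telnet
ExitPolicy accept *:43        # WHOIS
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79-81     # finger, HTTP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:8080      # HTTP Proxies
ExitPolicy reject *:*
"""


def parse_exit_policy(torrc_text):
    """Return the ExitPolicy rules as an ordered list of (action, low_port, high_port).

    Assumption: only the '*:port', '*:low-high' and '*:*' target forms used in the
    torrc above are handled; Tor's address/netmask syntax is not parsed here.
    """
    rules = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("ExitPolicy"):
            continue
        _, action, target = line.split(None, 2)
        _host, ports = target.rsplit(":", 1)
        if ports == "*":
            low, high = 1, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        rules.append((action, low, high))
    return rules


def port_allowed(rules, port):
    """First matching rule wins, which is how Tor evaluates an exit policy top-down."""
    for action, low, high in rules:
        if low <= port <= high:
            return action == "accept"
    return False  # not reached for the policy above, which ends with 'reject *:*'


# Constructed sample in the format of the abuse report quoted above; 198.51.100.7
# stands in for the exit's address (ZZZZ), 203.0.113.5 for an unrelated visitor.
SAMPLE_LOG = [
    '198.51.100.7 - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"',
    '198.51.100.7 - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"',
    '203.0.113.5 - [14/Oct/2014:14:17:50 +0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"',
    '198.51.100.7 - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"',
    '203.0.113.5 - [14/Oct/2014:14:17:52 +0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php HTTP/1.1" 499 0 "-" "-"',
    '198.51.100.7 - [14/Oct/2014:14:17:55 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"',
]

LOG_RE = re.compile(
    r'^(?P<source>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

ADMIN_LOGIN_PATHS = {"/administrator/index.php", "/wp-login.php"}  # Joomla, WordPress


def parse_log_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "source": m["source"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce_sources(log_lines, window=timedelta(minutes=30), threshold=5):
    """Return {source: peak_count} for sources that POST to an admin login path at
    least `threshold` times inside any `window` (the abuse team's '333 attempts in
    30 minutes' observation, with a lower threshold for the small sample)."""
    events = [e for e in map(parse_log_line, log_lines)
              if e and e["method"] == "POST" and e["path"] in ADMIN_LOGIN_PATHS]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # per-source sliding window of timestamps
    flagged = {}
    for e in events:
        q = recent[e["source"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[e["source"]] = max(flagged.get(e["source"], 0), len(q))
    return flagged


if __name__ == "__main__":
    policy = parse_exit_policy(TORRC_FRAGMENT)
    for port in (80, 443, 25):
        print(f"port {port}: {'accept' if port_allowed(policy, port) else 'reject'}")
    print("brute-force sources:", find_bruteforce_sources(SAMPLE_LOG))
```

Running it reports ports 80 and 443 as accepted and 25 as rejected, and flags 198.51.100.7 with six admin-login POSTs inside the window while the single POST from 203.0.113.5 stays below the threshold. The point for an operator is that the exit policy is evaluated per destination port only, so anything that travels over plain HTTP or HTTPS, including login brute-forcing, passes a policy like this one unchanged.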
