[tor-relays] exit node experience: abuse over HTTP, stealrat infection

Roger Dingledine arma at mit.edu
Sun Oct 19 11:31:01 UTC 2014

On Sun, Oct 19, 2014 at 01:24:31PM +0200, Kees Goossens wrote:
> However, the only thing I do with my VPS is run tor.  I don???t run a web site, and don???t have apache or whatever installed.
> I didn???t investigate much further, but my hypothesis is that when
>publishing the tor-exit notice on port 80 either tor internally uses a
>web server or enables a web server that???s present in the system. Either
>way, that webserver was hacked through a PHP hack.

It is much more likely that this was a false positive. That is, whoever
sent you the mail was using a wrong-in-your-case mechanism for detecting
whether you're infected with "stealrat". They probably just make a list
of all the computers that connect to them and send certain traffic. And
if your computer connected to them and sent that traffic, onto their
list you go.

The Internet is full of people telling other people that they're
infected and ought to clean up their computer. Sometimes they're right,
sometimes they're wrong. Usually, when it comes to Tor relays they're
wrong, because it never occurred to them that you might be proxying the
traffic from somebody else.

Hope that helps,

More information about the tor-relays mailing list