[tor-relays] exit node experience: abuse over HTTP, stealrat infection

Kees Goossens kees at itisgoodtobetheking.com
Sun Oct 19 11:49:35 UTC 2014 

Dear Roger,

Thanks for quick reply.  This possibility did occur to me.  When I asked my VPS provider about getting more information for further diagnosis told me they didn’t have more, but that the party that sent them the notification had been reliable in the past. My provider has been relatively friendly during this process, and I didn’t want to push them further.

Overall, let’s just hope that I’ve been an atypical case in getting two complaints in my first week of operating an exit node.

Thanks,
Kees



> On 19 Oct 2014, at 13:31, Roger Dingledine <arma at mit.edu> wrote:
> 
> On Sun, Oct 19, 2014 at 01:24:31PM +0200, Kees Goossens wrote:
>> However, the only thing I do with my VPS is run tor.  I don???t run a web site, and don???t have apache or whatever installed.
>> I didn???t investigate much further, but my hypothesis is that when
>> publishing the tor-exit notice on port 80 either tor internally uses a
>> web server or enables a web server that???s present in the system. Either
>> way, that webserver was hacked through a PHP hack.
> 
> It is much more likely that this was a false positive. That is, whoever
> sent you the mail was using a wrong-in-your-case mechanism for detecting
> whether you're infected with "stealrat". They probably just make a list
> of all the computers that connect to them and send certain traffic. And
> if your computer connected to them and sent that traffic, onto their
> list you go.
> 
> The Internet is full of people telling other people that they're
> infected and ought to clean up their computer. Sometimes they're right,
> sometimes they're wrong. Usually, when it comes to Tor relays they're
> wrong, because it never occurred to them that you might be proxying the
> traffic from somebody else.
> 
> Hope that helps,
> --Roger
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

More information about the tor-relays mailing list