[tor-relays] exit node experience: abuse over HTTP, stealrat infection

Tom van der Woerdt info at tvdw.eu
Sun Oct 19 11:53:40 UTC 2014

Kees Goossens wrote on 19/10/14 13:24:
> Part 1: Abuse over HTTP.
> Within one week of being an exit, my provider forwarded the following
> abuse notification to me (XXXX is the abused Russian website, ZZZZ is me):
> ====
> Greetings,
> XXXX abuse team would like to inform you that we have had mass brute-force
> attempts against the Joomla / WordPress control panel on our
> shared-hosting server XXXX from your network, from IP address ZZZZ.
> During the last 30 minutes we recorded 333 attempts like this:
> XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php
> HTTP/1.1" 200 11646 "-" "-"
> XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php
> HTTP/1.1" 200 11646 "-" "-"
> XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php
> HTTP/1.1" 200 11646 "-" "-"
> XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php
> HTTP/1.1" 200 11646 "-" "-"
> XXXX - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php
> HTTP/1.1" 499 0 "-" "-"
> ====
> Lesson (for me at least): since HTTP was used, even a very reduced exit
> policy does not make one immune to abuse problems.
> At this point I reverted back to being a non-exit relay, as I have no
> interest in having to deal with this.

Hi Kees,

Sounds familiar. This same company (valuehost.ru?) sends me about 20 
abuse reports a day. At first I replied with explanations of what Tor 
is, explaining why it's hard to do anything against this kind of abuse. 
Later I started sending the same replies but with a note "Please reply 
if you have read this message." - no replies. Their message mentions a 
contact address so I started cc'ing that address - still no reply. After 
replying for two months and never getting any replies, I stopped replying.

IANAL but you can probably just ignore those.

Abuse reports are very common but there's usually not much you can do 
other than write a message back explaining why there's not much you can 
do. Make sure your server provider knows that you run an exit relay!
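The abuse report quoted above is essentially a burst of POSTs to one admin login path from one client inside a 30-minute window. As an added example (not code from either poster), here is a small detector for that pattern run over constructed log lines laid out like the quoted excerpt; the client addresses, the /wp-login.php path and the thresholds are assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the excerpt quoted in the abuse report
# (combined log format; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
203.0.113.5 - - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
203.0.113.5 - - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
203.0.113.5 - - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php HTTP/1.1" 499 0 "-" "-"
198.51.100.7 - - [14/Oct/2014:14:18:02 +0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# /administrator/index.php is the Joomla path from the report; /wp-login.php is an
# assumed WordPress equivalent added here.
WATCH_PATHS = {"/administrator/index.php", "/wp-login.php"}


def parse_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")  # "14/Oct/2014:14:17:49 +0400"


def find_bursts(log_text, window=timedelta(minutes=30), threshold=100, watch=WATCH_PATHS):
    """Return {(client, path): peak} for clients whose POSTs to a watched login
    path reach `threshold` inside some sliding interval of length `window`.
    Unparseable lines are skipped rather than raising."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in watch:
            continue
        events[(m["src"], m["path"])].append(parse_ts(m["ts"]))
    bursts = {}
    for key, times in events.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts
```

The report counted 333 attempts in 30 minutes, so a real threshold would sit well above the `threshold=3` the tiny sample needs; on an exit relay the flagged client is of course the relay itself, which is why this is useful to the hosting side rather than the operator.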

