[tor-relays] exit node experience: abuse over HTTP, stealrat infection

obx obx at riseup.net
Sun Oct 19 13:48:00 UTC 2014


On Sun, Oct 19, 2014 at 01:53:40PM +0200, Tom van der Woerdt wrote:
> Kees Goossens schreef op 19/10/14 13:24:
> >Part 1: Abuse over HTTP.
> >
> >Within one week of being an exit, my provider forwarded the following
> >abuse notification to me (XXXX is the abused Russian website, ZZZZ is me):
> >====
> >Greetings,
> >
> >XXXX abuse team like to inform you, that we have had mass bruteforce
> >attempts to the Joomla / WordPress control panel on the our
> >shared-hosting server XXXX from your network, from IP address ZZZZ
> >
> >During the last 30 minutes we recorded 333 attempts like this:
> >
> >XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php
> >HTTP/1.1" 200 11646 "-" "-"
> >XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php
> >HTTP/1.1" 200 11646 "-" "-"
> >XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php
> >HTTP/1.1" 200 11646 "-" "-"
> >XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php
> >HTTP/1.1" 200 11646 "-" "-"
> >XXXX - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php
> >HTTP/1.1" 499 0 "-" "-"
> >====
> >
> >Lesson (for me at least): since HTTP was used, even a very reduced exit
> >policy does not make one immune to abuse problems.
> >At this point I reverted back to being a non-exit relay, as I have no
> >interest in having to deal with this.
> 
> Hi Kees,
> 
> Sounds familiar. This same company (valuehost.ru?) sends me about 20 abuse
> reports a day. At first I replied with explanations of what Tor is,
> explaining why it's hard to do anything against this kind of abuse. Later I
> started sending the same replies but with a note "Please reply if you have
> read this message." - no replies. Their message mentions a contact address
> so I started cc'ing that address - still no reply. After replying for two
> months and never getting any replies, I stopped replying.
> 
> IANAL but you can probably just ignore those.
> 
> Abuse reports are very common but there's usually not much you can do other
> than write a message back explaining why there's not much you can do. Make
> sure your server provider knows that you run an exit relay!
> 
> Tom
> 

Same here, I've blacklisted their /24 in my torrc. The complaints
stopped.

> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
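The two countermeasures discussed in this thread are a reduced exit policy and a torrc `reject` for the complaining network's /24. Tor evaluates `ExitPolicy` lines in order and the first matching line decides, so the reject has to come before `accept *:80`, and a reduced policy that still accepts port 80 still carries the HTTP brute-force traffic that triggered the report. The following is an added example (not code from this thread or from Tor itself): a small IPv4-only first-match evaluator for `ExitPolicy` syntax, run over three constructed policies. The network 198.51.100.0/24 and the addresses used are RFC 5737 documentation space standing in for the complainant's hosting range.

```python
"""Toy first-match evaluator for Tor ExitPolicy lines (IPv4 only).

Constructed example, not Tor's own implementation. It models the rule
that matters here: Tor walks ExitPolicy entries in order and the first
entry matching (destination address, destination port) wins.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "reject"
    net: ipaddress.IPv4Network   # destination network ("*" -> 0.0.0.0/0)
    lo: int                      # first port of the range
    hi: int                      # last port of the range


def parse_policy(torrc_text):
    """Parse the ExitPolicy lines of a torrc fragment into an ordered rule list.

    Entries may be comma-separated within one line; '#' starts a comment.
    Only the "ExitPolicy" option is read (ExitPolicyRejectPrivate etc. are skipped).
    """
    rules = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != "ExitPolicy":
            continue
        for entry in parts[1].split(","):
            action, target = entry.split()
            if action not in ("accept", "reject"):
                raise ValueError("bad ExitPolicy action: %r" % action)
            addr, port = target.rsplit(":", 1)
            net = ipaddress.IPv4Network("0.0.0.0/0" if addr == "*" else addr,
                                        strict=False)
            if port == "*":
                lo, hi = 1, 65535
            elif "-" in port:
                lo, hi = (int(p) for p in port.split("-", 1))
            else:
                lo = hi = int(port)
            rules.append(Rule(action, net, lo, hi))
    return rules


def exit_allowed(rules, dest_ip, dest_port):
    """Return True if the first matching rule is an accept.

    Real Tor appends its default policy when a policy does not end in a
    catch-all; this toy instead rejects anything unmatched, so the sample
    policies below all end with an explicit 'reject *:*'.
    """
    ip = ipaddress.IPv4Address(dest_ip)
    for r in rules:
        if ip in r.net and r.lo <= dest_port <= r.hi:
            return r.action == "accept"
    return False


# Constructed policies. 198.51.100.0/24 stands in for the complainant's /24.
REDUCED_HTTP_ONLY = """
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

# Reject placed first, which is the only ordering that actually blocks the /24.
BLACKLIST_FIRST = """
ExitPolicy reject 198.51.100.0/24:*
ExitPolicy accept *:80, accept *:443
ExitPolicy reject *:*
"""

# Common mistake: the reject sits after an accept that already matched port 80.
BLACKLIST_AFTER_ACCEPT = """
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject 198.51.100.0/24:*
ExitPolicy reject *:*
"""


def demo():
    """Evaluate a POST to the complainant's web host under each policy."""
    target = ("198.51.100.7", 80)
    return {
        # The lesson from the thread: a reduced policy still exits HTTP.
        "reduced_policy_still_exits_http":
            exit_allowed(parse_policy(REDUCED_HTTP_ONLY), *target),
        "blacklist_first_blocks":
            exit_allowed(parse_policy(BLACKLIST_FIRST), *target),
        "blacklist_after_accept_is_ignored":
            exit_allowed(parse_policy(BLACKLIST_AFTER_ACCEPT), *target),
        # Other destinations on port 80 are unaffected by the /24 reject.
        "other_http_still_allowed":
            exit_allowed(parse_policy(BLACKLIST_FIRST), "203.0.113.9", 80),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-36s %s" % (name, "ACCEPT" if allowed else "REJECT"))
```

The ordering caveat is the practical point: put the `reject <their /24>:*` line above any `accept` that covers the same ports, and finish the policy with an explicit `reject *:*` so the configured policy, not Tor's default one, is what the relay publishes.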