[tor-relays] IP addresses as false positives?

eliaz eliaz at riseup.net
Tue Jan 6 10:34:36 UTC 2015


grarpamp:
>> I run in a dedicated low-power box on my LAN, to save electricity. Is
>> that as good as a VM?
> 
> Whichever way you like. If you've got all sorts of virii/malware
> going on in an environment of exposure you wouldn't want
> your regular personal files or activities exposed to that.

All my connections/boxes/firewalls are OK, generally get very few alerts
> 
>> I don't know how to confirm that exits are MITMs. I can post the FPs of
> 
> Turn off TBB, Tor, bridge, vidalia, socks, everything about tor.
> Browse to the same place/url you got an alert with normal Firefox
> over clearnet See if you get an alert.
> 
>> the ones that show up, though. So far all the alerts lead me to
>> recognizable nodes that show up OK in Atlas, etc.

My mistake. One IP address can't be found in Atlas or Globe. See below.
> 
> Others have not reported 'all these alerts' and exits "several days".
> If you wanted to you could post the name and version
> of your "AV program" and your OS version.
> And the full text of one of these alerts (if it's not
> sensitive to you) and the exit FP.

I've gone back to my records. The .txt attachment gives what I'd gotten
for three different IP addresses. I'm not panicked about this & don't
expect anyone to put more time into my query. But the different results
may interest someone. - eliaz


-------------- next part --------------
4:35 AM 1/6/2015
AV alerts on tor nodes

Here follow traces of IP addresses that provoked virus alerts in Avast Pro Antivirus. Five alerts from three IP addresses (2, 1, 2). These were interspersed with some other similar alerts for different IP addresses that I didn't record. See second trace below.

===================================================================================
Trace 1		(2 instances) 
Object: 	https://95.211.98.159	 
Fingerprint:	64846B8BAEDB6234FEB18E18124CC9C9C279C254 
Via Globe

===================================================================================
Trace 2		(2 instances)
Object: 	https://212.83.183.18
Fingerprint:	Not found
Could not reach via Atlas or Globe. Clearnet browser times out; got tired of waiting for tor browser to connect. Ping times out. Tracert gives:
tracert 212.83.183.18
Tracing route to this.is.a.tor.exit.afo-tm.org [212.83.183.18]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
 11   144 ms   142 ms   145 ms  online-gw.ip4.gtt.net [46.33.93.90]
 12   141 ms   143 ms   142 ms  195.154.1.163
 13     *        *        *     Request timed out.
 ...
 15     *        *        *     Request timed out.
 16     *     ^C

===================================================================================
Trace 3		(1 instance)
URL:		https://176.9.232.121	
Fingerprint:	66FDD4CD9C048B42650C2617C7FB7A51095CB31D 
Via Globe

===================================================================================
Detail: 
 All AV scanners up to date.
 Tor box runs Avast Pro Antivirus, and runs tor only. I don't run a tor client from there.
 Other box runs AVG Antivirus and usually runs clearnet firefox. I can turn on torbrowser & vidalia as necessary, though. They were off while I tried to rouse Trace 2 in clear.
 OSs are Win7 32 bit (tor box), 64 bit (other box)
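As an added example (not part of the original thread or its attachment): the lookup done by hand through Globe above can be scripted against Onionoo, the directory service that Atlas and Globe render, to tell a known relay from an address the consensus does not know. The sample document is constructed to mirror the attachment's findings (traces 1 and 3 resolve to the listed fingerprints, trace 2 resolves to nothing); the flags and running state in it are assumed placeholders, and fetch_onionoo_details only shows the live query shape.

```python
import json
import urllib.request  # used only by fetch_onionoo_details (needs network)

# Constructed sample in Onionoo "details" format, mirroring the attachment:
# traces 1 and 3 found via Globe, trace 2 not found. Flags/running are
# placeholders, not real relay data.
SAMPLE_DETAILS = json.dumps({
    "relays": [
        {"fingerprint": "64846B8BAEDB6234FEB18E18124CC9C9C279C254",
         "or_addresses": ["95.211.98.159:443"], "exit_addresses": ["95.211.98.159"],
         "running": True, "flags": ["Exit", "Running", "Valid"]},
        {"fingerprint": "66FDD4CD9C048B42650C2617C7FB7A51095CB31D",
         "or_addresses": ["176.9.232.121:443"],
         "running": True, "flags": ["Exit", "Running", "Valid"]},
    ]
})

def index_relays(details_json):
    """Map every IP a relay listens or exits on -> (fingerprint, is_exit, running)."""
    index = {}
    for relay in json.loads(details_json).get("relays", []):
        # or_addresses are "ip:port" or "[ipv6]:port"; drop the port and brackets
        ips = {addr.rsplit(":", 1)[0].strip("[]") for addr in relay.get("or_addresses", [])}
        ips.update(relay.get("exit_addresses", []))
        info = (relay["fingerprint"], "Exit" in relay.get("flags", []), relay.get("running", False))
        for ip in ips:
            index[ip] = info
    return index

def classify_alert_ips(flagged_ips, details_json):
    """For each IP an AV flagged, report whether it is a known Tor relay and its fingerprint."""
    index = index_relays(details_json)
    result = {}
    for ip in flagged_ips:
        if ip in index:
            fp, is_exit, running = index[ip]
            result[ip] = {"known_relay": True, "fingerprint": fp, "exit": is_exit, "running": running}
        else:
            result[ip] = {"known_relay": False, "fingerprint": None, "exit": False, "running": False}
    return result

def fetch_onionoo_details(search):
    """Live lookup (needs network): the same 'details' document Atlas and Globe display."""
    url = "https://onionoo.torproject.org/details?search=" + search
    with urllib.request.urlopen(url, timeout=20) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    flagged = ["95.211.98.159", "212.83.183.18", "176.9.232.121"]
    for ip, verdict in classify_alert_ips(flagged, SAMPLE_DETAILS).items():
        print(ip, verdict)
```

An address that resolves to a known exit points to the AV flagging Tor's own port-443 traffic, while one that resolves to nothing deserves the clearnet re-check suggested earlier in the thread.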

