[tor-relays] Is my exit affected by a botnet?

Sec INT sec.int9 at gmail.com
Wed Dec 7 14:27:52 UTC 2016


I get abuse reports like that. My exit is not yet officially recognised as an exit, so it is currently seen as the source of the attack. It's unlikely your server is infected; it's just the traffic from your exit, especially as you're using port 443. Just send the standard abuse template to them if it's a problem for the ISP.

You could always install clamav and do a quick check on your server if you think it's necessary.

regards

Mark B


> On 7 Dec 2016, at 14:09, Volker Mink <volker.mink at gmx.de> wrote:
> 
> Hey folks,
> 
> I got an abuse information from my provider, please see details attached.
> Could this probably be caused by some malware on my Tor exit?
> 
> Any ideas on this?
> 
> Best,
> Volker
> 
> https://unity.abusehq.net/share/gFraliWxA_A-0uCFJvSxAkPRxYn536JoReAkl2MNUuCq3TNWJ8f4uXJVypwWAnVa
> 
> MAC Address        IP
> f07959d25289       109.90.11.123
> 
> Date: 06.12.2016 11:16
> Type: bot-infection
> Reporter: security at libertyglobal.com
> IP address: 109.90.11.123
> Incident part:
> - malware family: virut
> - destination ip: 148.81.111.121
> - destination port: 80
> - feeder: team cymru
> - description: This host is most likely infected with malware.
> 
> Date: 05.12.2016 10:00
> Type: malware
> Reporter: reports at reports.cert-bund.de
> IP address: 109.90.11.123
> Incident part:
> - malware: urlzone
> - destination ip: 64.71.166.50
> - destination port: 443
> - destination hostname: didnadinka.net
> - asn: 6830
> 
> Date: 02.12.2016 19:16
> Type: bot-infection
> Reporter: security at libertyglobal.com
> IP address: 109.90.11.123
> Incident part:
> - malware family: zeus
> - destination ip: 87.106.18.112
> - http request: /config
> - destination port: 80
> - destination domain name: mabqg.com
> - feeder: shadowserver
> - report type: botnet_drone
> - description: This host is most likely infected with malware.
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
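The check Mark describes is mechanical enough to script: if every reported connection left on a port the relay's ExitPolicy allows, at a time when the relay was already carrying exit traffic, the report is consistent with relayed traffic and gets the standard template; anything that does not fit is what actually merits a look at the host. The following is an added example, written for this thread and not code from the list, the operator or the Tor Project. It parses the report layout quoted above into structured incidents and triages each one. The sample report is constructed from the values quoted in the thread; the exit policy ports and the date the relay began exiting are assumptions.

```python
from datetime import datetime

# Constructed sample: two incidents quoted in the thread, values copied from
# the page. The first uses the one-value-per-line layout, the second the
# inline layout, so both forms of the report are exercised.
SAMPLE_REPORT = """\
> Date:
> 05.12.2016 10:00
> Type:
> malware
> Reporter:
> reports at reports.cert-bund.de
> IP address:
> 109.90.11.123
> Incident part:
> - malware: urlzone
> - destination ip: 64.71.166.50
> - destination port: 443
> - destination hostname: didnadinka.net
> - asn: 6830
> Date: 02.12.2016 19:16
> Type: bot-infection
> Reporter: security at libertyglobal.com
> IP address: 109.90.11.123
> Incident part:
> - malware family: zeus
> - destination ip: 87.106.18.112
> - http request: /config
> - destination port: 80
> - destination domain name: mabqg.com
> - feeder: shadowserver
"""

HEADERS = ("Date:", "Type:", "Reporter:", "IP address:", "Incident part:")


def _set(incident, field, value):
    """Store one top-level field; the date is parsed, 'ip address' becomes 'ip'."""
    if field == "date":
        incident["date"] = datetime.strptime(value, "%d.%m.%Y %H:%M")
    else:
        incident["ip" if field == "ip address" else field] = value


def parse_report(text):
    """Split an abuse report into one dict per incident (date/type/reporter/ip
    plus a 'details' dict from the '- key: value' lines). Leading '> ' quoting
    is ignored; a header's value may be on the same line or on the next one."""
    incidents, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        header = next((h for h in HEADERS if line.startswith(h)), None)
        if header:
            if header == "Date:":                 # a new incident begins
                current = {"details": {}}
                incidents.append(current)
            pending = header[:-1].lower()         # 'date', 'ip address', ...
            inline = line[len(header):].strip()
            if inline and current is not None:    # 'Type: malware' form
                _set(current, pending, inline)
                pending = None
        elif current is None:
            continue
        elif pending == "incident part":
            key, _, value = line.lstrip("- ").partition(":")
            current["details"][key.strip()] = value.strip()
        elif pending:                             # value on the line after its header
            _set(current, pending, line)
            pending = None
    return incidents


def triage(incidents, exit_ip, exit_ports, exit_since):
    """Label each incident as ordinary exit traffic or as needing a host check.
    exit_ports: ports the relay's ExitPolicy accepts (an assumption here);
    exit_since: 'dd.mm.yyyy' when the relay began carrying exit traffic."""
    since = datetime.strptime(exit_since, "%d.%m.%Y")
    results = []
    for inc in incidents:
        d = inc["details"]
        port = int(d.get("destination port", -1))
        reasons = []
        if inc.get("ip") != exit_ip:
            reasons.append("reported IP is not this exit")
        if port not in exit_ports:
            reasons.append(f"port {port} is not in the exit policy")
        if inc["date"] < since:
            reasons.append("report predates exit traffic")
        verdict = ("consistent with Tor exit traffic" if not reasons
                   else "check host: " + "; ".join(reasons))
        results.append((inc["date"].strftime("%d.%m.%Y %H:%M"),
                        d.get("malware") or d.get("malware family", "?"),
                        verdict))
    return results


if __name__ == "__main__":
    # Assumed policy: the exit accepts 80 and 443 and has exited since 1 Dec 2016.
    for row in triage(parse_report(SAMPLE_REPORT), "109.90.11.123", {80, 443}, "01.12.2016"):
        print("%s  %-8s %s" % row)
```

Run against the real report, the interesting output is the "check host" rows: a destination port the policy never allowed, or a timestamp before the relay was exiting, cannot be explained by relayed traffic and is the case where a scan of the host (clamav or otherwise) is actually warranted.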