[tor-relays] suspicious relays

Tim Wilson-Brown - teor teor2345 at gmail.com
Fri Jun 24 12:38:56 UTC 2016


Dear Nepenthes Development Team,

Do you know anything about the 55 Tor Relays called "Relay127001"?
https://atlas.torproject.org/#search/Relay127001
They appeared around the 23rd of June 2016.

It looks like the relays have a self-signed HTTPS certificate called "Nepenthes Development Team" on port 443.

If you know about these relays, there are a few things you can do to help the Tor network:
* let us know if the relays are doing anything other than relaying traffic
* provide a ContactInfo in the torrc, typically an email address
* declare the relays to be part of a family using "MyFamily fingerprint0, … fingerprint54" in the torrc

Previous discussion on the tor-relays list is below:

> On 24 Jun 2016, at 16:44, simon <komsat at kalidasa.klamath.ch> wrote:
> 
> On 23.06.2016 22:47, yandereson at riseup.net wrote:
>> I check torstatus/atlas regularly and this was showing up :
>> https://atlas.torproject.org/#search/Relay127001 i just thought i report
>> it here.
> I copy-pasted some of the IP addresses into my webbrowser's url bar to
> check for a dirfrontpage; but what actually shows up is
> "Directory listing for /"
> for several of them.

None of them have a DirPort, so Tor won't serve any front page.
You're seeing the output from some other web server running on port 80.
No identifying headers.
It looks like a very basic server that serves HTML 3.2.

The HTTPS is more interesting: a self-signed "Nepenthes Development Team" certificate.
It's apparently a malware collection platform that "emulates only the vulnerable parts of a service".
Here's the relevant paper:
https://www1.cs.fau.de/filepool/publications/collecting-malware-final.pdf

> I've seen something similar for "involuntary" FTP servers before. Botnet?

Or a honeypot. Or a series of cloned servers. It's hard to tell.
But there do seem to be a large number of them, 55 in a recent consensus.
And no contact info, either.

We might want to remove these relays from the network before they pick up too many more flags.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B
ricochet:ekmygaiu4rzgsk6n
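The checks Tim runs by hand above (many relays under one nickname, no DirPort, no ContactInfo, no declared family) can be automated against the relay search data Atlas is built on. The script below is an added example, not code from the mail or from the Tor Project. It assumes the field names of an Onionoo "details" document (nickname, fingerprint, or_addresses, dir_address, contact, effective_family, flags); the relay records it runs on are constructed for the example, with invented fingerprints and addresses, and are not the real Relay127001 relays. It also emits the MyFamily line an operator would need to add to the torrc for the group.

```python
"""Audit relays that share a nickname for the warning signs discussed on the list."""
import json
from collections import defaultdict

def fp(char):
    # Helper for the constructed sample: a 40-hex-char fingerprint made of one digit.
    return char * 40

# Constructed sample in the shape of an Onionoo details document. Onionoo omits
# "contact" when no ContactInfo is set and omits "dir_address" when the relay
# has no DirPort; "effective_family" is only populated for mutual MyFamily.
SAMPLE_DETAILS = json.dumps({"relays": [
    {"nickname": "Relay127001", "fingerprint": fp("1"),
     "or_addresses": ["198.51.100.11:443"], "flags": ["Running", "Valid"],
     "effective_family": [fp("1")]},
    {"nickname": "Relay127001", "fingerprint": fp("2"),
     "or_addresses": ["198.51.100.12:443"], "flags": ["Running", "Valid"],
     "effective_family": [fp("2")]},
    {"nickname": "Relay127001", "fingerprint": fp("3"),
     "or_addresses": ["198.51.100.13:443"], "flags": ["Running", "Valid", "Fast"],
     "effective_family": [fp("3")]},
    # A well-run pair for contrast: ContactInfo set, DirPort open, mutual MyFamily.
    {"nickname": "ExampleRelay", "fingerprint": fp("A"),
     "or_addresses": ["203.0.113.5:9001"], "dir_address": "203.0.113.5:9030",
     "contact": "ops at example dot org", "flags": ["Running", "Valid", "Guard"],
     "effective_family": [fp("A"), fp("B")]},
    {"nickname": "ExampleRelay", "fingerprint": fp("B"),
     "or_addresses": ["203.0.113.6:9001"], "dir_address": "203.0.113.6:9030",
     "contact": "ops at example dot org", "flags": ["Running", "Valid"],
     "effective_family": [fp("A"), fp("B")]},
]})

def load_relays(details_json):
    """Parse an Onionoo details document and return its relay records."""
    return json.loads(details_json).get("relays", [])

def audit_group(group):
    """Summarise one set of relays that share a nickname."""
    fps = {r["fingerprint"] for r in group}
    return {
        "count": len(group),
        "missing_contact": sum(1 for r in group if not r.get("contact")),
        "no_dirport": sum(1 for r in group if not r.get("dir_address")),
        # The family is complete only when every member lists every other member.
        "family_complete": all(fps <= set(r.get("effective_family", [])) for r in group),
        "flags": sorted({f for r in group for f in r.get("flags", [])}),
    }

def audit_by_nickname(relays, min_size=2):
    """Group relays by nickname and audit every group of at least min_size."""
    groups = defaultdict(list)
    for r in relays:
        groups[r["nickname"]].append(r)
    return {nick: audit_group(g) for nick, g in groups.items() if len(g) >= min_size}

def suspicious(report):
    """Nicknames whose relays all lack ContactInfo and have no complete family."""
    return sorted(nick for nick, a in report.items()
                  if a["missing_contact"] == a["count"] and not a["family_complete"])

def myfamily_line(group):
    """The torrc MyFamily line the operator of this group should declare."""
    return "MyFamily " + ", ".join(sorted(r["fingerprint"] for r in group))

if __name__ == "__main__":
    relays = load_relays(SAMPLE_DETAILS)
    report = audit_by_nickname(relays)
    for nick in suspicious(report):
        print(nick, report[nick])
        print(myfamily_line([r for r in relays if r["nickname"] == nick]))
```

Against live data, replace SAMPLE_DETAILS with the body of an Onionoo details query for the nickname; the audit then reports how many of the group lack a DirPort and a contact, and whether the family declaration is mutual on every member, which is the state the list is asking the operator to reach.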
