[tor-relays] Tor exit nodes attacking SSH?

Roman Mamedov rm at romanrm.net
Wed Aug 9 05:58:01 UTC 2017


On Tue, 8 Aug 2017 18:51:51 -1100
Mirimir <mirimir at riseup.net> wrote:

> On 08/08/2017 01:48 PM, Steven Chamberlain wrote:
> > Hi,
> > 
> > I often run my SSH sessions via Tor using tsocks.  But today I see:
> > 
> >     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >     @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> >     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >     IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> >     Someone could be eavesdropping on you right now (man-in-the-middle
> >     attack)!
> >     It is also possible that a host key has just been changed.
> >     The fingerprint for the RSA key sent by the remote host is
> >     e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.
> 
> I've seen that happen with Digital Ocean droplets. And when I've
> checked, I've found that the host key had, in fact, changed. Did you
> check for that?
> 
> >     The authenticity of host '8.8.8.8 (8.8.8.8)' can't be established.
> >     RSA key fingerprint is e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.
> >     Are you sure you want to continue connecting (yes/no)? :
> 
> That's not even a host key change. It's just that you don't yet have the
> host key.
> 
> > I could be wrong, but I think this "dropbear" service is most likely
> > something malicious, running on one or more Tor exit nodes, attempting
> > to collect passwords of people logging in this way.
> 
> No, dropbear is an SSH server that 8.8.8.8 seems to be running.

Did you try ssh'ing into 8.8.8.8 (outside of Tor)? It does not run a public
SSH server at all (obviously).

The point was to demonstrate that the exit node intercepts port 22 connections
to any IP, and redirects them to the same particular instance of dropbear.
Note how in both cases it's the same key fingerprint of
e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.

-- 
With respect,
Roman
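
The check described in the message above (one key fingerprint being presented for unrelated destination addresses), written out as an added example that is not part of the original thread. It assumes `ssh-keyscan`-style lines (`host keytype base64-key`) collected over the path under test; the addresses and key blobs are constructed.

```python
import base64
import hashlib
from collections import defaultdict


def md5_fingerprint(b64_blob):
    """Legacy OpenSSH fingerprint: MD5 of the decoded key blob as colon-separated hex."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def shared_fingerprints(scan_lines):
    """Return {fingerprint: sorted hosts} for every key presented by more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in scan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and ssh-keyscan banner comments
        parts = line.split()
        if len(parts) < 3:
            continue  # not a "host keytype blob" line
        host, _keytype, blob = parts[:3]
        try:
            fp = md5_fingerprint(blob)
        except ValueError:
            continue  # blob is not valid base64
        hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def _blob(seed):
    # Constructed stand-in for a public key blob; real blobs come from the scan.
    return base64.b64encode(seed).decode()


# Constructed sample: two unrelated documentation addresses answer with one key.
SAMPLE = [
    "# constructed ssh-keyscan style output",
    f"192.0.2.10 ssh-rsa {_blob(b'constructed-key-same-server')}",
    f"198.51.100.7 ssh-rsa {_blob(b'constructed-key-same-server')}",
    f"203.0.113.5 ssh-rsa {_blob(b'constructed-key-other-host')}",
]

if __name__ == "__main__":
    for fp, hosts in shared_fingerprints(SAMPLE).items():
        print(f"{fp} presented by {', '.join(hosts)}")
```

Hosts cloned from one image can legitimately share a host key, so a hit is a reason to compare against a scan taken over a direct path.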

