[tor-relays] Tor exit nodes attacking SSH?

Mirimir mirimir at riseup.net
Wed Aug 9 06:55:08 UTC 2017


On 08/08/2017 06:58 PM, Roman Mamedov wrote:
> On Tue, 8 Aug 2017 18:51:51 -1100
> Mirimir <mirimir at riseup.net> wrote:
> 
>> On 08/08/2017 01:48 PM, Steven Chamberlain wrote:
>>> Hi,
>>>
>>> I often run my SSH sessions via Tor using tsocks.  But today I see:
>>>
>>>     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>     @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>>     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>     IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>>     Someone could be eavesdropping on you right now (man-in-the-middle
>>>     attack)!
>>>     It is also possible that a host key has just been changed.
>>>     The fingerprint for the RSA key sent by the remote host is
>>>     e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.
>>
>> I've seen that happen with Digital Ocean droplets. And when I've
>> checked, I've found that the host key had, in fact, changed. Did you
>> check for that?
>>
>>>     The authenticity of host '8.8.8.8 (8.8.8.8)' can't be established.
>>>     RSA key fingerprint is e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.
>>>     Are you sure you want to continue connecting (yes/no)? :
>>
>> That's not even a host key change. It's just that you don't yet have the
>> host key.
>>
>>> I could be wrong, but I think this "dropbear" service is most likely
>>> something malicious, running on one or more Tor exit nodes, attempting
>>> to collect passwords of people logging in this way.
>>
>> No, dropbear is an SSH server that 8.8.8.8 seems to be running.
> 
> Did you try ssh'ing into 8.8.8.8 (outside of Tor)? It does not run a public
> SSH server at all (obviously).
> 
> The point was to demonstrate that the exit node intercepts port 22 connections
> to any IP, and redirects them to the same particular instance of dropbear.
> Note how in both cases it's the same key fingerprint of
> e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.

Oops, I missed the fact that the key fingerprints are the same :(
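Roman's observation above (one fingerprint answering for unrelated IPs) is easy to check mechanically from ssh-keyscan-style output. The following is an added example, not code from this thread: it uses constructed sample lines with made-up key blobs, computes the legacy MD5 colon-hex fingerprints shown in the quoted warning, flags any fingerprint presented by more than one host, and compares each host against a pinned fingerprint.

```python
import base64
import hashlib
from collections import defaultdict


def md5_fingerprint(b64_key: str) -> str:
    """Legacy OpenSSH MD5 fingerprint (colon-separated hex) of a base64 host key blob."""
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_keyscan(lines):
    """Parse 'host keytype base64' lines (ssh-keyscan output format) into {host: fingerprint}."""
    seen = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, b64 = line.split()[:3]
        seen[host] = md5_fingerprint(b64)
    return seen


def shared_fingerprints(fps):
    """Return {fingerprint: sorted hosts} for every fingerprint seen from more than one host."""
    by_fp = defaultdict(set)
    for host, fp in fps.items():
        by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def compare_pinned(fps, pinned):
    """Classify each observed host as 'match', 'changed' or 'unknown' against pinned fingerprints."""
    return {
        host: "unknown" if host not in pinned else ("match" if pinned[host] == fp else "changed")
        for host, fp in fps.items()
    }


# Constructed sample data: the key blobs are arbitrary bytes, not real SSH keys.
INTERCEPT_KEY = base64.b64encode(b"constructed-key-presented-by-interceptor").decode()
LEGIT_KEY = base64.b64encode(b"constructed-key-of-the-real-server").decode()
SAMPLE_SCAN = [
    f"8.8.8.8 ssh-rsa {INTERCEPT_KEY}",      # host that runs no SSH server at all
    f"example.net ssh-rsa {INTERCEPT_KEY}",  # our own server, seen via the same exit
    f"10.0.0.5 ssh-rsa {INTERCEPT_KEY}",
    f"203.0.113.7 ssh-rsa {LEGIT_KEY}",      # unrelated host with its own key
]
PINNED = {"example.net": md5_fingerprint(LEGIT_KEY)}  # fingerprint recorded out of band

if __name__ == "__main__":
    observed = parse_keyscan(SAMPLE_SCAN)
    print("shared:", shared_fingerprints(observed))
    print("pinned:", compare_pinned(observed, PINNED))
```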

