[tor-relays] kelihos infection

scar scar at drigon.com
Mon Jan 22 20:50:05 UTC 2018

Hello fellow relay operators,

I have received word from my ISP that they detected malicious traffic 
from my account.  I'm running the exit node "cave" with reduced exit policy,


The information received from my ISP was:

infection => 'kelihos', subtype => 'kelihos.e', port => '52935', asn => 
'209', family => 'kelihos', sourceSummary => 'Drone Report'

Typically they will also provide an IP address related to the infection, 
which is usually a sinkhole.  The solution is to block the IP in my exit 
policy.  However no IP was provided in this report and there is not one 
available, since my ISP is just relaying information they receive from a 
3rd party detection agency.  Furthermore, the port mentioned, 52935, is 
not allowed in my exit policy, so I'm guessing that port is somewhere 

Any ideas about this "infection" and how we could prevent it from using 
our exit nodes?


More information about the tor-relays mailing list