[tor-relays] kelihos infection
scar
scar at drigon.com
Mon Jan 22 20:50:05 UTC 2018
Hello fellow relay operators,
I have received word from my ISP that they detected malicious traffic
from my account. I'm running the exit node "cave" with reduced exit policy,
https://atlas.torproject.org/#details/3875c9c843d33762fa733bcaf128f26a10bc75e7
The information received from my ISP was:
infection => 'kelihos', subtype => 'kelihos.e', port => '52935', asn =>
'209', family => 'kelihos', sourceSummary => 'Drone Report'
Typically they will also provide an IP address related to the infection,
which is usually a sinkhole. The solution is to block the IP in my exit
policy. However no IP was provided in this report and there is not one
available, since my ISP is just relaying information they receive from a
3rd party detection agency. Furthermore, the port mentioned, 52935, is
not allowed in my exit policy, so I'm guessing that port is somewhere
else...
Any ideas about this "infection" and how we could prevent it from using
our exit nodes?
Thanks
More information about the tor-relays
mailing list