[tor-relays] Tor relay marked "false positive" from NCSC-FI

Peter Gerber tor-lists at arbitrary.ch
Thu Sep 3 07:13:03 UTC 2020


Hi

tschador at posteo.de:
> today my ISP received an abuse report from
> ncsc-fi-autoreporter at traficom.fi [1]:
> ---
> The information below is presented in the following format:
> ASN | IP | TIMESTAMP (UTC) | PTR/DNAME | CC | TYPE | CASE | INFO
> 
> 24940|95.217.16.212|2020-09-01 07:27:48
> +0000|95.217.16.212|DE|malweb|1130659|Datasource: b, Url:
> hxxp://95.217.16.212/tor/server/fp/23ad6b165137d957c09aa0f7a3ee7b05cec4a8f2,
> Http Request: GET, Additional Information: This host is most likely
> serving a malware URL., Artifact Hash: 69b9e2721018f0ebaebf901d98d8c9b9
> ---
> The ip belongs to my non-exit relay. [2] There is no action required for
> me, but I wonder why they mark traffic on the dirport as 'malware'?

I've received a similar mail not too long ago. Looking into it, I
couldn't but conclude that it was some sort of phishing scam. When
following the link one was asked to provide a lot of information. The
webpage seemed outdated and incomplete, and nowhere was it explained why
they'd scan the internet for anything. All in all, the page looked as
"phishy" as it gets.

For reference, below is the abuse mail I received.

Regards

Peter

-------- Forwarded Message --------
Subject: Fwd: Abuse Message [AbuseID:730BD4:2C]: AbuseCleanMXInfo:
[clean-mx-viruses-172313691](95.216.14.206)-->(abuse at hetzner.de) viruses
sites (1 so far) within your network, please close them! status: As of
2020-08-09 16:47:16 CEST
Date: Sun, 09 Aug 2020 16:48:21 +0200
From: abuse at hetzner.com
Reply-To: abuse at hetzner.com
To: <removed>

Dear Mr Peter Gerber,

For your information we are forwarding you the email of the ticket
[AbuseID:730BD4:2C]. The source email with details about the issue is
attached to this email.

Important note:
When replying to us, please leave the abuse ID [AbuseID:730BD4:2C]
unchanged in the subject line.

Kind regards

Abuse department

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 505-0
Fax: +49 9831 505-3
abuse at hetzner.com
www.hetzner.com

Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: www.hetzner.com/datenschutzhinweis

On 09 Aug 16:47, abuse at clean-mx.de wrote:
> Dear abuse team,
>
> please have a look at these perhaps offending virus sites (1) so far.
>
> Notice: We do NOT urge you to shutdown your customer, but to inform
> him about a possible infection/misbehavior !
>
> status: As of 2020-08-09 16:47:16 CEST
>
> Please preserve on any reply our Subject:
> [clean-mx-viruses-172313691](95.216.14.206)-->(abuse at hetzner.de) viruses
> sites (1  so far) within your network, please close them!  status: As of
> 2020-08-09 16:47:16 CEST
>
>
>
> http://support.clean-mx.de/clean-mx/viruses.php?email=abuse@hetzner.de&response=alive
>
> (for full uri, please scroll to the right end ...
>
> This information has been generated out of our comprehensive real time
> database, tracking worldwide virus URIs
>
> If you review this list of offending site(s), please do this
> carefully, pay attention to redirects also!
> Also, please consider these particular machines may have a rootkit
> installed !
> So simply deleting some files or dirs or disabling cgi may not really
> solve the issue !
>
> Advice: The appearance of a Virus Site on a server means that
> someone intruded into the system. The server's owner should
> disconnect and not return the system into service until an
> audit is performed to ensure no data was lost, that all OS and
> internet software is up to date with the latest security fixes,
> and that any backdoors and other exploits left by the intruders
> are closed. Logs should be preserved and analyzed and, perhaps,
> the appropriate law enforcement agencies notified.
>
> DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
> PROBLEM, THEY WILL BE BACK!
>
> You may forward my information to law enforcement, CERTs,
> other responsible admins, or similar agencies.
>
>
> +-----------------------------------------------------------------------------------------------
> |date				|id	|virusname	|ip		|domain		|Url|
> +-----------------------------------------------------------------------------------------------
> |2020-08-09 16:05:31 CEST	|172313691	|PUA.Win.Trojan.Generic-6629274-0	|95.216.14.206	|95.216.14.206	|http://95.216.14.206/tor/status-vote/current/consensus-microdesc/0232af+14c131+23d15d+27102b+49015f+d586d1+e8a9c4+ed03bb+efcbe7.z
> +-----------------------------------------------------------------------------------------------
>
>
> Your email address has been pulled out of whois concerning this
> offending network block(s).
> If you are not concerned with anti-fraud measures, please forward
> this mail to the next responsible desk available...
>
>
> If you just close(d) these incident(s), please give us feedback; our
> automatic walker process may not detect a closed case
>
> explanation of virusnames:
> ==========================
> unknown_html_RFI_php	not yet detected by scanners as RFI, but pure php
> code for injection
> unknown_html_RFI_perl	not yet detected by scanners as RFI, but pure
> perl code for injection
> unknown_html_RFI_eval	not yet detected by scanners as RFI, but suspect
> javascript obfuscating evals
> unknown_html_RFI	not yet detected by scanners as RFI, but trapped by
> our honeypots as remote-code-injection
> unknown_html	not yet detected by scanners as RFI, but suspicious, may be
> in rare case false positive
> ...javascript.insert	Please pay attention for script code after </html>
> unknown_exe	not yet detected by scanners as malware, but high risk!
> all other names	malwarename detected by scanners
> ==========================
>
>
> yours
>
> Gerhard W. Recher
> (CTO)
>
> net4sec UG (haftungsbeschraenkt)
>
> Leitenweg 6
> D-86929 Penzing
>
> GSM: ++49 171 4802507
>
> Geschaeftsfuehrer: Martina Recher
> Handelsregister Augsburg: HRB 27139
> EG-Identnr: DE283762194
>
> w3: http://www.clean-mx.de
> e-Mail:   mailto:abuse at clean-mx.de
> PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id:
> 0xDD0CE552
> Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc
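As an added example (not from this thread, the reporters, or Tor itself): a small triage helper that parses a pipe-delimited NCSC-FI autoreporter record like the one quoted above, refangs the hxxp:// URL and checks whether its path is one of the directory-protocol documents a relay serves on its DirPort, so both URLs flagged in this thread can be recognised as ordinary directory fetches. The path shapes follow Tor's dir-spec; the function names, field names and the negative sample URL are my own.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the thread. Directory-protocol paths a Tor relay
# answers on its DirPort (per Tor's dir-spec): descriptors, consensuses,
# microdescriptors and authority keys. "(?:\.z)?" allows the compressed form.
HEX = "[0-9A-Fa-f]"
TOR_DIR_PATHS = {
    "server-descriptor": re.compile(
        rf"^/tor/server/(?:(?:fp|d)/{HEX}{{40}}(?:\+{HEX}{{40}})*|all|authority)(?:\.z)?$"),
    "consensus": re.compile(
        rf"^/tor/status-vote/current/consensus(?:-microdesc)?"
        rf"(?:/{HEX}{{6,40}}(?:\+{HEX}{{6,40}})*)?(?:\.z)?$"),
    "microdescriptor": re.compile(r"^/tor/micro/d/[0-9A-Za-z+/]+(?:-[0-9A-Za-z+/]+)*(?:\.z)?$"),
    "authority-keys": re.compile(
        rf"^/tor/keys/(?:all|authority|fp/{HEX}{{40}}(?:\+{HEX}{{40}})*)(?:\.z)?$"),
}

def refang(url: str) -> str:
    """Undo the 'hxxp://' defanging used in the NCSC-FI report text."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def classify_tor_dir_url(url: str):
    """Return the Tor directory document type the URL requests, else None."""
    # A match only says the request shape is a directory fetch; that the host
    # really is a relay should still be confirmed against the current consensus.
    path = urlsplit(refang(url)).path
    for kind, pattern in TOR_DIR_PATHS.items():
        if pattern.match(path):
            return kind
    return None

NCSC_FIELDS = ("asn", "ip", "timestamp", "ptr", "cc", "type", "case", "info")  # autoreporter column order

def triage_ncsc_line(line: str) -> dict:
    """Parse one pipe-delimited NCSC-FI autoreporter record and classify its URL."""
    record = dict(zip(NCSC_FIELDS, line.strip().split("|", len(NCSC_FIELDS) - 1)))
    m = re.search(r"Url:\s*([^\s,]+)", record.get("info", ""))
    record["url"] = m.group(1) if m else None
    record["tor_dir_document"] = classify_tor_dir_url(record["url"]) if m else None
    return record

# The record quoted in the thread, re-joined onto one line (the mail had wrapped it).
SAMPLE_LINE = (
    "24940|95.217.16.212|2020-09-01 07:27:48 +0000|95.217.16.212|DE|malweb|1130659|"
    "Datasource: b, Url: hxxp://95.217.16.212/tor/server/fp/"
    "23ad6b165137d957c09aa0f7a3ee7b05cec4a8f2, Http Request: GET, Additional "
    "Information: This host is most likely serving a malware URL., "
    "Artifact Hash: 69b9e2721018f0ebaebf901d98d8c9b9"
)
```

Running `triage_ncsc_line(SAMPLE_LINE)` yields `tor_dir_document == "server-descriptor"`, and the clean-mx URL from the forwarded table classifies as `"consensus"`; a path outside `/tor/` returns `None` and still needs a real look.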

