Someone manipulating Tor routing?

Dave Korn davek_throwaway at hotmail.com
Sat Feb 18 18:18:28 UTC 2006


From: Peter Palfrader
Date: Fri, 17 Feb 2006 16:28:10 +0100

>On Fri, 17 Feb 2006, Mike Zanker wrote:
>
> > On 17/02/2006 09:06, Sebastian Wiesinger wrote:
> >
> > > 200.222.72.146 is also a real POP3 server.
> >
> > Yes - that was the same IP address mine connected to.
>
>That's a Tor server, or at least tries to be.
>
>[..]
>Feb 17 15:19:55.308 [info] connection_read_to_buf(): tls error. breaking (nickname $3AE0FCB8B1A8C9AB66B149C15EEED0EEC6EED262, address 200.222.72.146).

  No, it _really_ is a POP server:

Z:\csrrt-malware>echo USER guest | nc -v -v -w 5 200.222.72.146 110
200.222.72.146: inverse host lookup failed:  : Operation not permitted
(UNKNOWN) [200.222.72.146] 110 (pop3) open
+OK ready
+OK Password required for guest.
sent 13, rcvd 47

  Although it was at one stage a tor node or client:

G:\WINNT\Internet Logs>grep "200.222.72" ZALog.txt
FWIN,2005/12/27,13:42:28 +0:00 GMT,200.222.72.146:2843,82.18.35.54:9001,TCP (flags:S)

And a little while later..

FWIN,2006/01/06,04:56:01 +0:00 GMT,200.222.72.146:0,82.18.35.54:0,ICMP (type:3/subtype:3)
FWIN,2006/01/06,10:50:11 +0:00 GMT,200.222.72.146:0,82.18.35.54:0,ICMP (type:3/subtype:3)
FWIN,2006/01/06,11:56:36 +0:00 GMT,200.222.72.146:0,82.18.35.54:0,ICMP (type:3/subtype:3)

It's also got some kind of webmail app on port 80.

>It's likely that the operator set an ORPort of 110 and it tries to check if it's
>reachable.  Which it isn't.  Hopefully the owner will look into their log some
>time.

But if it isn't listed in the directory, how come someone's trying to route 
to it?

I've seen it happen before, to other destination hosts.  One on cox.net, 
another which was iirc a domestic DSL line in Germany.  Again, not listed in 
the directory.  Strange.  Here's the cox.net one:

G:\WINNT\Internet Logs>grep "68.110.196.110" ZALog.txt
PE,2005/11/16,12:46:11 +0:00 GMT,tor.exe,68.110.196.110:110,N/A
PE,2005/11/16,12:46:11 +0:00 GMT,tor.exe,68.110.196.110:110,N/A
PE,2005/11/23,09:22:57 +0:00 GMT,tor.exe,68.110.196.110:110,N/A

Which /is/ listed as a tor node on one web page I found

http://www.google.co.uk/search?hl=en&hs=mcq&lr=&client=firefox-a&rls=org.mozilla:en-US:official&q=%2268.110.196.110%22
-> http://sv2ch.baila6.jp/torlist.txt

02/18/06 18:12:04 dig 68.110.196.110 @ 194.168.4.100
Dig 110.196.110.68.in-addr.arpa at 194.168.4.100 ...
Non-authoritative answer
Recursive queries supported by this server
Query for 110.196.110.68.in-addr.arpa type=255 class=1
  110.196.110.68.in-addr.arpa PTR (Pointer) ip68-110-196-110.ri.ri.cox.net

..but doesn't seem to be there any more.  I'm still not sure what's going 
on.

       DaveK
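As an added example, not part of Dave's post or the thread, here is a small Python script that does the grepping above programmatically: it parses the ZoneAlarm FWIN and PE records quoted in the mail and summarises, per remote host, inbound SYNs to the local ORPort, ICMP port-unreachable replies, and the remote ports tor.exe connected to. The field meanings are inferred from the quoted lines (an assumption), and the sample input is constructed from those same lines.

```python
from collections import defaultdict

# Constructed sample input: the ZoneAlarm records quoted in the post above.
ZALOG = """\
FWIN,2005/12/27,13:42:28 +0:00 GMT,200.222.72.146:2843,82.18.35.54:9001,TCP (flags:S)
FWIN,2006/01/06,04:56:01 +0:00 GMT,200.222.72.146:0,82.18.35.54:0,ICMP (type:3/subtype:3)
FWIN,2006/01/06,10:50:11 +0:00 GMT,200.222.72.146:0,82.18.35.54:0,ICMP (type:3/subtype:3)
PE,2005/11/16,12:46:11 +0:00 GMT,tor.exe,68.110.196.110:110,N/A
PE,2005/11/23,09:22:57 +0:00 GMT,tor.exe,68.110.196.110:110,N/A
"""

def parse_line(line):
    """Parse one ZoneAlarm record into a dict, or None for other record types.

    Field layout is inferred from the quoted lines (assumption):
      FWIN: inbound packet blocked: src ip:port, dst ip:port, proto (detail)
      PE:   program event: local program, remote ip:port
    """
    f = line.rstrip().split(",")
    if f[0] == "FWIN" and len(f) >= 6:
        src_ip, src_port = f[3].rsplit(":", 1)
        dst_ip, dst_port = f[4].rsplit(":", 1)
        proto = f[5].split(" ", 1)
        return {"kind": "FWIN", "when": f[1] + " " + f[2], "peer": src_ip,
                "peer_port": int(src_port), "local_port": int(dst_port),
                "proto": proto[0], "detail": proto[1] if len(proto) > 1 else ""}
    if f[0] == "PE" and len(f) >= 5:
        peer_ip, peer_port = f[4].rsplit(":", 1)
        return {"kind": "PE", "when": f[1] + " " + f[2], "program": f[3],
                "peer": peer_ip, "peer_port": int(peer_port)}
    return None

def summarise(text, or_port=9001):
    """Per peer: SYNs to our ORPort, ICMP unreachable replies, tor.exe outbound ports."""
    out = defaultdict(lambda: {"syn_to_orport": 0, "icmp_unreach": 0, "tor_out_ports": set()})
    for line in text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        s = out[r["peer"]]
        if r["kind"] == "FWIN" and r["proto"] == "TCP" and r["local_port"] == or_port \
                and "flags:S" in r["detail"]:
            s["syn_to_orport"] += 1
        elif r["kind"] == "FWIN" and r["proto"] == "ICMP" and r["detail"].startswith("(type:3"):
            s["icmp_unreach"] += 1
        elif r["kind"] == "PE" and r["program"].lower() == "tor.exe":
            s["tor_out_ports"].add(r["peer_port"])
    return dict(out)

if __name__ == "__main__":
    for peer, stats in summarise(ZALOG).items():
        print(peer, stats)
```

Pointing the script at a full ZALog.txt gives the same per-host view Dave assembled by hand with grep, which makes it easy to spot peers that appear as a Tor relay in outbound PE records but never in the consensus.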




More information about the tor-talk mailing list