Security risks of using vds for setting up tor-nodes?

James Brown jbrownfirst at gmail.com
Fri Nov 26 19:09:00 UTC 2010


Some time ago I ran a VDS under Debian Lenny:
~# uname -a
Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
GNU/Linux

I set up only an exit tor-node on that VDS and nothing more. I didn't stop
apache, the proftpd daemon etc. because I intended to use them in the
future, but I didn't use them for several months.
Now I have the next problem.

Some days ago I received the next messages from the cron daemon:
/etc/cron.daily/rkhunter:
Internal error!
Internal error!
.................................

and from rkhunter that my server has problems, which you can see in the
attached log, including detected SHV4 Rootkit and SHV5 Rootkit.

When I try to start rkhunter in the shell of that server it doesn't want
to work.
chkrootkit tells me about problems too (see attached log).

unhide-tcp does not want to work, like rkhunter; what unhide finds can be
seen in the attached logs.

clamav finds the next:
/sbin/ttymon: Trojan.Linux.Rootkit.A FOUND
/usr/bin/find: Linux.Rootkit-25 FOUND
/usr/bin/pstree: Trojan.Rootkit-118 FOUND
/usr/lib/libsh/.sniff/shsniff: Trojan.Linux.Sysniff FOUND
/usr/lib/libsh/shsb: Linux.LionCleaner FOUND

debsums tells me the next:
~# grep -i failed debsums20101126.log
/bin/ls                                                         FAILED
/usr/bin/md5sum                                                 FAILED
/usr/bin/find                                                   FAILED
/bin/netstat                                                    FAILED
/sbin/ifconfig                                                  FAILED
/bin/ps                                                         FAILED
/usr/bin/top                                                    FAILED
/opt/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/config.default.php  FAILED
/opt/psa/etc/service/coldfusion.xml                             FAILED
/opt/psa/admin/plib/templates/backup/backup_failed_task.tpl
/etc/pam.d/pop3                                                 FAILED
/etc/pam.d/imap                                                 FAILED
/usr/bin/pstree                                                 FAILED

How was it possible to catch these viruses, rootkits etc. from running
an exit tor-node? Has anybody had such problems? What security
measures do other owners of exit nodes take?
What is better for me - to try to clean the existing system, or to give
an order to the VDS provider to reinstall my VDS?
If the last way is better (now I am inclined to that) - what files
from the tor-node installation do I need to save except torrc and the keys of my node?
Or would it be better to generate new keys through a new installation of
the tor-node? Could the existing keys compromise my tor-node after reinstalling
my VDS?
And could it be an attack against exactly my VDS as a tor-node? Could it
be an attempt of an adversary to take control over my tor-node for
attacks against the Tor network?!




-------------- next part --------------
A non-text attachment was scrubbed...
Name: chkrootkit_server20101126.log
Type: text/x-log
Size: 1803 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20101126/58f2b906/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rkhunter_server_20101126.log
Type: text/x-log
Size: 21103 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20101126/58f2b906/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unhide_proc_server20101126.log
Type: text/x-log
Size: 3591 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20101126/58f2b906/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unhide_sys_server20101126.log
Type: text/x-log
Size: 36864 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20101126/58f2b906/attachment-0003.bin>
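The debsums output quoted above is the kind of evidence a defender gets from comparing installed files against the package manager's recorded checksums (on Debian, the md5 manifests dpkg keeps per package). The following added example, which is not part of the original post or of debsums, shows how that comparison works on a constructed directory tree and manifest, and how to triage the result: mismatches in core binaries like ls, ps, netstat or find (exactly the set flagged in the post) indicate replaced system tools rather than a harmless local config edit. One caveat the post itself illustrates: /usr/bin/md5sum was among the failed files, so any check run with the compromised host's own binaries is untrustworthy; the hashing below must be run from a separately booted, trusted environment against the suspect filesystem. The manifest format, the sample files and the list of tool names are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Core binaries that rootkits commonly replace; the names are taken from the
# debsums failures in the post above (constructed triage list, not from debsums).
SUSPICIOUS_TOOLS = {
    "ls", "ps", "netstat", "ifconfig", "find", "md5sum", "top", "pstree",
}


def parse_md5sums(text):
    """Parse a dpkg-style md5sums manifest: '<md5hex>  <path relative to />'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        entries[rel] = digest.lower()
    return entries


def md5_of_file(path):
    """Hash a file in chunks so large binaries do not get read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package_files(root, md5sums_text):
    """Return {absolute path: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry.

    `root` is the mount point of the filesystem under inspection; when run from a
    rescue environment this is the mounted suspect disk, so that the hashing code
    and Python interpreter come from trusted media rather than the suspect host.
    """
    results = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        p = Path(root) / rel
        key = "/" + rel
        if not p.is_file():
            results[key] = "MISSING"
        elif md5_of_file(p) != expected:
            results[key] = "FAILED"
        else:
            results[key] = "OK"
    return results


def triage(results):
    """Split verification results into all non-OK paths and the subset that are
    core system tools; a failure in the latter is a rootkit indicator."""
    failed = sorted(p for p, status in results.items() if status != "OK")
    replaced_tools = [p for p in failed if os.path.basename(p) in SUSPICIOUS_TOOLS]
    return failed, replaced_tools


def build_demo_tree():
    """Construct a tiny fake root with a manifest, then tamper with one binary."""
    root = tempfile.mkdtemp(prefix="suspect-root-")
    files = {
        "bin/ls": b"#!/bin/sh\necho original ls\n",
        "bin/ps": b"#!/bin/sh\necho original ps\n",
        "usr/share/doc/demo/README": b"documentation only\n",
    }
    manifest_lines = []
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        manifest_lines.append(f"{hashlib.md5(content).hexdigest()}  {rel}")
    # Simulate a rootkit replacing ps after the package manifest was recorded.
    (Path(root) / "bin/ps").write_bytes(b"#!/bin/sh\necho hides processes\n")
    return root, "\n".join(manifest_lines) + "\n"


def run_demo():
    root, manifest = build_demo_tree()
    results = verify_package_files(root, manifest)
    failed, replaced_tools = triage(results)
    return results, failed, replaced_tools


if __name__ == "__main__":
    results, failed, replaced_tools = run_demo()
    for path, status in sorted(results.items()):
        print(f"{path:40} {status}")
    print("non-OK files:", failed)
    print("replaced core tools (rootkit indicator):", replaced_tools)
```

On a real Debian host the manifests live under /var/lib/dpkg/info/*.md5sums and can be fed to verify_package_files one package at a time with root set to the mounted suspect filesystem; the important design point is that an integrity check is only as trustworthy as the hashing tool and the manifest copy, both of which must come from outside the machine being judged.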