[tor-talk] Is this a practical vulnerability?

Anon Mus my.green.lantern at googlemail.com
Sat Oct 20 15:54:53 UTC 2012


On 20/10/2012 14:46, Andreas Krey wrote:
> On Sat, 20 Oct 2012 11:29:57 +0000, Anon Mus wrote:
> ...
>> I had been creating/running corporate web sites since the mid 1990's, I
>> hardly think that qualified me as a newbie. Not sure what was the
>> purpose of this remark was.
> The purpose of the remark was get any concrete information on the
> kinds of attack you were experiencing. If those are the same that
> everyone on the internet is getting then it is hardly a sign of
> you being under attack specifically after having accessed your
> own hidden service.
>

Sorry, but I don't see any questions in your original remark, so I don't 
see how you expected to get information from it.

I quote..

"
Welcome to the internet. Have an open web server, and it will get

accessed by scum that tries known vulnerabilities: /memberlist.php,
/index.php, /user/soapCaller.bs, thats normal.
"

I expect most people would read your "remark" as talking down to someone.. more of a game of one-upmanship and, given the tone of your most recent reply, probably done to discredit my experience. Poo is a real stinker.



> Did you run the server before (I suppose not) and have the firewall
> rules before so you could cross-check the attacks after the hidden
> service with the time before?
>

Yes, it had been running about 6 months without any specific software 
firewalling but with logging on both the soft firewall and the 
webserver, during that time, when I was developing a web forum in php. 
Also the whole system was behind a hardware (router firmware) firewall, 
which should not have let it in anyway and that's why I logged very 
little (if any) internal traffic beforehand. To come home to see dozens 
of requests from my soft firewall for access to various O/S components 
and a log of gained access was a shock. This fact worried me for a long 
while as I immediately re-loaded my router's firmware and all its 
settings & passwords, but still they got in. Some while later I read of a 
vulnerability with the router's firmware (no details given, just that it 
could be hacked from outside) and I upgraded it. Interestingly the web 
server had been running, logging and all for about a year before this, 
as it came with the O/S. Not a single EXTERNAL request was ever passed 
to it in all that time until I started dev. with it.


> ...
>> Well with you being such an "experienced" and "savvy" web person I am
> I just operate a few http servers that have practically no regular
> traffic, so my httpd logs are a pure trace of the vulnerabilities
> that linger in diverse popular web applications.
>
> Likewise I see the constant influx of windows RPC/messages/RDP stuff
> in my firewall logs; and I wonder whether you actually know what
> life on the internet is, or whether you simply installed the web
> server & hidden service, saw all the shit hitting the server and
> went 'omg, tor is obviously borken'.
>

Don't you use router firmware firewalls? So you wouldn't see this kind 
of traffic?

I thought the times when nerds spent days looking through router logs 
fuming at the drones that attempt to access your system were long gone, 
no? Sounds like you are living in the past.

My current router doesn't even have a log on it!

> ...
>> Of course, once again your vast experience will lead you to the
>> conclusion that once alerted to the attacks I used other tools (such as
>> my web server log & a packet sniffer) to see the details of the traffic.
> So, what *are* the details of the traffic, especially in comparison to
> the usual background, that can even indicate that there was a specific
> attack on your server at that time.
>
> Or, for instance, what are the signs I should be looking for in my
> firewall/httpd logs to see whether there was a similar attack on
> my systems after I started my hidden services.
>

Where all logs end up, in the end, in the bin!

> ...
>> There were many attacks which I am sure you can research on the net
>> yourself.
> Yeah, sure. I can research how you were specifically attacked. Care
> to give some google keywords for that?
>

Good, because I was only telling someone of my experience just so they 
could keep safe.

>> They were mainly aimed at accessing parts of the server such
>> as files and various rpc O/S components.
>>
>> They did focus on trying to identify what web server I was using, I
>> believe there were about 4 or 5 different
> So what? The question is not whether someone is doing that, the
> question is what makes you think you're getting these attacks
> a) in relation to your hidden service and b) they are happening
> only to you.
>

Here's the sequence of events...

Have web server 2 years. No attacks.

Make hidden service

Within 12 hours of going live have seriously large number of attacks

Switch off hidden service and attacks stop a few days later

And somehow they got through a router firewall and a soft firewall !

And then they were looking for "a web-server": 3 / 4 types of web server 
were searched for.

>> Of course my web server did log the traffic that did get through, these
>> logs are now gone but here's a section from one which I queried someone
>> as to what it was..
>>
>>> #Fields:
>>> time c-ip cs-method cs-uri-stem sc-status
>>> 13:05:35 xxx.xxx.xxx.xxx GET /{Tor hidden service
>>> ID}/nonexistentfile.php 404
>>> 13:05:35 xxx.xxx.xxx.xxx GET /adxmlrpc.php 404
>>> 13:05:35 xxx.xxx.xxx.xxx GET /adserver/adxmlrpc.php 404
>>> 13:05:36 xxx.xxx.xxx.xxx GET /phpAdsNew/adxmlrpc.php 404
> ...
>>> 13:05:38 xxx.xxx.xxx.xxx GET /blog/xmlrpc.php 404
>>> 13:05:39 xxx.xxx.xxx.xxx GET /drupal/xmlrpc.php 404
>>> 13:05:39 xxx.xxx.xxx.xxx GET /community/xmlrpc.php 404
> Yeah, sure. I get the same of every http server I have in the open
> internet. Someone is always sweeping the internet for vulnerable
> systems; the vulnerabilities change, the sweeping doesn't.
>

That's drupal.org

> Nothing to see here, please move along and come up with something else.
>
Oh! why am I NOT surprised....

> Besides, the /{Tor hidden service ID}/nonexistentfile.php is
> /a1b2c3d4e5f6g7h8i9/nonexistentfile.php, right?
>
Yeah, you could be right, I edited it out when I mailed my expert.

>> I was told the above were attempts to gain access to a web server's
>> management system.
> Yes, they are.
>
>> The attacks all fell on stony ground because none actually guessed the
>> web server I was using before I closed the loophole.
> Those don't attack the web server per se but some types of blog/forum
> software. That's nothing you need a hidden service to be attacked with.
>
> Andreas
>


This "Hey prove it" nonsense could go on forever.. and I don't have the 
time.

Take it or leave it.

I wouldn't run a Tor hidden service, given the hassle and given the 
risk, unless I was having problems getting past my ISP. It makes me 
laugh to see all these prognostications on sophisticated attacks when 
the USA can see it all, transparent, as I explained.

Of course, there will be those who spend their time, perhaps paid for by 
US gov, making asses out of internet users, that's called co-intel (pros).
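One way to do the before/after comparison Andreas asks for, as an added example that is not code from either poster: parse the W3C-style log the post quotes and tally, per source address, how many requests were 404s, how many hit the probe paths named in the thread (xmlrpc.php, adxmlrpc.php, memberlist.php, soapCaller.bs), and how many carried the hidden-service ID in the path. The addresses, the onion ID and the sample lines are constructed placeholders, not values from the thread.

```python
from collections import defaultdict

# Probe paths the thread names as generic, internet-wide sweeps aimed at
# blog/forum software rather than at the web server itself.
SWEEP_SIGNATURES = ("xmlrpc.php", "adxmlrpc.php", "memberlist.php", "soapCaller.bs")

# Constructed sample in the W3C extended format the quoted log uses;
# the addresses and the hidden-service ID are placeholders.
SAMPLE_LOG = """#Fields: time c-ip cs-method cs-uri-stem sc-status
13:05:35 203.0.113.10 GET /EXAMPLEONIONID/nonexistentfile.php 404
13:05:35 203.0.113.10 GET /adxmlrpc.php 404
13:05:35 203.0.113.10 GET /adserver/adxmlrpc.php 404
13:05:38 203.0.113.10 GET /blog/xmlrpc.php 404
13:05:39 203.0.113.10 GET /drupal/xmlrpc.php 404
13:07:02 198.51.100.7 GET /forum/index.php 200
13:07:03 198.51.100.7 GET /forum/style.css 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(text, hidden_service_id):
    """Per source IP: request count, 404 count, known-sweep hits, and how many
    paths carried the hidden-service ID (the only visible link to the onion side)."""
    summary = defaultdict(lambda: {"requests": 0, "404": 0, "sweep": 0, "onion_ref": 0})
    for req in parse_w3c(text):
        s = summary[req["c-ip"]]
        s["requests"] += 1
        s["404"] += int(req["sc-status"] == "404")
        s["sweep"] += int(req["cs-uri-stem"].endswith(SWEEP_SIGNATURES))
        s["onion_ref"] += int(hidden_service_id in req["cs-uri-stem"])
    return dict(summary)

def verdict(stats):
    """'served' if nothing was a 404; 'sweep' if every request was a 404 and at
    least half hit the known probe list; otherwise 'review' for a closer look."""
    if stats["404"] == 0:
        return "served"
    if stats["404"] == stats["requests"] and stats["sweep"] * 2 >= stats["requests"]:
        return "sweep"
    return "review"

if __name__ == "__main__":
    for ip, stats in classify(SAMPLE_LOG, "EXAMPLEONIONID").items():
        print(ip, stats, verdict(stats))
```

Running the same tally over the log from before the hidden service went live and over the log from after it gives the baseline the thread argues about; a source that is all 404s against the probe list looks the same either way.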