[tor-talk] Many more Tor users in the past week?

lucia lucia at rankexploits.com
Fri Aug 30 15:10:47 UTC 2013


> /"Error 503 : Service Temporarily Unavailable"/
> I guess this one got hit too? ;)

Probably yes. But if you weren't visiting with Tor, there is a good chance
you would not see the 503 message. Loads fine for me. ;)

Spambotsecurity.com is Zaphod's site. He writes ZBBlock, which blocks any
connection that violates certain 'rules'. (SQL injection patterns and so
on.) It also has two switches that permit Tor blocking, with Tor IPs being
'rule' violations if that is turned on. (One switch only blocks posting
from Tor. The other bans all connections.)

A first violation by an IP within 1 hour sees a 403 page with an
explanation. 503's are shown after a number of violations by the same IP.
The default is 3 violations, but certain rule violations result in
'instaban', which means they are served 503's after the first visit. I
think that's what Zap uses. The 503 page is shown for 1 day; afterwards,
it reverts to 403, for 3 more violations by that IP or for a violation
that merited an instaban. If visits from that IP recur, ZBBlock switches
back to 503. (The 503 page saves the server CPU because it's just a quick
local lookup for that IP.)

So if you saw the 503 address, the IP you connected with had visited and
violated a rule at least 3 times in the past 24 hours. I don't know if Zap
has the "Tor" switch on or off. You would need to ask Zap himself. And if
you wanted to know why a specific IP was blocked, you would have to ask
Zap.

But generally speaking, if you want to read sites that block hostile
connections generally, and/or which block Tor specifically, you will need
to visit and read without using Tor (and often without using certain
proxies that tend to be used by scrapers and hackers.)

So I suspect if you want to see the discussion of the bots using Tor doing
SQL injection you will need to use a non-Tor IP.

FWIW, I'll edit the entry. But the series of ZBBlock entries read more or
less like this:

#: 3934 @: Thu, 18 Jul 2013 13:49:00 -0400 Running: 0.4.10a3 / 74c
Host: sipb-tor.mit.edu
IP: 18.187.1.68
Score: 5
Violation count: 1 INSTA-BANNED
Why blocked: No access allowed from hosts listed as hostile on Stop Forum
Spam (http://www.stopforumspam.com/removal) (local block). RFI attack/SQL
injection
(QU-001). RFI attack/SQL injection (QU-002). RFI attack/SQL injection
(QU-024). Blind poke detected. INSTA-BAN (IB-023). Heavy hit. INSTA-BAN.
You have been
instantly banned due to extremely hazardous behavior!
Query:
fontstyle=999999.9%20%2F*%2130000union%20all%20select%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303
536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0
x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x313032
35343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x3130323534383
0303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536*%2F--
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0; MEGAUPLOAD
2.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.5.21022; FDM)
Reconstructed URL: http:// mysite.com
/index.php/solutions/acquisition-solutions/protest-proof-awards?fontstyle=999999.9%20%2F*%2130000union%20all%20select%20
0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303
235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x313032353438
30303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x3130323534383030353
6%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x3
1303235343830303536%2C0x31303235343830303536*%2F--

With hosts that include:
#: 3935 @: Thu, 18 Jul 2013 13:49:43 -0400 Running: 0.4.10a3 / 74c
Host: axigy2.torservers.net

#: 3936 @: Thu, 18 Jul 2013 13:53:35 -0400 Running: 0.4.10a3 / 74c
Host: tor-exit-router39-readme.formlessnetworking.net

Host: tor-exit-router41-readme.formlessnetworking.net

Host: herngaard.torservers.net

And so on. This continues. All were 'instabanned'. That means all the IPs
that hit were served 503's on their second visit.

So if the IP you used happens to have recently hit that particular forum
with requests similar to those above, you would be served the 503 too. The
IP I use hasn't been banned there, so I am served the forum page.

Lucia
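The 403/503 escalation described in the post, modelled as an added example (this is not ZBBlock's own code; the 1-hour violation window, the 1-day 503 period, the threshold of 3 and the set of instaban rule ids are assumptions taken from the description above, with "IB-023" used only because it appears in the quoted log entry):

```python
from collections import defaultdict

WINDOW = 3600             # assumed: violations are counted within 1 hour
BAN_SECONDS = 86400       # assumed: the 503 page is served for 1 day
THRESHOLD = 3             # assumed default: the third violation triggers the 503 ban
INSTABAN_RULES = {"IB-023"}   # assumed: rule ids that ban on the first violation


class Blocker:
    """Per-IP state: recent violation timestamps and an active 503 expiry."""

    def __init__(self):
        self.violations = defaultdict(list)   # ip -> timestamps of recent violations
        self.banned_until = {}                # ip -> time at which the 503 period ends

    def handle(self, ip, now, rule=None):
        """Return the HTTP status served to `ip` at time `now`.

        `rule` is the violated rule id, or None for a request that broke no rule.
        A violating request itself gets the 403 explanation page; once the IP is
        banned, every later request in the ban period gets the cheap 503 lookup.
        """
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return 503                # quick local lookup, no rule evaluation
            # ban expired: back to 403 behaviour, counting violations afresh
            del self.banned_until[ip]
            self.violations[ip].clear()
        if rule is None:
            return 200
        hist = self.violations[ip]
        hist.append(now)
        hist[:] = [t for t in hist if now - t <= WINDOW]   # drop violations outside the window
        if rule in INSTABAN_RULES or len(hist) >= THRESHOLD:
            self.banned_until[ip] = now + BAN_SECONDS      # serve 503 from the next visit on
        return 403
```

Violations spaced more than the window apart never accumulate to a ban, and an expired ban is re-armed only by three fresh violations or another instaban rule, matching the behaviour the post describes.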
----
> Read the thread at
> http://www.spambotsecurity.com/forum/viewtopic.php?f=15&t=2095  The title
> is
> "Anyone else get hit by TOR-cloaked(?) botnet?"
>
> Bot with Tor addresses hitting sites and attempting SQL injection have
> been seen. I don't know how widespread it is.
> Lucia

/"Error 503 : Service Temporarily Unavailable"/
I guess this one got hit too? ;)



