[tor-talk] OnionBalance Hidden Service has over 1 million successful hits in just 3 days

Thomas White thomaswhite at riseup.net
Thu Jul 9 09:58:03 UTC 2015



304 is people visiting using the Tor browser where the data is cached;
304 just lets it know the cache data is still valid instead of
redownloading.

404 look like they might be scanners in some cases, and in
others just look like random attempts to find pages. Here is an example:

127.0.0.1 - - [redacted redacted] "GET /id=123 HTTP/1.1" 404 432 "-"
"Mozilla/5.0 (Windows NT 6.1; rv: 31.0) Geck0/20100101 Firefox/31.0
(Tor Browser Bundle)"

Here is a 403 attempt to get the mod_status module in Apache installs.

127.0.0.1 - - [redacted redacted] "GET /server-status HTTP/1.1" 403
402 "-" "-"

So afaik just people crawling to find details on the site or looking
if we have some vulnerability.

T



On 09/07/2015 07:12, Jim wrote:
> Ben wrote:
>> I forgot to tell it to add a timestamp, so comparison against 
>> your logs would be nigh on impossible - have set the same script 
>> running with timestamps added, will keep an eye to see whether 
>> any failed connections have been logged.
>> 
>> I do, however, have some entries in my tor client logs
>> 
>> Jul 08 09:03:55.000 [notice] Rend stream is 120 seconds late. 
>> Giving up on address '[scrubbed].onion'.
> 
> For various reasons I have only been able to make a few 
> connections, but they have been more than 10 minutes apart so, as
> I understand it, they should all have established new circuits.
> This was scripted using wget. I have had over 40 successes with
> one failure, logged as follows (I have adjusted the time to UTC):
> 
> Jul  9 05:10:23 host Tor[15947]: Tried for 120 seconds to get a 
> connection to [scrubbed]:80. Giving up. (waiting for rendezvous 
> desc)
> 
> Following this failure I have had some successes. (Initially I 
> thought maybe the test site had been shut down.)
> 
> Also, Thomas, I am wondering if you can explain what the 304 (Not 
> Modified), 404 (Not Found), and 403 (Forbidden) codes were caused 
> by.  I suppose for 404 somebody could have requested a
> non-existent page on the site, but the other two have me baffled.
> 
> Jim
> 
> 
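The triage described in the message above, written out as an added example that is not part of the original post: it parses Apache combined-format lines and labels 304 revalidations, 404 probes and requests for mod_status. The label names, the `SENSITIVE_PATHS` watch list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format. The timestamp is matched loosely because the
# lines quoted in the post have it redacted.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Hypothetical watch list of paths that expose server internals.
SENSITIVE_PATHS = ("/server-status", "/server-info")
PROBE_LABELS = ("not-found-probe", "status-probe-blocked", "status-page-EXPOSED")

def classify(line):
    """Return (label, fields) for one log line, or ("unparsed", None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed", None
    f = m.groupdict()
    status, path = int(f["status"]), f["path"].split("?", 1)[0]
    if path in SENSITIVE_PATHS:
        # Anything below 400 means the status page was actually served.
        label = "status-page-EXPOSED" if status < 400 else "status-probe-blocked"
    elif status == 304:
        label = "cache-revalidation"
    elif status == 404:
        label = "not-found-probe"
    else:
        label = "other"
    return label, f

def summarize(lines):
    """Tally labels and probed paths. Grouping is by path, not client address:
    behind an onion service every request is logged as 127.0.0.1."""
    labels, probe_paths = Counter(), Counter()
    for line in lines:
        label, f = classify(line)
        labels[label] += 1
        if label in PROBE_LABELS:
            probe_paths[f["path"]] += 1
    return labels, probe_paths

# Constructed sample lines modelled on the two entries quoted in the post.
SAMPLE = [
    '127.0.0.1 - - [redacted redacted] "GET /id=123 HTTP/1.1" 404 432 "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"',
    '127.0.0.1 - - [redacted redacted] "GET /server-status HTTP/1.1" 403 402 "-" "-"',
    '127.0.0.1 - - [redacted redacted] "GET /index.html HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"',
    '127.0.0.1 - - [redacted redacted] "GET /server-status?auto HTTP/1.1" 200 1024 "-" "-"',
]
```

The `status-page-EXPOSED` label is the one worth alerting on: an access rule that trusts local clients gives no protection when all onion traffic arrives from 127.0.0.1.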
