Malicious events from my Tor Exit Router

Updated Tor Exit Router display page: http://ipv4-tor-exit-1.okfn.us/

New to Tor? Read about it on Wikipedia: http://en.wikipedia.org/wiki/Tor_(anonymity_network)

Earlier this month, my ISP, CondoInternet, called me to inform me of an attack from an IPv4 address belonging to the Tor Exit Router (TER) that I operate. Immediately I was interested because I wanted to verify that the web host was not compromised. Fortunately and unfortunately, since no network traffic is being logged, I wasn’t able to verify any details from a network access perspective. CondoInternet’s NOC was very helpful and understanding, having stated that they are aware of what Tor is, and forwarded me the 4 complaints that they’ve received since I started running the TER over a year ago. Out of curiosity, I asked their NOC if there were any other TERs on their network, and I’m the only one (sad face).

Below are some snippets from emails that CondoInternet’s NOC forwarded me. They stated that they did not want me to contact any of the senders directly, a request I’m happy to oblige. The most recent and most serious is first, since prior to this event, CondoInternet hadn’t felt like the malicious activity from the TER was worth much attention.

Thu, 30 May 2013 16:49:32 -0700

Hello, our company servers were recently hacked by the IP address
216.243.58.198 which is a customer of CondoInternet. We are requesting that
you shut the user in question down and share all subscriber information
with our company for further litigation. Thank you.

Below is a snippet of our logs with further information of the hack.
vb_init.php is a malicious file which was uploaded to our server by the
offender and was used to take control of the server and steal our company
and customer data.

216.243.58.198 - - [27/May/2013:03:33:26 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 7810 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:33:35 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 8877 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:33:41 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 4641 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:34:15 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 22242 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:37:03 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 8884 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:37:09 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 10086 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:39:48 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 15189 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"

Here are the other three:

Mon, 13 May 2013 08:08:12 -0700

Please remove this script kiddie from your network IP Address:
216.243.58.198.

and

Thu, 25 Apr 2013 04:08:07 -0700

Dear Administrator(s),

We have detected an attack attempt from an IP address of your
responsibility (216.243.58.198) !

Sample:
Timestamp: 2013-04-24 22:55:59 (GMT)
Alert: COSED [CSG-GOP-009] WEB-ATTACK w3af User Agent
Source: 216.243.58.198 (60882)
Destination: [removed] (80)
Content:
GET /modules/istats/not-index.php HTTP/1.1
Host: [removed]
Cookie: PHPSESSID=1edd40fc052372b17b343f9be8203907
Accept-encoding: gzip
Accept: */*
User-agent: w3af.sourceforge.net
Connection: keep-alive

and

Wed, 24 Apr 2013 04:45:01 -0700

Dear Administrator(s),

We have detected an attack attempt from an IP address of your
responsibility (216.243.58.198) !

Sample:
Timestamp: 2013-04-23 14:24:59 (GMT)
Alert: COSED [CSG-GOP-009] WEB-ATTACK w3af User Agent
Source: 216.243.58.198 (38451)
Destination: [removed] (80)
Content:
ndor=exact&mids%5B%5D=2&mids%5B%5D=12&mids%5B%5D=20&mids%5B%5D=21&mids%5B%5
D=22&mids%5B%5D=23 HTTP/1.1
Host: [removed]
Cookie: PHPSESSID=0656e61c0d0780a526ae392dde555bd3
Accept-encoding: gzip
Accept: */*
User-agent: w3af.sourceforge.net
Connection: keep-alive

GET 
/search.php?skipValidationJS=0&action=results&id=bce23d0828f9ddc1c360fefd676
0594a&query=palavra-chave&andor=d%27z%220&mids%5B%5D=2&mids%5B%5D=12&mids%5B
%5D=20&mids%5B%5D=21&mids%5B%5D=22&mids%5B%5D=23 HTTP/1.1
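
The complaints above come in two shapes: raw Apache combined-format access log lines (the vb_init.php POSTs) and IDS alerts on a scanner user agent (w3af). As an added defender-side example that is not part of the original post or of any complainant’s tooling, the Python below parses combined-format lines, flags the w3af marker and bursts of POSTs to one PHP script, and annotates each finding with whether the source is a known Tor exit, which is the question the operator and the ISP had to answer first. The sample log (the complaint’s seven lines re-joined, with www.example.com standing in for the redacted host), the constructed w3af GET line, the 198.51.100.7 contrast address, the KNOWN_TOR_EXITS set and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the layout of the lines in the first complaint.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# User-agent substrings of scanners worth flagging; w3af is the one the
# COSED alerts quoted above matched.
SCANNER_UA_MARKERS = ("w3af",)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def triage(lines, tor_exits, min_posts=5, window=timedelta(minutes=10)):
    """Flag scanner user agents and bursts of POSTs to a single PHP script.

    Every finding records whether the source is a known Tor exit, because that
    changes the response: the exit operator is not the actor, and blocking or
    "shutting down" one exit IP does not reach the client behind it.
    """
    findings = []
    posts = defaultdict(list)  # (ip, path) -> timestamps of POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            findings.append({
                "type": "scanner_user_agent", "ip": rec["ip"],
                "detail": rec["ua"], "tor_exit": rec["ip"] in tor_exits,
            })
        if rec["method"] == "POST" and rec["path"].endswith(".php"):
            posts[(rec["ip"], rec["path"])].append(rec["ts"])

    for (ip, path), stamps in posts.items():
        stamps.sort()
        # Sliding window: min_posts POSTs inside `window` counts as a burst,
        # the pattern an uploaded script being driven interactively produces.
        for i in range(len(stamps) - min_posts + 1):
            if stamps[i + min_posts - 1] - stamps[i] <= window:
                findings.append({
                    "type": "repeated_post_to_script", "ip": ip,
                    "detail": f"{len(stamps)} POSTs to {path}",
                    "tor_exit": ip in tor_exits,
                })
                break
    return findings


# Constructed sample: the complaint's seven lines re-joined onto single lines
# (the email wrapped them) with the redacted host replaced by www.example.com,
# one GET built from the w3af alert content, and one unrelated GET from a
# documentation-range address for contrast.
_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
_REF = "http://www.example.com/x_admin/vb_init.php"
SAMPLE_LOG = "\n".join(
    [f'216.243.58.198 - - [27/May/2013:{t} -0500] "POST /x_admin/vb_init.php HTTP/1.1" 200 {n} "{_REF}" "{_UA}"'
     for t, n in [("03:33:26", 7810), ("03:33:35", 8877), ("03:33:41", 4641),
                  ("03:34:15", 22242), ("03:37:03", 8884), ("03:37:09", 10086),
                  ("03:39:48", 15189)]]
    + ['216.243.58.198 - - [24/Apr/2013:22:55:59 +0000] "GET /modules/istats/not-index.php HTTP/1.1" 404 211 "-" "w3af.sourceforge.net"',
       '198.51.100.7 - - [27/May/2013:03:35:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
)

# Constructed stand-in for the exit list; in production load the bulk exit
# list the Tor Project publishes rather than hard-coding addresses.
KNOWN_TOR_EXITS = {"216.243.58.198"}


def demo():
    return triage(SAMPLE_LOG.splitlines(), KNOWN_TOR_EXITS)


if __name__ == "__main__":
    for f in demo():
        origin = "Tor exit" if f["tor_exit"] else "direct"
        print(f'{f["type"]:<26} {f["ip"]:<16} ({origin}): {f["detail"]}')
```

Run against the sample, both findings carry `tor_exit: True`, which is the point: the report is correct that the requests came from 216.243.58.198, but the actionable work is on the victim’s side (removing the uploaded script, closing whatever allowed the upload), and the abuse notice to the exit operator is informational rather than a lead on the actor.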

CondoInternet has been an amazing ISP. Recently I upgraded to 1 Gbps, and so far I’ve been peaking at around 9.25 MB/s RX and 9.25 MB/s TX. I expect to have more complaints come in as more traffic passes through my TER.

This TER has processed over 160 terabytes of Tor traffic. The known malicious events discussed above are mere kilobytes of data being transmitted. Open Knowledge Foundation America will continue to support The Tor Project by donating time (skill) and money (bandwidth). A few “bad apples” are not concerning given the state of the internet: authors and readers of information need trusted tools to remain safe online.
