Hello Chris and many thanks for running a fast exit!
CERT-Bund is the CSIRT of the German Federal Office for Information Security (BSI = Bundesamt fuer Sicherheit in der Informationstechnik) (1)(2). They surely know Tor, because they distribute security advisories for our anonymizer project (3)(4)(5).
But in your case I guess that their operator did not know that you run an exit, or at least did not look at the exit list.
When I do a Whois lookup of your server (6), there is only the link to Hetzner. When I do the same for exits of Zwiebelfreunde or CCC, there is a hint about Tor: "This network is used for research in anonymisation services and provides a TOR exit node to end users." (7)(8). In the case of Zwiebelfreunde there is also a server running on the exit with a homepage (9).
Probably such a hint will help against a few complaints in the future.
Best regards and stay wiretapped!
Anton
1) https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/Cert-Bund/cert-bund_n...
2) https://www.bsi.bund.de/EN/Home/home_node.html
3) https://www.cert-bund.de/advisoryshort/CB-K13-0005
4) https://www.cert-bund.de/advisoryshort/CB-K14-0112
5) https://www.cert-bund.de/advisoryshort/CB-K14-0722
6) https://apps.db.ripe.net/search/query.html?searchtext=5.9.21.19
7) https://apps.db.ripe.net/search/query.html?searchtext=77.247.181.164
8) https://apps.db.ripe.net/search/query.html?searchtext=77.244.254.227
9) http://77.247.181.164
--
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC
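Anton's two checks, looking the reported IP up on the exit list and looking for a Tor remark in the whois object, can be scripted by an exit operator who wants to triage abuse reports. The following is an added example, not code from the thread or from the Tor Project: it parses the TorDNSEL exit-addresses format and the key/value text form of a RIPE database object, both as constructed samples (the fingerprint and IP are the ones quoted in the thread, the dates and the whois object are made up), and labels each IP from a report accordingly.

```python
import re

# Constructed sample in the TorDNSEL "exit-addresses" format (ExitNode /
# Published / LastStatus / ExitAddress records). Dates are made up.
EXIT_LIST = """\
ExitNode 18B6EBAF10814335242ECA5705A04AAD29774078
Published 2014-07-18 08:00:00
LastStatus 2014-07-18 09:00:00
ExitAddress 5.9.21.19 2014-07-18 09:05:00
"""

# Constructed sample of a RIPE database object in whois key/value text form.
WHOIS_5_9_21_19 = """\
inetnum:        5.9.21.16 - 5.9.21.31
netname:        EXAMPLE-DEDICATED-NET
descr:          Example dedicated server
remarks:        This network provides a Tor exit node to end users
country:        DE
"""


def parse_exit_list(text):
    """Map each ExitAddress IP to the fingerprint of the relay it belongs to."""
    exits, fingerprint = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint:
            exits[parts[1]] = fingerprint
    return exits


def whois_mentions_tor(text):
    """True if a descr: or remarks: attribute of the whois object names Tor."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("descr", "remarks") and re.search(r"\btor\b", value, re.I):
            return True
    return False


def triage(reported_ips, whois_records, exit_list=EXIT_LIST):
    """Label each IP from an abuse report; whois_records maps IP -> object text."""
    exits = parse_exit_list(exit_list)
    labels = {}
    for ip in reported_ips:
        if ip not in exits:
            labels[ip] = "not a known exit: investigate host"
        elif whois_mentions_tor(whois_records.get(ip, "")):
            labels[ip] = "tor-exit, advertised in whois"
        else:
            labels[ip] = "tor-exit, not advertised in whois"
    return labels
```

Run against a real report, the exit list would come from the Tor Project's published exit-addresses file and the whois text from a RIPE database query for each listed IP.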
On 18/07/14 11:08, Ch'Gans wrote:
Hi there,
I'm here to look for advice or comments on how to handle abuse reports when you run a TOR exit relay on a "server for the masses". I'm running the TOR exit node 18B6EBAF10814335242ECA5705A04AAD29774078 on the Hetzner network (50E/month, this is my contribution to the TOR project). So far I had to deal with a few "easy" abuse reports (ssh scan, forum insults, spams, ...), and I think I performed pretty well so far (thanks to Hetzner's cooperation?).
But today I just received this botnet related one. I do take this report seriously; I know that malware is more and more using the TOR network as an anonymous cover, I don't like malware, I don't like malicious botnets and I don't like spammers. Still I end up being identified as one of them.
I knew from day one that it was a risky business to run a TOR exit node, but I want to stand up and fight. If only I can convince people of my doing right.
First of all I am quite surprised that cert-bund.de (the complainant) didn't notice that I am a TOR exit node, so my first questions (for people familiar with these guys) are:
- How legit are these guys? Do they run for the German government? Are they simply trying to scare the shit out of me by citing europol.europa.eu and us-cert.gov? (see redacted forwarded message below, my own opinion is "Yes")
Then:
- Do they simply spam hosting companies each time they have a probe sensing something somewhere? (I know it's vague, but I can use that as a "this complainant is a spammer" kind of argument)
Any other thoughts/remarks/comment on that matter?
Regards, Chris
Thought of the day: Nowadays it looks like server administrators tend to send an abuse report each time they receive an illegal ping request! Testimony of the day: Last time I received an "SSH scan" abuse report, I sent back my SSH honeypot logs, which contain more than 5k login attempts per day.
-------- Original Message --------
[..]
----- attachment -----
Dear Sir or Madam
"Gameover Zeus" is malicious software which is primarily used by cybercriminals to carry out online banking fraud and to spy out login credentials for online services on infected PCs. It can also be used to install further malicious software (including blackmailing trojans such as "CryptoLocker" ransomware) on PCs or to carry out DDoS attacks.
In a joint international campaign since the end of May 2014, law enforcement agencies, with the support of private sector partners, have taken action against the "Gameover Zeus" botnet [1].
As part of this campaign, it has now been possible to identify the IP addresses of systems infected with "Gameover Zeus" [2].
We are sending you a list of infected systems in your net area.
Would you please examine the situation thoroughly and take appropriate measures to cleanse the systems.
Sources:
[1] Europol: International action against 'Gameover Zeus' botnet and 'CryptoLocker' ransomware https://www.europol.europa.eu/content/international-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware
[2] ShadowServer: Gameover Zeus & Cryptolocker http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/
[3] US-CERT: GameOver Zeus P2P Malware https://www.us-cert.gov/ncas/alerts/TA14-150A
A list of infected systems in your net area: [...]
Kind regards, Team CERT-Bund