Hi there,
I'm here to look for advice or comments on how to handle abuse reports when you run a TOR relay exit on a "server for the mass". I'm running the TOR exit node 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner netowrk (50E/month, this is my contribution to the TOR project) So far I had to deal with few "easy" abuse reports (ssh scan, forum insults, spams, ...), I think i performed pretty well so far (thanks to Hetzner cooperation?)
But today I just received this botnet related one. I do take this report seriously, I know that malware are more and more using the TOR network as an anonymous covert, I don't like malware, I don't like malicious botnet and I don't like spammers. Still I end up being identify as one of them.
I knew from day one that it was a risky business to run an exit TOR node, but I want to stand up and fight. If only I can convince people of my right doing.
First of all I am quite surprised that cert-bund.de (the complainant) didn't notice that I am a TOR exit node, so my first question (for people familiar with these guys) is: - How legit are these guys? Do they run for the German government? Are their simply trying to scare the shit out of me by citing europol.europa.eu, and us-cert.gov? (see redacted forwarded message below, my own opinion is "Yes") Then - Do they simply spam hosting company each time they have a probe sensing something somewhere (I know it's vague, but I can use that as a "this complainant is a spammer" kind of argument)
Any other thoughts/remarks/comment on that matter?
Regards, Chris
Thought of the day: Nowadays it looks like server administrator tend to send abuse report each time they receive an illegal ping request! Testimony of the day: Last time I received an "SSH scan" abuse report, I sent back my SSH honeypot logs, which contains more than 5k login attempts per day.
-------- Original Message -------- [..] ----- attachment ----- Dear Sir or Madam
"Gameover Zeus" is malicious software which is primarily used by cybercriminals to carry out online banking fraud and to spy out login credentials for online services on infected PCs. It can also be used to install further malicious software (including blackmailing trojans such as "CryptoLocker" ransomware) on PCs or to carry out DDoS attacks.
In a joint international campaign since the end of May 2014, law enforcement agencies, with the support of private sector partners, have taken action against the "Gameover Zeus" botnet [1].
As part of this campaign, it has now been possible to identify the IP addresses of systems infected with "Gameover Zeus" [2].
We are sending you a list of infected systems in your net area.
Would you please examine the situation thoroughly and take appropriate measures to cleanse the systems.
Sources:
[1] Europol: International action against 'Gameover Zeus' botnet and 'CryptoLocker' ransomware <https://www.europol.europa.eu/content/international-action-against- gameover-zeus-botnet-and-cryptolocker-ransomware>
[2] ShadowServer: Gameover Zeus & Cryptolocker http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/
[3] US-CERT: GameOver Zeus P2P Malware https://www.us-cert.gov/ncas/alerts/TA14-150A
A list of infected systems in your net area: [...]
Kind regards, Team CERT-Bund