On Tue, May 22, 2012 at 11:18 PM, Mike Perry <mikeperry@torproject.org> wrote:
Thus spake Jon (torance.ca@gmail.com):

> On Tue, May 22, 2012 at 3:17 PM, Mike Perry <mikeperry@torproject.org> wrote:
>
> > > On Tue, 22 May 2012 13:29:54 -0500
> > > Jon <torance.ca@gmail.com> allegedly wrote:
> > >
> > > > Yep, same here, got notice today from ISP on a report of the 20th for
> > > > alleged hacking with someone using sqlmap. The reporting IP was a
> > > > Brazilian gov IP address.
> > > >
> > > > I just blocked the port and kept on serving....
> >
> > As of yet, no one has mentioned the port. Out of curiosity, is it
> > included in the Reduced Exit Policy?
> > https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
> >
> >  The port was 57734 - of course that doesn't mean another port could be used

Are you sure that's not the source port (which is randomized) for the
incident? This is a weird destination port.

If so, simply switching to the Reduced Exit Policy (or adding a reject
line for *:57734) would prevent the attack from using your exit. No need
to stop exiting entirely.


--
Mike Perry

______________________________________________

Yes, that was the source port that was used through my machine. (You are correct, Mike.)

The destination port was 80. The Host: 200.189.123.184

COSED [CSG-GOP-009] SCAN Sqlmap SQL Injection Scan = The Alert that started the alleged hack attempt


I have had similar incidents in the past and all I did was block the port that was used and never had any more issues of the type that was reported.

This particular issue is the 1st for me. Time will tell if it did work or not. At this point, I am still running an Exit relay.


Jon
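
Tor exit policy lines are matched against the destination address and port of the outgoing connection, first matching rule wins, which is why the source/destination distinction raised in this thread matters. The Python sketch below is an added example, not part of the original messages and not Tor's own code; the function names and the accept-on-no-match fallthrough are simplifying assumptions, and it handles IPv4 patterns only.

```python
import ipaddress

def parse_rule(line):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' into (action, net, lo, hi)."""
    action, pattern = line.split()
    addr, _, port = pattern.rpartition(":")
    # '*' matches any destination address
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    else:
        lo_s, _, hi_s = port.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
    return action, net, lo, hi

def exit_allowed(rules, dst_ip, dst_port):
    """First matching rule decides; the connection's source port is never consulted."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, lo, hi in map(parse_rule, rules):
        if (net is None or ip in net) and lo <= dst_port <= hi:
            return action == "accept"
    return True  # assumption: no rule matched means accept (simplified default)

# Values taken from the thread: the reported host, its port, and the relay-side source port.
REPORTED_HOST, REPORTED_PORT, SOURCE_PORT = "200.189.123.184", 80, 57734

def compare_policies():
    """Return how two candidate policies treat the reported destination."""
    by_source_port = [f"reject *:{SOURCE_PORT}"]               # names the source port
    by_destination = [f"reject {REPORTED_HOST}:{REPORTED_PORT}"]  # names the reported host
    return {
        "reject_source_port": exit_allowed(by_source_port, REPORTED_HOST, REPORTED_PORT),
        "reject_destination": exit_allowed(by_destination, REPORTED_HOST, REPORTED_PORT),
    }

if __name__ == "__main__":
    for name, allowed in compare_policies().items():
        print(f"{name}: exit to {REPORTED_HOST}:{REPORTED_PORT} allowed = {allowed}")
```

A rule naming 57734 only affects connections whose destination port is 57734, so traffic to the reported host on port 80 still passes under it.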