I recent days I have gotten 3 complaints from people who report hack attempts from my exit node, at 82.221.99.229. One problem: this IP address is not in use by me and never has been.

The RDNS for this address is "tor-exit.burratino.net" and there is the standard Tor explanatory page on http://82.221.99.229/. The "email the maintainer" is a mailto link to my e-mail address, thus the contacts from people reporting hack attempts.

I guess that the page on port 80 was ripped from my actual exit although it is slightly different in that my page has my IP address on it, and http://82.221.99.229/ doesn't reference any particular IP address.

Further, I can find no evidence ( https://metrics.torproject.org/exonerator.html ) that this IP address has ever actually run a Tor node.

Am I crazy or is someone doing port-scanning and making it appear to be from a Tor exit node?