Hi
I have today, reluctantly, switched my node torofotheworld.aibohphobia.org from an exit node to relay only. My ISP has stayed faithful over several abuse reports in the past, but this week, following two more in quick succession (from Brazilian government services by the look of it), they have asked that I shut down the exit policy. Rather than lose the node entirely, I have agreed.
Some bozo has been using sqlmap to scan servers through tor.
Mick
-- 
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
same here. someone using sqlmap
-- 
[]s Fosforo
"Only the wisest and stupidest of men never change." -Confucius
Yep, same here. Got notice today from the ISP on a report of the 20th for alleged hacking with someone using sqlmap. The reporting IP was a Brazilian gov IP address.
I just blocked the port and kept on serving....
Jon
On Tue, 22 May 2012 13:29:54 -0500 Jon torance.ca@gmail.com allegedly wrote:
Yep, same here. Got notice today from the ISP on a report of the 20th for alleged hacking with someone using sqlmap. The reporting IP was a Brazilian gov IP address.
I just blocked the port and kept on serving....
I assume you mean "IP address" rather than "port" here.
Despite offering, I wasn't given the opportunity to do that.
Interesting that you also seem to have been used in targeting the Brazilian government.
Mick
mick mbm@rlogin.net wrote on 22.05.2012:
I can confirm abuse messages for same target, same attack.
I can also confirm the same attack... it must have been huge. o.o
Can you be more specific with your resolution for this issue? I've received a second abuse report in a week for the same issue - SQL scanning - and I'll have to shut down my node unless I can somehow block this activity. I have source and destination ports and IPs available, but it lists the source as my IP so I'm not sure how to see what the originating IP was.
Michael Millspaugh tk421storm@gmail.com wrote on 22.05.2012:
Ask your ISP for the email address of the complainant, send them an email explaining Tor and ask which IPs they would like to have blocked.
Regards
On Tue, 22 May 2012 15:27:41 -0400 Michael Millspaugh tk421storm@gmail.com allegedly wrote:
In my case, at the request of my ISP, I have changed my exit policy to:
ExitPolicy reject *:*
i.e. I am now a relay, not an exit node. Brutal, but that's what my ISP wanted.
Mick
Thus spake mick (mbm@rlogin.net):
On Tue, 22 May 2012 13:29:54 -0500 Jon torance.ca@gmail.com allegedly wrote:
Yep, same here. Got notice today from the ISP on a report of the 20th for alleged hacking with someone using sqlmap. The reporting IP was a Brazilian gov IP address.
I just blocked the port and kept on serving....
As of yet, no one has mentioned the port. Out of curiosity, is it included in the Reduced Exit Policy? https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
Also, I think the right answer is a solution like https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates#SSHBrute... rather than blocking anything on the relay side.
I assume you mean "IP address" rather than "port" here.
Despite offering, I wasn't given the opportunity to do that.
Yeah, this sucks. But hey, if you're forced to be a middle relay, you now have a lot of really super cheap options for bandwidth. You should consider shopping around. Bandwidth literally gets cheaper every year.
For example, last year, FDCservers was charging $600/mo for 1 Gbit dedicated. This year, they now provide a 10 Gbit line for that price!
FDC doesn't allow exits either, but the falling price points tell me you should seriously try to renegotiate price with your ISP (or just move elsewhere) if they are degrading your service by forcing you into non-exit.
Exit bandwidth is worth paying a premium for, because it does require more resources at the ISPs end in terms of occasional abuse noise. You could also try negotiating upwards if your ISP's prices are already competitive with FDC's for middle service. Something tells me they're not, though :).
On Tue, May 22, 2012 at 3:17 PM, Mike Perry mikeperry@torproject.org wrote:
As of yet, no one has mentioned the port. Out of curiosity, is it included in the Reduced Exit Policy? https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
The port was 57734 - of course that doesn't mean another port could be used
Thus spake Jon (torance.ca@gmail.com):
The port was 57734 - of course that doesn't mean another port could be used
Are you sure that's not the source port (which is randomized) for the incident? This is a weird destination port.
If so, simply switching to the Reduced Exit Policy (or adding a reject line for *:57734) would prevent the attack from using your exit. No need to stop exiting entirely.
On Tue, May 22, 2012 at 11:18 PM, Mike Perry mikeperry@torproject.org wrote:
Are you sure that's not the source port (which is randomized) for the incident? This is a weird destination port.
If so, simply switching to the Reduced Exit Policy (or adding a reject line for *:57734) would prevent the attack from using your exit. No need to stop exiting entirely.
Yes, that was the source port that was used thru my machine. (You are correct, Mike.)
The destination port was 80. The Host: 200.189.123.184
COSED [CSG-GOP-009] SCAN Sqlmap SQL Injection Scan = The Alert that started the alleged hack attempt
I have had similar incidents in the past and all I did was block the port that was used and never had any more issues of the type that was reported.
This particular issue is the 1st for me. Time will tell if it did work or not. At this point, I am still running an exit relay.
Jon
Timestamp: 2012-05-09 15:43:12 (GMT) Alert: COSED [CSG-GOP-009] SCAN Sqlmap SQL Injection Scan Source: 78.46.66.112 (43741) Destination: 200.189.113.50 (80)
Timestamp: 2012-05-15 09:08:23 (GMT) Alert: COSED [CSG-GOP-009] SCAN Sqlmap SQL Injection Scan Source: 78.46.66.112 (56067) Destination: 200.189.113.49 (80)
Timestamp: 2012-05-20 23:41:10 (GMT) Alert: COSED [CSG-GOP-009] SCAN Sqlmap SQL Injection Scan Source: 78.46.66.112 (50283) Destination: 200.189.123.184 (80)
7 abuse reports this month ...
xorox
On Tue, 22 May 2012 16:21:46 -0500 Jon torance.ca@gmail.com allegedly wrote:
The port was 57734 - of course that doesn't mean another port could be used
That looks like a source port to me. In my case, the (allegedly) attacked ports were 80, so clearly webservers.
Mick
I just blocked the port and kept on serving....
As of yet, no one has mentioned the port. Out of curiosity, is it included in the Reduced Exit Policy? https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
I cannot say. However, it may be as simple as blocking SQL's default ports. Why exit to them anyway, as opposed to 80, 443, 22, 25, which are fairly obvious keepers? MySQL 3306, Postgres 5432, MS SQL 1433/1434, etc.
On Tue, 22 May 2012 13:17:20 -0700 Mike Perry mikeperry@torproject.org allegedly wrote:
As of yet, no one has mentioned the port. Out of curiosity, is it included in the Reduced Exit Policy? https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
Mike
The port number reported was 80. My exit policy was restricted to 80 and 443 anyway. Interestingly (and confusingly) though, one report was for an attack on port 8080. But since the report gave this evidence:
"Destination: 10.15.116.34 (8080)
Content: os=185--technique=BES HTTP/1.1
Accept-Encoding: identity
Accept-Language: en-us,en;q=0.5
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev (r4997) (http://www.sqlmap.org)
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 200.189.116.10
Pragma: no-cache
Cache-Control: no-cache,no-store"
and the address of the target is clearly an RFC1918 reserved net, I figured this host was behind some device doing NAT, possibly a web load balancer of some kind. Sort of (sadly) amusing, though, that the complainant didn't notice that they were accusing me of attacking an unroutable network...
Also, I think the right answer is a solution like https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates#SSHBrute... rather than blocking anything on the relay side.
Given the above, I doubt the capability of the complainant to implement such a strategy. Simpler just to complain to another ISP and get them to own the problem.
Yeah, this sucks. But hey, if you're forced to be a middle relay, you now have a lot of really super cheap options for bandwidth. You should consider shopping around. Bandwidth literally gets cheaper every year.
For example, last year, FDCservers was charging $600/mo for 1 Gbit dedicated. This year, they now provide a 10 Gbit line for that price!
FDC doesn't allow exits either, but the falling price points tell me you should seriously try to renegotiate price with your ISP (or just move elsewhere) if they are degrading your service by forcing you into non-exit.
Exit bandwidth is worth paying a premium for, because it does require more resources at the ISPs end in terms of occasional abuse noise. You could also try negotiating upwards if your ISP's prices are already competitive with FDC's for middle service. Something tells me they're not, though :).
I'm not in the market for a $600/month server. I'm a private individual paying for as much bandwidth as I can afford on a VPS dedicated to tor. I also provide a tails mirror on another VPS. But yes, I may now move to another provider. My current ISP seems no longer to want to support me.
Mick
Hi,
We also get (and ignore) these automated reports. Try to convince your ISP to reassign the IP range and list you as abuse contact.
If that does not work, you can simply block celepar's ranges. Scanning 129 recent mails:
Destination: 200.189.113.170 (80)
Destination: 200.189.113.212 (80)
Destination: 200.189.113.213 (80)
Destination: 200.189.113.220 (80)
Destination: 200.189.113.49 (80)
Destination: 200.189.113.50 (80)
Destination: 200.189.123.184 (80)
Destination: 200.189.123.185 (80)
inetnum: 200.189.112/20
aut-num: AS19723
abuse-c: ADC633
owner: COMPANHIA DE INFORMATICA DO PARANA - CELEPAR
-- 
Moritz Bartl
https://www.torservers.net/
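A worked example, added here and not code from any poster in this thread or from Tor itself, that mechanises what several replies do by hand: it parses abuse alerts of the "Source: ip (port) Destination: ip (port)" form quoted above, drops the source port (the exit's randomised ephemeral port, which is what Jon first blocked and which Mike Perry and Mick point out means nothing), flags private destinations like the 10.x address in Mick's report as post-NAT and not attributable, emits torrc ExitPolicy reject lines for the reported hosts or for their covering /20 as Moritz suggests, and evaluates a policy with Tor's first-match semantics so you can confirm the reported destinations really are rejected before telling your ISP so. The sample alerts are constructed for the example (192.0.2.10, a documentation-range address, stands in for the exit's own IP); the ExitPolicy parser is a simplified IPv4-only re-implementation of Tor's documented syntax, not Tor's code.

```python
# Added example for this thread, not code from any poster or from Tor: parse
# IDS-style abuse alerts, keep the actionable (destination) side, emit torrc
# ExitPolicy reject lines and check what a policy still lets through.
import ipaddress
import re

# Constructed sample alerts in the "Source: ip (port) Destination: ip (port)"
# layout quoted in the thread; 192.0.2.10 (documentation range) stands in
# for the exit's own address.
SAMPLE_ALERTS = """\
Timestamp: 2012-05-09 15:43:12 (GMT) Alert: SCAN Sqlmap SQL Injection Scan Source: 192.0.2.10 (43741) Destination: 200.189.113.50 (80)
Timestamp: 2012-05-15 09:08:23 (GMT) Alert: SCAN Sqlmap SQL Injection Scan Source: 192.0.2.10 (56067) Destination: 200.189.113.49 (80)
Timestamp: 2012-05-20 23:41:10 (GMT) Alert: SCAN Sqlmap SQL Injection Scan Source: 192.0.2.10 (50283) Destination: 200.189.123.184 (80)
Timestamp: 2012-05-21 08:12:00 (GMT) Alert: SCAN Sqlmap SQL Injection Scan Source: 192.0.2.10 (57734) Destination: 10.15.116.34 (8080)
"""

ALERT_RE = re.compile(
    r"Source:\s*(?P<src>[0-9.]+)\s*\((?P<sport>\d+)\)\s*"
    r"Destination:\s*(?P<dst>[0-9.]+)\s*\((?P<dport>\d+)\)"
)


def parse_alerts(text):
    """Return [(dst_ip, dst_port)] per alert line. The Source port is the
    exit's ephemeral port for that one connection (random, per connection),
    so it is matched only to be discarded; the destination is what matters."""
    found = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            found.append((m["dst"], int(m["dport"])))
    return found


def split_private(dests):
    """Separate routable destinations from private (RFC 1918 etc.) ones. A
    private destination means the complainant logged a post-NAT address; an
    exit cannot reach it, so it cannot be blocked as reported."""
    routable, private = [], []
    for ip, port in dests:
        bucket = private if ipaddress.ip_address(ip).is_private else routable
        bucket.append((ip, port))
    return routable, private


def reject_lines(dests, prefix_len=None):
    """One 'ExitPolicy reject' line per host, or per covering network when
    prefix_len is given (e.g. 20 collapses the hosts into their /20)."""
    targets = []
    for ip, _ in dests:
        target = ip if prefix_len is None else str(
            ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        if target not in targets:
            targets.append(target)
    return [f"ExitPolicy reject {t}:*" for t in targets]


def parse_policy(lines):
    """Parse 'ExitPolicy accept|reject ADDR[/LEN]:PORT[-PORT]' lines into
    (action, network or None for '*', low_port, high_port). IPv4 only; the
    *4/*6 and private:* forms of Tor's syntax are not handled."""
    rules = []
    for raw in lines:
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "ExitPolicy":
            parts = parts[1:]
        action, pattern = parts[0], parts[1]
        addr, _, ports = pattern.rpartition(":")
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            low, high = 1, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        rules.append((action, net, low, high))
    return rules


def exit_allows(rules, ip, port, default_accept=True):
    """First matching rule wins, as in Tor. With no match Tor falls through to
    its default policy, which ends in 'accept *:*' (default_accept), so a
    restrictive policy must end with an explicit 'reject *:*'."""
    addr = ipaddress.ip_address(ip)
    for action, net, low, high in rules:
        if (net is None or addr in net) and low <= port <= high:
            return action == "accept"
    return default_accept


def uncovered(rules, dests):
    """Reported destinations the policy would still let through."""
    return [(ip, port) for ip, port in dests if exit_allows(rules, ip, port)]


if __name__ == "__main__":
    routable, private = split_private(parse_alerts(SAMPLE_ALERTS))
    lines = reject_lines(routable, prefix_len=20)
    policy = parse_policy(lines + ["ExitPolicy accept *:80", "ExitPolicy accept *:443", "ExitPolicy reject *:*"])
    print("\n".join(lines))
    print("post-NAT, not attributable:", private)
    print("still reachable:", uncovered(policy, routable))
```

Run as a script it prints the generated reject lines, the destinations it refuses to act on, and whatever the resulting policy would still let through; that last check is the one worth doing before answering an ISP, because a torrc with only accept lines falls through to Tor's default policy (which ends in accept *:*) and the scan traffic would still exit.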