Here's the "boilerplate" I use for such things (137.148.5.13 was
previously the exit-node router "csutor"). You should obviously
's/137.148.5.13/your.ip.address/g':
--snip--
137.148.5.13 is an anonymous proxy that's part of the TOR network. You
can learn more about TOR at http://tor.eff.org.
We are unable to assist you in tracing the source of this attack, but it
did not originate from us -- TOR requires all traffic traverse three
"onion routers" in physically separate locations -- 137.148.5.13 just
happened to be the "exit node" for this particular session.
You're welcome to block 137.148.5.13 as you see fit. There are also
several free sites that assist in dynamic (DNSBL) blocking of TOR if you
so desire -- one is http://www.ahbl.org. TOR developers also make
available a Python script: http://tor.eff.org/cvs/tor/contrib/exitlist
which can obtain the IP addresses of all TOR exit nodes, given a copy of
the current directory: http://belegost.mit.edu/
Please let me know if I can be of further assistance.
Regards,
Michael Holstein CISSP GCIA
IS&T Information Security
Cleveland State University
xiando wrote:
Subject: EZZI.net Abuse Warning
Date: Tuesday 23 January 2007 22:39
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
[EMAIL PROTECTED]
Regarding Server Main IP: 66.199.236.130
We got a notice from the Undernet IRC Network about a number of servers on
our network making suspicious connections to their network, your server
appears to be one of those boxes. It appears whoever caused this hacked the
servers by brute forcing SSH logins and uploading a fake httpd binary and
launching it.
Please look into this matter immediately, if you need help feel free to open
a trouble ticket. It is also suggested you check your servers password
policy and make sure your passwords are secure. We suggest at least 6
characters, uppercase and lowercase letters and numbers.
We thank you in advance for your swift cooperation in this important matter.
Thank you,
EZZI.net Support Team
-------------------------------------------------------
I got multiple copies of this (I have more than one Tor exit server).
There are - apparently - bad people on the Internet (no shit). It is likely
the first time EZZI.net has got a (very much likely) Tor-related abuse
complaint.
Please share any view on how to respond to EZZI.net about some person on the
Internet hacking some box on the Internet using Tor (which seems to be why
EZZI.net wants me to explain myself).
Thanks.
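The exit-list check and boilerplate substitution from the reply above, as an added example that is not the contrib/exitlist script or any code from the thread: it assumes a network-status document in the modern consensus format ("r" line per relay, "s" line with flags) rather than the 2007 directory, and the sample consensus, relay names, addresses and the `exit_addresses`/`triage` helpers are all constructed assumptions.

```python
"""Triage an abuse complaint against a Tor exit (added example, not the
contrib/exitlist script from the reply). Assumes the modern network-status
consensus format: an "r" line per relay followed by an "s" flags line."""
from ipaddress import ip_address
from typing import Optional, Set

# Constructed sample; addresses are RFC 5737 documentation ranges.
SAMPLE_CONSENSUS = """\
r csutor idA dgA 2007-01-23 21:00:00 198.51.100.13 9001 9030
s Exit Fast Running Stable Valid
r middle1 idB dgB 2007-01-23 21:05:00 198.51.100.22 443 0
s Fast Guard Running Stable Valid
r exit2 idC dgC 2007-01-23 21:07:00 203.0.113.40 9001 0
s Exit Fast Running Valid
"""

# The reply's boilerplate with the exit address and signature parameterised.
REPLY_TEMPLATE = """\
{ip} is an anonymous proxy that's part of the Tor network.
We are unable to assist you in tracing the source of this attack, but it
did not originate from us; {ip} just happened to be the exit node for this
session. You're welcome to block {ip} as you see fit.
Regards, {contact}
"""

def exit_addresses(consensus: str) -> Set[str]:
    """IPv4 addresses of relays carrying the Exit flag. Caveat: the flag is
    only granted for broad exit policies, so a relay exiting to a few ports
    can still carry traffic without appearing here."""
    exits: Set[str] = set()
    pending: Optional[str] = None
    for line in consensus.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            pending = parts[6]  # seventh field of an "r" line is the address
        elif parts[0] == "s" and pending is not None:
            if "Exit" in parts[1:]:
                exits.add(pending)
            pending = None
    return exits

def triage(reported_ip: str, consensus: str, contact: str) -> Optional[str]:
    """Filled-in reply if the reported IP is a listed exit, else None (then
    the complaint needs real investigation). Raises ValueError on a bad IP."""
    ip = str(ip_address(reported_ip.strip()))
    if ip not in exit_addresses(consensus):
        return None
    return REPLY_TEMPLATE.format(ip=ip, contact=contact)
```

A complaint naming a non-exit address returns None on purpose, so the boilerplate is never sent for a box that might actually be compromised.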