Re: Analyzing TOR-exitnodes for anomalies
Claude LaFrenière @ 2006/10/06 12:24:

> For the moment nothing proves that any exit nodes are responsible for this. We have to do something based on facts, not fears...

How about this then? When navigating to www.ezboard.com the proper page is loaded and displayed, verified by comparing the IP address of www.ezboard.com found with and without tor_resolve.exe. However, after entering your username/password and logging in from that page, the request is handled by login.ezboard.com, which resolved to 64.74.223.198!! The correct IP for login.ezboard.com is 209.66.118.157. Also, the now-infamous URL with the flanding.domainsponsor.com and SUSPECTED+UNDESIRABLE+BOT junk in it was shown as the address. I think 64.74.223.198 possibly now hijacked the ezboard login information! Unfortunately, during this time I was scurrying about trying to reset my password and wasn't able to get the IP of the exit node I was using.

> I suggest, if the facts prove that some exit nodes are responsible, that we keep them temporarily, instead of immediately blocking them, and use them as guinea pigs to study their behaviour and prevent that kind of abuse in the future. Consider this as a laboratory experience with cyber-rats! ;-) Better than [EMAIL PROTECTED] IMHO. :)

Fact or fear, then? ;) Using unencrypted authentication over Tor is dumb to begin with, but this really emphasizes it, I think! This is too unfortunate, as many sites still do not use SSL, but sometimes Tor users still at least need location privacy. So I for one hope we can dispose of these cyber-rats soon.
Re: Analyzing TOR-exitnodes for anomalies
Hi *Taka Khumbartha*:

> Claude LaFrenière @ 2006/10/06 12:24:
>
>> For the moment nothing proves that any exit nodes are responsible for this. We have to do something based on facts, not fears...
>
> How about this then? When navigating to www.ezboard.com the proper page is loaded and displayed, verified by comparing the IP address of www.ezboard.com found with and without tor_resolve.exe. However, after entering your username/password and logging in from that page, the request is handled by login.ezboard.com, which resolved to 64.74.223.198!! The correct IP for login.ezboard.com is 209.66.118.157. Also, the now-infamous URL with the flanding.domainsponsor.com and SUSPECTED+UNDESIRABLE+BOT junk in it was shown as the address. I think 64.74.223.198 possibly now hijacked the ezboard login information! Unfortunately, during this time I was scurrying about trying to reset my password and wasn't able to get the IP of the exit node I was using.
>
>> I suggest, if the facts prove that some exit nodes are responsible, that we keep them temporarily, instead of immediately blocking them, and use them as guinea pigs to study their behaviour and prevent that kind of abuse in the future. Consider this as a laboratory experience with cyber-rats! ;-) Better than [EMAIL PROTECTED] IMHO. :)
>
> Fact or fear, then? ;) Using unencrypted authentication over Tor is dumb to begin with, but this really emphasizes it, I think! This is too unfortunate, as many sites still do not use SSL, but sometimes Tor users still at least need location privacy. So I for one hope we can dispose of these cyber-rats soon.

I found some interesting information about this IP address: 64.74.223.198

*A) First IP query*

... *The domain name for the specified IP address could not be found*

Initiating server query ...
Looking up the domain name for IP: 64.74.223.198
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80 [Connected]
Requesting the server's default page.
The server returned the following response headers:

HTTP/1.1 200 OK
Connection: close
Date: Sun, 08 Oct 2006 13:45:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP=CAO PSA OUR
Set-Cookie: Domain=; path=/
Set-Cookie: Domain=223.198; path=/
Set-Cookie: RSAddParams=; path=/
Set-Cookie: RSAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOKsyB5kP__xvek2IXUyHdaJqI5t6tpKyTKqmJSm0V1DPfpDBHppNXjFKlH8Sm7L3Lvyapfvaaamj6pVRlFechgR5wQkDC7RuB1FqstRZKAhV_EEOZz2zXNybkrsnzAUBfdG-SGB5P-a_1VrJSpHZrlPphCK4r9B1PifOr4w0kNtM-iN3vw-1z6vF07LDwbhPYYYipjk4t0GvDN-nzq_34xVXdgP61cH_Vg..; path=/
Set-Cookie: LastURL=; path=/
Set-Cookie: LastURL=http://64.74.223.198/default.pk; path=/
Set-Cookie: RefPage=; path=/
Set-Cookie: RefPage=0; path=/
Set-Cookie: PCAddParams=; path=/
Set-Cookie: PCAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOLsy4P_hv7-Pr0nxC0mQbrRNRFdvltLWSTVU5KX2igoZz9K4IzNJi8ZJUk_i03au5b_Jml89plqaTqnFGUV5GGA3nECQcLum4EUWiy1VkhCFf8Qy5svbJc15uVuyjMB8AsGjfpD7srWalaqzkqcjCVxx06BFfV-c6hhPIV-YaUe2n_Rp91Yfp5-Hi3Flw4NEnnMMb0xecb6DOC3en1a_24zSfcIfV1IA; path=/
Set-Cookie: SessionHitCount=; path=/
Set-Cookie: SessionHitCount=1; path=/
Set-Cookie: ActionsTaken=; path=/
Set-Cookie: ActionsTaken=D A1 22L ; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 2381
Vary: Accept-Encoding
Content-Encoding: gzip

Query complete.

*B) Here I found the domain name: enom, and the hosting provider: internap*

http://www.ipv6tools.com/tools/whois.ch?ip=64.74.223.198&src=ShowIP

Location: United States [City: Oakland, California]
NOTE: More information appears to be available at NET-64-74-223-0-1.

Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 64.74.223.0 - 64.74.223.255

http://www.dnsstuff.com/tools/whois.ch?ip=!NET-64-74-223-0-1&server=whois.arin.net

CustName: eNom
Address: 2002 156th Ave NE
City: Bellevue
StateProv: WA
PostalCode: 98008
Country: US
RegDate: 2005-09-23
Updated: 2005-09-23
NetRange: 64.74.223.0 - 64.74.223.255

http://www.dnsstuff.com/tools/whois.ch?ip=!INO3-ARIN&server=whois.arin.net&type=P

Name: InterNap Network Operations Center
Handle: INO3-ARIN
Company: Internap Network Operations Center
Address: Internap Network Services

From: http://www.completewhois.com/hijacked/index.htm
http://www.completewhois.com/cgi-bin/whois.cgi

Completewhois.Com Whois Server, Version 0.91a33, compiled on May 28, 2006
Unknown domain: 64.74.223.198
[IPv4 whois information for 64.74.223.198 ]
[whois.arin.net]
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1)
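The check Taka describes above (resolving a name through Tor with tor_resolve and comparing the answer with one obtained without Tor) in code, as an added example that is not part of the thread and not the Tor project's own tor_resolve. It builds and parses Tor's SOCKS5 RESOLVE and RESOLVE_PTR messages (commands 0xF0 and 0xF1, the extension tor_resolve speaks to the SocksPort) and, in resolve_via_tor(), sends them to a local Tor client. The only assumption is a Tor SocksPort on 127.0.0.1:9050; the builders, parser and comparison run offline on constructed reply bytes.

```python
"""Building and parsing Tor's SOCKS5 RESOLVE messages (added example, not thread/Tor code).

Tor extends SOCKS5 with command 0xF0 (RESOLVE) and 0xF1 (RESOLVE_PTR); the answer
comes back in the reply's address field instead of a bound address.
Assumption: a Tor client listening on 127.0.0.1:9050 (only resolve_via_tor() uses it).
"""
import ipaddress
import socket

SOCKS_VERSION = 0x05
CMD_RESOLVE = 0xF0       # Tor extension: forward lookup, name -> address
CMD_RESOLVE_PTR = 0xF1   # Tor extension: reverse lookup, address -> name
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Standard SOCKS5 reply codes (RFC 1928); a failed lookup comes back as 0x04.
SOCKS_ERRORS = {
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_resolve_request(hostname: str) -> bytes:
    """VER CMD RSV ATYP LEN NAME PORT for a forward RESOLVE; the port is ignored."""
    name = hostname.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes after IDNA encoding")
    return bytes([SOCKS_VERSION, CMD_RESOLVE, 0x00, ATYP_DOMAIN, len(name)]) + name + b"\x00\x00"


def build_resolve_ptr_request(ip: str) -> bytes:
    """RESOLVE_PTR carries the literal address whose PTR record is wanted."""
    addr = ipaddress.ip_address(ip)
    atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
    return bytes([SOCKS_VERSION, CMD_RESOLVE_PTR, 0x00, atyp]) + addr.packed + b"\x00\x00"


def parse_resolve_reply(data: bytes) -> str:
    """Return the answer from a RESOLVE/RESOLVE_PTR reply; raise OSError on a SOCKS error."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if rep != 0x00:
        raise OSError(SOCKS_ERRORS.get(rep, f"SOCKS error {rep:#x}"))
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(data[4:8]))
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(data[4:20]))
    if atyp == ATYP_DOMAIN:                      # RESOLVE_PTR answers with a name
        length = data[4]
        return data[5:5 + length].decode("idna")
    raise ValueError(f"unknown address type {atyp:#x}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed by Tor")
        buf += chunk
    return buf


def resolve_via_tor(hostname: str, socks_host: str = "127.0.0.1", socks_port: int = 9050,
                    timeout: float = 30.0) -> str:
    """What tor_resolve does: resolve at the circuit's exit, not with the local resolver."""
    with socket.create_connection((socks_host, socks_port), timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                      # greeting: one method offered, "no auth"
        if _recv_exact(s, 2) != b"\x05\x00":
            raise OSError("Tor did not accept the no-auth SOCKS5 handshake")
        s.sendall(build_resolve_request(hostname))
        head = _recv_exact(s, 4)                        # VER REP RSV ATYP
        atyp = head[3]
        if atyp == ATYP_IPV4:
            body = _recv_exact(s, 4 + 2)
        elif atyp == ATYP_IPV6:
            body = _recv_exact(s, 16 + 2)
        elif atyp == ATYP_DOMAIN:
            length = _recv_exact(s, 1)
            body = length + _recv_exact(s, length[0] + 2)
        else:
            body = b""
        return parse_resolve_reply(head + body)


def same_answer(direct: str, via_tor: str) -> bool:
    """The comparison made in the thread: an answer through Tor that differs from the
    answer without Tor is the first sign of a rewriting resolver behind the exit."""
    return ipaddress.ip_address(direct) == ipaddress.ip_address(via_tor)


if __name__ == "__main__":
    # Constructed reply bytes standing in for what Tor would return for login.ezboard.com
    # through a rewriting exit (the address is the one reported in the thread).
    canned = b"\x05\x00\x00\x01" + bytes([64, 74, 223, 198]) + b"\x00\x00"
    answer = parse_resolve_reply(canned)
    print(answer, "matches reference" if same_answer("209.66.118.157", answer) else "MISMATCH")
```

To reproduce the check against a live circuit, call resolve_via_tor("login.ezboard.com") once per circuit (a NEWNYM via the control port, or simply restarting the client as Clifnor did, moves you to a different exit) and compare with socket.gethostbyname() run outside Tor; a mismatch ties the anomaly to the exit in use at that moment, which is exactly the datum the thread keeps wishing it had recorded.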
Re: Analyzing TOR-exitnodes for anomalies
On Thu, 2006-10-05 at 11:41, Alexander W. Janssen wrote:
> OK, well, I checked that whistlersmother as well and got this picture: http://cjoint.com/data/kfr4jmDAsY.htm

I've read or skimmed the entire thread, which seems to have ended midday Thu, 10-5. Friday morning I clicked on a Cnet newsletter link: http://ct.cnet-ssa.cnet.com/clicks?t=13228073-17329da91d4282a70255804e6ba2f6d5-bfs=5fs=0

Tor was enabled in Firefox and I got a page almost identical to the one Alexander posted above, except it had Cnet.com at the top. At some subsequent time I copied the URL into an open copy of Firefox, and got a somewhat similar page, except it had a variety of graphic content that made the page look much slicker. I wondered what was going on. Is Cnet blocking anonymous traffic? I tried a browser not using Tor, and got a normal Cnet page with the expected content. I then tried three other anonymizing services, The Cloak, Anonymouse, and HideMyAss, with the same URL. All got the same correct result as the non-Tor browser. While reading this thread, when I saw Alexander's screen capture, I realized that was just about what I'd seen Friday morning and tried Firefox with Tor again and saw the expected Cnet page. I've tried multiple times since, over a couple hours, and each time got the right page.

I am very skeptical of one of the hypotheses, that web hosting services are blocking Tor access. If a provider did this without an explicit policy and/or informing their customers that this was part of their practices, they could easily be liable for any lost value for every hosted site that had any decrease in traffic as a result of such blocking. Second, why would any hosting service care who visited its clients' web sites? Who they want as visitors is and should be a matter of concern only to the sites' owners. A hosting service might assist a specific site in blocking some type of unwanted traffic, and charge the customer for the additional service.

In the case of Cnet, they are a rather major Internet content provider and I expect they run their own servers. Regardless of who manages Cnet's servers, they are big enough that they would expect full control over any policies that denied access to any visitor. A query from the right party to the right people at Cnet should answer conclusively whether or not Cnet has had any part in this. If so, then it should be a Tor / EFF education matter, and if not, then some other theory needs to be considered.

After writing this, I think it makes no sense at all. If Cnet wanted to block someone they would display some kind of error message or page; they would never redirect someone to a link farm of unrelated links. It makes zero business sense to send visitors elsewhere with no explanation.

I have one more theory or, more accurately, a guess. When I was testing to see if Tor was working, I visited grc.com to use the Shields Up test. If they showed an IP that wasn't mine, then I could be pretty sure Tor was working. The first time I visited them, I was surprised when they determined I was behind a proxy and refused to go any further. Later, I tried again and this time they just determined a different IP address than mine. I decided to go ahead and do a Common Port scan. I was appalled. The exit node seemed to have all kinds of open ports - a lot more than I thought would be proxied by Tor. Unfortunately I did not think to write down the reverse DNS address or the open ports. My thought is that some exit nodes may be compromised without the operators' knowledge. Maintaining good security while running an exit node does not look like a simple task. I'm reluctant to do more of these scans because they are an unauthorized port scan against the exit node. If however I see another of the strange pages discussed in this thread I will try to capture the page and then quickly do a scan.

George Shaffer
Re: Analyzing TOR-exitnodes for anomalies
Yesterday, I linked to Slashdot and got a bogus page in German. Restarting my Tor client (i.e., getting a new set of circuits) got me to the real Slashdot page. ???

Clifnor
Re: Analyzing TOR-exitnodes for anomalies
Greetings! Been experiencing this particular issue since Sunday, following the topic here.

From 05-Oct: exiting from hotmail account, redirected link: http://g.msn.com/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3dmsn.com%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT
Tor exit node: whistlersmother

First noticed this problem on Sunday when the clusty homepage was transformed with porno-style images; it also had the same catch phrase "what you need, when you need it". Unfortunately didn't note the redirected URL on that occasion.

I'm quite happy to report further examples as and when they occur. Please, if there is any other technical data I can send with these reports, let me know what to include (if that's useful).
Re: Analyzing TOR-exitnodes for anomalies
Hi *Stephen*:

> Greetings! Been experiencing this particular issue since Sunday, following the topic here.
>
> From 05-Oct: exiting from hotmail account, redirected link: http://g.msn.com/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3dmsn.com%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT
> Tor exit node: whistlersmother
>
> First noticed this problem on Sunday when the clusty homepage was transformed with porno-style images; it also had the same catch phrase "what you need, when you need it". Unfortunately didn't note the redirected URL on that occasion.
>
> I'm quite happy to report further examples as and when they occur. Please, if there is any other technical data I can send with these reports, let me know what to include (if that's useful).

Hmmm... I had this problem with the Whistlemother exit node and this site: http://www.iamaphex.net with the same frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah filter ... =SUSPECTED+UNDESIRABLE+BOT

My hypothesis was a filter used by the web site's hosting service. But now you find the same frame with Hotmail... *Therefore my hypothesis was wrong.*

Does this come from this exit node? From the DNS server (local or remote) of this exit node? From some nodes in between? Or what? I have no idea for the moment. Maybe Alexander W. Janssen has an idea?

Thank you, Stephen, for helping us fix this problem.

Best regards,
-- Claude LaFrenière
Re: Analyzing TOR-exitnodes for anomalies
> Hmmm... I had this problem with the Whistlemother exit node and this site: http://www.iamaphex.net with the same frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah filter ... =SUSPECTED+UNDESIRABLE+BOT

I have the same experience using whistlersmother for the same site.

-- KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
TorK - A Tor Controller For KDE - http://tork.sf.net
Re: Analyzing TOR-exitnodes for anomalies
On Friday 06 October 2006 19:21, Robert Hogan wrote:
>> Hmmm... I had this problem with the Whistlemother exit node and this site: http://www.iamaphex.net with the same frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah filter ... =SUSPECTED+UNDESIRABLE+BOT
>
> I have the same experience using whistlersmother for the same site.

And I have the same experience with practically every other exit node I try for this site. So whistlersmother is not the problem...
Re: Analyzing TOR-exitnodes for anomalies
Hi *Robert Hogan*:

> On Friday 06 October 2006 19:21, Robert Hogan wrote:
>>> Hmmm... I had this problem with the Whistlemother exit node and this site: http://www.iamaphex.net with the same frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah filter ... =SUSPECTED+UNDESIRABLE+BOT
>> I have the same experience using whistlersmother for the same site.
>
> And I have the same experience with practically every other exit node I try for this site. So whistlersmother is not the problem...

Hmmm... Personally I don't believe that Whistlemother (or any other nodes) are responsible for this... It looks like a web server filter or a DNS server filter... But now how to explain the same behaviour with a web site like http://www.iamaphex.net and a web site like hotmail.com??? They don't share the same web hosting service... Is this a new filter for web sites or web hosting?

Another question: How does this filter spot a Tor exit like Whistlemother? I guess it's based on the IP address of this exit node. (Or the browser referer sent to the web site... ???) Since no exit nodes have control over what is done by Tor users, is it possible that some bad guys have used Tor for unacceptable things and put the Whistlemother IP address into a black list of this hypothetical filter???

One way to check this is to compare exit nodes with a fixed IP address with exit nodes with a dynamic IP address and see if this makes a difference. If an exit node with a dynamic IP address is not spotted as a bad IP in the hypothetical bad-list filter, then the filter is based on IP address. Many tests must be done before proving this... If the behaviour of fixed-IP-address exit nodes and the behaviour of dynamic-IP-address exit nodes are the same, then a) the hypothetical filter is not based on IP address, b) there is no such filter but something else... ??? [not sure ...] :-\ (!!! Hmmm.. I have to revise my formal logic manuals a little bit .. ;-))

It's hard to find enough data about this problem because there's no way to easily reproduce it. :)

-- Claude LaFrenière
Re: Analyzing TOR-exitnodes for anomalies
Hi *M*:

> How can I see which exit node I am using?

Check this with Vidalia ...

> http://www.debian-administration.org/ was mutilated by an exit node into something similar to what you are reporting. Quite an alarming trend. Please let us remain calm like Norwegian sailors in the storm. I think that badly behaving exit nodes should be excluded automagically. How, I don't know =).

For the moment nothing proves that any exit nodes are responsible for this. We have to do something based on facts, not fears...

I suggest, if the facts prove that some exit nodes are responsible, that we keep them temporarily, instead of immediately blocking them, and use them as guinea pigs to study their behaviour and prevent that kind of abuse in the future. Consider this as a laboratory experience with cyber-rats! ;-) Better than [EMAIL PROTECTED] IMHO. :)

-- Claude LaFrenière
Re: Analyzing TOR-exitnodes for anomalies
OK, I have played now for more than half an hour with nonsense domain names. Every time the connection goes through an exit node located in Texas, one time in the state of New York and one time in Denver, I have got the advertising page.

Maybe it will be a nice test if someone using the same ISP - and in that case maybe the same DNS route - that one of these strange exit nodes has will test what happens when they write a non-registered URL?

I have also got the advertising one or two times when I was connecting to an existing page. But it seems that nonsense domain names are a good way for testing, because you can reproduce the advertising.

much fun
bernd

On 06.10.2006 at 21:34, bagelcat wrote:
> hmm. I think this is a problem with some DNS server on the second/third level which makes a link to that domainsponsor.com when they are asked for a non-registered URL. Is it possible?
Re: Analyzing TOR-exitnodes for anomalies
Maybe a problem with a DNS server?

Greetz
Missi

Just now (on 6 Oct 2006 at 22:26) you typed:
> OK, I have played now for more than half an hour with nonsense domain names. Every time the connection goes through an exit node located in Texas, one time in the state of New York and one time in Denver, I have got the advertising page.
>
> Maybe it will be a nice test if someone using the same ISP - and in that case maybe the same DNS route - that one of these strange exit nodes has will test what happens when they write a non-registered URL?
>
> I have also got the advertising one or two times when I was connecting to an existing page. But it seems that nonsense domain names are a good way for testing, because you can reproduce the advertising.
>
> much fun
> bernd
>
> On 06.10.2006 at 21:34, bagelcat wrote:
>> hmm. I think this is a problem with some DNS server on the second/third level which makes a link to that domainsponsor.com when they are asked for a non-registered URL. Is it possible?

--
Website: http://www.entartete-kunst.com/
The monitor is plugged into the serial port
Song miss of the day: Paradise Lost - Isolate
Re: Analyzing TOR-exitnodes for anomalies
>> How can I see which exit node I am using?
>
> Check this with Vidalia ...

Thanks for the info.

>> I think that badly behaving exit nodes should be excluded automagically. How, I don't know =).
>
> For the moment nothing proves that any exit nodes are responsible for this. We have to do something based on facts, not fears...
>
> I suggest, if the facts prove that some exit nodes are responsible, that we keep them temporarily, instead of immediately blocking them, and use them as guinea pigs to study their behaviour and prevent that kind of abuse in the future.

I admit it, perhaps I was too hasty blaming anomalies on exit nodes without thinking it over. I was just pissed off (ok, that's not an excuse)... Sorry for any inconvenience =)

M

PS: ugghh, my eBay account was frozen 'cause I used it via Tor... I'm using transparent Tor and added some of eBay's servers to the exclude list, but there's a ton of them..
Re: Analyzing TOR-exitnodes for anomalies
bagelcat wrote:
> OK, I have played now for more than half an hour with nonsense domain names. Every time the connection goes through an exit node located in Texas, one time in the state of New York and one time in Denver, I have got the advertising page.

I remember something about a major DNS server that was abusing its power and redirecting requests for nonexistent domains to advertising pages. Also, ISPs sometimes redirect bad requests: http://blogs.earthlink.net/2006/08/handling_dead_domains_1.php ..and get lots of flak for it. (Not nearly enough, I say!)

I also came across a note that ISPs may be randomly redirecting requests for existing sites to domainsponsor.com in a bid to up their profits: http://www.infosyssec.com/forum/viewtopic.php?p=11395&sid=436f73bb85d55318bf53f7ff80fc64e9

- Tim McCormack
Re: Analyzing TOR-exitnodes for anomalies
I am not adding anything useful, but I wish to add my feeling about this situation, that people are so rapidly responding to a threat so early. :) Tor will never die if people like you all are on it. (Which reminds me I've blathered about writing a DNS proxy patch for Tor so DNS leaks are a thing of the past, and I bloody better do something serious about it DANGIT!)

DNS poisoning is of course a bigger problem than Tor; there was discussion about the 'splitting of the root' some months ago, as it turns out that DNS servers will give out different addresses depending on the nation of locality. This is a very serious problem and extends beyond the domain of the Tor network. I have no idea where to point people with regard to this subject, but I hope someone who has a bee in their bonnet about it will very shortly.

Claude LaFrenière wrote:
> Hi *Alexander W. Janssen*:
>
>> Hi all, considering that I heard from several people that they notice strange side effects since a couple of days - altered webpages, advertisements where no ads should be - I started a little investigation if there are any obviously bogus exit nodes in the wild: http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/
>>
>> I welcome you to start your own investigation; if there are really bogus exit nodes we should be aware of those and we should know their nodes' nicknames to put them on a shitlist. This might lead to an escalation in the future when marketeers realize the possibilities of altering traffic.
>>
>> Comments, ideas, pointers to other projects?
>>
>> Alex.
>
> Hmmm... Bogus exit nodes or bogus DNS servers? Is it possible that the strange side effects come, not from the exit nodes themselves, but from the DNS server used by these exit nodes? A kind of DNS poisoning? (From a local DNS server or a remote DNS server...) Ref.: http://en.wikipedia.org/wiki/DNS_poisoning
>
> Our suspicions about bogus exit nodes must be based on facts, so I suggest collecting information about this issue here. What we can do is report any strange side effect, including: the link to the web site, the resulting link with the redirection like the ones we're talking about, the exit node used to access this web site :)
Re: Analyzing TOR-exitnodes for anomalies
On Wed, Oct 04, 2006 at 08:45:03PM -0400, Claude LaFrenière wrote:
> Hmmm... Bogus exit nodes or bogus DNS servers?

One way or the other, brute forcing my way through all exit nodes should reveal it. Hopefully...

> Is it possible that the strange side effects come, not from the exit nodes themselves, but from the DNS server used by these exit nodes?

Could be either way. Things which popped up in my mind:
1) DNS poisoning
2) Exit node is behind a transparent proxy which is compromised or modified in some way
3) Outbound traffic from the exit node gets DNATed away by some firewall

Things you could do:
1) Replacing complete websites with link farms (that's what happened to me)
2) Using a modified web proxy which inserts advertisements into the HTML code (possible, it's exactly the reverse of what Privoxy does)
3) Filter content
4) Replacing valid downloads by trojaned versions
5) Replace all pictures of a website with a picture of the goatse-man...
6) Modifying text in a subtle way using simple lex programs (e.g. replace all "must" by "could" or "police" by "SS")
7) insert favourite attack here

> Our suspicions about bogus exit nodes must be based on facts, so I suggest collecting information about this issue here.

My first run during the night was not very successful, most of the exit nodes refused to talk to me. I'm in timezone GMT+2 and that's pretty normal for that time of the day; I started another scan just minutes ago. Usually the Tor network is not that congested in the morning.

> What we can do is report any strange side effect, including: the link to the web site, the resulting link with the redirection like the ones we're talking about, the exit node used to access this web site

Aye.

> Claude LaFrenière

Alex.

-- I am tired of all this sort of thing called science here... We have spent millions in that sort of thing for the last few years, and it is time it should be stopped. -- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901.
Re: Analyzing TOR-exitnodes for anomalies
Currently I'm improving my torstat page to mark nodes with bad HTTP behavior, using automatic HTTP throughput comparison of every HTTP-servicing exit node against a reference exit node. Then it's up to the users to add an ExcludeNodes statement in torrc using this information.

Greets

Alexander W. Janssen wrote:
> Comments, ideas, pointers to other projects?
Re: Analyzing TOR-exitnodes for anomalies
Hi *Alexander W. Janssen*:

> On Wed, Oct 04, 2006 at 08:45:03PM -0400, Claude LaFrenière wrote:
>> Hmmm... Bogus exit nodes or bogus DNS servers?
>
> One way or the other, brute forcing my way through all exit nodes should reveal it. Hopefully...

This is a big job. Maybe a very long investigation. You need data from the other Tor users about this issue.

>> Is it possible that the strange side effects come, not from the exit nodes themselves, but from the DNS server used by these exit nodes?
>
> Could be either way. Things which popped up in my mind:
> 1) DNS poisoning
> 2) Exit node is behind a transparent proxy which is compromised or modified in some way

Yes!

> 3) Outbound traffic from the exit node gets DNATed away by some firewall

OK, and the fourth: some exit nodes infected with trojans, viruses, worms... This limits the investigation to Windows exit nodes!!! ;-) (No such things with BSD/Linux I presume...)

> Things you could do:
> 1) Replacing complete websites with link farms (that's what happened to me)
> 2) Using a modified web proxy which inserts advertisements into the HTML code (possible, it's exactly the reverse of what Privoxy does)
> 3) Filter content
> 4) Replacing valid downloads by trojaned versions
> 5) Replace all pictures of a website with a picture of the goatse-man...
> 6) Modifying text in a subtle way using simple lex programs (e.g. replace all "must" by "could" or "police" by "SS")
> 7) insert favourite attack here

Or the German Tor exit nodes seized by the Polizei... Did they return these computers with some add-on??? (Hmmm... too paranoid I guess... ;-))

>> Our suspicions about bogus exit nodes must be based on facts, so I suggest collecting information about this issue here.
>
> My first run during the night was not very successful, most of the exit nodes refused to talk to me. I'm in timezone GMT+2 and that's pretty normal for that time of the day; I started another scan just minutes ago. Usually the Tor network is not that congested in the morning.

OK. Let us know if you find something interesting.

>> What we can do is report any strange side effect, including: the link to the web site, the resulting link with the redirection like the ones we're talking about, the exit node used to access this web site
>
> Aye.

Best regards,
-- Claude LaFrenière
Re: Analyzing TOR-exitnodes for anomalies
On Thu, Oct 05, 2006 at 09:31:47PM +0800, Deephay wrote:
> Also, the logo "linux-magazine.com - what you need, when you need it": is it an image or just text?

Exactly the same page is at http://www.wdr.tv/. The content of that page is (gathered with tcpdump):

<frameset rows="100%,*" frameborder="no" border="0" framespacing="0"><frame src="http://searchportal.information.com/?a_id=20223&domainname=wdr.tv"></frameset>

I don't know what the variable a_id is about - maybe a customer ID? However, domainname can be set to any arbitrary value. This seems to be the company behind it: http://oversee.net/

> Maybe it is a DNS poisoning job, maybe some guy runs a local DNS server as well as a Tor node to make some profit by directing us to this bogus linux-magazine?

Interesting. Maybe, that would be an explanation considering how the searchportal thing is working. However, I'm 75% through my second run with no results so far. Will keep you updated.

> Deephay

Alex.
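The thread collects three kinds of evidence by hand: bernd's nonsense-domain probes, the RESOLVE answers compared with and without Tor, and the frameset / redirect signatures like the wdr.tv one above, all gathered per exit the way Alexander's scan and torstat's comparison do. The following is an added example, not code from the thread, from torstat or from Alexander's scan, of classifying such observations so that a DNS-level cause (a rewriting resolver behind the exit) can be told apart from an HTTP-level one (a proxy or DNAT in the exit's path). The exit nicknames exitA/exitB/exitC, the iamaphex.net address and the probe records are constructed; the ezboard addresses, the parking hosts and the SUSPECTED+UNDESIRABLE+BOT marker are the ones quoted in the thread.

```python
"""Telling DNS-level from HTTP-level tampering across Tor exits (added example).

Input: per-exit observations of the kind the thread gathers by hand, plus a
reference resolution taken outside Tor. Exit nicknames exitA/exitB/exitC and the
iamaphex.net address are hypothetical; the rest is quoted from the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PARKING_HOSTS = ("landing.domainsponsor.com", "searchportal.information.com")
BOT_MARKER = "SUSPECTED+UNDESIRABLE+BOT"
FRAME_SRC = re.compile(r"<frame[^>]*?\bsrc=[\"']?([^\"'\s>]+)", re.IGNORECASE)


@dataclass
class Observation:
    exit_node: str            # exit nickname the probe went through
    host: str                 # name probed
    resolved: Optional[str]   # RESOLVE answer through this exit; None = NXDOMAIN
    body: str = ""            # HTTP body fetched through this exit, "" if not fetched
    final_url: str = ""       # URL after redirects, "" if not fetched


def parking_frame_target(body: str) -> Optional[str]:
    """Src of a frame pointing at a parking host (as in the wdr.tv frameset), else None."""
    for m in FRAME_SRC.finditer(body):
        if any(h in m.group(1) for h in PARKING_HOSTS):
            return m.group(1)
    return None


def classify(obs, reference, nonsense_hosts):
    """Findings for one observation. reference: {host: set of addresses seen without Tor}."""
    findings = []
    if obs.host in nonsense_hosts:
        # A resolver that answers for an unregistered name is rewriting NXDOMAIN.
        if obs.resolved is not None:
            findings.append(("nxdomain-hijack", f"{obs.host} -> {obs.resolved}"))
    elif obs.host in reference:
        if obs.resolved is None:
            findings.append(("dns-failure", obs.host))
        elif obs.resolved not in reference[obs.host]:
            findings.append(("dns-mismatch",
                             f"{obs.host} -> {obs.resolved}, expected {sorted(reference[obs.host])}"))
    target = parking_frame_target(obs.body)
    if target:
        findings.append(("parking-frame", target))
    if BOT_MARKER in obs.final_url or any(h in obs.final_url for h in PARKING_HOSTS):
        findings.append(("parking-redirect", obs.final_url))
    return findings


def scan(observations, reference, nonsense_hosts):
    """Findings grouped by exit nickname (every probed exit gets a key, even if clean)."""
    per_exit = defaultdict(list)
    for obs in observations:
        per_exit[obs.exit_node].extend(classify(obs, reference, nonsense_hosts))
    return dict(per_exit)


DNS_KINDS = {"nxdomain-hijack", "dns-mismatch", "dns-failure"}


def diagnosis(findings):
    """A wrong RESOLVE answer points at the resolver the exit uses; a parking page
    with correct DNS points at something rewriting HTTP in the exit's path."""
    kinds = {kind for kind, _ in findings}
    if not kinds:
        return "clean"
    if kinds & DNS_KINDS:
        return "dns-level: resolver used by the exit rewrites answers"
    return "http-level: proxy or DNAT in the exit's path rewrites pages"


# Constructed test data (hypothetical exits; ezboard addresses from the thread).
REFERENCE = {"login.ezboard.com": {"209.66.118.157"}, "www.iamaphex.net": {"203.0.113.10"}}
NONSENSE = {"qzv8ttx4k-nonsense.com"}
SAMPLE = [
    Observation("exitA", "login.ezboard.com", "64.74.223.198",
                body='<frameset rows="100%,*"><frame src="http://landing.domainsponsor.com/'
                     '?a_id=1637&domainname=ezboard.com"></frameset>',
                final_url="http://login.ezboard.com/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com"
                          "&r=SUSPECTED+UNDESIRABLE+BOT"),
    Observation("exitA", "qzv8ttx4k-nonsense.com", "64.74.223.198"),
    Observation("exitB", "login.ezboard.com", "209.66.118.157", body="<html>login form</html>"),
    Observation("exitB", "qzv8ttx4k-nonsense.com", None),
    Observation("exitC", "www.iamaphex.net", "203.0.113.10",
                body='<frameset><frame src="http://searchportal.information.com/'
                     '?a_id=20223&domainname=iamaphex.net"></frameset>'),
]

if __name__ == "__main__":
    for exit_name, findings in scan(SAMPLE, REFERENCE, NONSENSE).items():
        print(exit_name, diagnosis(findings), findings)
```

The nonsense-name probe is the cheapest discriminator: a registered host can legitimately change address between two resolvers, but a name that does not exist should never resolve, so an answer for it convicts the resolver behind that exit regardless of which site you happened to visit. An exit that resolves everything correctly yet still hands back a parking frame is the case that would justify Alexander's "transparent proxy / DNAT" hypotheses rather than the DNS one.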
Re: Analyzing TOR-exitnodes for anomalies
Hi *Alexander W. Janssen*:

Got it! I was going to this web site: http://www.iamaphex.net (this is the web site for Torcap, a program to socksify applications on Windows OS) with the exit node: whistlermother

Info: http://node2.xenobite.eu/torstat.php
1195 whistlersmother 204.13.236.244 US [X] 9001 0 Running Yes / Guard Yes / Authority No / Fast Yes / Exit Yes / Stable Yes / Valid Yes / V2Dir No

http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?textonly=1
US *whistlersmother 204.13.236.244 Exit policies: 22 53 80 110-143 443 5190 6667

I got this: http://www.iamaphex.net/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3diamaphex.net%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT

I found no information on that flanding.domainsponsor.com ...

With the exit node l3cht3rn3t3 I got this: Picture (remains available for 504 hours) http://cjoint.com/?kfrqWbKjxa
The link at the bottom of the page is an email address: [EMAIL PROTECTED] with this automatic email subject: Inquiring about the domain 'iamaphex.net', with status: CustomVIP

With the exit node waabbeel I got this: Picture (remains available for 504 hours) http://cjoint.com/?kfrydRFG6Q
and the link on the page is for a web site hosting company: https://www.1blu.de/start.php

With the exit node s3j3gm I got the same site... and so on...

Maybe the problem comes from the web sites' host servers and their sponsors... Looks like a security filter... :-\ So the problem seems to be related to web hosting, not the exit nodes... :)

-- Claude LaFrenière
Analyzing TOR-exitnodes for anomalies
Hi all,

considering that I heard from several people that they notice strange side effects since a couple of days - altered webpages, advertisements where no ads should be - I started a little investigation if there are any obviously bogus exit nodes in the wild: http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/

I welcome you to start your own investigation; if there are really bogus exit nodes we should be aware of those and we should know their nodes' nicknames to put them on a shitlist. This might lead to an escalation in the future when marketeers realize the possibilities of altering traffic.

Comments, ideas, pointers to other projects?

Alex.
Re: Analyzing TOR-exitnodes for anomalies
Hi *Alexander W. Janssen*:

> Hi all,
>
> considering that I heard from several people that they notice strange side effects since a couple of days - altered webpages, advertisements where no ads should be - I started a little investigation if there are any obviously bogus exit nodes in the wild: http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/
>
> I welcome you to start your own investigation; if there are really bogus exit nodes we should be aware of those and we should know their nodes' nicknames to put them on a shitlist. This might lead to an escalation in the future when marketeers realize the possibilities of altering traffic.
>
> Comments, ideas, pointers to other projects?
>
> Alex.

Hmmm... Bogus exit nodes or bogus DNS servers? Is it possible that the strange side effects come, not from the exit nodes themselves, but from the DNS server used by these exit nodes? A kind of DNS poisoning? (From a local DNS server or a remote DNS server...) Ref.: http://en.wikipedia.org/wiki/DNS_poisoning

Our suspicions about bogus exit nodes must be based on facts, so I suggest collecting information about this issue here. What we can do is report any strange side effect, including: the link to the web site, the resulting link with the redirection like the ones we're talking about, the exit node used to access this web site :)

-- Claude LaFrenière