Re: Analyzing TOR-exitnodes for anomalies

2006-10-08 Thread Taka Khumbartha
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Claude LaFrenière @ 2006/10/06 12:24:
> For the moment nothing proves that any exit nodes are responsible for this.
> We have to do something based on facts, not fears...
 

How about this then?  When navigating to www.ezboard.com the proper page is
loaded and displayed, verified by comparing the IP address of www.ezboard.com
found with and without tor_resolve.exe.  However, after entering your
username/password and logging in from that page, the request is handled by
login.ezboard.com, which resolved to 64.74.223.198 !!  The correct IP for
login.ezboard.com is 209.66.118.157.  Also, the now-infamous URL with the
flanding.domainsponsor.com and SUSPECTED+UNDESIRABLE+BOT junk in it was shown
as the address.  I think 64.74.223.198 has possibly now hijacked the ezboard login
information!  Unfortunately during this time I was scurrying about trying to
reset my password and wasn't able to get the IP of the exit node I was using.


> I suggest, if the facts prove that some exit nodes are responsible, that we
> keep them temporarily, instead of immediately blocking them, and use them
> as guinea pigs to study their behaviour and prevent that kind of abuse in
> the future.
>
> Consider this as a laboratory experiment with cyber-rats !  ;-)
> Better than [EMAIL PROTECTED] IMHO.
>
> :)
 

Fact or fear, then? ;)

Using unencrypted authentication over Tor is dumb to begin with, but this
really emphasizes it, I think!  This is too unfortunate, as many sites still do
not use SSL, but sometimes Tor users still at least need location privacy.  So I
for one hope we can dispose of these cyber-rats soon.
-----BEGIN PGP SIGNATURE-----

iQA/AwUBRSjCiV4XwiTbvfKgEQKToQCgteioKfQmvUf98AfyhVWEWvJhsB0AoJUB
Sr9b930B8WcsJb5Tb9WurqIR
=wKWZ
-----END PGP SIGNATURE-----
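
A worked version of the check Taka describes above, added here as an example and not code from the thread or from Tor: it sends Tor's SOCKS4a RESOLVE command (0xF0, the extension that tor_resolve.exe uses) so that the name is resolved by the exit node's resolver rather than locally, then compares the answer with what the local resolver returns. It assumes a Tor client with its SOCKS port at 127.0.0.1:9050; the hostname and addresses are the ones from the message, and the reply parser is exercised with constructed bytes.

```python
"""Resolve a name through Tor's SOCKS RESOLVE extension and compare the answer
with the local resolver: the tor_resolve.exe check described above, by hand.

Added example, not code from the thread or from Tor.  Assumes a Tor client
with its SOCKS port on 127.0.0.1:9050 (assumption).
"""
import socket
import struct
from typing import Optional

SOCKS4_VERSION = 0x04
TOR_CMD_RESOLVE = 0xF0    # Tor extension command, see Tor's socks-extensions.txt
SOCKS4_GRANTED = 0x5A     # 90: request granted
SOCKS4_REJECTED = 0x5B    # 91: request rejected or failed


def build_socks4a_resolve(hostname: str, userid: bytes = b"") -> bytes:
    """SOCKS4a request: VN, CD, DSTPORT, DSTIP, USERID NUL, HOSTNAME NUL.
    DSTIP = 0.0.0.1 tells the proxy that a hostname follows the USERID
    (the SOCKS4a convention); the port is meaningless for RESOLVE."""
    if not hostname.isascii():
        raise ValueError("IDNA-encode the hostname first")
    header = struct.pack("!BBH4s", SOCKS4_VERSION, TOR_CMD_RESOLVE, 0,
                         bytes([0, 0, 0, 1]))
    return header + userid + b"\x00" + hostname.encode("ascii") + b"\x00"


def parse_socks4_resolve_reply(reply: bytes) -> Optional[str]:
    """SOCKS4 reply: VN (always 0), CD, DSTPORT, DSTIP.  For a granted RESOLVE
    Tor stores the resolved IPv4 address in DSTIP.  None means the exit's
    resolver could not resolve the name (NXDOMAIN or lookup failure)."""
    if len(reply) != 8:
        raise ValueError("short SOCKS4 reply: %r" % (reply,))
    vn, cd, _port, ip = struct.unpack("!BBH4s", reply)
    if vn != 0:
        raise ValueError("unexpected reply version %d" % vn)
    if cd == SOCKS4_REJECTED:
        return None
    if cd != SOCKS4_GRANTED:
        raise ValueError("unexpected SOCKS4 reply code %d" % cd)
    return socket.inet_ntoa(ip)


def tor_resolve(hostname: str, socks_host: str = "127.0.0.1",
                socks_port: int = 9050, timeout: float = 30.0) -> Optional[str]:
    """Ask the Tor client to resolve `hostname` at the exit of the current
    circuit.  No DNS packet leaves this machine; the lookup is done by
    whatever resolver the exit node uses, which is exactly what we want
    to inspect."""
    with socket.create_connection((socks_host, socks_port), timeout=timeout) as s:
        s.sendall(build_socks4a_resolve(hostname))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("Tor closed the SOCKS connection early")
            reply += chunk
    return parse_socks4_resolve_reply(reply)


def compare_resolutions(local_ips, tor_ip: Optional[str]) -> str:
    """Classify the exit's answer against addresses obtained without Tor.
    'mismatch' is a lead, not proof: big sites answer from several addresses
    and from different ones per region, so gather local_ips over a few
    queries and look at the netblock (whois) before blaming an exit."""
    if tor_ip is None:
        return "nxdomain-at-exit"
    if tor_ip in set(local_ips):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    host = "login.ezboard.com"
    local = {socket.gethostbyname(host)}        # this machine's resolver
    via_tor = tor_resolve(host)                  # the exit node's resolver
    print(host, "local:", sorted(local), "via Tor:", via_tor,
          "->", compare_resolutions(local, via_tor))
```

SOCKS tells you nothing about which exit answered, so note the current exit in the controller (Vidalia) with each run and repeat after restarting the Tor client to get a fresh circuit; a mismatch then points at one exit's resolver rather than at Tor as a whole.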


Re: Analyzing TOR-exitnodes for anomalies

2006-10-08 Thread Claude LaFrenière
Hi  *Taka Khumbartha*   :


> Claude LaFrenière @ 2006/10/06 12:24:
>> For the moment nothing proves that any exit nodes are responsible for this.
>> We have to do something based on facts, not fears...
>
> How about this then?  When navigating to www.ezboard.com the proper page
> is loaded and displayed,
> verified by comparing the IP address of www.ezboard.com found with and
> without tor_resolve.exe.
> However, after entering your username/password and logging in from that page,
> the request is handled
> by login.ezboard.com, which resolved to 64.74.223.198 !!  The correct IP for
> login.ezboard.com is 209.66.118.157.
> Also, the now-infamous URL with the flanding.domainsponsor.com and
> SUSPECTED+UNDESIRABLE+BOT junk in it was shown as the address.
> I think 64.74.223.198 has possibly now hijacked the ezboard login information!
> Unfortunately during this time I was scurrying about trying to reset
> my password and wasn't able to get the IP of the exit node I was using.
>
>> I suggest, if the facts prove that some exit nodes are responsible, that we
>> keep them temporarily, instead of immediately blocking them, and use them
>> as guinea pigs to study their behaviour and prevent that kind of abuse in
>> the future.
>>
>> Consider this as a laboratory experiment with cyber-rats !  ;-)
>> Better than [EMAIL PROTECTED] IMHO.
>>
>> :)
>
> Fact or fear, then? ;)
>
> Using unencrypted authentication over Tor is dumb to begin with, but this
> really emphasizes it, I think!
> This is too unfortunate, as many sites still do not use SSL, but sometimes Tor
> users still at least need location privacy.
> So I for one hope we can dispose of these cyber-rats soon.

I found some interesting information about this IP address: 64.74.223.198

*A)  First IP query* ...
*The domain name for the specified IP address could not be found*

Initiating server query ...
Looking up the domain name for IP: 64.74.223.198
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected]  Requesting the server's default page.
The server returned the following response headers:
HTTP/1.1 200 OK
Connection: close
Date: Sun, 08 Oct 2006 13:45:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP=CAO PSA OUR
Set-Cookie: Domain=; path=/
Set-Cookie: Domain=223.198; path=/
Set-Cookie: RSAddParams=; path=/
Set-Cookie:
RSAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOKsyB5kP__xvek2IXUyHdaJqI5t6tpKyTKqmJSm0V1DPfpDBHppNXjFKlH8Sm7L3Lvyapfvaaamj6pVRlFechgR5wQkDC7RuB1FqstRZKAhV_EEOZz2zXNybkrsnzAUBfdG-SGB5P-a_1VrJSpHZrlPphCK4r9B1PifOr4w0kNtM-iN3vw-1z6vF07LDwbhPYYYipjk4t0GvDN-nzq_34xVXdgP61cH_Vg..;
path=/
Set-Cookie: LastURL=; path=/
Set-Cookie: LastURL=http://64.74.223.198/default.pk; path=/
Set-Cookie: RefPage=; path=/
Set-Cookie: RefPage=0; path=/
Set-Cookie: PCAddParams=; path=/
Set-Cookie:
PCAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOLsy4P_hv7-Pr0nxC0mQbrRNRFdvltLWSTVU5KX2igoZz9K4IzNJi8ZJUk_i03au5b_Jml89plqaTqnFGUV5GGA3nECQcLum4EUWiy1VkhCFf8Qy5svbJc15uVuyjMB8AsGjfpD7srWalaqzkqcjCVxx06BFfV-c6hhPIV-YaUe2n_Rp91Yfp5-Hi3Flw4NEnnMMb0xecb6DOC3en1a_24zSfcIfV1IA;
path=/
Set-Cookie: SessionHitCount=; path=/
Set-Cookie: SessionHitCount=1; path=/
Set-Cookie: ActionsTaken=; path=/
Set-Cookie: ActionsTaken=D A1 22L ; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 2381
Vary: Accept-Encoding
Content-Encoding: gzip
Query complete.

*B) Here I found the domain name: enom*
 *and the Hosting provider: internap*

http://www.ipv6tools.com/tools/whois.ch?ip=64.74.223.198&src=ShowIP

Location: United States [City: Oakland, California]

NOTE: More information appears to be available at NET-64-74-223-0-1.

Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 
  64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 
  64.74.223.0 - 64.74.223.255

http://www.dnsstuff.com/tools/whois.ch?ip=!NET-64-74-223-0-1&server=whois.arin.net

CustName:   eNom
Address:2002 156th Ave NE
City:   Bellevue
StateProv:  WA
PostalCode: 98008
Country:US
RegDate:2005-09-23
Updated:2005-09-23

NetRange:   64.74.223.0 - 64.74.223.255 

http://www.dnsstuff.com/tools/whois.ch?ip=!INO3-ARIN&server=whois.arin.net&type=P

Name:   InterNap Network Operations Center 
Handle: INO3-ARIN
Company:Internap Network Operations Center
Address:Internap Network Services

From:
http://www.completewhois.com/hijacked/index.htm
http://www.completewhois.com/cgi-bin/whois.cgi
Completewhois.Com Whois Server, Version 0.91a33, compiled on May 28, 2006

Unknown domain: 64.74.223.198
[IPv4 whois information for 64.74.223.198 ]
[whois.arin.net]
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 
   

Re: Analyzing TOR-exitnodes for anomalies

2006-10-07 Thread George Shaffer
On Thu, 2006-10-05 at 11:41, Alexander W. Janssen wrote:

> OK, well, I checked that whistlersmother as well and got this picture:
> http://cjoint.com/data/kfr4jmDAsY.htm

I've read or skimmed the entire thread which seems to have ended midday
Thu, 10-5. Friday morning I clicked on a Cnet newsletter link:

http://ct.cnet-ssa.cnet.com/clicks?t=13228073-17329da91d4282a70255804e6ba2f6d5-bfs=5fs=0

Tor was enabled in Firefox and I got a page almost identical to the one
Alexander posted above, except it had Cnet.com at the top. At some
subsequent time I copied the URL into an open copy of Firefox, and got a
somewhat similar page, except it had a variety of graphic content that
made the page look much slicker.

I wondered what was going on. Is Cnet blocking anonymous traffic? I
tried a browser not using Tor, and got a normal Cnet page with the
expected content. I then tried three other anonymizing services, The
Cloak, Anonymouse, and HideMyAss with the same URL. All got the same
correct result as the non Tor browser.

While reading this thread, when I saw Alexander's screen capture, I
realized that was just about what I'd seen Friday morning and tried
Firefox with Tor again and saw the expected Cnet page. I've tried
multiple times since, over a couple hours and each time got the right
page.

I am very skeptical of one of the hypotheses, that web hosting services
are blocking Tor access. If a provider did this without an explicit
policy and/or informing their customers that this was part of their
practices, they could easily be liable for any lost value for every
hosted site that had any decrease in traffic as a result of such
blocking. Second, why would any hosting service care who visited its
clients' web sites? Who they want as visitors is and should be a matter
of concern only to the sites' owners. A hosting service might assist a
specific site in blocking some type of unwanted traffic, and charge the
customer for the additional service.

In the case of Cnet, they are a rather major Internet content provider
and I expect they run their own servers. Regardless of who manages
Cnet's servers, they are big enough they would expect full control over
any policies that denied access to any visitor. A query from the right
party to the right people at Cnet should answer conclusively whether or
not Cnet has had any part in this. If so then it should be a Tor / EFF
education matter and if not, then some other theory needs to be
considered. After writing this, I think it makes no sense at all. If
Cnet wanted to block someone they would display some kind of error
message or page; they would never redirect someone to a link farm of
unrelated links. It makes zero business sense to send visitors elsewhere
with no explanation.

I have one more theory or, more accurately, a guess. When I was testing
to see if Tor was working, I visited grc.com to use the Shields Up
test. If they showed an IP that wasn't mine, then I could be pretty sure
Tor was working. The first time I visited them, I was surprised when
they determined I was behind a proxy and refused to go any further.
Later, I tried again and this time they just determined a different IP
address than mine. I decided to go ahead and do a Common Port scan. I
was appalled. The exit node seemed to have all kinds of open ports - a
lot more than I thought would be proxied by Tor. Unfortunately I did not
think to write down the reverse DNS address or the open ports.

My thought is that some exit nodes may be compromised without the
operator's knowledge. Maintaining good security while running an exit
node does not look like a simple task. I'm reluctant to do more of these
scans because they are an unauthorized port scan against the exit node.
If however I see another of the strange pages discussed in this thread I
will try to capture the page and then quickly do a scan.

George Shaffer



Re: Analyzing TOR-exitnodes for anomalies

2006-10-07 Thread clifnor
Yesterday, I linked to Slashdot and got a bogus page in German.
Restarting my Tor client (i.e., getting a new set of circuits) got me to
the real Slashdot page.

???

Clifnor

-- 
http://www.fastmail.fm - Choose from over 50 domains or use your own



Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread Stephen
Greetings!

Been experiencing this particular issue since Sunday & following the topic here.

From 05-Oct:

exiting from hotmail account

redirected link: 
http://g.msn.com/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3dmsn.com%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT

tor exit node: whistlersmother

First noticed this problem on Sunday when the Clusty homepage was transformed
with porno-style images & also had the same catch phrase "what you need, when
you need it". Unfortunately didn't note the redirected URL on that occasion.

I'm quite happy to report further examples as & when they occur. Please, if
there is any other technical data I can send with these reports let me know
what to include (if that's useful).




Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread Claude LaFrenière
Hi  *Stephen*   :

> Greetings!
>
> Been experiencing this particular issue since Sunday & following the topic
> here.
>
> From 05-Oct:
>
> exiting from hotmail account
>
> redirected link:
> http://g.msn.com/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3dmsn.com%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT
>
> tor exit node: whistlersmother
>
> First noticed this problem on Sunday when the Clusty homepage was transformed
> with porno-style images & also had the same catch phrase "what you need, when
> you need it". Unfortunately didn't note the redirected URL on that
> occasion.
>
> I'm quite happy to report further examples as & when they occur. Please, if
> there is any other technical data I can send with these reports let me know
> what to include (if that's useful).

Hmmm... I had this problem with the whistlersmother exit node and this site:
http://www.iamaphex.net
with the same frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah
blah filter ... =SUSPECTED+UNDESIRABLE+BOT

My hypothesis was a filter used by web site hosting services.
But now you find the same frame with Hotmail...

*Therefore my hypothesis was wrong*

Does this come from this exit node?
From the DNS server (local or remote) of this exit node?
From some nodes in between?
Or what?

I have no idea for the moment.
Maybe Alexander W. Janssen has an idea?

Thank you, Stephen, for helping us fix this problem.

Best regards,
-- 
Claude LaFrenière   



Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread Robert Hogan

> Hmmm... I had this problem with the whistlersmother exit node and this site:
> http://www.iamaphex.net with the same
> frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah
> filter ... =SUSPECTED+UNDESIRABLE+BOT


I have the same experience using whistlersmother for the same site.

-- 

KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
TorK   - A Tor Controller For KDE  - http://tork.sf.net


Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread Robert Hogan
On Friday 06 October 2006 19:21, Robert Hogan wrote:
>> Hmmm... I had this problem with the whistlersmother exit node and this site:
>> http://www.iamaphex.net with the same
>> frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah
>> filter ... =SUSPECTED+UNDESIRABLE+BOT
>
> I have the same experience using whistlersmother for the same site.

And I have the same experience with practically every other exit node I try 
for this site. So whistlersmother is not the problem...
-- 

KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
TorK   - A Tor Controller For KDE  - http://tork.sf.net


Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread Claude LaFrenière
Hi  *Robert Hogan*   :

> On Friday 06 October 2006 19:21, Robert Hogan wrote:
>>> Hmmm... I had this problem with the whistlersmother exit node and this site:
>>> http://www.iamaphex.net with the same
>>> frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah
>>> filter ... =SUSPECTED+UNDESIRABLE+BOT
>>
>> I have the same experience using whistlersmother for the same site.
>
> And I have the same experience with practically every other exit node I try
> for this site. So whistlersmother is not the problem...

Hmmm...

Personally I don't believe that whistlersmother (or any other node)
is responsible for this...  It looks like a web server filter or DNS server
filter...

But now how to explain the same behaviour with
a web site like http://www.iamaphex.net
and
a web site like hotmail.com ???

They don't share the same web hosting service...

Is this a new filter for web sites or web hosting?

Another question:
How does this filter spot a Tor exit like whistlersmother?

I guess it's based on the IP address of this exit node.
(Or the browser referer sent to the web site... ???)

Since no exit node has control over what Tor users are doing, is it
possible that some bad guys have used Tor for unacceptable things and
put the whistlersmother IP address into a black list of this hypothetical
filter ???

One way to check this is to compare exit nodes with a fixed IP address
with exit nodes with a dynamic IP address and see if this makes a
difference.

If an exit node with a dynamic IP address is not spotted as a bad IP in the
hypothetical bad-list filter, then the filter is based on IP address.

Many tests must be done before proving this.
...

If the behaviour of fixed-IP-address exit nodes
and
the behaviour of dynamic-IP-address exit nodes
are the same,
then
a) the hypothetical filter is not based on IP address
b) there is no such filter but something else...

??? [not sure ...]  :-\

( !!! Hmmm.. I have to revise my formal logic manuals a little bit .. ;-)  )

It's hard to find enough data about this problem because there's no way to
easily reproduce it.

:)

-- 
Claude LaFrenière   



Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread Claude LaFrenière
Hi  *M*   :


> How can I see which exit node is being used?

Check this with Vidalia ... 

 
> http://www.debian-administration.org/ was mutilated by an exit node into
> something similar to what you are reporting. Quite an alarming trend.

Please let us remain calm like Norwegian sailors in the storm. 

 
> I think that badly behaving exit nodes should be excluded automagically.
> How, I don't know =).

For the moment nothing proves that any exit nodes are responsible for this.
We have to do something based on facts, not fears...

I suggest, if the facts prove that some exit nodes are responsible, that we
keep them temporarily, instead of immediately blocking them, and use them
as guinea pigs to study their behaviour and prevent that kind of abuse in
the future.

Consider this as a laboratory experiment with cyber-rats !  ;-)
Better than [EMAIL PROTECTED] IMHO.

:)

-- 
Claude LaFrenière   



Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread bagelcat
OK, I have now played for more than half an hour with nonsense
domain names. Every time the connection goes through an exit node
located in Texas, one time in the state of New York and one time in
Denver, I have got the advertising page.


Maybe it will be a nice test that someone using the same ISP - and
in that case maybe the same DNS route - that one of these strange exit
nodes has will test what happens when they write a not registered URL?



I have also got the advertising page one or two times when I was
connecting to an existing page. But it seems that nonsense
domain names are a good way for testing because you can reproduce the
advertising.


Much fun
bernd


On 06.10.2006 at 21:34 bagelcat wrote:

> Hmm. I think this is a problem with some DNS server on second/third
> level which makes a link to that domainsponsor.com when they are
> asked for a not registered URL. Is it possible?




Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread missi
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe a problem with a DNS server?

Greetz
Missi

Just now (on 6 Oct 2006 at 22:26) you typed:
> OK, I have now played for more than half an hour with nonsense
> domain names. Every time the connection goes through an exit node
> located in Texas, one time in the state of New York and one time in
> Denver, I have got the advertising page.
>
> Maybe it will be a nice test that someone using the same ISP - and
> in that case maybe the same DNS route - that one of these strange exit
> nodes has will test what happens when they write a not registered URL?
>
>
> I have also got the advertising page one or two times when I was
> connecting to an existing page. But it seems that nonsense
> domain names are a good way for testing because you can reproduce the
> advertising.
>
> Much fun
> bernd
>
>
> On 06.10.2006 at 21:34 bagelcat wrote:
>
>> Hmm. I think this is a problem with some DNS server on second/third
>> level which makes a link to that domainsponsor.com when they are
>> asked for a not registered URL. Is it possible?


- --
Website: http://www.entartete-kunst.com/
The monitor is plugged into the serial port
Off-target song of the day: Paradise Lost - Isolate
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: I have nothing to hide!

iD8DBQFFJrz5WTjnF57KrgIRAl+jAJ4u6iBQDLgToostA4XgUcCFYpu01wCfTLFe
st2haUI1FQt/xTpQSnqKBww=
=XAot
-----END PGP SIGNATURE-----



Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread M
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>> How can I see which exit node is being used?
>
> Check this with Vidalia ...

Thanks for the info.

>> I think that badly behaving exit nodes should be excluded automagically.
>> How, I don't know =).
>
> For the moment nothing proves that any exit nodes are responsible for this.
> We have to do something based on facts, not fears...
>
> I suggest, if the facts prove that some exit nodes are responsible, that we
> keep them temporarily, instead of immediately blocking them, and use them
> as guinea pigs to study their behaviour and prevent that kind of abuse in
> the future.

I admit it, perhaps I was too hasty blaming anomalies on exit nodes
without thinking it over. I was just pissed off (ok, that's not an excuse)...

Sorry for any inconvenience =)

M

ps: ugghh, my eBay account was frozen 'cause I used it via tor... I'm
using transparent tor and added some of eBay's servers to the exclude list
but there's a ton of them..
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3-cvs (MingW32)
Comment: GnuPT 2.7.6
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFJsD/6fSN8IKlpYoRAjp0AJ9+yg59gUqIBBgL9PHLRJe4nO8PDwCgm+QO
T0xDBZVpF0QyDVJ9ytBcc50=
=fX5t
-----END PGP SIGNATURE-----


Re: Analyzing TOR-exitnodes for anomalies

2006-10-06 Thread Tim McCormack
bagelcat wrote:
> OK, I have now played for more than half an hour with nonsense
> domain names. Every time the connection goes through an exit node located
> in Texas, one time in the state of New York and one time in Denver, I have
> got the advertising page.

I remember something about a major DNS server that was abusing its power
and redirecting requests for nonexistent domains to advertising pages.

Also, ISPs sometimes redirect bad requests:

http://blogs.earthlink.net/2006/08/handling_dead_domains_1.php

..and get lots of flak for it. (Not nearly enough, I say!)

I also came across a note that ISPs may be randomly redirecting requests
for existing sites to domainsponsor.com in a bid to up their profits:

http://www.infosyssec.com/forum/viewtopic.php?p=11395&sid=436f73bb85d55318bf53f7ff80fc64e9

 - Tim McCormack
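
bagelcat's nonsense-domain test and the NXDOMAIN-rewriting ISPs Tim links to, made repeatable as an added example (not code from the thread): random labels under several TLDs must all be NXDOMAIN, so any answer at all means a resolver in the path rewrites failures, and the addresses it answers with are the "sink" to compare against the host that served a suspicious page. The resolver is an injectable callable; the default uses the local stub resolver, and the fake resolvers used to exercise it are constructed.

```python
"""Systematic version of the 'nonsense domain name' test: resolve random,
unregistered names and see whether the resolver answers anyway.  An honest
resolver returns NXDOMAIN for all of them; a rewriting resolver answers every
one with the same few 'sink' addresses.

Added example, not code from the thread.  `resolve` is any callable
hostname -> list of IPv4 strings (empty on NXDOMAIN); the default uses this
machine's resolver.
"""
import secrets
import socket
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def default_resolve(hostname):
    """Resolver of the machine running this script (on an exit node, the
    resolver that exit uses for Tor clients' lookups)."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except socket.gaierror:
        return []


def random_label(length=12):
    # 36^12 possibilities: nobody has registered this name by accident
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def probe_nxdomain_rewrite(resolve=default_resolve,
                           tlds=("com", "net", "org"), probes_per_tld=3):
    """Query several random names under each TLD and collect the answers."""
    answers = {}
    for tld in tlds:
        for _ in range(probes_per_tld):
            name = "%s.%s" % (random_label(), tld)
            answers[name] = sorted(resolve(name))
    sink = Counter(ip for ips in answers.values() for ip in ips)
    return {
        "answers": answers,
        "answered": sum(1 for ips in answers.values() if ips),
        "total": len(answers),
        "sink_ips": [ip for ip, _count in sink.most_common()],
    }


def classify(report):
    """'clean': no random name resolved.
    'resolver-rewrite': every TLD answered and they share a sink address,
        i.e. the rewriting happens in the resolver, not in one registry.
    'tld-wildcard-or-partial': only some TLDs answered (a registry wildcard,
        or a resolver that rewrites selectively); needs a closer look."""
    per_tld = {}
    for name, ips in report["answers"].items():
        per_tld.setdefault(name.rsplit(".", 1)[1], set()).update(ips)
    answering = [ips for ips in per_tld.values() if ips]
    if not answering:
        return "clean"
    if len(answering) == len(per_tld) and set.intersection(*answering):
        return "resolver-rewrite"
    return "tld-wildcard-or-partial"


def explains_redirect(report, suspect_ip):
    """True if the address that served a suspicious page is one of the
    resolver's sink addresses, i.e. the page came from NXDOMAIN rewriting."""
    return suspect_ip in report["sink_ips"]


if __name__ == "__main__":
    rep = probe_nxdomain_rewrite()
    print(classify(rep),
          "%d/%d random names resolved" % (rep["answered"], rep["total"]),
          rep["sink_ips"])
```

Run it on the machine whose resolver is in question (an exit operator can run it as is; a client can pass a `resolve` that goes through Tor's SOCKS RESOLVE). The per-TLD split matters: a registry wildcard answers for every name under one TLD only, while a rewriting resolver answers under all of them.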


Re: Analyzing TOR-exitnodes for anomalies

2006-10-05 Thread glymr
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

I am not adding anything useful, but I wish to add my feeling about this
situation that people are so rapidly responding to a threat so early.

:) tor will never die if people like you all are on it. (which reminds
me i've blathered about writing a dns proxy patch for tor so dns leaks
are a thing of the past, and i bloody better do something serious about
it DANGIT!)

dns poisoning is of course a bigger problem than tor, there has been
discussion about the 'splitting of the root' some months ago as it turns
out that dns servers will give out different addresses depending on the
nation of locality. This is a very serious problem and extends beyond
the domain of the tor network. I have no idea where to point people with
regard to this subject but I hope someone who has a bee in their bonnet
about it will very shortly.

Claude LaFrenière wrote:
> Hi  *Alexander W. Janssen*   :
>
>> Hi all,
>>
>> considering that I heard from several people that they notice strange
>> side effects since a couple of days - altered webpage, advertisement where no
>> ads should be - I started a little investigation if there are any obviously
>> bogus exitnodes in the wild:
>>
>> http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/
>>
>> I welcome you to start your own investigation; if there are really bogus
>> exitnodes we should be aware of those and we should know their node's
>> nickname
>> to put them on a shitlist.
>>
>> This might lead to an escalation in the future when marketers realize the
>> possibilities of altering traffic.
>>
>> Comments, ideas, pointers to other projects?
>>
>> Alex.
>
> Hmmm...  Bogus exit nodes or bogus DNS servers ?
>
> Is it possible that the strange side effects come, not from the exit nodes
> themselves, but from the DNS server used by these exit nodes ?
>
> A kind of DNS poisoning? (From a local DNS server or remote DNS server...)
> Ref.: http://en.wikipedia.org/wiki/DNS_poisoning
>
> Our suspicions about bogus exit nodes must be based on facts
> so I suggest to collect information about this issue here.
>
> What we can do is to report any strange side effect including:
>
> the link to the web site
> the resulting link with the redirection like the ones we're talking about
> the exit node used to access this web site
>
>
> :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFJLAmGkOzwaes7JsRA508AJ0bN6BhDB86etVVlYPwk5/ae7a7GQCfRqZl
KUW45IG2fHmy59wYA5bbA04=
=usn6
-----END PGP SIGNATURE-----


Re: Analyzing TOR-exitnodes for anomalies

2006-10-05 Thread Alexander W. Janssen
On Wed, Oct 04, 2006 at 08:45:03PM -0400, Claude LaFrenière wrote:
> Hmmm...  Bogus exit nodes or bogus DNS servers ?

One way or the other, brute forcing my way through all exit-nodes should
reveal it. Hopefully...

> Is it possible that the strange side effects come, not from the exit nodes
> themselves, but from the DNS server used by these exit nodes ?

Could be either way. Things which popped up in my mind:
1) DNS poisoning
2) Exit-node is behind a transparent proxy which is compromised or modified in
some way
3) Outbound traffic from the exit-node gets DNATed away by some firewall

Things you could do:
1) Replacing complete websites with link-farms (that's what happened to me)
2) Using a modified web-proxy which inserts advertisements into the HTML-code
(possible, it's exactly the reverse of what Privoxy does)
3) Filter content
4) Replacing valid downloads by trojaned versions
5) Replace all pictures of a website with a picture of the goatse-man...
6) Modifying text in a subtle way using simple lex-programs (e.g. replace all
"must" by "could" or "police" by "SS")
7) insert favourite attack here
 
> Our suspicions about bogus exit nodes must be based on facts
> so I suggest to collect information about this issue here.

My first run during the night was not very successful, most of the exitnodes
refused to talk to me. I'm in timezone GMT+2 and that's pretty normal for that
time of the day, I started another scan just minutes ago. Usually the
TOR-network is not that congested in the morning.

> What we can do is to report any strange side effect including:
>
> the link to the web site
> the resulting link with the redirection like the ones we're talking about
> the exit node used to access this web site

Aye.
 
> Claude LaFrenière

Alex.

-- 
I am tired of all this sort of thing called science here... We have spent
millions in that sort of thing for the last few years, and it is time it
should be stopped.
 -- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901. 




Re: Analyzing TOR-exitnodes for anomalies

2006-10-05 Thread BlueStar88
Currently I'm improving my torstat page to mark nodes with bad
HTTP behaviour, using automatic HTTP-throughput comparison of every
HTTP-servicing exit node against a reference exit node.
Then it's up to the users to add an ExcludeNodes statement in
torrc using this information.


Greets


Alexander W. Janssen wrote:

> Comments, ideas, pointers to other projects?

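
The comparison BlueStar88 describes, together with the repeatability point George makes further up the thread, as an added example (not BlueStar88's or torstat's code): the same URL fetched through several exits is compared against a copy fetched directly, using a structural fingerprint (title plus the set of hosts linked to) rather than a hash, because dates and ad slots make raw hashes differ on every fetch; and an exit is only flagged when every fetch through it disagreed, since the same exit can deliver the right page an hour later. Fetching is left to the caller; the pages (linux-magazine.com stands in for the site Deephay mentions) and the exit nicknames are constructed.

```python
"""Differential check of one URL across exit nodes against a reference copy
fetched without Tor.

Added example, not torstat's code.  `fetches` maps an exit nickname to the
list of bodies obtained through it (None for a failed fetch); the pages and
nicknames at the bottom are constructed.
"""
import re
from urllib.parse import urlsplit

_TITLE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
_HREF = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def fingerprint(body):
    """Title (whitespace-normalised, lowercased) and the hosts linked to."""
    m = _TITLE.search(body)
    title = " ".join(m.group(1).split()).lower() if m else ""
    hosts = {urlsplit(u).hostname for u in _HREF.findall(body)}
    hosts.discard(None)
    return {"title": title, "hosts": hosts}


def classify_fetch(ref, body):
    """'same'        structure matches the reference
       'modified'    same page with additions/removals (injected ads, filtering)
       'replaced'    different title and no shared link host (link farm, parked page)
       'unreachable' the exit did not deliver a page at all"""
    if body is None:
        return "unreachable"
    fp = fingerprint(body)
    if fp == ref:
        return "same"
    disjoint = not (fp["hosts"] & ref["hosts"])
    if disjoint and (fp["title"] != ref["title"] or ref["hosts"]):
        return "replaced"
    return "modified"


def classify_exit(ref, bodies):
    """Fold repeated fetches through one exit into a single verdict; a mix of
    good and bad fetches is 'intermittent' (a circuit/DNS effect, or a page
    that simply changed), not evidence against the exit."""
    verdicts = {classify_fetch(ref, b) for b in bodies}
    if verdicts == {"same"}:
        return "same"
    if "same" in verdicts:
        return "intermittent"
    return verdicts.pop() if len(verdicts) == 1 else "mixed"


def scan(reference_body, fetches):
    """fetches: {exit_nickname: [body_or_None, ...]} -> {exit_nickname: verdict}"""
    ref = fingerprint(reference_body)
    return {exit_: classify_exit(ref, bodies) for exit_, bodies in fetches.items()}


# Constructed pages: a reference, the same page with a different timestamp,
# a copy with an injected ad link, and a parked frameset with no links at all.
REFERENCE_PAGE = ("<html><head><title>Linux Magazine</title></head><body>"
                  "<a href='http://www.linux-magazine.com/issues'>Issues</a> "
                  "<a href='http://www.linux-magazine.com/subscribe'>Subscribe</a>"
                  "<p>generated 2006-10-05 11:41</p></body></html>")
LATER_COPY = REFERENCE_PAGE.replace("11:41", "12:07")
AD_INJECTED = REFERENCE_PAGE.replace(
    "</body>", "<a href='http://ads.example.net/click?id=1'>sponsored</a></body>")
PARKED_PAGE = ('<frameset rows="100%,*"><frame src="http://searchportal.information.com/'
               '?a_id=20223&amp;domainname=linux-magazine.com"></frameset>')
SAMPLE_FETCHES = {          # constructed exit nicknames
    "exitA": [LATER_COPY, LATER_COPY],
    "exitB": [PARKED_PAGE, PARKED_PAGE],
    "exitC": [AD_INJECTED, AD_INJECTED],
    "exitD": [REFERENCE_PAGE, PARKED_PAGE],
    "exitE": [None, None],
}

if __name__ == "__main__":
    for exit_, verdict in scan(REFERENCE_PAGE, SAMPLE_FETCHES).items():
        print("%-6s %s" % (exit_, verdict))
```

Only 'replaced' and 'modified' verdicts that hold on every fetch are worth an ExcludeNodes entry; 'intermittent' ones are what the thread keeps running into, and they argue for looking at the resolver behind the exit rather than at the exit.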


Re: Analyzing TOR-exitnodes for anomalies

2006-10-05 Thread Claude LaFrenière
Hi  *Alexander W. Janssen*   :

> On Wed, Oct 04, 2006 at 08:45:03PM -0400, Claude LaFrenière wrote:
>> Hmmm...  Bogus exit nodes or bogus DNS servers ?
>
> One way or the other, brute forcing my way through all exit-nodes should
> reveal it. Hopefully...

This is a lot of work. Maybe a very long investigation.
You need data from the other Tor users about this issue.

 
>> Is it possible that the strange side effects come, not from the exit nodes
>> themselves, but from the DNS server used by these exit nodes ?
>
> Could be either way. Things which popped up in my mind:
> 1) DNS poisoning
> 2) Exit-node is behind a transparent proxy which is compromised or modified in
> some way

Yes!

> 3) Outbound traffic from the exit-node gets DNATed away by some firewall

ok

and the fourth:
some exit nodes infected with trojans, viruses, worms...
This limits the investigation to Windows exit nodes !!!  ;-)
(No such things with BSD/Linux I presume...)

 
> Things you could do:
> 1) Replacing complete websites with link-farms (that's what happened to me)
> 2) Using a modified web-proxy which inserts advertisements into the HTML-code
> (possible, it's exactly the reverse of what Privoxy does)
> 3) Filter content
> 4) Replacing valid downloads by trojaned versions
> 5) Replace all pictures of a website with a picture of the goatse-man...
> 6) Modifying text in a subtle way using simple lex-programs (e.g. replace all
> "must" by "could" or "police" by "SS")
> 7) insert favourite attack here

Or the German Tor exit nodes seized by the police...
Did they return these computers with some add-on ???
(Hmmm... too paranoid I guess...  ;-)  )

  
>> Our suspicions about bogus exit nodes must be based on facts
>> so I suggest to collect information about this issue here.
>
> My first run during the night was not very successful, most of the exitnodes
> refused to talk to me. I'm in timezone GMT+2 and that's pretty normal for that
> time of the day, I started another scan just minutes ago. Usually the
> TOR-network is not that congested in the morning.

OK. Let us know if you find something interesting.

 
>> What we can do is to report any strange side effect including:
>>
>> the link to the web site
>> the resulting link with the redirection like the ones we're talking about
>> the exit node used to access this web site
>
> Aye.

Best regards,

-- 
Claude LaFrenière   



Re: Analyzing TOR-exitnodes for anomalies

2006-10-05 Thread Alexander W. Janssen
On Thu, Oct 05, 2006 at 09:31:47PM +0800, Deephay wrote:
> Also, the logo linux-magazine.com "what you need, when you
> need it" is an image or just text?

Exactly the same page is at http://www.wdr.tv/.

The content of that page is (gathered with tcpdump):
<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame
src="http://searchportal.information.com/?a_id=20223&domainname=wdr.tv">
</frameset>

I don't know what the variable a_id is about - maybe a customer-id? However,
domainname can be set to any arbitrary value.

This seems to be the company behind it: http://oversee.net/

> Maybe it is a DNS poisoning job, maybe some guy runs a local DNS
> server as well as a tor node to make some profit by directing us to
> this bogus linux-magazine? Interesting.

Maybe, that would be an explanation considering how the searchportal thing is
working.
However, I'm 75% through my second run with no results so far.

Will keep you updated.

> Deephay

Alex.

-- 
I am tired of all this sort of thing called science here... We have spent
millions in that sort of thing for the last few years, and it is time it
should be stopped.
 -- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901. 




Re: Analyzing TOR-exitnodes for anomalies

2006-10-05 Thread Claude LaFrenière
Hi  *Alexander W. Janssen*   :

Got it !

I was going to this web site: http://www.iamaphex.net
(This is the web site for Torcap, a program to socksify applications on Windows
O.S.)
with the exit node whistlersmother

Info: http://node2.xenobite.eu/torstat.php
1195  whistlersmother  204.13.236.244  US  [X]  9001  0

Running Yes / Guard Yes / Authority No / Fast Yes / Exit Yes /
Stable Yes / Valid Yes / V2Dir No

http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?textonly=1
US *whistlersmother 204.13.236.244
Exit policies: 22   53   80  110-  143  443 5190 6667

I got this:

http://www.iamaphex.net/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3diamaphex.net%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT

I found no information on that flanding.domainsponsor.com ...

With the exit node l3cht3rn3t3 I got this:

Picture (remains available for 504 hours)
http://cjoint.com/?kfrqWbKjxa
The link at the bottom of the page is an email address:
[EMAIL PROTECTED]
with this automatic email subject: Inquiring about the domain 'iamaphex.net',
with status: CustomVIP


With the exit node waabbeel I got this:
Picture (remains available for 504 hours)
http://cjoint.com/?kfrydRFG6Q

and the link on the page is for a web site hosting service:
https://www.1blu.de/start.php

With the exit node s3j3gm I got the same site...

and so on...

Maybe the problem comes from the web sites' host servers and their sponsors...
Looks like a security filter ...  :-\

So the problem seems to be related to web hosting, not the exit nodes...

:)
-- 
Claude LaFrenière   
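
A parser for the evidence Claude asks people to report (the site visited, the redirected URL or captured page, the exit node), as an added example and not code from the thread. It decodes the address-bar URL (the parking URL is nested once in the `u` parameter, with the reason in `r`) or a captured frameset body into the parking service's own identifiers: its host, its customer id (a_id) and the domainname it was told it serves, which is what lets reports from different sites and exits be compared. Only the two parking hosts seen in this thread are listed; the sample URL and HTML are the ones quoted in the thread with '&' separators restored, and the exit nicknames are placeholders.

```python
"""Decode a reported redirect URL or captured frameset into the parking
service's identifiers (host, a_id, domainname) plus the reporting fields
asked for in the thread.

Added example, not code from the thread.  PARKING_DOMAINS lists only the
two services seen in this thread (assumption: extend as needed).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

PARKING_DOMAINS = ("domainsponsor.com", "information.com")


def is_parking_host(host):
    return bool(host) and any(host == d or host.endswith("." + d)
                              for d in PARKING_DOMAINS)


def _first(query, key):
    return parse_qs(query).get(key, [None])[0]


def _describe_target(target_url, site=None, reason=None):
    t = urlsplit(target_url)
    if not is_parking_host(t.hostname):
        return None
    return {
        "site": site,
        "parking_host": t.hostname,
        "a_id": _first(t.query, "a_id"),          # the service's customer id
        "domainname": _first(t.query, "domainname"),
        "reason": reason,
    }


def parking_info_from_url(url):
    """The address-bar URL after the redirect, e.g.
    http://g.msn.com/frame.aspx?u=<percent-encoded parking URL>&r=<reason>.
    The parking URL is nested once in `u`; parse_qs decodes it for us."""
    outer = urlsplit(url)
    nested = _first(outer.query, "u")
    reason = _first(outer.query, "r")             # '+' already turned into ' '
    return _describe_target(nested or url, site=outer.hostname, reason=reason)


class _FrameFinder(HTMLParser):
    """Collect frame/iframe src attributes: the replaced pages in the thread
    are one frameset wrapping the parking service."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def parking_info_from_html(body, site=None):
    """The captured body (tcpdump, saved page) instead of the URL."""
    finder = _FrameFinder()
    finder.feed(body)
    for src in finder.srcs:
        info = _describe_target(src, site=site)
        if info:
            return info
    return None


def build_report(site_url, exit_node, observed_url=None, body=None):
    """One record per observation, in the shape asked for in the thread, plus
    the decoded parking fingerprint (None when the page looks untouched)."""
    info = None
    if observed_url:
        info = parking_info_from_url(observed_url)
    if info is None and body:
        info = parking_info_from_html(body, site=urlsplit(site_url).hostname)
    return {"site": site_url, "observed_url": observed_url,
            "exit_node": exit_node, "parking": info}


# Samples reconstructed from the thread ('&' separators restored).
SAMPLE_URL = ("http://g.msn.com/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com"
              "%3fa_id%3d1637%26domainname%3dmsn.com%26adultfilter%3doff"
              "%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT")
SAMPLE_HTML = ('<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">'
               '<frame src="http://searchportal.information.com/'
               '?a_id=20223&amp;domainname=wdr.tv"></frameset>')

if __name__ == "__main__":
    print(build_report("http://hotmail.com/", "exit-nickname", observed_url=SAMPLE_URL))
    print(build_report("http://www.wdr.tv/", "exit-nickname", body=SAMPLE_HTML))
```

Identical a_id values across unrelated sites and exits point at one upstream party (a resolver or ISP) doing the rewriting, and the `domainname` field naming the real site (msn.com, wdr.tv) shows the page was served instead of, not by, that site.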



Analyzing TOR-exitnodes for anomalies

2006-10-04 Thread Alexander W. Janssen
Hi all,

considering that I heard from several people that they notice strange
side effects since a couple of days - altered webpage, advertisement where no
ads should be - I started a little investigation if there are any obviously
bogus exitnodes in the wild:

http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/

I welcome you to start your own investigation; if there are really bogus
exitnodes we should be aware of those and we should know their node's nickname
to put them on a shitlist.

This might lead to an escalation in the future when marketers realize the
possibilities of altering traffic.

Comments, ideas, pointers to other projects?

Alex.


-- 
I am tired of all this sort of thing called science here... We have spent
millions in that sort of thing for the last few years, and it is time it
should be stopped.
 -- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901. 




Re: Analyzing TOR-exitnodes for anomalies

2006-10-04 Thread Claude LaFrenière
Hi  *Alexander W. Janssen*   :

> Hi all,
>
> considering that I heard from several people that they notice strange
> side effects since a couple of days - altered webpage, advertisement where no
> ads should be - I started a little investigation if there are any obviously
> bogus exitnodes in the wild:
>
> http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/
>
> I welcome you to start your own investigation; if there are really bogus
> exitnodes we should be aware of those and we should know their node's nickname
> to put them on a shitlist.
>
> This might lead to an escalation in the future when marketers realize the
> possibilities of altering traffic.
>
> Comments, ideas, pointers to other projects?
>
> Alex.

Hmmm...  Bogus exit nodes or bogus DNS servers ?

Is it possible that the strange side effects come, not from the exit nodes
themselves, but from the DNS server used by these exit nodes ?

A kind of DNS poisoning? (From a local DNS server or remote DNS server...)
Ref.: http://en.wikipedia.org/wiki/DNS_poisoning

Our suspicions about bogus exit nodes must be based on facts 
so I suggest to collect information about this issue here.

What we can do is to report any strange side effect including:

the link to the web site
the resulting link with the redirection like the ones we're talking about
the exit node used to access this web site


:)

-- 
Claude LaFrenière