Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread Alexander Cherepanov
Hello!

Just stumbled upon a banner injected in html at tor exit node.
Nodes in question:

  router TRHCourtney01 94.76.246.74 443 0 9030
  router TRHCourtney02 94.76.247.136 443 0 9030
  router TRHCourtney03 94.76.247.137 443 0 9030
  router TRHCourtney04 94.76.247.138 443 0 9030
  router TRHCourtney05 94.76.247.139 443 0 9030
  router TRHCourtney06 94.76.247.140 443 0 9030
  router TRHCourtney07 94.76.247.141 443 0 9030
  router TRHCourtney08 94.76.247.142 443 0 9030
  router TRHCourtney09 94.76.247.143 443 0 9030
  router TRHCourtney10 92.48.84.113 443 0 9030
  contact Courtney TRH court...@nullroute.net

All of them inject a piece of html at end of web pages. Text under 
banner reads:

  Courtney TOR/VPN  Wifi Exit Node :: Usage subject to Terms and 
  Conditions/Acceptable Use Policy :: Want to advertise here? Contact 
  us

Check for yourself: http://www.torproject.org.TRHCourtney01.exit/ .

Some more concerns. Page http://courtney.nullroute.net/ contains:

  WARNING: The TOR Exit Node must *not* be used for illegal means. 
  Connection and session logs are kept and *will* be forwarded onto 
  the police in the event of an abuse report

There is no family set for these nodes in descriptors.

Port 110 (POP3) accepted in exit policy but not port 995 (POP3/SSL).

Just to let you know.

Alexander Cherepanov



Re: Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread Freemor
On Tue, 02 Jun 2009 14:52:18 +0400
Alexander Cherepanov chere...@mccme.ru wrote:

 Hello!
 
 Just stumbled upon a banner injected in html at tor exit node.
 Nodes in question:
 
Thanks for the heads up.. I wasn't getting the injected banners on the
link you provided but when I tried:

https://torcheck.xenobite.eu.trhcourtney01.exit/

I got an invalid certificate error.. Definitely man-in-the-middle stuff
going on here.. Certificate I received for the above belonged to:

Issued to
Common Name (CN)*.krauscomputer.de
Organization (O)Manuel Kraus
Organizational Unit (OU)StartCom Verified Certificate Member
Serial Number   00:de

Issued By
Common Name (CN)StartCom Class 2 Primary Intermediate
Server CA
Organization (O)StartCom Ltd.
Organizational Unit (OU)Secure Digital Certificate Signing

Validity
Issued On   08-06-25
Expires On  09-06-25

SHA1 Fingerprint
6a:cd:f2:9d:32:4d:c8:c6:af:d9:27:42:09:e2:62:57:49:c8:d0:1e
MD5 Fingerprint
B1:11:1f:5e:f8:47:38:d4:08:06:28:66:db:91:cf:7f

Needless to say this is not the correct certificate.
This is a very unfriendly exit node.


-- 
free...@gmail.com
free...@yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )




Re: Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread Freemor
On Tue, 02 Jun 2009 
Freemor free...@gamil.com wrote:

Some rather silly stuff..

Apologies for the preceding post.. Certificate is correct.. The
.trhcourtney01.exit/ was throwing the browser into complaining that the
certificate didn't match.

 I really must learn not to post before having my morning coffee.

I've tried a couple of other sites now and there definitely is banner
injection going on... looking into the html source now to see if there
are other exploits.

Strange that the provided link didn't have injection... Adaptation on
the node's part?


-- 
free...@gmail.com
free...@yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )




Re: Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread John Brooks
Definitely abusive. Fortunately, because of how nearby most of the IPs
are, Tor will treat them as family even if the operator neglected to,
so it doesn't pose a risk to anonymity (other than the one outlying
node, but even then it's a maximum of two), but this definitely looks
like a badexit situation.

Honestly, why does somebody run a tor node if they keep
connection/session logs? Seems like an odd place to look for a
paycheck.

  - John Brooks

On Tue, Jun 2, 2009 at 4:52 AM, Alexander Cherepanov chere...@mccme.ru wrote:
 Hello!

 Just stumbled upon a banner injected in html at tor exit node.
 Nodes in question:

  router TRHCourtney01 94.76.246.74 443 0 9030
  router TRHCourtney02 94.76.247.136 443 0 9030
  router TRHCourtney03 94.76.247.137 443 0 9030
  router TRHCourtney04 94.76.247.138 443 0 9030
  router TRHCourtney05 94.76.247.139 443 0 9030
  router TRHCourtney06 94.76.247.140 443 0 9030
  router TRHCourtney07 94.76.247.141 443 0 9030
  router TRHCourtney08 94.76.247.142 443 0 9030
  router TRHCourtney09 94.76.247.143 443 0 9030
  router TRHCourtney10 92.48.84.113 443 0 9030
  contact Courtney TRH court...@nullroute.net

 All of them inject a piece of html at end of web pages. Text under
 banner reads:

  Courtney TOR/VPN  Wifi Exit Node :: Usage subject to Terms and
  Conditions/Acceptable Use Policy :: Want to advertise here? Contact
  us

 Check for yourself: http://www.torproject.org.TRHCourtney01.exit/ .

 Some more concerns. Page http://courtney.nullroute.net/ contains:

  WARNING: The TOR Exit Node must *not* be used for illegal means.
  Connection and session logs are kept and *will* be forwarded onto
  the police in the event of an abuse report

 There is no family set for these nodes in descriptors.

 Port 110 (POP3) accepted in exit policy but not port 995 (POP3/SSL).

 Just to let you know.

 Alexander Cherepanov




Re: Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread Freemor
On Tue, 2 Jun 2009 05:36:43 -0600
John Brooks spec...@dereferenced.net wrote:

 Definitely abusive. Fortunately, because of how nearby most of the IPs
 are, Tor will treat them as family even if the operator neglected to,
 so it doesn't pose a risk to anonymity (other than the one outlying
 node, but even then it's a maximum of two), but this definitely looks
 like a badexit situation.
 
 Honestly, why does somebody run a tor node if they keep
 connection/session logs? Seems like an odd place to look for a
 paycheck.
 
   - John Brooks
 
Might be worse than that.. at least for improperly configured clients..
there does seem to be javascript injection:

<div id="floaterma9">
<img src="http://courtney.nullroute.net/2lol.gif"
style="display:none"></img> <script type='text/javascript'
src='http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1'></script>
<style> body {
margin: 0 0 0 0 !important;
}
#Banner2 {
width:728px;
height:90px;
}
#textme {
font-family:arial;
color:#333;
font-size:11px;
}
</style>

When I followed
http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1
it had an interesting bit of code which linked to:
http://courtney.nullroute.net/openx-2.8.1/www/delivery/fl.js
Which tries to load up SWF objects..
Haven't picked it all apart yet (still no coffee) but I'm guessing it's
either decloaking attempts or exploit attempts.



-- 
free...@gmail.com
free...@yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )


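The detection the thread is doing by hand (fetch a page through the suspect exit, compare it with a known-good copy, look at what the appended tail loads) as an added example; this is not code from the thread or from Tor, and the HTML bodies and the host ads.example.net are constructed stand-ins for the quoted injection, not captured data.

```python
"""Flag HTML appended by an intermediary (e.g. a Tor exit node) by diffing a
reference copy of a page against the copy received through the suspect path,
then listing the third-party hosts the appended tail pulls resources from."""
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: the page as the origin serves it (reference copy).
REFERENCE_HTML = "<html><body><h1>Tor Project</h1></body></html>\n"

# Constructed sample modelled on the block quoted in the thread: a hidden
# image plus an external ad-server script appended after the real page.
EXIT_HTML = REFERENCE_HTML + (
    '<div id="floaterma9"><img src="http://ads.example.net/2lol.gif" '
    'style="display:none"></img><script type="text/javascript" '
    'src="http://ads.example.net/openx/www/delivery/spcjs.php?id=1"></script>'
    '<style>body { margin: 0 0 0 0 !important; }</style></div>'
)

# Elements that fetch a remote resource; group 2 is the src URL.
_SRC_RE = re.compile(
    r'<(script|img|iframe|object|embed)\b[^>]*?\bsrc=["\']([^"\']+)', re.I)


def appended_tail(reference: str, observed: str) -> Optional[str]:
    """Return what was appended to `reference`, '' if identical, or None
    when the observed body was altered somewhere other than the end."""
    if observed == reference:
        return ""
    if observed.startswith(reference):
        return observed[len(reference):]
    return None


def third_party_hosts(tail: str, page_host: str) -> list:
    """Hostnames the tail loads resources from that are not the page's own."""
    hosts = []
    for _tag, url in _SRC_RE.findall(tail):
        host = urlparse(url).hostname
        if host and host != page_host and host not in hosts:
            hosts.append(host)
    return hosts


def check_for_injection(reference: str, observed: str, page_host: str) -> dict:
    """Classify the observed body as clean, injected (tail appended) or modified."""
    tail = appended_tail(reference, observed)
    if tail is None:
        return {"verdict": "modified", "tail": None, "hosts": []}
    verdict = "injected" if tail.strip() else "clean"
    return {"verdict": verdict, "tail": tail,
            "hosts": third_party_hosts(tail, page_host)}
```

In practice the reference copy comes from a direct fetch or a second exit, and a "modified" verdict (changes before the end of the body) deserves a manual diff rather than being discarded.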


Re: Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread Nils Vogels
On Tue, Jun 2, 2009 at 2:20 PM, Freemor free...@gmail.com wrote:
 On Tue, 2 Jun 2009 05:36:43 -0600
 John Brooks spec...@dereferenced.net wrote:

 Seems like an odd place to look for a paycheck.

 Might be worse than that.. at least for improperly configured clients..

-8-

 When I followed
 http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1
 it had an interesting bit of code which linked to:
 http://courtney.nullroute.net/openx-2.8.1/www/delivery/fl.js
 Which tries to load up SWF objects..

Added to that, http://www.openx.org/ seems to be an advertisement
system of some sorts. Seems odd to want to make a buck out of running
a tor node, at least one using the public directory.

Greetings!

-- 
Simple guidelines to happiness:
Work like you don't need the money,
Love like your heart has never been broken and
Dance like no one can see you.


Re: Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread Jim McClanahan
 Strange that the provided link didn't have injection... Adaptation on
 the node's part?

A few minutes ago I tried http://www.torproject.org.TRHCourtney01.exit/
and got a banner ad.  Maybe they do it on a sporadic basis?


Re: Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread Alexander Cherepanov
Hello, Freemor!
You wrote to or-talk@freehaven.net on Tue, 2 Jun 2009 08:52:10 -0300:

 Thanks for the heads up.. I wasn't getting the injected banners on the
 link you provided 

It seems to be an error in an html injector on the exit node or something.
In several tests using curl I got the banner injected proxying through
privoxy (enabled or disabled) but got no banner going directly through
tor. Weird.

Alexander Cherepanov



Re: Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread Roger Dingledine
On Tue, Jun 02, 2009 at 02:52:18PM +0400, Alexander Cherepanov wrote:
 Just stumbled upon a banner injected in html at tor exit node.
 Nodes in question:
 
   router TRHCourtney01 94.76.246.74 443 0 9030

Exciting. Peter and I just added these nodes to the badexit list. That
means clients should start learning that in the next several hours.

Thanks for pointing it out.

 Some more concerns. Page http://courtney.nullroute.net/ contains:
 
   WARNING: The TOR Exit Node must *not* be used for illegal means. 
   Connection and session logs are kept and *will* be forwarded onto 
   the police in the event of an abuse report

Oh. I was going to suggest mailing him/her to ask if the injection was a
mistake. (We've had plenty of people sign up as Tor relays and not realize
that their local traffic protection tools will affect their Tor traffic
too.) But this page makes it pretty clear that they meant to do it. Bleah.

--Roger



Re: Banners injected in web pages at exit nodes TRHCourtney*

2009-06-02 Thread Alexander Cherepanov
Hello, Roger!
You wrote to or-talk@freehaven.net on Tue, 2 Jun 2009 11:44:03 -0400:

 Just stumbled upon a banner injected in html at tor exit node.
 Nodes in question:
 
   router TRHCourtney01 94.76.246.74 443 0 9030
 
 Exciting. Peter and I just added these nodes to the badexit list. That
 means clients should start learning that in the next several hours.

Cool, thanks. And many thanks for all your work on tor.

Alexander Cherepanov