[tor-bugs] #12109 [Tor]: malicious relay suspect
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 23 15:48:28 UTC 2014
#12109: malicious relay suspect
------------------------------+----------------------------------
Reporter: cypherpunks | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: unspecified
Component: Tor | Version: Tor: 0.2.4.22
Keywords: Tor bad activity | Actual Points:
Parent ID: | Points:
------------------------------+----------------------------------
Possible malicious relay using the Heartbleed exploit. Or a false positive
ID flag. Or a user with no Heartbleed patch installed. I am a non-exit
relay.
LOG from the IDS-built-in (Norton):
23/5/2014 05:59:57 pm,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, ,
,"109.201.138.201, 57244"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 57244",,
23/5/2014 05:59:57 pm,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, ,
,"109.201.138.201, 57244"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 57244",,
23/5/2014 04:59:59 pm,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, ,
,"109.201.138.201, 52269"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 52269",,
23/5/2014 04:59:59 pm,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, ,
,"109.201.138.201, 52269"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 52269",,
23/5/2014 06:00:00 am,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, ,
,"109.201.138.201, 53919"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 53919",,
23/5/2014 06:00:00 am,Info,Intrusion Prevention Signature Auto Block has
blocked IP: 109.201.138.201 for a period of: 30 minutes,Detected, ,,No
23/5/2014 06:00:00 am,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, ,
,"109.201.138.201, 53919"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 53919",,
23/5/2014 05:00:01 am,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, ,
,"109.201.138.201, 48941"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 48941",,
23/5/2014 05:00:01 am,Info,Intrusion Prevention Signature Auto Block has
blocked IP: 109.201.138.201 for a period of: 30 minutes,Detected, ,,No
23/5/2014 05:00:01 am,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, ,
,"109.201.138.201, 48941"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 48941",,
23/5/2014 04:00:01 am,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, ,
,"109.201.138.201, 43936"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 43936",,
23/5/2014 04:00:01 am,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, ,
,"109.201.138.201, 43936"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 43936",,
23/5/2014 03:00:01 am,High,An intrusion attempt by 109.201.138.201 was
blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, ,
,"109.201.138.201, 38913"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP,
Port 38913",,
<etc>
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12109>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
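
A triage sketch for the log above, added here as an example and not part of the ticket: it rejoins the wrapped IPS records, collapses the duplicate signature hits logged per connection, and reports the spacing between connections from each source. The sample records are constructed with documentation addresses, and the field positions are an assumption inferred from the log layout shown in the ticket.

```python
import csv
import re
from datetime import datetime

# Constructed sample in the layout of the log above (documentation addresses),
# wrapped like the archive and newest first; these are not lines from the ticket.
def _rec(ts, port, sig="CVE-2014-0160"):
    return (f"{ts},High,An intrusion attempt by 203.0.113.7 was\n"
            f"blocked.,Blocked, ,Attack: OpenSSL Heartbleed {sig}, ,\n"
            f',"203.0.113.7, {port}"," (192.0.2.10, 443)",203.0.113.7,"TCP,\n'
            f'Port {port}",,\n')

SAMPLE = (_rec("23/5/2014 06:00:00 am", 53919)
          + "23/5/2014 06:00:00 am,Info,Intrusion Prevention Signature Auto Block has\n"
            "blocked IP: 203.0.113.7 for a period of: 30 minutes,Detected, ,,No\n"
          + _rec("23/5/2014 06:00:00 am", 53919, "CVE-2014-0160 3")
          + _rec("23/5/2014 05:00:01 am", 48941)
          + _rec("23/5/2014 04:00:01 am", 43936))

# A record starts at a line that begins with a timestamp field.
START = re.compile(r"(?m)^(?=\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2} [ap]m,)")

def unwrap(text):
    """Rejoin records that the mail archive wrapped across several lines."""
    return [" ".join(c.splitlines()) for c in START.split(text) if c.strip()]

def parse_ts(field):
    stamp, ampm = field.rsplit(" ", 1)
    t = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")
    return t.replace(hour=t.hour % 12 + (12 if ampm == "pm" else 0))

def connections(text):
    """Source IP -> {source port: time}; duplicate signature hits collapse."""
    seen = {}
    for row in csv.reader(unwrap(text)):
        if len(row) < 12 or row[1] != "High" or not row[5].startswith("Attack:"):
            continue  # Info/auto-block lines and anything malformed
        ip, port = (p.strip() for p in row[8].split(","))
        seen.setdefault(ip, {}).setdefault(port, parse_ts(row[0]))
    return seen

def gaps(text):
    """Seconds between consecutive connections, per source IP."""
    out = {}
    for ip, ports in connections(text).items():
        t = sorted(ports.values())
        out[ip] = [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
    return out

print(gaps(SAMPLE))
```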