[tor-relays] Network Scan through Tor Exit Node (Port 80)
Bianco Veigel
devel at zivillian.de
Fri Feb 25 16:45:04 UTC 2011
Today I got the second abuse mail within two weeks from my hosting
provider. They forced me to take down the exit node, otherwise they will
shut down my server.
How could I detect such a scan and take countermeasures to prevent a
network scan through tor? I've thought about Snort, but I've never used
it before. The exit node is running in a Xen-vm, behind a pfSense firewall.
I've attached the report from the abuse mail. Does anyone have an idea
what steps should/could be taken?
Thanks in advance,
Bianco Veigel
----- attachment -----
##########################################################################
# Netscan detected from host 188.40.98.54 #
##########################################################################
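As an added example (not part of the original post, and not something Tor or pfSense ships), the Python below parses lines in the layout of the attached report and flags the pattern a provider's netscan detector keys on: one source reaching many destination hosts on one port inside a short window. The sample lines and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed, not the hosts from the real report.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the abuse report's layout (RFC 5737 test addresses, not
# the real hosts). The repeated line, same source port 3 s later, mimics a SYN
# retransmit of one connection attempt.
SAMPLE_REPORT = """\
Fri Feb 25 06:53:15 2011 TCP 192.0.2.10 45237 => 203.0.113.194 20019
Fri Feb 25 07:14:56 2011 TCP 192.0.2.10 26247 => 198.51.100.227 80
Fri Feb 25 07:14:59 2011 TCP 192.0.2.10 26247 => 198.51.100.227 80
Fri Feb 25 07:14:56 2011 TCP 192.0.2.10 27847 => 198.51.100.228 80
Fri Feb 25 07:14:57 2011 TCP 192.0.2.10 1219 => 198.51.100.229 80
Fri Feb 25 07:14:57 2011 TCP 192.0.2.10 38929 => 198.51.100.230 80
Fri Feb 25 07:14:58 2011 TCP 192.0.2.10 62958 => 198.51.100.235 80
"""

def parse_report(text):
    """Parse 'Day Mon DD HH:MM:SS YYYY PROTO SRC SPORT => DST DPORT' lines."""
    events = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 11 or p[8] != "=>":
            continue  # banner, column header or wrapped fragment
        events.append({"time": datetime.strptime(" ".join(p[:5]), "%a %b %d %H:%M:%S %Y"),
                       "proto": p[5], "src_ip": p[6], "src_port": int(p[7]),
                       "dst_ip": p[9], "dst_port": int(p[10])})
    return events

def detect_scans(events, window_s=60, threshold=5):
    """One alert per (source, destination port) that reaches `threshold`
    distinct destination hosts inside some `window_s`-second window.
    Counting hosts rather than lines keeps retransmits from inflating it."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src_ip"], ev["dst_port"])].append(ev)
    alerts = []
    for (src, dport), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(evs):
            targets = set()
            for ev in evs[i:]:  # extend the window forward from `start`
                if (ev["time"] - start["time"]).total_seconds() > window_s:
                    break
                targets.add(ev["dst_ip"])
            if len(targets) >= threshold and (best is None or len(targets) > best["targets"]):
                best = {"src_ip": src, "dst_port": dport, "targets": len(targets),
                        "first_seen": start["time"].isoformat()}
        if best:
            alerts.append(best)
    return alerts
```

Lines that repeat the same source port a few seconds apart are retransmits of one attempt, so the count to threshold on is distinct destination hosts, not lines; the same function applies to any firewall log once it is parsed into these fields.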