[tor-talk] SIGAINT email service targeted by 70 bad exit nodes

Ralf-Philipp Weinmann ralf at coderpunks.org
Thu Apr 23 08:41:44 UTC 2015


>> I think we are being targeted by some agency here. That's a lot of exit
>> nodes.
> 
> See above question about number of relays vs capacity of the relays --
> it would be great to learn more information before jumping to conclusions.
> Some very dedicated jerk can probably spin up VPSes at a bunch of places,
> at least for a while.

Hi Roger,

the diversity here is interesting. My hunch is that we are looking at 38 popped boxes (IPs are according to Philipp's tarball; of course most of the IPs were running 2 relays, as is economical for attacks):


with at least 9 hosters involved (culled from the as_name field in the descriptors):

Choopa, LLC
Ecatel Network
Iomart
OVH SAS
PlusServer AG
Private Layer INC
QHOSTER LTD.
UAB DUOMENU CENTRAS
root SA

The question to me is: Do they all have something in common? What was the vector of compromise?

Curiously enough, they all run Debian stable (according to the SSH version string "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2" *ALL* of them spit out on port 22 — no exception!).

Cheers,
Ralf
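The clustering Ralf does by hand above (reverse DNS, the descriptor's as_name, a shared SSH banner, adjacent addresses) is easy to automate when triaging a relay set. The following is an added example, not code from the thread or from Tor; the relay records are constructed from documentation address ranges and invented hoster names, and the field layout and helper names are assumptions.

```python
"""Group suspect relays by hoster signals: rDNS apex, AS name, /24 and SSH banner.
Added example; records below are constructed, not the relays from the thread."""
import ipaddress
import re
from collections import Counter

BANNER = "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"

# Constructed records: (ip, `host` output line, descriptor as_name, ssh banner).
RECORDS = [
    ("192.0.2.10", "domain name pointer 192.0.2.10.vps-example.net.", "Example VPS LLC", BANNER),
    ("192.0.2.11", "domain name pointer 192.0.2.11.vps-example.net.", "Example VPS LLC", BANNER),
    ("198.51.100.5", "domain name pointer hosted-by.example-dedi.com.", "Example Dedi Ltd", BANNER),
    ("198.51.100.77", "domain name pointer hosted-by.example-dedi.com.", "Example Dedi Ltd", BANNER),
    ("203.0.113.9", "Host 9.113.0.203.in-addr.arpa. not found: 3(NXDOMAIN)", "Example Cloud SA", BANNER),
]

PTR_RE = re.compile(r"domain name pointer (\S+)")


def ptr_apex(host_line):
    """Last two labels of the PTR name, or None when the lookup was NXDOMAIN."""
    m = PTR_RE.search(host_line)
    if m is None:
        return None
    labels = m.group(1).rstrip(".").split(".")
    return ".".join(labels[-2:])


def cluster(records):
    """Count relays per rDNS apex, per AS name and per /24 prefix."""
    by_apex, by_as, by_net = Counter(), Counter(), Counter()
    for ip, host_line, as_name, _banner in records:
        by_apex[ptr_apex(host_line) or "<no PTR>"] += 1
        by_as[as_name] += 1
        by_net[str(ipaddress.ip_network(ip + "/24", strict=False))] += 1
    return by_apex, by_as, by_net


def shared_banner(records):
    """The single SSH banner if every relay reports the same one, else None."""
    banners = {r[3] for r in records}
    return banners.pop() if len(banners) == 1 else None


def suspicious_groups(records, min_size=2):
    """Clusters (by rDNS apex, AS name, /24) holding at least min_size relays."""
    by_apex, by_as, by_net = cluster(records)
    return {kind: sorted(k for k, n in c.items() if n >= min_size)
            for kind, c in (("rdns", by_apex), ("asn", by_as), ("net", by_net))}
```

Run over a real relay set, a shared banner plus several rDNS or /24 clusters is the signal worth reporting to the directory authorities; it is not proof of a single operator on its own.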