[tor-talk] SIGAINT email service targeted by 70 bad exit nodes
Ralf-Philipp Weinmann
ralf at coderpunks.org
Thu Apr 23 08:41:44 UTC 2015
>> I think we are being targeted by some agency here. That's a lot of exit
>> nodes.
>
> See above question about number of relays vs capacity of the relays --
> it would be great to learn more information before jumping to conclusions.
> Some very dedicated jerk can probably spin up VPSes at a bunch of places,
> at least for a while.
Hi Roger,
the diversity here is interesting. My hunch is that we are looking at 38 popped boxes (IPs are according to Philipp's tarball; of course most of the IPs were running 2 relays, as is economical for attacks):
with at least 9 hosters involved (culled from the as_name field in the descriptors):
Choopa, LLC
Ecatel Network
Iomart
OVH SAS
PlusServer AG
Private Layer INC
QHOSTER LTD.
UAB DUOMENU CENTRAS
root SA
The question to me is: Do they all have something in common? What was the vector of compromise?
Curiously enough, they all run Debian stable (according to the SSH version string "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2" that *ALL* of them spit out on port 22 — no exception!).
Cheers,
Ralf