On Fri, Nov 26, 2010 at 07:09:00PM +0000, James Brown wrote:
> Some time ago I ran a VDS under Debian Lenny,
> ~# uname -a
> Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
> GNU/Linux
>
> I set up on that VDS only an exit tor-node and nothing more. I didn't stop
> apache, proftpd daemon and etc. because I intended to use them in the
> future but I didn't use them for several months.
[snip]
> and from rkhunter that my server has problems which you can see in the
> attached log including detected SHV4 Rootkit and SHV5 Rootkit
[snip]
> How was it possible to catch those viruses, rootkits and etc. from using
> an exit tor-node? Has anybody had such problems? What security
> measures do other owners of exit-nodes take?
It's much more likely that they broke in through some other service you're
running. Sounds like you didn't keep your system up-to-date?

> What is better for me - to try to clean the existing system or to give
> an order to the VDS provider to reinstall my VDS?

Reinstall, for sure. They got root, and replaced a lot of files. You're
always going to be wondering what else they replaced that you didn't notice.

> If the last way is the better (now I am inclined to that) - what files
> from the tor-node installation do I need to save except torrc and the keys
> of my node?

https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#Iwanttoupgrademovemyrelay.HowdoIkeepthesamekey

> Or would it be better to generate new keys through a new installation of
> tor-node?

It's better to generate new keys. Who knows how many people have seen your
current keys. That's what compromise means. :)

Generating new keys for your relay really doesn't hurt Tor much, so you
shouldn't feel bad about doing it in cases like this.

> Could existing keys compromise my tor-node after reinstalling
> my VDS?
> And could it be an attack against exactly my VDS as tor-node? Could it
> be an attempt of an Adversary to take control over my tor-node for
> attacks against the Tor-net?!

Maybe, but it's much more likely that you're just a random victim, and they
were planning to use your machine to launch other attacks, run an IRC
bouncer, or do whatever else script kiddies do these days.

--Roger
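As an added example (not part of Roger's reply, the thread, or the Tor project's own code), the script below shows the kind of file-integrity check that rkhunter and debsums perform: every file a Debian package installed is compared against the MD5 dpkg recorded for it, and anything "modified" or "missing" is exactly what the reply means by "replaced a lot of files". On a real system the manifests live under `/var/lib/dpkg/info/<pkg>.md5sums` and paths are relative to `/`; here a fake root, a manifest for it, and the tampering are all constructed in a temporary directory so it runs offline. The weakness the reply alludes to also holds for this check: a rootkit with kernel privileges can hide the modified files from any tool run on the box, which is why the answer is reinstall, not clean.

```python
"""Verify package-owned files against dpkg's recorded md5sums.

Added example, not code from the or-talk thread or from Tor. Assumptions:
dpkg manifest format is "<md5hex>  <relative path>" per line (it is), and
the sample root, manifest and tampering below are constructed here so the
script runs without touching the real system.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_md5sums(text: str) -> dict[str, str]:
    """Parse one <pkg>.md5sums manifest into {relative path: md5hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # dpkg separates digest and path with two spaces; split on the
        # first run of whitespace so a single-space variant also parses.
        digest, rel_path = line.split(None, 1)
        entries[rel_path] = digest.lower()
    return entries


def md5_of_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_md5sums(root: Path, md5sums_text: str) -> dict[str, str]:
    """Return {relative path: 'ok' | 'modified' | 'missing'} for each entry.

    MD5 is what dpkg stores; it is fine as a change indicator for files an
    intruder overwrote, not as proof that an untouched file is trustworthy.
    """
    results = {}
    for rel_path, expected in parse_md5sums(md5sums_text).items():
        target = root / rel_path
        if not target.is_file():
            results[rel_path] = "missing"
        elif md5_of_file(target) != expected:
            results[rel_path] = "modified"
        else:
            results[rel_path] = "ok"
    return results


def build_sample_root() -> tuple[Path, str]:
    """Construct a fake root with three package-owned files and a manifest
    for them, then simulate a compromise: one binary replaced, one deleted."""
    root = Path(tempfile.mkdtemp(prefix="dpkg-check-"))
    shipped = {
        "bin/ls": b"#!/bin/sh\necho original ls\n",
        "bin/ps": b"#!/bin/sh\necho original ps\n",
        "usr/bin/netstat": b"#!/bin/sh\necho original netstat\n",
    }
    lines = []
    for rel_path, data in shipped.items():
        target = root / rel_path
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {rel_path}")
    manifest = "\n".join(lines) + "\n"
    # Constructed tampering: a trojaned ps and a removed netstat.
    (root / "bin/ps").write_bytes(b"#!/bin/sh\necho tampered ps\n")
    (root / "usr/bin/netstat").unlink()
    return root, manifest


def run_demo() -> dict[str, str]:
    """Build the sample tree and return the verification report for it."""
    root, manifest = build_sample_root()
    return verify_md5sums(root, manifest)


if __name__ == "__main__":
    for rel_path, status in sorted(run_demo().items()):
        print(f"{status:9s} {rel_path}")
```

To run it against a live Debian host you would point `root` at `/` and feed each `/var/lib/dpkg/info/*.md5sums` file to `verify_md5sums`; treat the result as a quick triage aid, not as a clean bill of health, for the reason given in the lead-in.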

