-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Chris and many thanks for running a fast exit!

CERT Bund is the CSIRT of the German Federal Office for Information Security (BSI = Bundesamt fuer Sicherheit in der Informationstechnik) (1)(2). They surely know Tor, because they distribute security advice for our anonymizer project (3)(4)(5). But in your case I guess that their operator did not know that you run an exit, or at least did not look at the exit list. When I do a Whois lookup of your server (6), there is only the link to Hetzner. When I do the same for exits of Zwiebelfreunde or CCC, there is the hint at Tor: "This network is used for research in anonymisation services and provides a TOR exit node to end users." (7)(8). In the case of Zwiebelfreunde there is also a server running on the exit with a homepage (9). Probably such a hint will help against a few complaints in future.

Best regards and stay wiretapped!
Anton

1) https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/Cert-Bund/cert-bund_node.html
2) https://www.bsi.bund.de/EN/Home/home_node.html
3) https://www.cert-bund.de/advisoryshort/CB-K13-0005
4) https://www.cert-bund.de/advisoryshort/CB-K14-0112
5) https://www.cert-bund.de/advisoryshort/CB-K14-0722
6) https://apps.db.ripe.net/search/query.html?searchtext=5.9.21.19
7) https://apps.db.ripe.net/search/query.html?searchtext=77.247.181.164
8) https://apps.db.ripe.net/search/query.html?searchtext=77.244.254.227
9) http://77.247.181.164

- -- 
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC

On 18/07/14 11:08, Ch'Gans wrote:
> Hi there,
>
> I'm here to look for advice or comments on how to handle abuse
> reports when you run a TOR relay exit on a "server for the mass".
>
> I'm running the TOR exit node
> 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner network
> (50E/month, this is my contribution to the TOR project). So far I
> had to deal with a few "easy" abuse reports (ssh scan, forum insults,
> spams, ...). I think I performed pretty well so far (thanks to
> Hetzner cooperation?)
>
> But today I just received this botnet related one. I do take this
> report seriously. I know that malware is more and more using the
> TOR network as an anonymous covert; I don't like malware, I don't
> like malicious botnets and I don't like spammers. Still I end up
> being identified as one of them.
>
> I knew from day one that it was a risky business to run an exit
> TOR node, but I want to stand up and fight. If only I can convince
> people of my right doing.
>
> First of all I am quite surprised that cert-bund.de (the
> complainant) didn't notice that I am a TOR exit node, so my first
> question (for people familiar with these guys) is:
> - How legit are these guys? Do they run for the German government?
> Are they simply trying to scare the shit out of me by citing
> europol.europa.eu and us-cert.gov? (see redacted forwarded message
> below, my own opinion is "Yes")
> Then
> - Do they simply spam hosting companies each time they have a probe
> sensing something somewhere (I know it's vague, but I can use that
> as a "this complainant is a spammer" kind of argument)
>
> Any other thoughts/remarks/comments on that matter?
>
> Regards,
> Chris
>
> Thought of the day: Nowadays it looks like server administrators
> tend to send an abuse report each time they receive an illegal ping
> request!
> Testimony of the day: Last time I received an "SSH scan" abuse
> report, I sent back my SSH honeypot logs, which contain more than
> 5k login attempts per day.
>
>
> -------- Original Message -------- [..]
>
> ----- attachment -----
>
> Dear Sir or Madam
>
> "Gameover Zeus" is malicious software which is primarily used by
> cybercriminals to carry out online banking fraud and to spy out
> login credentials for online services on infected PCs. It can also
> be used to install further malicious software (including
> blackmailing trojans such as "CryptoLocker" ransomware) on PCs or
> to carry out DDoS attacks.
>
> In a joint international campaign since the end of May 2014, law
> enforcement agencies, with the support of private sector partners,
> have taken action against the "Gameover Zeus" botnet [1].
>
> As part of this campaign, it has now been possible to identify the
> IP addresses of systems infected with "Gameover Zeus" [2].
>
> We are sending you a list of infected systems in your net area.
>
> Would you please examine the situation thoroughly and take
> appropriate measures to cleanse the systems.
>
> Sources:
>
> [1] Europol: International action against 'Gameover Zeus' botnet
> and 'CryptoLocker' ransomware
> <https://www.europol.europa.eu/content/international-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware>
>
> [2] ShadowServer: Gameover Zeus & Cryptolocker
> <http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/>
>
> [3] US-CERT: GameOver Zeus P2P Malware
> <https://www.us-cert.gov/ncas/alerts/TA14-150A>
>
> A list of infected systems in your net area: [...]
>
> Kind regards,
> Team CERT-Bund

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTyYJ9AAoJEMwm4aUww83w2/IH/1gAhX1oV/vfdFCL5oai4vdF
RONKF53IYywlFISSoz9fDjQc1VAiTPDKphTtvxKVCiVdP2BmN3iQszmfaV25Tn5h
8tWkdkwEUZR1kTHoSOV+ksBX52rzNJWmbHONG9aYIWObjZEQns2dtcRvc/4fS8cj
7vdg/KHNT4qr1EB0jDnB25hClefhea82ycLn7Qpb6i2uHCcRC8n0UhHPT9QpYo3Q
AhNp6hOMl7BJDMidohvdo0KOKKsS/aEupurUtYXnRUi/RvuehXgzXiiwDT+qWMRw
CZ8aXoW1XyaX7CT1DjBYpbxBKxvOfahP4e3ju9b/qqwHDWWhm+uFadRS3i6si7s=
=cNon
-----END PGP SIGNATURE-----
_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
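Anton's point is that the complainant apparently did not check the Tor exit list before mailing the hoster. The following script is an added example, not code from this thread or from the Tor Project: it parses the bulk exit list format published at https://check.torproject.org/exit-addresses (one `ExitNode` block per relay, with `Published`, `LastStatus` and one or more `ExitAddress <ip> <timestamp>` lines) and answers the question an abuse desk, or an exit operator replying to a report, actually needs answered: was this IP a Tor exit around the time in the report? The sample list is constructed for the example; only the fingerprint and IP from the thread are real, the second fingerprint is a placeholder.

```python
"""Look up an IP in a Tor bulk exit list (check.torproject.org/exit-addresses
format) to decide whether an abuse report should go to the exit operator.
Added example; sample data below is constructed, not fetched."""
from datetime import datetime, timedelta

# Constructed sample in the exit-addresses format. The first fingerprint and IP
# are the ones from the thread; the all-zero fingerprint is a placeholder.
SAMPLE_EXIT_LIST = """\
ExitNode 18B6EBAF10814335242ECA5705A04AAD29774078
Published 2014-07-18 08:55:13
LastStatus 2014-07-18 10:03:52
ExitAddress 5.9.21.19 2014-07-18 10:10:01
ExitNode 0000000000000000000000000000000000000000
Published 2014-07-17 22:01:00
LastStatus 2014-07-18 10:03:52
ExitAddress 192.0.2.10 2014-07-18 09:30:00
ExitAddress 192.0.2.11 2014-07-18 09:45:00
"""


def _parse_ts(s):
    """Timestamps in the list are 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(s.strip(), "%Y-%m-%d %H:%M:%S")


def parse_exit_list(text):
    """Parse the list into dicts with fingerprint, published, last_status and
    exit_addresses (list of (ip, seen) tuples). Unknown keys are skipped so a
    newer field does not break the parser."""
    nodes = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "ExitNode":
            current = {"fingerprint": rest, "published": None,
                       "last_status": None, "exit_addresses": []}
            nodes.append(current)
        elif current is None:
            raise ValueError("field before first ExitNode: %r" % line)
        elif key == "Published":
            current["published"] = _parse_ts(rest)
        elif key == "LastStatus":
            current["last_status"] = _parse_ts(rest)
        elif key == "ExitAddress":
            ip, _, ts = rest.partition(" ")
            current["exit_addresses"].append((ip, _parse_ts(ts)))
    return nodes


def exits_for_ip(nodes, ip, at=None, window=timedelta(hours=24)):
    """Fingerprints that exited from `ip`. If the report carries a time `at`,
    only ExitAddress entries seen within `window` of it count, since relays
    change IPs and the list only records when an address was last observed."""
    hits = []
    for node in nodes:
        for addr, seen in node["exit_addresses"]:
            if addr != ip:
                continue
            if at is not None and abs(at - seen) > window:
                continue
            hits.append(node["fingerprint"])
    return hits


def abuse_triage(nodes, ip, at=None):
    """Short verdict to attach to a report before it is forwarded to a hoster."""
    fps = exits_for_ip(nodes, ip, at)
    if fps:
        return "tor-exit: %s was a Tor exit (%s); traffic originated elsewhere" % (
            ip, ", ".join(fps))
    return "not-exit: %s not in exit list; treat as ordinary host" % ip


if __name__ == "__main__":
    nodes = parse_exit_list(SAMPLE_EXIT_LIST)
    # Time of Chris's mail in the thread, used as the report time.
    print(abuse_triage(nodes, "5.9.21.19", datetime(2014, 7, 18, 11, 8)))
    print(abuse_triage(nodes, "198.51.100.7"))
```

For a live check, replace the constructed sample with the downloaded exit-addresses file; for reports about dates older than the current list, the Tor Project's ExoneraTor service at metrics.torproject.org keeps the historical exit records that this one-shot list does not.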
