Date: Sat, 27 Jun 2015 22:30:22 +0500
From: Roman Mamedov <rm@romanrm.net>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Question regarding some strange behavior on some
 exitnodes

On Sat, 27 Jun 2015 17:42:35 +0200
chloe <chloe@countermail.com> wrote:

>
> Hello,
>
> I have a question regarding some strange behavior on some nodes (11 of
> them).
>
>
> See this access-log:
>
> 81.89.0.201 - - [25/Jun/2015 12:25:30] "GET /db/backups/965110218-2015 HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:10] "GET /db/backups/965110218-2015 HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:35] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:40] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:46] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:51] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:57] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:01:02] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:01:08] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> AE4E83B0BFDF679989D746C3B3DEF2EBCA35FA68 was using URL 965110218-2015
>
>
> Here we can see that node (AE4E83B0BFDF679989D746C3B3DEF2EBCA35FA68)
> with IP 81.89.0.201 first visits the unique URL
> "/db/backups/965110218-2015" and then around 1.5 hours later another IP
> visits the same URL and does some indexing?
>
> The other 10 nodes are doing the exact same thing. I'm using Bottlepy as
> "web server" so no User Agent grabbed, but still, this is a unique URL,
> why do I have more than 2 visits on them? The IP 37.187.202.46 is not
> part of Tor.
>
> Could you please look into this problem? The affected exit nodes are:
>
> Kind regards,
> Chloe

Probably one of those studies on "what people are up to, when they use Tor".

Two that I know of (in Russian):
http://habrahabr.ru/post/92787/ and
http://habrahabr.ru/company/xakep/blog/244485/

Also keep in mind those absolutely don't have to be public; there could be
much more sniffing and crawling going on than we could imagine. Does not
seem too evil, however, and I'd say that's not a reason to ban exit nodes.

-- 
With respect,
Roman
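
Added example, not part of the original messages and not the poster's own code: one way to run the check described in the quoted report over an access log in the same format, flagging every unique URL that was later requested from an address other than the one that fetched it first. The paths, addresses, relay labels and the `token_owner` mapping are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Log format as in the quoted excerpt: ip - - [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+$')

def parse(line):
    """Return (ip, timestamp, path, query), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
    url = urlsplit(m["target"])
    return m["ip"], ts, url.path, url.query

def find_replays(lines, token_owner):
    """token_owner maps each unique path to a label for the exit it was sent through."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in token_owner:
            hits[rec[2]].append(rec)
    findings = []
    for path, recs in hits.items():
        recs.sort(key=lambda r: r[1])
        first_ip, first_ts = recs[0][0], recs[0][1]  # assumed: the exit's own fetch
        later = [r for r in recs[1:] if r[0] != first_ip]
        if later:
            findings.append({
                "relay": token_owner[path], "path": path, "first_ip": first_ip,
                "replay_ips": sorted({r[0] for r in later}),
                "delay_s": int((later[0][1] - first_ts).total_seconds()),
                "replay_requests": len(later),
                "queries": sorted({r[3] for r in later if r[3]}),
            })
    return findings

# Constructed sample data (documentation addresses, made-up tokens and labels).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jun/2015 12:25:30] "GET /db/backups/1001-2015 HTTP/1.1" 200 5057',
    '198.51.100.7 - - [25/Jun/2015 14:00:10] "GET /db/backups/1001-2015 HTTP/1.1" 200 5057',
    '198.51.100.7 - - [25/Jun/2015 14:00:35] "GET /db/backups/1001-2015?C=N;O=D HTTP/1.1" 200 5057',
    '192.0.2.20 - - [25/Jun/2015 12:40:00] "GET /db/backups/1002-2015 HTTP/1.1" 200 5057',
]
TOKEN_OWNER = {"/db/backups/1001-2015": "relay-A", "/db/backups/1002-2015": "relay-B"}
print(find_replays(SAMPLE_LOG, TOKEN_OWNER))
```

The `queries` field keeps the query strings of the later requests, so directory-listing sort parameters such as `C=N;O=D` stand out as crawler behaviour.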
