Discussion:
Banners injected in web pages at exit nodes TRHCourtney*
Freemor
2009-06-02 12:01:03 UTC
Permalink
On Tue, 02 Jun 2009
"Freemor" <freemor at gamil.com> wrote:

Some rather silly stuff..

Appoligies for the proceeding post.. Certificate is correct.. The
.trhcourtney01.exit/ Was throwing the browser into complaining that the
certificate didn't match.

I really must learn not to post before having my morning coffee.

I've tried a couple of other sites now and there definitely is banner
injection going on... looking into the html source now to see if there
are other exploits.

Strange the the provided link didn't have injection... Adaptation on
the nodes part?
--
freemor at gmail.com
freemor at yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20090602/aa314337/attachment.pgp>
John Brooks
2009-06-02 11:36:43 UTC
Permalink
Definitely abusive. Fortunately, because of how nearby most of the IPs
are, Tor will treat them as family even if the operator neglected to,
so it doesn't pose a risk to anonymity (other than the one outlying
node, but even then it's a maximum of two), but this definitely looks
like a badexit situation.

Honestly, why does somebody run a tor node if they keep
connection/session logs? Seems like an odd place to look for a
paycheck.

- John Brooks
Hello!
Just stumbled upon a banner injected in html at tor exit node.
?router TRHCourtney01 94.76.246.74 443 0 9030
?router TRHCourtney02 94.76.247.136 443 0 9030
?router TRHCourtney03 94.76.247.137 443 0 9030
?router TRHCourtney04 94.76.247.138 443 0 9030
?router TRHCourtney05 94.76.247.139 443 0 9030
?router TRHCourtney06 94.76.247.140 443 0 9030
?router TRHCourtney07 94.76.247.141 443 0 9030
?router TRHCourtney08 94.76.247.142 443 0 9030
?router TRHCourtney09 94.76.247.143 443 0 9030
?router TRHCourtney10 92.48.84.113 443 0 9030
?contact Courtney TRH <courtney at nullroute.net>
All of them inject a piece of html at end of web pages. Text under
?Courtney TOR/VPN & Wifi Exit Node :: Usage subject to Terms and
?Conditions/Acceptable Use Policy :: Want to advertise here? Contact
?us
Check for yourself: http://www.torproject.org.TRHCourtney01.exit/ .
?WARNING: The TOR Exit Node must *not* be used for illegal means.
?Connection and session logs are kept and *will* be forwarded onto
?the police in the event of an abuse report
There is no family set for these nodes in descriptors.
Port 110 (POP3) accepted in exit policy but not port 995 (POP3/SSL).
Just to let you know.
Alexander Cherepanov
Freemor
2009-06-02 12:20:11 UTC
Permalink
On Tue, 2 Jun 2009 05:36:43 -0600
Post by John Brooks
Definitely abusive. Fortunately, because of how nearby most of the IPs
are, Tor will treat them as family even if the operator neglected to,
so it doesn't pose a risk to anonymity (other than the one outlying
node, but even then it's a maximum of two), but this definitely looks
like a badexit situation.
Honestly, why does somebody run a tor node if they keep
connection/session logs? Seems like an odd place to look for a
paycheck.
- John Brooks
Might be worse then that.. at least for improperly configures clients..
there deos seem to be javascript injection:

<div id="floaterma9">
<img src="Loading Image..."
style="display:none"></img> <script type='text/javascript'
src='http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1'></script>
<style> body {
margin: 0 0 0 0 !important;
}
#Banner2 {
width:728px;
height:90px;
}
#textme {
font-family:arial;
color:#333;
font-size:11px;
}
</style>

When I Followed
http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1
it had an interesting bit bit of code which linked to:
http://courtney.nullroute.net/openx-2.8.1/www/delivery/fl.js
Which tries to load up SWF objects..
Haven't picked it all apart yet (still no coffee) but I'm guessing it's
either decloaking attempts or exploit attempts.
--
freemor at gmail.com
freemor at yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20090602/9ddde073/attachment.pgp>
Nils Vogels
2009-06-02 12:55:49 UTC
Permalink
Post by Freemor
On Tue, 2 Jun 2009 05:36:43 -0600
Seems like an odd place to look for a paycheck.
Might be worse then that.. at least for improperly configures clients..
-8<-
Post by Freemor
When I Followed
http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1
http://courtney.nullroute.net/openx-2.8.1/www/delivery/fl.js
Which tries to load up SWF objects..
Added to that, http://www.openx.org/ seems to be an advertisement
system of some sorts. Seems odd to want to make a buck out of running
a tor node, at least one using the public directory.

Greetings!
--
Simple guidelines to happiness:
Work like you don't need the money,
Love like your heart has never been broken and
Dance like no one can see you.
Jim McClanahan
2009-06-02 13:15:56 UTC
Permalink
Post by Freemor
Strange the the provided link didn't have injection... Adaptation on
the nodes part?
A few minutes ago I tried http://www.torproject.org.TRHCourtney01.exit/
and got a banner ad. Maybe they do it on a sporadic basis?
Alexander Cherepanov
2009-06-02 14:13:05 UTC
Permalink
Hello, Freemor!
Thanks for the heads up.. I wasn't getting the injected banners on the
link you provided
It seems to be an error in an html injecter on exit node or something.
In several tests using curl I got the banner injected proxying through
privoxy (enabled or disabled) but got no banner going directly through
tor. Weird.

Alexander Cherepanov
Roger Dingledine
2009-06-02 15:44:03 UTC
Permalink
Just stumbled upon a banner injected in html at tor exit node.
router TRHCourtney01 94.76.246.74 443 0 9030
Exciting. Peter and I just added these nodes to the badexit list. That
means clients should start learning that in the next several hours.

Thanks for pointing it out.
WARNING: The TOR Exit Node must *not* be used for illegal means.
Connection and session logs are kept and *will* be forwarded onto
the police in the event of an abuse report
Oh. I was going to suggest mailing him/her to ask if the injection was a
mistake. (We've had plenty of people sign up as Tor relays and not realize
that their local traffic "protection" tools will affect their Tor traffic
too.) But this page makes it pretty clear that they meant to do it. Bleah.

--Roger
Alexander Cherepanov
2009-06-02 17:04:21 UTC
Permalink
Hello, Roger!
Post by Roger Dingledine
Just stumbled upon a banner injected in html at tor exit node.
router TRHCourtney01 94.76.246.74 443 0 9030
Exciting. Peter and I just added these nodes to the badexit list. That
means clients should start learning that in the next several hours.
Cool, thanks. And many thanks for all your work on tor.

Alexander Cherepanov
Alexander Cherepanov
2009-06-02 10:52:18 UTC
Permalink
Hello!

Just stumbled upon a banner injected in html at tor exit node.
Nodes in question:

router TRHCourtney01 94.76.246.74 443 0 9030
router TRHCourtney02 94.76.247.136 443 0 9030
router TRHCourtney03 94.76.247.137 443 0 9030
router TRHCourtney04 94.76.247.138 443 0 9030
router TRHCourtney05 94.76.247.139 443 0 9030
router TRHCourtney06 94.76.247.140 443 0 9030
router TRHCourtney07 94.76.247.141 443 0 9030
router TRHCourtney08 94.76.247.142 443 0 9030
router TRHCourtney09 94.76.247.143 443 0 9030
router TRHCourtney10 92.48.84.113 443 0 9030
contact Courtney TRH <courtney at nullroute.net>

All of them inject a piece of html at end of web pages. Text under
banner reads:

Courtney TOR/VPN & Wifi Exit Node :: Usage subject to Terms and
Conditions/Acceptable Use Policy :: Want to advertise here? Contact
us

Check for yourself: http://www.torproject.org.TRHCourtney01.exit/ .

Some more concerns. Page http://courtney.nullroute.net/ contains:

WARNING: The TOR Exit Node must *not* be used for illegal means.
Connection and session logs are kept and *will* be forwarded onto
the police in the event of an abuse report

There is no family set for these nodes in descriptors.

Port 110 (POP3) accepted in exit policy but not port 995 (POP3/SSL).

Just to let you know.

Alexander Cherepanov
Freemor
2009-06-02 11:52:10 UTC
Permalink
On Tue, 02 Jun 2009 14:52:18 +0400
Hello!
Just stumbled upon a banner injected in html at tor exit node.
Thanks for the heads up.. I wasn't getting the injected banners on the
link you provided but when I tried:

https://torcheck.xenobite.eu.trhcourtney01.exit/

I got an invalid certificate error.. Definitely man-in-the-middle stuff
going on here.. Certificate I received for the above belonged to:

Issued to
Common Name (CN) *.krauscomputer.de
Organization (O) Manuel Kraus
Organizational Unit (OU) StartCom Verified Certificate Member
Serial Number 00:de

Issued By
Common Name (CN) StartCom Class 2 Primary Intermediate
Server CA
Organization (O) StartCom Ltd.
Organizational Unit (OU) Secure Digital Certificate Signing

Validity
Issued On 08-06-25
Expires On 09-06-25

SHA1 Fingerprint
6a:cd:f2:9d:32:4d:c8:c6:af:d9:27:42:09:e2:62:57:49:c8:d0:1e
MD5 Fingerprint
B1:11:1f:5e:f8:47:38:d4:08:06:28:66:db:91:cf:7f

Needless to say this is not the correct certificate.
This is a very unfriendly exit node.
--
freemor at gmail.com
freemor at yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20090602/cb35fbbc/attachment.pgp>
Loading...