nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

STAY AWAY: Popular Tor exit relays look raided

USB plugged into Atlas, Global servers before control was lost

By Darren Pauli, 22 Dec 2014

As foreshadowed last week, Tor network exit nodes have gone down after what appear to be raids by law enforcement authorities.

Thomas White (@CthulhuSec) warned users to steer clear of his Tor servers after he lost control following what he's called "unusual activity" that meant "I have now lost control of all servers under the ISP and my account has been suspended," White wrote in an update on the Tor mailing list.

"Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken.

"From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers."

White said users should treat the servers as hostile until control was regained signified by a PGP signed message from himself.

He also urged them not to jump to conclusions about the identity of any possible agency nor harbour concern for the integrity of the Tor network.

"If any of the mirrors or IPs do come back online, I would welcome anyone who is capable of doing so checking for any malicious code to ensure they are not used to deploy any kind of state malware or attacks against users should my theory prove to be the case," he added.

Should no further updates be delivered, White said users were welcome to assume he was under a gag order.

Exit nodes are the bridge between the Tor network and the public internet and funnel all forms of traffic regardless of the intent of the user. As a result they are of interest to cyber crime agencies, which occasionally raided operators suspected of assisting the distribution of child exploitation material and other net menaces.

The possible raids came less than a week after White served Globe and Atlas mirrors as Tor hidden services.

It also followed warnings Saturday by Tor Project leader Roger Dingledine that the network could be disrupted after a source warned of a possible raid against directory authorities which help users find relays.

Tor users should note and temporarily avoid the affected mirrors below:

  • https://globe.thecthulhu.com
  • https://atlas.thecthulhu.com
  • https://compass.thecthulhu.com
  • https://onionoo.thecthulhu.com
  • http://globe223ezvh6bps.onion
  • http://atlas777hhh7mcs7.onion
  • http://compass6vpxj32p3.onion
  • 77.95.229.11
  • 77.95.229.12
  • 77.95.229.14
  • 77.95.229.16
  • 77.95.229.17
  • 77.95.229.18
  • 77.95.229.19
  • 77.95.229.20
  • 77.95.229.21
  • 77.95.229.22
  • 77.95.229.23
  • 77.95.224.187
  • 89.207.128.241
  • 5.104.224.15
  • 128.204.207.215

®

The Register - Independent news and views for the tech community. Part of Situation Publishing