An unknown USB has been connected to the servers

Dec 22, 2014 18:42 GMT  ·  By

Servers used as exit nodes in the Tor anonymity network have been tampered with and their activity was terminated on Sunday evening; their maintainer warns that, if they reappear online, using them is not safe until the matter has been properly reviewed and a conclusion reached.

Thomas White, who operates a large exit node cluster for Tor, has announced that the servers he maintained are no longer under his control and that the ISP has suspended his account. He has no information about what caused this situation, which he initially associated with a law enforcement operation seizing running Tor servers.

However, in a comment on the Tor mailing list, he says that “the likelihood of this being the work of law enforcement seems to be lower than originally anticipated.”

Someone gained physical access to the server

By assessing the latest logs received from the machines, White noticed entries indicating that the server chassis had been opened before an unknown USB device was connected. About one minute after this, the connection with the machine was lost.

“If they come back online without a PGP signed message from myself to further explain the situation, exercise extreme caution and treat even any items delivered over TLS to be potentially hostile,” he said on Sunday evening.

Additional information provided by White includes the fact that many of the logs from the machines had been removed, while the timestamps of the remaining ones appeared to have been altered.
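The two log observations above (a chassis-open entry followed about a minute later by a USB attach, and surviving entries with altered timestamps) are the kind of pattern a host-log check can flag. The script below is an added example, not code from the article or from White's servers; the sample log lines and the chassis/USB message wording are constructed and are assumptions, so the regexes should be adjusted to what a given BIOS and kernel actually emit.

```python
"""Flag the tampering pattern described above in syslog-style log lines.

Added example: a chassis intrusion entry followed within a short window by a
USB attach on the same host, and timestamps that run backwards, a possible
sign of edited entries. Log lines and message wording are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log; message wording is assumed, not taken from any server.
SAMPLE_LOG = """\
Dec 21 19:02:11 exit1 kernel: usb 2-1: USB disconnect, device number 2
Dec 21 19:40:03 exit1 kernel: Physical Security (Chassis Intrusion): chassis opened
Dec 21 19:41:07 exit1 kernel: usb 1-3: new high-speed USB device number 4 using ehci-pci
Dec 21 19:38:59 exit1 sshd[2201]: Accepted publickey for tor from 192.0.2.10 port 51022
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
CHASSIS_RE = re.compile(r"chassis (intrusion|opened)", re.IGNORECASE)
USB_ATTACH_RE = re.compile(r"usb [\d.-]+: new .*device number \d+", re.IGNORECASE)

def parse(line, year=2014):
    """Split a syslog line into (timestamp, host, message); None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group(2), m.group(3)

def analyze(log_text, window=timedelta(minutes=5)):
    """Return {'correlated': [(chassis_ts, usb_ts, host)], 'out_of_order': [line indexes]}."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    chassis = [(ts, host) for ts, host, msg in events if CHASSIS_RE.search(msg)]
    correlated, out_of_order, last_ts = [], [], None
    for i, (ts, host, msg) in enumerate(events):
        # Syslog appends in time order, so an earlier stamp after a later one is suspect.
        if last_ts is not None and ts < last_ts:
            out_of_order.append(i)
        last_ts = ts if last_ts is None else max(last_ts, ts)
        if USB_ATTACH_RE.search(msg):
            for c_ts, c_host in chassis:
                if c_host == host and timedelta(0) <= ts - c_ts <= window:
                    correlated.append((c_ts, ts, host))
    return {"correlated": correlated, "out_of_order": out_of_order}

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for c_ts, u_ts, host in result["correlated"]:
        print(f"{host}: chassis opened {c_ts:%H:%M:%S}, USB attached {u_ts:%H:%M:%S}")
    print("out-of-order line indexes:", result["out_of_order"])
```

A backwards timestamp alone is only a hint (clock adjustments cause it too), so it is worth comparing against a remote copy of the same log where one exists.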

As far as Tor users are concerned, the servers are no longer valid, so there is no risk for the network. Furthermore, he explains that there is no risk for the users either, because no information about them was stored on the systems.

After talking to the ISP’s support, White received confirmation that someone accessed his account without authorization, although no details were provided about the physical access to the servers.

The exit node maintainer said that he had received no notification from the authorities at the time of posting the messages on the Tor mailing list.

Anonymity on Tor has not been affected

On Friday, Tor project leader Roger Dingledine warned that some machines serving Tor relays (directory authorities) might become compromised in the following days. These are systems that offer a list of trusted relays through which traffic can travel safely.

The only detail made available was that some servers in the network called directory authorities would be seized; these are the nodes that deliver the list of Tor relays to clients.

He assured users that anonymity would remain untouched in the event of an attack, because the network's architecture is built on the principle of redundancy, with the functions of the affected part being automatically taken over by other machines.

Here is the list of mirrors and servers that should be avoided until further information emerges:

https://globe.thecthulhu.com
https://atlas.thecthulhu.com
https://compass.thecthulhu.com
https://onionoo.thecthulhu.com
http://globe223ezvh6bps.onion
http://atlas777hhh7mcs7.onion
http://compass6vpxj32p3.onion
77.95.229.11
77.95.229.12
77.95.229.14
77.95.229.16
77.95.229.17
77.95.229.18
77.95.229.19
77.95.229.20
77.95.229.21
77.95.229.22
77.95.229.23
77.95.224.187
89.207.128.241
5.104.224.15
128.204.207.215