January 3, 2021

TAILS pingback to ponynet entrynode, indicators of compromise

Hi,

I found a suspicious pingback from my TAILS OS host to ponynet[dot]eu each time I started a connection to a .onion domain or some other special domains.

The remote host is not my entry node, but the connection is direct from my TAILS host IP, over clearnet, to the remote host on port 1310 using TLS 1.3.

From what I found, the connection is started from “/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0”; when you kill the process, tor stops, as expected.

If you block the remote host IP using iptables, tor keeps working as usual (.onion and clearnet), meaning the host doesn’t provide essential services.

I suspect, from other analysis, that this might be a “port redirection attack” abusing SSDP/UPnP. The TAILS OS connection is redirected from the local network, through a compromised host in the network, to a remote host (the ponynet remote host); the Tor circuit is in this way bypassed, and Tor network data goes, over clearnet, from the TAILS OS host to an outside host “as it is”.


If anyone is interested I am ready to provide further information.
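The check the post describes (which process owns an outbound connection, whether the peer is the expected Tor entry node, and what to block with iptables if it is not) can be scripted. The following is an added example, not code from the post's author or from Tails; it assumes the column layout of `ss -tnp` output on Linux (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process), a constructed sample of that output using RFC 5737 documentation addresses, and a hypothetical set of expected guard peers that a defender would fill from their own torrc or from tor's control port.

```python
import re
from dataclasses import dataclass

# Regex for one `ss -tnp` data line; the header line has no numeric
# Recv-Q/Send-Q columns, so it simply fails to match and is skipped.
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

# Constructed sample output (not captured from a real host). One tor socket
# goes to the expected guard, one goes to an unexpected peer on port 1310,
# and one belongs to a different process and is ignored.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.2.15:47322 192.0.2.10:9001 users:(("tor",pid=1234,fd=8))
ESTAB 0 0 10.0.2.15:51904 198.51.100.7:1310 users:(("tor",pid=1234,fd=12))
ESTAB 0 0 10.0.2.15:39090 203.0.113.5:443 users:(("firefox",pid=2345,fd=44))
"""

# Hypothetical allow-list: the guard/bridge addresses this host is expected
# to talk to, taken by the operator from torrc or `GETINFO entry-guards`.
EXPECTED_TOR_PEERS = {"192.0.2.10:9001"}


@dataclass(frozen=True)
class Conn:
    proc: str
    pid: int
    local: str
    peer: str

    @property
    def peer_ip(self) -> str:
        # Split "ip:port" from the right so IPv4 addresses parse cleanly.
        return self.peer.rsplit(":", 1)[0]

    @property
    def peer_port(self) -> int:
        return int(self.peer.rsplit(":", 1)[1])


def parse_ss(text: str) -> list[Conn]:
    """Parse `ss -tnp` output into Conn records, skipping unparseable lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proc"], int(m["pid"]), m["local"], m["peer"]))
    return conns


def unexpected_tor_peers(conns: list[Conn], expected: set[str]) -> list[Conn]:
    """Return tor-owned sockets whose peer is not in the expected guard set."""
    return [c for c in conns if c.proc == "tor" and c.peer not in expected]


def block_rule(ip: str) -> str:
    """Build the iptables OUTPUT drop rule the post used to test the peer."""
    return f"iptables -A OUTPUT -d {ip} -j DROP"


if __name__ == "__main__":
    for c in unexpected_tor_peers(parse_ss(SAMPLE_SS), EXPECTED_TOR_PEERS):
        print(f"tor pid {c.pid} -> {c.peer} (not an expected guard)")
        print("  candidate rule:", block_rule(c.peer_ip))
```

On a live host the sample text is replaced by `subprocess.run(["ss", "-tnp"], capture_output=True, text=True).stdout`; the allow-list is the part that needs operator judgement, since tor legitimately rotates guards and a stale list will produce false positives.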
