Hi,
I found a suspicious pingback from my TAILS OS host to ponynet[dot]eu each time I started a connection to a .onion domain or some other special domains.
The remote host is not my Entry node, but the connection is direct from my TAILS host IP, over clearnet, to the remote host port 1310 using TLS 1.3.
From what I found, the connection is started from “/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0”; when you kill the process, tor stops, as expected.
If you block the remote host IP using iptables, tor keeps working as usual, .onion and clearnet, meaning the host doesn’t provide essential services.
I suspect, from other analysis, that this might be a “port redirection attack” abusing SSDP/UPnP. The TAILS OS connection is redirected from the local network, through a compromised host in the network, to a remote host (the ponynet remote host). The Tor circuit is, in this way, bypassed, and Tor network data goes, on clearnet, from the TAILS OS host to an outside host “as it is”.
If anyone is interested I am ready to provide further information.
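A way to check a report like the one above on your own machine is to list the connections owned by the tor process and compare each peer address against the relays Tor is actually supposed to talk to. The script below is an added example, not code from the poster or from the Tails or Tor projects. It parses the Linux `ss -tnp` output format, and it assumes an allowlist of relay addresses that in practice you would build from Tor's cached consensus or the guard entries in its state file; the three connection lines and the allowlist here are constructed sample data, with one peer on port 1310 to mirror the observation in the post. A hit is a lead to investigate, not proof of anything: a Tor instance configured with bridges or pluggable transports legitimately connects to addresses that are not in the public consensus.

```python
"""Flag outbound connections owned by the tor process whose peer is not a known relay.

Added example with constructed input. The ss(8) output format is real; the
addresses, PIDs and the relay allowlist are sample values made up for this script.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tnp` output. Real output has the same columns;
# only ESTAB rows with a process owner are of interest here.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.2.15:44810     198.51.100.7:443    users:(("tor",pid=1234,fd=12))
ESTAB  0      0      10.0.2.15:44812     203.0.113.9:1310    users:(("tor",pid=1234,fd=15))
ESTAB  0      0      10.0.2.15:50022     192.0.2.44:443      users:(("firefox",pid=2345,fd=80))
"""

# Constructed allowlist standing in for relay addresses you would extract from
# Tor's cached consensus (e.g. /var/lib/tor/cached-microdesc-consensus) or from
# the guard lines in /var/lib/tor/state. Only the first sample peer is "known".
KNOWN_RELAY_IPS = {"198.51.100.7"}


@dataclass(frozen=True)
class Conn:
    local: str
    peer_ip: str
    peer_port: int
    process: str
    pid: int


# Matches an established TCP row and captures local/peer endpoints plus the
# owning process name and PID from the users:(("name",pid=N,fd=M)) field.
LINE_RE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(text: str) -> list[Conn]:
    """Parse `ss -tnp` output into Conn records, skipping header and non-ESTAB rows."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rpartition on the last ':' keeps IPv6 peers such as [2001:db8::1]:443 intact.
        peer_ip, _, peer_port = m.group("peer").rpartition(":")
        conns.append(Conn(
            local=m.group("local"),
            peer_ip=peer_ip.strip("[]"),
            peer_port=int(peer_port),
            process=m.group("proc"),
            pid=int(m.group("pid")),
        ))
    return conns


def unexpected_tor_peers(conns: list[Conn], known_relays: set[str]) -> list[Conn]:
    """Return tor-owned connections whose peer address is not in the relay allowlist."""
    return [c for c in conns if c.process == "tor" and c.peer_ip not in known_relays]


if __name__ == "__main__":
    # Replace SAMPLE_SS_OUTPUT with the real output of `ss -tnp` to check a live host.
    for c in unexpected_tor_peers(parse_ss(SAMPLE_SS_OUTPUT), KNOWN_RELAY_IPS):
        print(f"tor pid {c.pid}: {c.local} -> {c.peer_ip}:{c.peer_port} is not a known relay")
```

On a live system, pipe the actual `ss -tnp` output into `parse_ss` and build `KNOWN_RELAY_IPS` from the consensus Tor currently holds, then resolve any flagged peer against the consensus by fingerprint before drawing conclusions; a stale allowlist produces false positives as relays rotate.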