
Search Engine Spider and User Agent Identification Forum

The Onion Strikes - TOR Proxy Comment Spammers
tor exit node drive-by

 9:54 am on Apr 30, 2012 (gmt 0)

Tor Exit Node drive-by at a WordPress site. All are known comment spammers.

"GET /samepage/ HTTP/1.0" ... "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727)"

- - [30/Apr/2012:03:28:55 +0200] gorz.torservers.net
- - [30/Apr/2012:03:29:01 +0200] torsrvh.snydernet.net
- - [30/Apr/2012:03:29:05 +0200] torproject.org.all.de
- - [30/Apr/2012:03:29:09 +0200] tor-exit-router35-readme.formlessnetworking.net
- - [30/Apr/2012:03:29:13 +0200] exit1.ipredator.se
- - [30/Apr/2012:03:29:16 +0200] h-188-63.a189.priv.bahnhof.se
- - [30/Apr/2012:03:29:18 +0200] chomsky.torservers.net
- - [30/Apr/2012:03:29:19 +0200] 84-55-117-251.customers.ownit.se
- - [30/Apr/2012:03:29:37 +0200] ns2.kharlamov.co
- - [30/Apr/2012:03:29:38 +0200] tor-exit-router36-readme.formlessnetworking.net
- - [30/Apr/2012:03:29:40 +0200] tor11.anonymizer.ccc.de
- - [30/Apr/2012:03:29:40 +0200] torexit.pl1.william.ir
- - [30/Apr/2012:03:29:41 +0200] lumumba.torservers.net
- - [30/Apr/2012:03:29:47 +0200] rainbowwarrior.torservers.net
- - [30/Apr/2012:03:29:48 +0200] politkovskaja.torservers.net
- - [30/Apr/2012:03:29:50 +0200] exit2.ipredator.se
- - [30/Apr/2012:03:29:51 +0200] torland1-this.is.a.tor.exit.server.torland.me

This is the fourth broadside of the Tor-related kind in as many days.

Anyone else picking these up?



 10:50 am on Apr 30, 2012 (gmt 0)

Thanks for the heads-up; two ranges are new to me.


 4:33 pm on Apr 30, 2012 (gmt 0)

New one for me as well. And not coincidental that I added one of these ranges last night when it caught one of my traps.


 6:52 pm on Apr 30, 2012 (gmt 0)

Already got 'em all, he said smugly. :)

Although I had the range that includes as broadband (which I still think it may be). Blocked it anyway, though.

I may be getting that kind of access attempt but I would need to backtrack in my logs to find out. Unless an IP hits several dozen times in a few seconds I ignore pre-blocked IPs.


 9:03 pm on Apr 30, 2012 (gmt 0)

@dstiles: Even a cursory Wikipedia-ward glance will inform. Anyone can configure their connection as a Tor exit node. Broadband freetards, mostly. It's the nature of the onion. Then they get hijacked or similar.

"Already got 'em all, he said smugly. :)"

Hmm. I wish you good luck with that.


 8:27 pm on May 1, 2012 (gmt 0)

My comment referred to the list of IPs. Apart from those, I think I can catch that class of "attack" without too much bother, be it from servers or broadband.


 8:39 pm on May 1, 2012 (gmt 0)

I have a cron job which refreshes a list of Tor exit nodes hourly, and blocks those automatically. When I find something like this thread, where others list IPs, if I find a server/host IP range I add it to my permanent block list. :)
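
One way to build the hourly refresh described in the post above, as an added example that is not the poster's script. It assumes the exit list has already been downloaded as text with one address per line and that the server is Apache 2.4 (`Require not ip`); the function names and sample addresses are hypothetical, the addresses being constructed from documentation ranges.

```python
import ipaddress
import os
import tempfile

# Constructed sample in a one-address-per-line layout (an assumption about
# the list format); every address comes from a documentation range.
SAMPLE_LIST = """\
# constructed exit list
192.0.2.10
198.51.100.7
192.0.2.10
203.0.113.250
2001:db8::1
not-an-ip
999.1.1.1
"""

def parse_exit_list(text):
    """Return sorted, de-duplicated addresses; drop comments and junk."""
    seen = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            seen.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # never copy unvalidated text into server config
    return sorted(seen, key=lambda a: (a.version, int(a)))

def render_apache(addrs):
    """Render an Apache 2.4 snippet for use inside a <Directory> block."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {a}" for a in addrs]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"

def refresh(text, dest, min_entries=1):
    """Replace dest atomically; keep the old file if the list looks empty."""
    addrs = parse_exit_list(text)
    if len(addrs) < min_entries:
        return False  # truncated or failed download: do not unblock everyone
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    with os.fdopen(fd, "w") as fh:
        fh.write(render_apache(addrs))
    os.chmod(tmp, 0o644)
    os.replace(tmp, dest)  # readers never see a half-written file
    return True
```

Apache only picks up a changed include file after a graceful reload, so the cron entry would run the refresh and then reload the server.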


 2:15 am on May 2, 2012 (gmt 0)

RewriteCond %{REMOTE_ADDR} ^66\.193\.(17[45]|23[01])\. [OR]
RewriteCond %{REMOTE_ADDR} ^66\.194\.(15[23]|4[01])\. [OR]
RewriteCond %{REMOTE_ADDR} ^66\.194\.2(3[89]|4[0-9]|5[0-5])\. [OR]
RewriteCond %{REMOTE_ADDR} ^66\.195\.(1[6-9]|12[4-7]|24[0-3]|25[23])\. [OR]
RewriteCond %{REMOTE_ADDR} ^64\.132\.144\. [OR]

The 66.7. and the 72.29's I had denied previously.

Thanks for the 66.7 heads up or I wouldn't have checked and updated.


 6:57 pm on May 3, 2012 (gmt 0)

I wonder if the sudden hits for Tor are related to the post at


"The developers at the Tor Project are warning users about a serious flaw in Firefox that's included in the latest version of the Tor Browser Bundle that could enable an attacker to gather information about the servers a victim is using, poking a hole in the privacy and anonymity that Tor is designed to provide."

Could the hits shown in the OP result from a Firefox/Tor exposure?
