Private Hidden Server is being crawled every night - how is it possible?

onion_knight · 2018-02-26 19:13:32 UTC

Strange thing happening.

I have a hidden (v2 onion) apache server running on a machine. Nothing of interest nor sensitive, just for learning and testing purpose.

I have NEVER disclosed its v2 onion address to anybody, nor did I post it, or broadcast it in any way. I am pretty sure the machine itself has not been compromised. It runs a ferm service wich enforces Tails-like iptables: the machine is only accessible from Tor and local network. It also runs a SSH hidden service with stealth authentication.

However, lately, while routinely checking the apache logs, I saw that the hidden website has been regularly crawled every night. The pattern is always the same: all webpages are visited in a few seconds. Headers show a Ubuntu machine, but headers can be forged and I think it’s more probably a bot using a curl script doing its job.

The question is HOW is it possible that the server is being crawled if the address has never been disclosed to anyone? I thought it was mathematically impossible to bruteforce onion addresses? Can a rogue entry node reveal my hidden server onion address? Or worse, its real public IP address? Would a v3 onion also be subject to this kind of behaviour?

Patrick · 2018-02-27 21:18:53 UTC

This question is better suited for the Tor support as per https://www.whonix.org/wiki/Free_Support_Principle.

onion_knight · 2018-02-27 22:02:16 UTC

All right, you can erase the topic, I’ll post it on tor.stackexchange (if I can create an account with Tor there )

Patrick · 2018-02-27 23:08:29 UTC

Not sure that will be the best place either. I suggest tor-talk.

HulaHoop · 2018-02-28 19:07:49 UTC

I assume there’s some confusion here. v2 onion services are the ones with the shorter addresses. These are not private by default unless you configure authenticated access. Only v3 are. If you mean v3 then I would report this to the Tor mail list because that would be a big deal. I doubt they would design something with such a obvious flaw going unnoticed.

onion_knight · 2018-02-28 19:15:14 UTC

Thanks HulaHoop, yes I am talking about a v2 onion, not v3!

So you mean that by “not private”, they are some kinds of lists of running onion services publicly available? I thought that by design if you didn’t disclose an onion v2 service it could not be automatically indexed and crawled, as long as nobody knew the address (because onion addresses, even v2, are generated unpredictably)? Is it really not the case? If it really is like this, how come there are no “google-like” services indexing all v2 onion servers?

HulaHoop · 2018-02-28 19:35:51 UTC

Yes. In v2 Hidden Service directories could track this information and access the onion addresses they see. This was a drawback of th old design and was improved with v3.

onion_knight · 2018-02-28 19:38:11 UTC

I see. So it is more a vulnerability than a feature? I assume this is not encouraged behaviors and some rogue directory leaked my onion address? Does it also affect anonymity of my onion service (public IP leak)?

HulaHoop · 2018-02-28 19:43:03 UTC

Yes

Also yes.

No

onion_knight · 2018-02-28 20:03:22 UTC

That’s crazy. I didn’t know that. So I can assume the rogue directory could be owned by/leaking info to LE or criminal entities?

Does this vulnerability also apply to stealth services (for example stealth ssh services)?

Thanks a lot for your help

HulaHoop · 2018-02-28 23:17:27 UTC

Yes

No

Segalla · 2018-03-04 09:39:34 UTC

Even the tor bugtracker uses the very anti-tor recaptcha from google

HulaHoop · 2018-03-10 23:57:24 UTC

Not anymore in my experience