TOR Browser Favicon.ico IP leak
Attached are logs for TOR Browser sessions while logging into a Buffalo Terastation TS-XEL with firmware version 1.55. The logs are from the Terastation lighttpd.webui.access.log.
The version of TOR Browser was likely 4.5; it was the version which updated itself automatically from TOR Browser. It was certainly below 4.5.1, because an access occurred before May 13.
TOR client IP address is XXX.XXX.XXX.XXX.
Target IP address is YYY.YYY.YYY.YYY.
Real IP address is ZZZ.ZZZ.ZZZ.ZZZ; it was checked and confirmed with the ISP. Based on the access circumstances, it is unthinkable that the target was "accidentally" accessed via the standard browser at that time, which was IE11.
What is strange about the real User-Agent is that it is listed as Windows NT 6.2, but the real version of Windows was NT 6.3.
Below is a small fragment of the logs:

XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:15:53 +0900] "POST /dynamic.pl HTTP/1.1" 200 192 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:15:53 +0900] "GET /static/ext/resources/images/default/grid/grid3-hrow.gif HTTP/1.1" 200 836 "http://YYY.YYY.YYY.YYY/static/ext/resources/css/ext-all.css" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:15:53 +0900] "GET /static/ext/resources/images/default/s.gif HTTP/1.1" 200 43 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:16:08 +0900] "GET /static/ext/resources/images/default/grid/row-over.gif HTTP/1.1" 200 823 "http://YYY.YYY.YYY.YYY/static/ext/resources/css/ext-all.css" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:16:08 +0900] "GET /static/ext/resources/images/default/grid/grid3-hrow-over.gif HTTP/1.1" 200 823 "http://YYY.YYY.YYY.YYY/static/ext/resources/css/ext-all.css" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
ZZZ.ZZZ.ZZZ.ZZZ YYY.YYY.YYY.YYY - [Date:19:17:20 +0900] "GET /favicon.ico HTTP/1.1" 200 97 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:17:51 +0900] "POST /dynamic.pl HTTP/1.1" 200 289 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:17:53 +0900] "GET /dynamic.pl?_dc=1431339247835&bufaction=getRootSettings2 HTTP/1.1" 200 551 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:17:54 +0900] "GET /dynamic.pl?_dc=1431339247838&bufaction=validateSession HTTP/1.1" 200 77 "http://YYY.YYY.YYY.YYY/static/root.html" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
Trac:
Username: torleak
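
For triaging a log like the fragment in this report, the following added example (not part of the original report and not Tor Project code) parses entries in the format shown and lists requests to the same target that arrived from a different client address than the rest of the session. The sample lines are copied from the fragment with their redacted placeholders; treating the most frequent client/User-Agent pair as "the session" is an assumption of this sketch.

```python
import re
from collections import Counter

# Fields: client, target host, timestamp, request, status, size, referer, user-agent
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<host>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Sample lines copied from the fragment above (addresses and date already redacted).
FF = "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
IE = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0E; "
      ".NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)")
ROOT = "http://YYY.YYY.YYY.YYY/static/root.html"
SAMPLE = [
    f'XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:15:53 +0900] "POST /dynamic.pl HTTP/1.1" 200 192 "{ROOT}" "{FF}"',
    f'XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:15:53 +0900] "GET /static/ext/resources/images/default/s.gif HTTP/1.1" 200 43 "{ROOT}" "{FF}"',
    f'ZZZ.ZZZ.ZZZ.ZZZ YYY.YYY.YYY.YYY - [Date:19:17:20 +0900] "GET /favicon.ico HTTP/1.1" 200 97 "-" "{IE}"',
    f'XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY - [Date:19:17:51 +0900] "POST /dynamic.pl HTTP/1.1" 200 289 "{ROOT}" "{FF}"',
]

def parse(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def out_of_session(lines):
    """Per target host, report requests whose client differs from the dominant one."""
    by_host = {}
    for entry in filter(None, map(parse, lines)):
        by_host.setdefault(entry["host"], []).append(entry)
    findings = []
    for group in by_host.values():
        # Assumption: the most frequent (client, UA) pair is the proxied browser session.
        (main_client, main_ua), _ = Counter(
            (e["client"], e["ua"]) for e in group).most_common(1)[0]
        for e in group:
            if e["client"] != main_client:
                findings.append({"client": e["client"], "ts": e["ts"],
                                 "path": e["path"], "referer": e["referer"],
                                 "ua_changed": e["ua"] != main_ua})
    return findings

if __name__ == "__main__":
    for f in out_of_session(SAMPLE):
        print(f)
```
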