Suspicious access from Tor Exit/Probably intercepting traffic.
Short summary:
- I have mywebsiteexample.com as a clearnet site.
- I monitor the access log.
- A few days ago I visited httpS://mywebsiteexample.com/adminpage/ (example), which was created recently & never shared with others & only I know about it & my Firefox is blocking all communications to *.mozilla domains - over Tor.
- At that time, 185.220.100.x (I forgot the x part) was used for exit traffic.
- Now when I look at the log, 185.220.100.254 clearly tried to access my /adminpage/ when I clearly did not.
The attacker IP has a small website which displays statistics: http://185.220.100.254/

The whole range is 185.220.100.0/24, and its name is "Network for Tor-Exit traffic." I suggest you block them as a bad exit because it is clearly intercepting traffic.
To build a defense. To OONI devs:
- Own some clearnet site (& never advertise it).
- Connect to it from Tor exits, with a different URI path per exit - TorExitA connects to /blog/apple.html, TorExitB connects to /book/keeping.php and so on.
- Stop the connection and wait 48 hours.
- Observe in the log whether some Tor exits reconnect to the above site while OONI is not connected.
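
The log check in the last step could be automated as below. This is an added example, not part of the original post and not OONI code. It assumes an Apache/nginx combined-format access log; the probe plan, the IPs (documentation ranges) and the log lines are constructed, and only the two paths come from the post.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed probe plan: canary path -> (exit IP used once for it, probe time).
PROBES = {
    "/blog/apple.html": ("192.0.2.10", datetime(2024, 1, 1, 12, 0, tzinfo=UTC)),
    "/book/keeping.php": ("198.51.100.7", datetime(2024, 1, 1, 12, 5, tzinfo=UTC)),
}
GRACE = timedelta(minutes=5)  # assumed tolerance around our own probe request

# Constructed sample log in combined format.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:12:00:02 +0000] "GET /blog/apple.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:12:05:01 +0000] "GET /book/keeping.php HTTP/1.1" 200 300
203.0.113.50 - - [01/Jan/2024:13:00:00 +0000] "GET /index.html HTTP/1.1" 200 100
203.0.113.99 - - [02/Jan/2024:03:14:15 +0000] "GET /book/keeping.php?x=1 HTTP/1.1" 200 300
not a log line
""".splitlines()

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

def parse_line(line):
    """Return (client_ip, timestamp, path without query) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, target.split("?", 1)[0]

def find_replays(lines, probes=PROBES, grace=GRACE):
    """List requests for a canary path that are not our own probe of it."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in probes:
            continue
        ip, when, path = parsed
        exit_ip, probe_time = probes[path]
        if ip == exit_ip and abs(when - probe_time) <= grace:
            continue  # this is the probe itself
        # The path was only ever sent through exit_ip, so that exit is the lead.
        hits.append({"path": path, "probed_via": exit_ip, "seen_from": ip, "when": when})
    return hits

if __name__ == "__main__":
    for hit in find_replays(SAMPLE_LOG):
        print(hit)
```
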