Public IP addresses of Tor sites visible through SSL certificates

Carding 4 Carders


To maintain anonymity, administrators should configure servers to only listen on localhost (127.0.0.1).

RiskIQ security researcher Yonathan Klijnsma has discovered a way to quickly identify the public IP addresses of misconfigured dark web servers.

The main reason for creating a Tor-only site on the darknet is the desire of its owner to hide his identity. However, to maintain anonymity, the administrator must configure the server to listen only on localhost (127.0.0.1), and not on the public IP address accessible via the Internet.

However, Klijnsma discovered many SSL-based sites and misconfigured hidden services on the Tor network that were accessible over the Internet. Since RiskIQ “scours” the Web and finds matches between any SSL certificate and IP address, the researcher had no difficulty in finding incorrectly configured Tor hidden services with corresponding public IP addresses.

As Klijnsma explained, the problem is that site admins have configured their local Apache or Nginx servers to listen on any IP address (* or 0.0.0.0). Of course, the connection via Tor will be established, but it will also be established via the external Internet, especially if no firewalls are used.

"These servers should only be configured to listen on 127.0.0.1," the researcher told Bleeping Computer.

When site operators use SSL certificates, they associate the .onion domain with the certificate. If the server is not configured correctly and listens on public IP addresses, then the certificate containing the .onion domain will also be served on these addresses.
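
A configuration check for the misconfiguration described above, as an added example that is not part of the original post: it parses Nginx `listen` and Apache `Listen` directives and flags every one that is not bound to loopback. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Matches nginx "listen ...;" and Apache "Listen ..." directives (not commented-out ones).
LISTEN_RE = re.compile(r"^[ \t]*listen[ \t]+([^\s;]+)", re.IGNORECASE | re.MULTILINE)

def is_loopback_only(target: str) -> bool:
    """Return True only if the listen target is provably local to the host."""
    if target.lower().startswith("unix:"):
        return True                      # UNIX domain socket, not reachable over IP
    if target.startswith("["):           # bracketed IPv6, e.g. [::1]:8080
        host = target[1:target.index("]")]
    elif ":" in target:                  # host:port
        host = target.rsplit(":", 1)[0]
    elif target.isdigit():               # bare port means every interface
        return False
    else:                                # bare address without a port
        host = target
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                   # "*" or a hostname: treat as exposed
        return False

def audit_listen(config_text: str):
    """Return (line_number, target, exposed) for every listen directive."""
    findings = []
    for m in LISTEN_RE.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start()) + 1
        findings.append((line_no, m.group(1), not is_loopback_only(m.group(1))))
    return findings

# Constructed sample mixing nginx and Apache directives.
SAMPLE = """\
listen 127.0.0.1:8080;
listen 443 ssl;
listen [::]:443 ssl;
# listen 0.0.0.0:80;
Listen 0.0.0.0:80
Listen [::1]:8443
listen unix:/run/site.sock;
"""

if __name__ == "__main__":
    for line_no, target, exposed in audit_listen(SAMPLE):
        print(f"line {line_no}: {target:<22} {'EXPOSED' if exposed else 'loopback only'}")
```

The check reads configuration text only; the sockets the running server actually holds open and the host firewall still need to be verified separately.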
 