Strange TOR Traffic To Get IP

Posted: 2013-08-05 15:34:36

Is this evidence of another TOR and Firefox exploit to get your IP address, or something completely mundane?

I just checked the logs of a service that I provide that returns your IP address –

http://myip.wampdeveloper.com/

It was put up to be used under WampDeveloper Pro (to let the user know the server’s public IP address; usually the router’s IP) so as to not depend on any external services, and for anyone else that wanted to use it for whatever reason (no restrictions).

The logs had a large number of requests (relative to WampDeveloper's own use) that started in May, from different IPs, all with the same user-agent string (the string that identifies the make and build of the browser you are using).
 
From doing a “resolveip” (attempts to turn the IP address into a potentially readable host name containing useful information) on some of the IPs, a lot of them are being reported as coming from –

  1. TOR exit nodes and routers
  2. Freedom and Privacy type hosting servers
  3. Some residential/home addresses (not WampDeveloper Pro related; it uses its own user-agent string)

 
Google returns no external results for query “myip.wampdeveloper.com”, except for the few times I mentioned it on HackerNews.

If these requests are coming from users of the Tor Bundle, the usage of myip.wampdeveloper.com appears to be under-the-radar, probably being used from within the Browser, like in a JS file that attempts to get your IP address (via a de-anonymized / local request).
 
The reason I say that (under-the-radar), is because the “reported” user-agent string of these requests is Chrome, not Firefox (Browser of the Tor Bundle). But the JS can set whatever user-agent string it wants, and those requests also don’t hit the favicon.ico URL (standard procedure for most browsers on first request to a website) – so it’s definitely not coming from the users going to (or being redirected to) the myip page, but rather coming from a script.
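The two checks described above (reverse-resolving the source IPs, and noticing that requests with a shared user-agent never fetch favicon.ico) can be turned into a small log triage script. This is an added example, not code from the original post; the log lines, IP addresses and the `tor-exit.example.net` hostname are constructed, and the Apache combined log format is assumed.

```python
import re
import socket
from collections import defaultdict
# User-agent strings for the constructed sample below (not real log data).
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"

def _line(ip, ts, path, ua):  # one Apache combined-format line, made-up status/size
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 14 "-" "{ua}"'
# Constructed sample: two Chrome-UA clients that only ever fetch "/", plus one
# Firefox client that also fetches favicon.ico as an interactive browser would.
SAMPLE_LOG = "\n".join([
    _line("198.51.100.7", "05/Aug/2013:10:01:02", "/", CHROME_UA),
    _line("203.0.113.9", "05/Aug/2013:10:02:15", "/", CHROME_UA),
    _line("192.0.2.44", "05/Aug/2013:10:03:40", "/", FIREFOX_UA),
    _line("192.0.2.44", "05/Aug/2013:10:03:41", "/favicon.ico", FIREFOX_UA),
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Yield (ip, path, user_agent) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), m.group("ua")

def find_script_clients(text, min_ips=2):
    """{user_agent: [ips]} for UAs shared by >= min_ips IPs that never hit favicon."""
    paths = defaultdict(set)   # ip -> paths requested
    agents = defaultdict(set)  # user-agent -> ips seen with it
    for ip, path, ua in parse_log(text):
        paths[ip].add(path)
        agents[ua].add(ip)
    return {ua: sorted(ips) for ua, ips in agents.items()
            if len(ips) >= min_ips
            and all("/favicon.ico" not in paths[ip] for ip in ips)}

def rdns(ip):
    """Reverse-DNS name for ip, or None when there is no usable PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def annotate_hosts(ips, resolver=rdns):
    """Map each ip to its reverse-DNS name; pass a resolver to stay offline."""
    return {ip: resolver(ip) for ip in ips}
```

Run `find_script_clients` over a real access log and feed the flagged IPs to `annotate_hosts` to see which ones resolve to exit-node or hosting-provider names; the favicon heuristic is only a hint, since some browsers and proxies also skip it.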
 
This is kind of really strange and unexpected, but hopefully is not related to all this –
Attackers wield Firefox exploit to uncloak anonymous Tor users
Tor security advisory: Old Tor Browser Bundles vulnerable
Torsploit takedown: analysis, reverse engineering, forensic

…But is rather just some other TOR-based product/service using myip.wampdeveloper.com as part of a list of URLs it rotates through (a list of what's-my-ip services), or someone using it for their own needs.
 
The benefit of the above myip service is that it returns nothing but the IP, no HTML, no XML, etc. Just a few bytes of data via TCP/IP. Probably all within 1 packet.