Is this evidence of another TOR and Firefox exploit to get your IP address, or something completely mundane?
I just checked the logs of a service that I provide that returns your IP address –
http://myip.wampdeveloper.com/
It was put up to be used under WampDeveloper Pro (to let the user know the server’s public IP address; usually the router’s IP) so as to not depend on any external services, and for anyone else that wanted to use it for whatever reason (no restrictions).
The logs showed a large number of requests (large relative to WampDeveloper's own use) that started in May, from different IPs, all with the same user-agent string (the string that identifies the make and build of the browser you are using).
From doing a "resolveip" (which attempts to turn the IP address into a potentially readable host name containing useful information) on some of the IPs, a lot of them are reported as coming from –
- TOR exit nodes and routers
- Freedom and Privacy type hosting servers
- Some residential/home addresses (not WampDeveloper Pro related; it uses its own user-agent string)
Google returns no external results for query “myip.wampdeveloper.com”, except for the few times I mentioned it on HackerNews.
If these requests are coming from users of the Tor Bundle, the usage of myip.wampdeveloper.com appears to be under the radar, probably made from within the browser, for example by a JS file that attempts to get your IP address (via a de-anonymized / local request).
The reason I say "under the radar" is that the reported user-agent string of these requests is Chrome, not Firefox (the browser of the Tor Bundle). But the JS can set whatever user-agent string it wants, and those requests also don't hit the favicon.ico URL (standard procedure for most browsers on the first request to a website) – so it's definitely not coming from users going to (or being redirected to) the myip page, but rather from a script.
This is kind of really strange and unexpected, but hopefully is not related to all this –
Attackers wield Firefox exploit to uncloak anonymous Tor users
Tor security advisory: Old Tor Browser Bundles vulnerable
Torsploit takedown: analysis, reverse engineering, forensic
…but is rather just some other Tor-based product/service using myip.wampdeveloper.com as part of a list of what's-my-IP service URLs it rotates through; or someone using it for their own needs.
The benefit of the above myip service is that it returns nothing but the IP, no HTML, no XML, etc. Just a few bytes of data via TCP/IP. Probably all within 1 packet.
A couple of things left to mention –
1. The script that outputs the IP will attempt to honor any proper Forwarded-For type headers it finds… meaning it can return an IP other than the requesting IP.
2. I don’t log what’s returned.
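A small log-triage script that applies the two signals described above (one user-agent string shared across many distinct IPs, and none of those IPs ever following up with a favicon.ico request). This is an added example, not code from the original post; the log lines are constructed using documentation-range addresses, and the field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of Apache "combined" log lines for the myip endpoint (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Aug/2013:10:01:02 +0000] "GET / HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/27.0.1453.110 Safari/537.36"
203.0.113.11 - - [14/Aug/2013:10:01:09 +0000] "GET / HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/27.0.1453.110 Safari/537.36"
198.51.100.7 - - [14/Aug/2013:10:02:30 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/27.0.1453.110 Safari/537.36"
192.0.2.44 - - [14/Aug/2013:10:05:00 +0000] "GET / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
192.0.2.44 - - [14/Aug/2013:10:05:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
192.0.2.99 - - [14/Aug/2013:10:06:00 +0000] "GET / HTTP/1.1" 200 11 "-" "WampDeveloper Pro"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_scripted_clients(log_text, min_ips=3):
    """Return {user_agent: [ips]} for UA strings used by at least min_ips distinct
    IPs where none of those IPs ever requested favicon.ico. A browser that lands
    on the page normally fetches favicon.ico; a script fetching only the IP does not."""
    ips_by_ua = defaultdict(set)
    favicon_ips = set()
    for rec in parse(log_text):
        if rec["path"].endswith("/favicon.ico"):
            favicon_ips.add(rec["ip"])
        else:
            ips_by_ua[rec["ua"]].add(rec["ip"])
    flagged = {}
    for ua, ips in ips_by_ua.items():
        if len(ips) >= min_ips and not (ips & favicon_ips):
            flagged[ua] = sorted(ips)
    return flagged

if __name__ == "__main__":
    for ua, ips in find_scripted_clients(SAMPLE_LOG).items():
        print(f"{len(ips)} IPs, no favicon, UA={ua!r}: {', '.join(ips)}")
```

The threshold is a heuristic: a popular browser UA with a handful of users who happen to block favicons can trip it, so treat the output as a shortlist for the resolveip check, not as proof of automation.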
Any chance it’s coming from someone possibly using tor to DDoS or crawl? I can see someone setting up a python script that would check against a simple IP checking website. That would explain why favicon.ico never gets hit, and the user-agent would be whatever it wanted because the HTTP packet would be fully customizable.