Strange TOR Traffic To Get IP

Is this evidence of another TOR and Firefox exploit to get your IP address, or something completely mundane?

I just checked the logs of a service that I provide that returns your IP address –

http://myip.wampdeveloper.com/

It was put up to be used under WampDeveloper Pro (to let the user know the server’s public IP address; usually the router’s IP) so as to not depend on any external services, and for anyone else that wanted to use it for whatever reason (no restrictions).

The logs had a large amount (relatively speaking to WampDeveloper’s use) of requests that started in May, different IPs, all with the same user-agent string (the string that identifies the make and build of the Browser you are using).
 
From doing a “resolveip” (attempts to turn the IP address into a potentially readable host name containing useful information) on some of the IPs, a lot of them are being reported as coming from –

  1. TOR exit nodes and routers
  2. Freedom and Privacy type hosting servers
  3. Some residential/home addresses (not WampDeveloper Pro related, it uses it’s own user-agent string)

 
Google returns no external results for query “myip.wampdeveloper.com”, except for the few times I mentioned it on HackerNews.

If these requests are coming from users of the Tor Bundle, the usage of myip.wampdeveloper.com appears to be under-the-radar, probably being used from within the Browser, like in a JS file that attempts to get your IP address (via a de-anonymized / local request).
 
The reason I say that (under-the-radar), is because the “reported” user-agent string of these requests is Chrome, not Firefox (Browser of the Tor Bundle). But the JS can set whatever user-agent string it wants, and those requests also don’t hit the favicon.ico URL (standard procedure for most browsers on first request to a website) – so it’s definitely not coming from the users going to (or being redirected to) the myip page, but rather coming from a script.
 
This is kind of really strange and unexpected, but hopefully is not related to all this –
Attackers wield Firefox exploit to uncloak anonymous Tor users
Tor security advisory: Old Tor Browser Bundles vulnerable
Torsploit takedown: analysis, reverse engineering, forensic

…But is rather just some other TOR based product/service using myip.wampdeveloper.com as part of a list of URLs it rotates through – a list of whats-my-ip services; or someone using this for their own needs.
 
The benefit of the above myip service is that it returns nothing but the IP, no HTML, no XML, etc. Just a few bytes of data via TCP/IP. Probably all within 1 packet.

2 thoughts on “Strange TOR Traffic To Get IP”

  1. A couple of things left to mention –

    1. The script that outputs the IP will attempt to honor any proper forwarded-for type Headers it finds… Meaning it can return an IP other than the requesting IP.

    2. I don’t log what’s returned.

    Reply

  2. Any chance it’s coming from someone possibly using tor to DDoS or crawl? I can see someone setting up a python script that would check against a simple IP checking website. That would explain why favicon.ico never gets hit, and the user-agent would be whatever it wanted because the HTTP packet would be fully customizable.

    Reply

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>