My Blog Is Used for Malware C&C! (Good?!)

I looked on VirusTotal recently and noticed something interesting when I entered my own domain and IP address...

Since I run a Tor Relay node, I'm passing approximately 20Mbits of traffic between other Tor nodes at any given time. However, this server is also a 'Guard Node' which means it can act as an entry point to the Tor network itself; sometimes known as the 'first hop' or bridge (an explanation of these terms is here). Since my IP is static and doesn't shift about due to me tweaking anything, some interesting results popped up on VirusTotal.


A variety of Malware must have my IP hard-coded within them since VirusTotal was able to match my IP string. No doubt it's alongside many other IPs that are also on public lists as Tor entry/guard nodes.

A reasonable conclusion would be that these malware strains are actually using my system as a direct jump into the Tor network and likely reaching their Command and Control servers, probably resulting in a successful infection and callback for a host somewhere (now bot). On the one hand that is a little disappointing, but on the other, it means my relay is stable and has lived long enough to be included (woo). It also means that lots of good material passes through as well. Bsides, this box is just a drop in the ocean of potential entry points to the Tor network.