Honeypot [noun] – a container for honey

Honeypot [noun] – a trap set to detect, deflect, or in some manner counteract attempts to access a computer system, generally consisting of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to visitors.

Note: I tried to keep technical details in their own sections. See “Tech Background” sections if you are interested in setting up a Tor honeypot. Don’t hesitate to shoot me an email if you have any questions.

Preface

The answer to the question on your mind

Before discoursing the lengthy analysis of the Dark Web honeypots (there were three), let’s answer the question that is surely on everyone’s mind – did the honeypot allow me to reveal the true identity of the person visiting the Tor site? In many cases enough evidence was gathered to provide a pretty good guess or at least a good launching point for identification of the person that visited the site. Surprisingly, in some cases, the identity of the person was undeniably revealed and included the person’s name, unique personal computer footprint, and true external IP address (see partial data example above). And to answer the second question, “no”, this did not require the placement of malicious malware. Read on…

A potentially unhealthy hatred of pedophiles?

Although this project was initially intended to secretly track the activities and behavior of three types of Tor users – those interested in or seeking counterfeiting services, illegal drug products, and pedophiles – the faux-pedophile Tor hidden service struck a particularly disheartening chord with me. First, the pedo site saw magnitudes more traffic than the counterfeiting or drugs websites – in the order of 100 times more traffic than the other two combined. Secondly, I have a deep-rooted personal (and admittedly unhealthy) disdain for pedophiles. Contrary to what you might initially assume, I have never been sexually abused. However, I have adopted a beautiful daughter who was abused in the most unimaginable ways (physically and sexually beginning at age 5). Her abuse was doled out via multiple pedophiles as she shuffled in and out of the child protective services system (which repeatedly failed to protect her) while legal cases against the perpetrators were left hanging in a void.

Given my circumstances, I have seen first-hand, the psychological damage a pedophile’s actions cause. The damage done to these children is permanent and no matter how much counseling and assistance they seek – the experience is forever embedded into their self, shaping (and sometimes limiting) what they become as adults.

The immorality of a pedophile honeypot?

All honeypots beg this question: are they fair to the user who stumbled across it? Pedophilia exists on both the Clearnet (i.e. the Internet) and the Dark Web (i.e. Darknet or Tor). I have been deeply involved with website engineering and software development since the early days of the Internet and am familiar with every nook and cranny on these networks. Regardless, not once have I run across child pornography. Oh, I’ve seen the links of course, but never blundered across one, polluting my mind with images that can never be un-seen. Point being, pedophiles actively solicit, seek, and choose to find and view pedophilia material. It is never by accident that they run across illegal, pornographic material featuring children – and it was surely not by chance that they ran across my Dark Web honeypot.

First step: the Dark Web spider and lessons learned

The idea for the honeypot project began with a Dark Web spider, a computer software application which, using the Tor protocol, crawls the blackest recesses of the Dark Web cataloging links and websites (hidden services) while attempting to categorize the content it discovers. My Dark Web spider is a 1,400 line PHP program which uses Curl to jump from Tor to HTTP and back. It kicks off at midnight each night and runs for eight hours before gracefully shutting itself down. Upon termination, it generates a series of HTML reports listing crawl statistics, URLs that were found, and information on the Dark Web sites it has discovered. The reports are published nightly on a hacker-related Dark Web site that I am involved with.

From the spider, I gleaned two surprising bits of information. Firstly, the hidden darknet is not nearly as large as legend claims. Of the 1 million+ URLs discovered, only about 4,000-5,000 hidden services are running at any given time. Secondly, the content served by these sites is almost universally illegal or immoral (by my definition anyway). A conservative estimate would be maybe 1 out of 200 or so hidden service websites contain content I would deem worthy of the protection an anonymous network provides. Sites featuring free speech proxies or libraries of hard-to-find underground literature are few and far between on the Dark Web.

At first I was shocked, then disheartened at the depravity of my fellow man (to the point of shutting down the crawler and .onion hidden service). Then I became angry (sort of the reverse order of the normal five stages of loss and recovery, I guess). Anger lead to action after I wondered: Could I determine the identity of the Dark Web users who chose to use the anonymous Tor service for illicit purposes?

TECH BACKGROUND: The Dark Web spider

The PHP web crawler consists of five stages: (1) quick site connectivity test, (2) crawl a limited number of uncrawled websites, (3) attempt to re-crawl sites that have recently errored, (4) attempt to re-crawl sites that errored in the last 24 hours, (5) attempt to re-crawl sites that errored during the past week.

The crawl job pulls URLs from a MySQL database which began with a single seed site URL. As new URLs are found, they are added to the database which records the date/time of the connection attempt, ticks error counters, and derives a few parsed data fields related to categorization of the content discovered.

SIGINT signals are caught so that the job can gracefully perform shut down processing when a termination is requested. New URLs are validated and cleaned. Non-onion related sites are kicked out. For legal reasons, I specifically reject links to images and take care not to pull down binaries during the crawl.

Curl is used to proxy between Tor and HTTP. User Agent and Referrer strings are forged and passed to the target in an attempt to avoid being detected as an automated spider.

The Dark Web honeypots

How Tor works

Before delving too deeply into the honeypot configurations, a quick rehash of Tor is needed. Tor, or The Onion Router, is a network consisting of tens of thousands of volunteer computers which together, provide a distributed anonymous network. Data packets on the Tor network take a pseudo-random pathway through several “relays” that serve to cover your tracks by ensuring that no observer at any single point in the circuit can tell where the data came from or where it is going.

To create a private network pathway with Tor, the user’s client software incrementally builds a “circuit” of encrypted connections through the relays on the network. The circuit is extended, one hop at a time, and each relay along the way knows only which relay gave it the data packet and which relay it is to hand the data packet off to. With this architecture, no single relay ever knows the complete path that a data packet has taken.

In addition, the client negotiates a separate set of encryption keys for each hop along the circuit to ensure that no single hop can view (and trace) these connections as they pass through. Thus, all data passing through the network is wrapped in an encrypted packet with multiple layers of encryption added incrementally, like layers in an onion, as the packet passes through a Tor node.

As a part of the Tor protocol, anonymous websites can be configured which are offered the same anonymity the Tor network provides its users. These anonymous websites are called “hidden services”.

Three honeypots: counterfeiting, drugs, and pedophilia

Three Tor hidden service honeypots were created, each strongly hinting that illegal content lie behind a secure “locked door”. The three websites (drugs, counterfeiting, and pedophilia) were then seeded in the Dark Web spider report described above and flagged so they would never be marked as “offline” or “inactive” in the nightly Dark Web crawl. The faux-websites were then seeded on two additional Dark Web sites (each on a different site, typically in the comments area of the site’s forum).

None of the honeypot websites contained any illegal content. Since I am not a legal authority (nor an expert in the law), I had to scale back the content. No illegal pictures nor files existed on any of the sites. In fact, each site contained exactly one image – a decorative background image to give the site a bit of flair (hidden service sites are notoriously lean and “ugly”). None of the honeypot sites explicitly *offered* to provide illegal content and instead, served to lure the user in by a vague promise of what may be found behind the locked door. Admittedly, lack of genuine content was a huge disadvantage over a FBI-driven honeypot and likely the reason why some visitors did not apply for membership and quickly moved on after landing on the site’s home page.

The basics of a Tor hidden service honeypot (semi-technical explanation)

Here, in a nutshell, is how the honeypot was built. Techies: I give much more detail on the configuration and setup at the end of the article.

Hidden services running on a portable, virtual machine

The honeypot websites (hidden services) were hosted on a single Linux virtual machine masquerading (somewhat) as a firewalled Windows Server. This virtual configuration allowed for easy takedown and backup of the “machine”.

Use a supplemental Clearnet server

An external Clearnet (Internet) server (angelroar.com) was used to capture Clearnet data. Although accessing the Clearnet through a Tor connection does not reveal the user’s true IP address, it does remove one disadvantage of a Tor hidden service – the exit node IP address is not hidden from the web server. With this setup, if you can trick the user into visiting the Clearnet Internet site, you can use the Clearnet site’s log files to reveal the exit node IP address of the user’s Tor circuit.

Capture raw network packets

Network packets were captured and recorded upon arrival at the Tor server. This provides another means to determine the specific exit node IP address used in the circuit by matching the raw network packets (which contain the user’s exit node IP address) to the website’s activity log.

Proxies everywhere

Proxies come in many varieties and serve many different purposes. In essence, on a hidden services server, Tor itself is a type of proxy which sits between the end user and the web server. For the honeypot machine, I used proxy services placed both before and after the Tor service (in the network chain) in order to provide additional security (for the hidden service website), additional logging sources, and to provide the ability to manipulate the network data packets both before and after they travel through the Tor service.

Database, reporting interfaces, and custom reports

All log files, network packet captures, etc. were stored in a database via a product called Elasticsearch. Using a common data store provides categorization and query facilities for the captured data. This makes reporting and aggregation of data from various sources much easier to report off of.

Can you catch a pedophile on Tor?

The hidden service websites posed as new hidden service sites that were in the process of “coming online”. There was no direct mention of illegal content but it was strongly hinted that what they sought lie behind the curtain. For instance, counterfeit documents were simply referred to as documents, drugs as “product”, and pedophile content as “files”. Using suggestive site names and promoting a sense of secrecy was all it took to convince users that the content that was locked away behind the authentication system was what they were seeking. Thus, users were encouraged to register in order to see what lie behind the authorization system.

The websites were promoted with the promise of a safe, highly secure professional service operating under an tightly-controlled, selective membership process. One site’s tagline read:

“The objective is simple – provide a safe, friendly environment for like-minded people. Membership is selective – and strictly controlled.”

Attention to security is a somewhat different sell from other Dark Web sites which often seem chaotic and uncontrolled. Giving the site a polished look and feel while maintaining a lightweight footprint also hinted at a professionally designed service.

Tor inherently provides anonymity and secrecy – important attributes to the point of fanaticism for Tor users. Emphasizing a “new site” that focuses on security proved to be a great draw. The mention of a “friendly environment for like-minded people” struck a particularly strong chord with the pedophiles.

Potential “members” were told that they must register to access the product (files, chat forums, merchandise, etc.) and that membership was based on five levels. Higher level members were granted more access but to reach those levels, the potential member must complete more and more stringent “tests” to be granted access to the higher membership level and related website content.

All registered users were automatically started at a level 1 “membership level” and were provided more access than a user that had not logged into the site. For instance, content on the website changed after the user logged in and revealed more information about the service as their membership level rose. Also, registered users were given more detailed status updates and security notices than non-registered members.

The various methods used to capture the user’s identifying information were ratcheted up over time. As the days rolled on, more intrusive methods were introduced in an attempt to secure more information about the user while dangling the carrot of “exclusive membership” before them. This period of time allowed a sense of trust to be built between me and the site’s visitors. While they may not have liked the more intrusive methods introduced in order to secure the site, they seemed to appreciate that someone was taking the time to build a solution that took great care to guarantee their anonymity on the Dark Web.

At first, only login data and network packet captures were used to deduce the user’s identity. Later, link traps were introduced before finally introducing a “security scanner” as a requirement to gain the highest level of membership. Of course, in order to validate the client’s machine was secure, the security scanner took a snapshot of their personal computer system (minus 1 point for choosing to run the security scanner in the first place).

Admittedly, after introducing the security scanner, traffic patterns changed. Scans on the server dropped and some of the users who opted to run the software appeared to be government or private researchers. Most visitors were reluctant to run the security scanner but for those that did, their anonymity completely dropped. Around 4-7% of the daily registered users chose to run the scanner and thus, stepped outside of the Tor network and unequivocally revealed their true identity.

Lessons learned from the Tor Hidden Service honeypots

Traffic patterns

Pedophile traffic was shockingly high – magnitudes higher than traffic on the counterfeiting and drug honeypot sites. For instance, after the first five days, the counterfeiting site had two registrations while the faux-drug sales site saw six registrations. Both sites saw hundreds of visitors. The pedophile site however, saw several *thousand* visitors in just five days and brought in over 200 member registrations during its first few days of operation. In addition, the counterfeiting and drug websites saw no additional registrations after five days while the pedophile site continued serving content to over 1,000 visitors each day. By the end of the 14 day test, nearly 600 pedophiles had registered on the honeypot website.

Information the pedophiles freely supplied

Usernames and email addresses

The sites required an email address be used as the username. The reason for this requirement was not disclosed to the visitor leaving them to wonder if an email verification link was going to be used to validate their registration. Out of hundreds of registrations, only a single user complained about having to use their email address to register.

Given the sense of trust within the tight-knit pedophile community, and the site’s emphasis on “community”, “friendship”, and a high level of security, a surprising number of pedophiles freely provided their Clearnet email addresses as their username. The number of legit email addresses was astounding and in many cases, the registered users attempted to communicate with me through these email addresses (despite the fact that one of the conditions that I clearly stated throughout the websites were that I would never communicate with them via email). Note: in order to avoid communication via email, the honeypot sites contained internal messaging systems which provided a permanent record of all conversations – see details below.

On the other hand, a significant number of people provided anonymous email accounts and some obviously made up an email address just to get through the username validation.

Pedophile passwords

No validation requirements were placed on the password field leaving the user to pretty much enter whatever they wanted. Thus, in many cases the passwords were quite disturbing and often sexually suggestive (see samples at end of article). It was obvious that many used legit passwords, likely the same password they would use on other websites. Still, quite a few seemed to use “throwaway” passwords hinting that the user intended to review the site quickly and then move on or change their password to a more permanent password once they were convinced the site was legit.

Comments and suggestions

A “comments, suggestions, and preferences” field was included on the registration form. As with the email addresses and passwords collected, the comments were disturbing (see detailed discussion below). Many freely told me what type of content (i.e. victim) they preferred. Their crass and frank attitudes, as if all of this were perfectly normal, were deeply unsettling.

Information that the pedophiles leaked

Exit node IP address

The exit node IP address does not uniquely identify a visitor but rather, provides the endpoint used in the tor circuit. Regardless, I did find it was surprisingly difficult to determine the user’s exit node IP address from a hidden service web server.

The exit node IP address of the tor circuit was obtained using the two different methods discussed briefly above. The “link trap” method required an active click by the user. A link trap links the user to a Clearnet website where the exit node IP address of the particular circuit becomes easily visible and allows for capture of other information as well (browser version, operating system – all the typical data a Clearnet website can capture). Ironically, the link trap clearly linked to web services on another website that I own and operate – angelroar.com, a website for victims of child abuse.

The honeypot application programmatically created an exclusive custom link for each user that visited the page in order to provide the means to uniquely identify the visitor. This custom link was passed to the page hosted on the Clearnet Internet website in order to isolate the user that clicked through. The Clearnet site subsequently displayed a stock HTTP error on a plain white page in order to encourage the user to quickly “back arrow” through their browser history to take them back to the Tor site (hopefully, before noticing the URL was a Clearnet site). Normal traffic on the Clearnet site did not increase allowing me to deduce that most visitors did not recognize that they had been redirected to an off-Tor Internet website.

Network packet captures also provide the exit node IP address but since the packets are encrypted, there is no easy way to tie them to the website user once the packet reaches the webserver. The Tor network packets can be recognized however, particularly the SSL negotiation that occurs at the beginning of the Tor hidden service connection. Since traffic on a Tor website is low, the packets can be recorded and timing used to determine which packet corresponds to the HTTP web server traffic. A simple query against the Elasticsearch database that was filtered on time (to the millisecond) would tie the exit node IP address for the Tor circuit to the user’s browsing session.

Of course, the problem with exit nodes is that a substantial number are professionally hosted. Many hosts contribute hundreds of exit nodes to the Tor network. Often these hosts provide other anonymous services hinting that no logs are kept of the Tor exit node traffic and thus, guaranteeing anonymity for the user whose circuit is directed through their exit node. This scenario differs from a normal Tor-user who could expect a visit from legal authorities if illegal content passes through their exit node.

The pedophile’s true IP address

A “security scanner” was offered to registered users and described as a Tor security test to ensure the client’s configuration was secure and correctly configured (a requirement placed on the user before being granted a higher membership level). The premise behind this requirement was pitched as this:

“Nobody is granted higher level access to the site until they have proven that their client configuration is safe, secure, with no leaks. A weak client puts everyone at risk.”

The scanner is a simple Windows program which grabs network configuration information from the client machine along with the login username, running processes, software installed, and a sample of filenames from the user’s My Pictures folder. Indeed, analysis of these items could be used to determine whether a user’s machine configuration were secure and worthy of elevated access to the website (in one instance I saw signs of malware running on the user’s computer and in another instance, picture file names suggesting a professional researcher). Not only is the collected information related to client security measurement, but it reveals without question, the true identity of the user including their PC footprint, Windows username, real name, true IP address, internal network IP address (if on a home or business network), and much more.

Since site visitors were already providing their Clearnet email addresses, real names, and clicking through the Clearnet link trap, I shouldn’t have been surprised that they would also choose to execute the security scanner. During each of the last five days, about 4-7 percent of the daily registered users opted to run the security scan leaking their real name and true external IP address. Had I been the FBI, they would have been caught.

The disturbing details pedophiles revealed

Pedophiles operate within their own tight online communities

In just two weeks, I discovered much that I had not known about pedophile behavior. For instance, pedophiles form their own tight-knit communities and within those communities, a deep sense of trust is developed. Despite visitors knowing nothing about my new website, I managed to invoke this sense of trust in many of the visitors. One user mentioned not hearing about the website in “the usual forums”, my first clue that they operated within their own trusted online communities on the Dark Web.

jetspizza@sigaint.org: Looking for a new community, others are stale.

Humphreez@mail2tor.com: I am interested in a place where I can share some of my uploads and communicate with other like minded people with similar interests.

Pedophiles have their own slang

In more than one instance, the pedophiles slang caught me off-guard and left me puzzled. Some of their slang was easy to figure out. Other terms were just bizarre. Below are several of the slang terms used by the pedophiles when communicating with me.

CP – child pornography – was easy enough to figure out

amy1234567@fuck.com: give me cp

PTHC – Preteen hardcore.

beso**esta@hotmail.com: i found a good pthc streaming site the other nite and want MORE

TK – Toddler/Kindergarten

anonymous@anonymous.com: [like] tk, lolitas.

Lolita – 6-10 year olds

jon_doe60@yahoo.com: adore lolitas elen***son.ar@gmail.com: I love lolita

Nu or nubile – older sexually mature teenager

jones***@gmail.com: I prefer young but developed nubile girls 14 and up

Hebe – “hebe” was the ancient Greek god of youth. It means “youth” or “prime of life”. It also refers to hebephilia, the sexual preference to girls of ages 11 through 13 (pre-teen ages).

awesome**@gmail.com: Happy Hebe!

taken2@nothere.com: hebe girls are good

PT – In pedophile slang, “pt” refers to pre-teens or early “hebe’s”.

JB – “jb” refers to “just budding”, a reference to a female body in the early stages of puberty, or “jailbait”.

In this particularly disturbing case, a father of three hints that he is willing to share pictures of his children.

npt@hotmail.com: hi im a married dad of 3, i prefer girls from pt to jb. I’m looking forward to joining in and sharing in the community

Pedophiles have clearly defined sexual preferences

I also found that pedophiles have clearly defined sexual preferences, particularly with regards to the age range of the victims – and they were quite eager to share these preferences with me.

noo**man@hotmail.ru: [I like] girls 11-14

jchall321**@hotmail.com: 10 – 12 yo girls penetration

gio@gmail.cn: Girls 10 yo

ybdiqrgq@guerrillamailblock.com: I like girls age 8-13

ronjeremy@safe-mail.net: 5-10 yo

svendros**t@gmail.com: girls, 6-12

ghsfgyb@sfh.nlt: girls 6 -14

drey**@net.com: 3-10 age

taikhoanmu**@yahoo.com: love young girls

biguccel**@outlook.com: like baby pussy

Many visitors to the site appeared to be active pedophile predators

Several visitors to the pedophile honeypot did more than look at pictures – many actively abuse children. Apparently some pedophile sites offer means for pedos to “date”, “sell”, or “trade” children with each other as evidence by visitors who asked for a “dating service” to lure children in.

ukkinky@safe-mail.net : Will you offer dating??

Many visitors offered photos from their “private collection” as a means to bribe me for entrance to the website. They took care to note that the material they were offering me was original. One pedophile even sent me a link to a picture of a “young New York girl” that he took (I did not click through).

mcloll**@gmail.com: Have original mat approve me 🙂

whinceypuffi**@gmail.com: Let me in please .i have original mat

andreiovi**@gmx.com: Want to look around to see what I can offer you.

The results were surprising, and alarming (I guess I secretly hoped that pedophiles sought pictures and nothing more). Unfortunately, I later researched and found a Mayo study (further supported by a later federal prison study) which found that more than 3/4 of persons convicted of possessing child pornography admitted to actively molesting children. Thus my dream of a slightly less-evil world was shattered.

The end of the experiment (what a relief – it’s over)

Rather than alert the hidden service visitors to the true purpose of the site, after 14 days, the honeypot sites were shutdown with no notice and no explanation. No matter how much I wanted to act on my anger and scare the holy shit out of those who had been identified, I decided to depart quietly and leave the playing field open for authorities and other security researchers.

Note: Stepping on the toes of legal authorities or impeding ongoing investigations should always be a concern for honeypot operators. On two different occasions I contacted legal authorities about the project and offered to provide full sets of data that had been collected. The first contact was before the hidden services went online (at which time I reported a few pedophiles sites that the Dark Web spider had uncovered), the second contact a few days before the hidden services were shut down (at which time I notified them that I was about to take the Dark Web pedophile honeypot offline with the intent to hand over the VM and/or data collected during the project if they were interested).

Retrospection

To date I have not brought the honeypots back online. The Tor host file and private key were deleted just in case the hidden services accidentally went online when I started the VM and thus, the website addresses are gone forever. In retrospect, here are items I would have done differently or will do differently if I ever decide to kick the project back off again.

Add an additional “legit” hidden services site

In retrospect, I should have added a fourth “legit” website against which I could have measured non-criminal Tor traffic. Many Tor supporters of course, disliked this project (and told me so), believing it intended to blacken Tor’s eye (it did not). A more balanced array of hidden services would have lent credence to my claim that the Tor network is widely abused.

Monitor a pool of Tor nodes

This one’s tricky since I’m not familiar enough with Tor’s traffic patterns. Still, having a variety of host machines available, it would be interesting to implement and monitor a pool of Tor nodes and attempt to coordinate traffic across the nodes (packet counting, timing, etc.). I’m just not sure how many nodes it would take, how beneficial owning both entry and exit nodes would be, and/or how long they’d have to run to produce results.

Put up a functioning chat board with uploads disabled

Given more time, a functioning (but moderated) chat board could have provided additional information without drawing too much suspicion. Uploads of course, would have been disabled and promoted as a feature of a higher membership level.

TECH BACKGROUND: Honeypot configuration

Linux on a VMWare virtual machine

The server ran a secure Linux variant (Debian) on a VMWare virtual machine. The server included a copy of a “hacking installation” chock full of hacking and penetration testing tools that I could quickly invoke if needed.

Firewalled (lightly)

Although the server was hardened, I wanted to allow some hack attempts through. Thus the firewall was left loosely configured with the understanding that I would rely on the IDS systems to capture and report malicious network traffic.

Bro, Snort, and OSSEC IDS systems

Three different IDS systems were used. Bro provides good, configurable alerts and programmatic access. All Bro alerts were sent to the Elasticsearch database.

Snort was run in promiscuous mode, capturing low level detail from the network packets. Barnyard was used to parse Snort’s binary packets and to insert the results into the Elasticsearch database.

Finally, OSSEC IDS was used to alert me to any true malicious traffic.

A fourth pseudo-IDS, a custom programmed alert system, was operated at the application level. The applications within the honeypot website watched for certain events and user actions (including CSRF attacks, of which I saw a few) and used this custom IDS to inject messages into a log file which was also fed into the Elasticsearch database.

Squid proxy

A squid proxy placed before Tor allowed the examination and manipulation of packets before they entered Tor. I had originally intended to inject the exit node IP address into the header using Squid.

Tor hidden services

Tor was configured to point to three different virtual web servers. Initially Scallion was used to generate a custom vanity URL for the Tor hidden service but in the interest of portability (users were told that for security reasons, the onion address of the website would be rotated every 90 days), I decided to use Tor’s generated hidden service key and address instead.

Tor, acting as a proxy, passes its traffic to the web server service. Since traffic arriving at the web service comes from the Tor proxy, the IP address is lost. In other words, the only way the web server can communicate to the Tor client is via the Tor proxy. This provides great anonymity for the client but makes analysis on the server side more difficult.

Pound proxy

Pound, a security-focused proxy service, was placed after Tor to allow examination and manipulation of the packets after they exited Tor (just before they were delivered to the web service).

Web server

Four virtual web servers were run through a single web service – three fake hidden service websites and one Clearnet admin interface for reporting and monitoring.

Two other web servers (Apache and nginx, aka Engine X) were installed and used for services such as Elasticsearch, Kibana, and Graylog2 web reporting interfaces.

Elasticsearch

All logs were sent to Elasticsearch, either directly from the logging application or via a intermediate utility such as Barnyard (for conversion and insertion of Snort binary logs). In many instances, raw versions of the logged events and/or network packet captures were also stored (redundantly) in a MySQL database.

Graylog2 and Kibana for reporting and dashboards

Most proxy services (e.g. Bro, Snort, Barnyard) had to be configured to parse their traffic into discrete fields that could be stored in the Elasticsearch database. Then Graylog2 and Kibana web interfaces were used to further parse, query, sort, and filter the data elements sent from the various proxy services.

Misc. services

Firewall status, website log, and server resources (CPU, memory, and network traffic) were actively monitored in real-time throughout the project.

Since the machine (a VM) was shutdown (briefly) quite often (primarily for frequent backups although the website users were told I was conducting security tests), startup scripts were used and each service scheduled to start on bootup.

Custom code framework

All three of the hidden service websites used a common code framework. The site’s colors, headers, and frequently used information (e.g. site name, description) were easily changeable via configuration parameters in order to give each site a somewhat unique appearance. All custom code (e.g. messaging, logging, registration and login, etc.) was shared between the sites and each site given a unique identifier. Each record inserted into the database was tagged with this unique identifier in order to delineate which site the recorded activity occurred on.

TECH BACKGROUND: the honeypot traps and supporting software

Custom IDS log

A custom IDS log was used to record each time a visitor hit the site, when they log in, and to capture data from any malicious hacking attempts. Attempts to hack the site were much less common that I had anticipated. A few CSRF attacks were attempted and of course there were a few port scans. On at least one occasion, I suspected a light DOS attack was attempted. From user comments, I could tell that a handful of visitors were noble hackers looking to take down a pedophile site.

As with the other IDS system, all alerts were sent to the Elasticsearch database where Graylog2 and Kibana made it easy to categorize and view results.

Login information

Login information captured the visitors username (email address), password (saved in cleartext for research purposes), name (on occasion it appears as if they supplied their real name), and opportunity to pass along comments, suggestions and preferences.

A custom report was created to allow easy monitoring of new registrations and user logins.

Messaging

Each hidden service website emphasized that I would not communicate via email – not even anonymous email. A custom messaging system was used on each website. Messages sent through the “contact me” form were tagged with user login information. Responses to these messages were entered through an administrative interface and delivered to the end user via a “messaging” panel located on the sidebar of each page. With a design such as this, I had an easy means to record and save each conversation as well as providing an intermediary interface to isolate me from outside attacks or potential leaks.

IDS systems and network packet captures

Bro, Snort, and OSSEC IDS (intrusion detection systems) were installed. Snort ran in promiscuous mode to capture detailed packet information. Barnyard was used to parse the packets and insert into the Elasticsearch database.

Bro proved most useful for this project. It is easy to configure and flexible, allowing me to dictate which types of alerts were included in the service’s compilation and what type of data should be captured.

Link traps

The link traps captured just under 1,000 Tor exit node IP addresses gleaned from an active user click on a link on the site’s FAQ page (e.g. “Click here for samples”). When the FAQ page loaded, the link was generated with a unique identifiers. Each time the page that included the link trap was loaded, the identifier was generated and inserted into a MySQL database on the Tor machine.

The link pointed to a Clearnet website which recorded all browser and network traffic information into another MySQL database on the Clearnet machine. Each record recorded in the Clearnet database was keyed with the unique identifier passed from the Tor site.

An hourly Cron job ran to reconcile and consolidate the results. The job, a PHP application (I’m a C# programmer by trade so this project provided much needed PHP practice), used a web service on the Clearnet machine to retrieve the database results, match the record from the Clearnet host to the corresponding Tor host record. If the link was never clicked (leaving an “empty” record in the Tor host database), it was purged automatically after a couple of hours.

A custom report was written to allow easy viewing of link trap results.

Offsite web services

Offsite web services were used to communicate with the Clearnet host. The link trap mentioned above and the security scanner discussed below utilized these web services.

The Security Scanner

After 12 days of operation, the final and most intrusive attempt to trap user information was introduced. A small Windows program was written to pop as a small window which displayed “scan progress and results”. A long intro was displayed when the program started up. This intro explained what the scanner would do and noted that the user had the option to cancel out of the scan at any time. What was not mentioned however, was that the scan ran while they were reading the intro. The option to cancel merely flagged the scan results as “cancelled” and would have purged them from the database had anyone actually attempted to cancel the scanner program. During its operation, only a single person cancelled out of the scanner (and they quickly returned to run it again to completion).

The security scanner provided a security snapshot and unique footprint of the machine. All of the information from the scan was delivered to a remote Clearnet server via a web service where it was recorded in a database on the Clearnet host. Another web service was used by a scheduled job on the Tor host to retrieve the results, parse the data, and store the results in a database on the Tor server where they could be manually reviewed.

A report was created to allow easy viewing of the data. Items recorded included the machine’s true external IP address and host name, the internal IP address (e.g. 192.168.*.*), the OS and version, number of CPUs, user domain, all local networking interfaces and their IP addresses, the Windows username of the logged in user, a list of drive devices and their status, the path to the browser’s cookie file, all installed software on the machine, all running processes on the machine, and a sample of filenames from their My Pictures directory.

It should be pointed out that this was *not* malware. It did not retrieve passwords or a list of Windows users, did not replicate, and in fact, was run voluntarily by the user. The user was informed that a “security scan” was going to be run on their machine and in an effort to gain access to the secured content, they freely chose to run the scan. Also, nothing secret or permanent was installed on the machine during the execution of the scanner application.

Updates

Update (7/9/15): I have received comments from Tor supporters and project leaders expressing concern over the headline of this post. Before assuming the headline says it all, please read the entire article. The headline *does* reflect my underlying feelings, disappointment that the anonymity provided by the Tor network is being widely abused, but does not imply I feel the network is without purpose. I run Tor myself, operate a hidden service (legit), run a private VPN on several machines, and use encryption all over the place. Tor provides a beneficial, possibly even crucial, service – but I firmly believe that if we continue to hide our heads in the sand, we may well lose the right to utilize it.

Update (12/7/15): And so it begins… According to French newspaper Le Monde, authorities in Paris are considering banning the use of TOR. It would be one of a range of measures passed in response to last month’s terror attacks. As I stated months before, if we allow the abuse of tor, we could lose it.

Update (1/23/16): When news broke this week that the FBI had been running a confiscated dark web pedophile site in 2015, I noticed that their means differed only slightly from mine – they planted malware (they refer to it as not-so-evil NIT) on the user’s machine without their knowledge while my honeypot explained exactly what the software was going to do (scan their machine). Still, I was a bit disappointed with the FBI’s results. The numbers they released seemed a bit bogus to me, especially given the web site’s preexisting user base.

I cannot say I was surprised that the FBI was running a honeypot around the same time as I was. When I brought down the pedophile honeypot last year, I did not reveal all of the story. Firstly, as I mentioned in the article, I had contacted the FBI twice during my two-week run and each contact was ignored. I figured either they did not want to draw attention to the issue or they simply didn’t care. In retrospect, I now see that they would not have wanted to promote the news that dark web users can be tracked.

Secondly, shortly after running this article, I was contacted by the editor of a major news organization. In their initial contact, the indicated they were interested in running a piece on the pedophile honeypot. A few days after the initial contact, we spoke on the phone and I was told they had decided to not run the story. The editor explained that they had talked to their “consultant” who had personal contacts within a major nation-wide law enforcement agency. The consultant “suggested” to the media outlet, that unless my honeypot resulted in arrests, they should not run the story. As quickly as the media organization expressed keen interest in the story, they killed it. I had the feeling at the time that something was going on – either an INTERPOL or FBI operation. The news released this week reveals it was both.

Supporting technical information

Sample of link traps (exit node IP addresses used in the Tor circuit)

176.10.99.205 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.205 2015/06/24 14:06:56 5.175.221.164 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 started.namedhumanoid.com 2015/06/24 17:58:25 142.4.213.25 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 heaven.tor.ninja 2015/06/24 18:06:24 37.130.227.133 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torland1-this.is.a.tor.exit.server.torland.is 2015/06/24 18:44:48 91.51.190.145 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko p5B33BE91.dip0.t-ipconnect.de 2015/06/24 18:46:50 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/24 18:48:47 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/24 18:48:59 178.62.80.124 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor2.aurka.com 2015/06/24 19:23:26 171.25.193.77 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit1-readme.dfri.se 2015/06/24 19:30:10 171.25.193.77 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit1-readme.dfri.se 2015/06/24 19:48:08 77.109.138.42 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor4e1.privacyfoundation.ch 2015/06/24 19:57:16 166.70.181.109 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 166-70-181-109.xmission.com 2015/06/24 20:54:57 94.242.246.24 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 orion.enn.lu 2015/06/24 22:06:30 91.109.247.173 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit2-readme.puckey.org 2015/06/24 22:06:54 109.163.234.8 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 edwardsnowden1.torservers.net 2015/06/24 22:21:30 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/24 22:23:09 217.23.7.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 customer.worldstream.nl 2015/06/24 22:28:26 217.23.7.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 customer.worldstream.nl 2015/06/24 22:28:47 78.108.63.46 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 assk.torservers.net 2015/06/24 22:30:00 50.7.138.125 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 50.7.138.125 2015/06/24 22:52:50 89.105.194.82 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/24 22:57:49 185.77.129.110 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 hosted-by.securefastserver.com 2015/06/24 23:00:40 178.20.55.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 marcuse-1.nos-oignons.net 2015/06/24 23:16:27 99.174.193.112 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36 99-174-193-112.lightspeed.ftwotx.sbcglobal.net 2015/06/24 23:32:26 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/24 23:34:12 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/24 23:40:50 78.46.51.124 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit1.arbitrary.ch 2015/06/24 23:54:41 5.135.158.101 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 cloud.tor.ninja 2015/06/25 00:21:42 5.135.158.101 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 cloud.tor.ninja 2015/06/25 00:22:08 178.63.97.34 Mozilla/5.0 (Linux; Android 4.4.2; BLOOM Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 tor-exit-01.thehappy3.com 2015/06/25 00:21:56 178.63.97.34 Mozilla/5.0 (Linux; Android 4.4.2; BLOOM Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 tor-exit-01.thehappy3.com 2015/06/25 00:25:10 85.25.103.119 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 static-ip-85-25-103-119.inaddr.ip-pool.com 2015/06/25 00:27:30 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/25 00:39:02 91.109.247.173 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit2-readme.puckey.org 2015/06/25 00:53:36 176.10.99.204 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.204 2015/06/25 00:56:37 212.47.245.34 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 exit-node.tor.tpbt.ch 2015/06/25 01:14:47 85.17.24.66 Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; SM-T110 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 85.17.24.66 2015/06/25 01:23:35 92.28.91.255 Mozilla/5.0 (PLAYSTATION 3 4.70) AppleWebKit/531.22.8 (KHTML, like Gecko) 92.28.91.255 2015/06/25 01:23:52 92.28.91.255 Mozilla/5.0 (PLAYSTATION 3 4.70) AppleWebKit/531.22.8 (KHTML, like Gecko) 92.28.91.255 2015/06/25 01:24:02 85.9.20.145 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 85.9.20.145 2015/06/25 01:40:54 85.9.20.145 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 85.9.20.145 2015/06/25 01:41:35 85.10.210.199 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 r2.geoca.st 2015/06/25 01:45:47 192.42.116.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.hartvoorinternetvrijheid.nl 2015/06/25 02:04:36 85.10.210.199 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r2.geoca.st 2015/06/25 02:22:46 162.247.72.217 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 perry.fellwock.tor-exit.calyxinstitute.org 2015/06/25 03:06:12 81.89.96.89 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 luxemburg.gtor.org 2015/06/25 03:09:36 37.130.227.133 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torland1-this.is.a.tor.exit.server.torland.is 2015/06/25 04:12:15 37.130.227.133 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torland1-this.is.a.tor.exit.server.torland.is 2015/06/25 04:12:28 37.130.227.133 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torland1-this.is.a.tor.exit.server.torland.is 2015/06/25 04:13:09 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/25 04:18:02 178.217.187.39 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.xshells.net 2015/06/25 04:23:18 176.10.99.208 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.208 2015/06/25 04:44:41 176.10.99.208 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.208 2015/06/25 04:44:48 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/25 04:51:28 94.242.246.23 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 destiny.enn.lu 2015/06/25 04:59:26 149.91.82.139 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 clicariom.com 2015/06/25 05:08:49 149.91.82.139 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 clicariom.com 2015/06/25 05:08:58 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/25 05:09:49 185.36.100.145 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-proxy-readme.cloudexit.eu 2015/06/25 05:33:07 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/25 05:49:43 85.10.210.199 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r2.geoca.st 2015/06/25 06:01:15 85.10.210.199 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r2.geoca.st 2015/06/25 06:01:25 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/25 06:28:11 96.47.226.20 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 bolobolo1.torservers.net 2015/06/25 07:10:34 209.126.110.113 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-d.tor-exit.network 2015/06/25 07:44:34 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/25 07:45:27 209.126.110.113 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-d.tor-exit.network 2015/06/25 07:44:49 108.166.168.158 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 puffy.keystretch.com 2015/06/25 07:47:26 62.210.237.85 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor.gansta93.com 2015/06/25 08:24:26 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/25 08:37:31 89.31.57.5 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 dreamatorium.badexample.net 2015/06/25 09:21:32 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/25 09:27:34 176.10.99.209 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.209 2015/06/25 11:28:18 50.7.159.178 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 50.7.159.178 2015/06/25 11:41:43 91.109.247.173 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit2-readme.puckey.org 2015/06/25 12:13:39 109.163.234.8 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 edwardsnowden1.torservers.net 2015/06/25 13:12:48 109.163.234.8 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 edwardsnowden1.torservers.net 2015/06/25 13:14:31 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/25 13:25:56 89.31.57.5 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 dreamatorium.badexample.net 2015/06/25 13:51:46 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/25 14:44:28 188.138.17.15 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-01.tor-exit.network 2015/06/25 14:48:19 162.247.72.216 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 phoolandevi.tor-exit.calyxinstitute.org 2015/06/25 14:56:10 128.52.128.105 Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SGH-T769 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 tor-exit.csail.mit.edu 2015/06/25 15:12:20 91.213.8.43 Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36 s43.justhost.in.ua 2015/06/25 15:17:54 91.109.247.173 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit2-readme.puckey.org 2015/06/25 15:28:22 96.44.189.101 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 manning2.torservers.net 2015/06/25 15:28:53 209.222.8.196 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 madiba.guilhem.org 2015/06/25 15:41:30 209.222.8.196 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 madiba.guilhem.org 2015/06/25 15:42:22 209.222.8.196 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 madiba.guilhem.org 2015/06/25 15:42:30 89.105.194.88 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/25 15:46:46 78.46.51.124 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit1.arbitrary.ch 2015/06/25 16:01:31 95.211.229.158 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.dnslab.nl 2015/06/25 16:08:39 89.105.194.75 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/25 16:29:37 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/25 16:43:45 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/25 16:52:35 89.105.194.75 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/25 17:21:44 171.25.193.77 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit1-readme.dfri.se 2015/06/25 17:32:22 84.53.203.38 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 84.53.203.38 2015/06/25 17:45:56 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/25 18:01:59 78.108.63.46 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 assk.torservers.net 2015/06/25 18:09:22 199.87.154.251 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 199.87.154.251 2015/06/25 18:10:33 62.210.105.116 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 62-210-105-116.rev.poneytelecom.eu 2015/06/25 18:30:03 94.242.251.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 balo.jager.io 2015/06/25 18:48:11 176.10.99.205 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.205 2015/06/25 19:07:21 91.109.247.173 Mozilla/5.0 (Linux; Android 4.4.2; LG-D100 Build/KOT49I.A1405960633) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 tor-exit2-readme.puckey.org 2015/06/25 19:22:19 79.98.107.90 Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 79.98.107.90 2015/06/25 19:30:52 185.77.129.110 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 hosted-by.securefastserver.com 2015/06/25 19:39:57 31.172.30.2 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor19.anonymizer.ccc.de 2015/06/25 20:40:05 188.138.17.15 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 nx-01.tor-exit.network 2015/06/25 20:44:57 188.138.17.15 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 nx-01.tor-exit.network 2015/06/25 20:45:12 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/25 20:47:18 5.135.158.101 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 cloud.tor.ninja 2015/06/25 20:50:44 78.46.51.124 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit1.arbitrary.ch 2015/06/25 20:54:57 194.150.168.79 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 194.150.168.79 2015/06/25 21:10:40 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 ncc-1701-a.tor-exit.network 2015/06/25 21:29:45 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 ncc-1701-a.tor-exit.network 2015/06/25 21:29:59 93.174.93.63 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.nip.su 2015/06/25 21:42:08 85.25.103.119 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 static-ip-85-25-103-119.inaddr.ip-pool.com 2015/06/25 21:47:04 89.105.194.81 Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/25 22:04:21 89.105.194.81 Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/25 22:04:32 213.61.149.100 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 h-213.61.149.100.host.de.colt.net 2015/06/25 22:49:18 213.61.149.100 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 h-213.61.149.100.host.de.colt.net 2015/06/25 22:49:22 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/25 23:22:41 188.138.17.15 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-01.tor-exit.network 2015/06/25 23:31:00 96.44.189.100 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 manning1.torservers.net 2015/06/25 23:37:12 37.130.227.133 Mozilla/5.0 (Linux; Android 4.4.2; LG-D100 Build/KOT49I.A1405960633) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 torland1-this.is.a.tor.exit.server.torland.is 2015/06/25 23:39:17 91.230.121.131 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 energeticactivities.com 2015/06/26 01:04:15 37.187.107.210 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 fenix.nullbyte.me 2015/06/26 01:49:32 94.142.245.231 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-1.zenger.nl 2015/06/26 02:08:33 67.202.109.194 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ip194.67-202-109.static.steadfastdns.net 2015/06/26 02:56:30 91.230.121.131 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 energeticactivities.com 2015/06/26 03:02:46 62.210.37.82 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 62-210-37-82.rev.poneytelecom.eu 2015/06/26 04:20:50 207.201.223.195 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 aokemail.aokc.net 2015/06/26 05:16:26 176.10.99.208 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.208 2015/06/26 05:32:24 209.126.110.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-74205.tor-exit.network 2015/06/26 05:32:23 62.210.105.116 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 62-210-105-116.rev.poneytelecom.eu 2015/06/26 05:37:14 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/26 06:54:00 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/26 06:56:36 37.187.125.24 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 choucoco.webhop.me 2015/06/26 07:35:50 35.0.127.52 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.eecs.umich.edu 2015/06/26 07:36:45 209.126.110.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-74205.tor-exit.network 2015/06/26 07:55:27 209.126.110.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-74205.tor-exit.network 2015/06/26 07:59:19 209.126.110.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-74205.tor-exit.network 2015/06/26 07:59:50 109.163.234.9 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 edwardsnowden2.torservers.net 2015/06/26 10:11:27 81.89.96.88 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 enjolras.gtor.org 2015/06/26 12:11:48 94.242.246.24 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 orion.enn.lu 2015/06/26 12:15:32 35.0.127.52 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.eecs.umich.edu 2015/06/26 12:17:42 188.138.17.15 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-01.tor-exit.network 2015/06/26 12:19:16 212.227.38.247 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-proxy.de.siekmann.net 2015/06/26 12:45:28 46.36.36.127 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 127-36.hukot.net 2015/06/26 12:45:47 212.227.38.247 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-proxy.de.siekmann.net 2015/06/26 12:47:57 46.36.36.127 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 127-36.hukot.net 2015/06/26 12:49:28 96.44.189.101 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 manning2.torservers.net 2015/06/26 13:24:44 62.212.89.117 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 vps.zetservers.com 2015/06/26 13:26:20 91.213.8.43 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 s43.justhost.in.ua 2015/06/26 13:27:16 162.247.72.199 Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; Kogan-Agora Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 jaffer.tor-exit.calyxinstitute.org 2015/06/26 13:31:55 176.106.54.54 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 host-176-106-54-54.icom.lv 2015/06/26 14:10:41 209.126.110.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-74205.tor-exit.network 2015/06/26 14:19:14 91.109.247.173 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 tor-exit2-readme.puckey.org 2015/06/26 14:19:18 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/26 14:20:33 79.136.42.226 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 h-42-226.a357.priv.bahnhof.se 2015/06/26 14:26:59 96.47.226.22 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 wannabe.torservers.net 2015/06/26 14:49:58 96.47.226.21 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 bolobolo2.torservers.net 2015/06/26 15:00:41 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/26 15:17:32 89.234.157.254 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 marylou.nos-oignons.net 2015/06/26 15:18:22 91.213.8.235 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 91.213.8.235 2015/06/26 15:47:19 149.202.98.160 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 2.tor.exit.babylon.network 2015/06/26 16:01:04 173.254.216.69 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 exit-01d.noisetor.net 2015/06/26 16:01:55 192.42.116.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.hartvoorinternetvrijheid.nl 2015/06/26 17:13:06 192.42.116.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.hartvoorinternetvrijheid.nl 2015/06/26 17:13:14 50.7.138.125 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 50.7.138.125 2015/06/26 17:45:40 109.163.234.9 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 edwardsnowden2.torservers.net 2015/06/26 17:51:46 31.172.30.2 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor19.anonymizer.ccc.de 2015/06/26 18:05:51 109.163.234.9 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 edwardsnowden2.torservers.net 2015/06/26 18:20:41 109.163.234.9 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 edwardsnowden2.torservers.net 2015/06/26 18:24:54 188.138.17.15 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-01.tor-exit.network 2015/06/26 18:34:55 85.25.103.119 Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 static-ip-85-25-103-119.inaddr.ip-pool.com 2015/06/26 18:34:45 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/26 19:16:00 77.109.139.27 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor5e2.privacyfoundation.ch 2015/06/26 19:26:21 72.52.91.30 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.7by7.de 2015/06/26 19:30:58 91.109.247.173 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit2-readme.puckey.org 2015/06/26 20:22:09 109.163.234.5 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 hessel3.torservers.net 2015/06/26 20:23:27 95.215.47.34 Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69 tor-exit-node1 2015/06/26 20:35:31 95.215.47.34 Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69 tor-exit-node1 2015/06/26 20:35:50 176.10.99.208 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.208 2015/06/26 20:41:34 173.254.216.66 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 exit-01a.noisetor.net 2015/06/26 20:58:56 50.7.138.125 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 50.7.138.125 2015/06/26 21:04:30 50.7.143.20 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 50.7.143.20 2015/06/26 21:40:25 35.0.127.52 Mozilla/5.0 (Linux; Android 5.1.1; One Build/LRX22C.H3) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/39.0.0.0 Mobile Safari/537.36 tor-exit.eecs.umich.edu 2015/06/26 21:50:22 35.0.127.52 Mozilla/5.0 (Linux; Android 5.1.1; One Build/LRX22C.H3) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/39.0.0.0 Mobile Safari/537.36 tor-exit.eecs.umich.edu 2015/06/26 21:51:05 77.109.139.87 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 load-me-in-a-browser-if-this-tor-node-is-causing-you-grief.riseup.net 2015/06/26 22:08:59 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/26 22:26:09 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/26 22:28:58 89.234.157.254 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 marylou.nos-oignons.net 2015/06/26 23:51:13 193.11.137.126 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 c-137-126-vas-l3.cust.mdfnet.se 2015/06/26 23:56:59 89.105.194.78 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/27 00:13:12 193.11.137.126 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 c-137-126-vas-l3.cust.mdfnet.se 2015/06/27 00:18:43 193.11.137.126 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 c-137-126-vas-l3.cust.mdfnet.se 2015/06/27 00:19:07 188.138.17.15 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-01.tor-exit.network 2015/06/27 00:42:30 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/27 00:48:21 96.47.226.21 Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0 bolobolo2.torservers.net 2015/06/27 01:17:01 81.193.140.220 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 bl4-140-220.dsl.telepac.pt 2015/06/27 02:19:18 78.108.63.46 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 assk.torservers.net 2015/06/27 02:26:21 178.175.128.50 Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 178-175-128-50.ip.as43289.net 2015/06/27 02:25:55 37.46.122.69 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 swe-net-ip.as51430.net 2015/06/27 02:44:07 93.126.101.223 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 ip-65df.proline.net.ua 2015/06/27 03:16:34 96.47.226.21 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 bolobolo2.torservers.net 2015/06/27 04:08:41 188.138.17.15 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-01.tor-exit.network 2015/06/27 05:32:57 192.42.116.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.hartvoorinternetvrijheid.nl 2015/06/27 05:47:04 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/27 06:32:24 171.25.193.78 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit4-readme.dfri.se 2015/06/27 06:34:53 78.61.12.99 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 78-61-12-99.static.zebra.lt 2015/06/27 06:45:20 78.61.12.99 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 78-61-12-99.static.zebra.lt 2015/06/27 06:52:12 178.20.55.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 marcuse-1.nos-oignons.net 2015/06/27 06:56:14 178.20.55.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 marcuse-1.nos-oignons.net 2015/06/27 06:56:58 85.17.24.66 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 85.17.24.66 2015/06/27 07:13:51 81.89.96.89 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 luxemburg.gtor.org 2015/06/27 07:18:30 37.130.227.133 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torland1-this.is.a.tor.exit.server.torland.is 2015/06/27 07:30:04 91.229.77.64 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 64-77-229-91.deltahost.com.ua 2015/06/27 08:09:46 209.126.110.113 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-d.tor-exit.network 2015/06/27 08:16:28 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/27 09:30:49 141.138.141.208 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-141-138-141-208.colo.transip.net 2015/06/27 10:16:32 141.138.141.208 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-141-138-141-208.colo.transip.net 2015/06/27 10:16:38 109.163.234.4 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 hessel2.torservers.net 2015/06/27 10:49:53 185.17.184.228 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.xzyqvk.co.uk 2015/06/27 11:12:59 81.7.8.101 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 e4-10.rana.at 2015/06/27 11:20:30 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/27 12:20:38 35.0.127.52 Mozilla/5.0 (Linux; Android 5.1.1; Nexus 7 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Safari/537.36 tor-exit.eecs.umich.edu 2015/06/27 12:52:56 193.138.216.101 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-proxy.vm.31173.se 2015/06/27 13:03:47 166.70.207.2 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 this.is.a.tor.node.xmission.com 2015/06/27 13:21:05 166.70.207.2 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 this.is.a.tor.node.xmission.com 2015/06/27 13:21:47 178.248.111.5 Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0 178.248.111.5 2015/06/27 13:26:42 89.105.194.87 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/27 13:28:34 96.44.189.100 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 manning1.torservers.net 2015/06/27 14:01:17 94.242.251.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 balo.jager.io 2015/06/27 14:02:10 109.163.234.4 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 hessel2.torservers.net 2015/06/27 14:05:52 81.89.96.88 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 enjolras.gtor.org 2015/06/27 15:06:50 176.10.99.202 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.202 2015/06/27 15:24:47 176.10.104.243 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor2e1.privacyfoundation.ch 2015/06/27 15:31:48 94.242.246.23 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 destiny.enn.lu 2015/06/27 15:45:27 91.219.236.218 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 none.0.azar-a.net 2015/06/27 16:01:32 192.43.244.42 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torrouter.ucar.edu 2015/06/27 18:06:37 205.197.242.183 Mozilla/5.0 (Android; Mobile; rv:25.0) Gecko/25.0 Firefox/25.0 205.197.242.183 2015/06/27 19:19:46 89.187.142.208 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 exit1.torproxy.org 2015/06/27 19:47:50 77.109.139.27 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor5e2.privacyfoundation.ch 2015/06/27 19:51:56 46.227.69.242 Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0 cli261.ovpn.se 2015/06/27 20:07:26 91.213.8.84 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torsrvn.snydernet.net 2015/06/27 20:22:29 217.115.10.131 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor31.anonymizer.ccc.de 2015/06/27 20:38:03 198.100.144.75 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ns503427.ip-198-100-144.net 2015/06/27 21:07:41 198.100.144.75 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ns503427.ip-198-100-144.net 2015/06/27 21:07:54 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/27 21:15:50 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/27 21:16:00 89.105.194.71 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/27 21:29:06 212.83.167.175 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.nmte.ch 2015/06/27 21:40:17 85.159.237.199 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 85.159.237.199 2015/06/27 21:38:35 31.172.30.2 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor19.anonymizer.ccc.de 2015/06/27 21:47:39 89.105.194.73 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/27 22:30:49 89.105.194.79 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/27 22:37:00 109.163.234.7 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 edwardsnowden0.torservers.net 2015/06/27 23:05:16 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/27 23:17:04 46.28.68.158 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 exit2.tor-proxy.net.ua 2015/06/27 23:39:28 46.28.68.158 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 exit2.tor-proxy.net.ua 2015/06/27 23:46:07 46.28.68.158 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 exit2.tor-proxy.net.ua 2015/06/27 23:46:23 46.28.68.158 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 exit2.tor-proxy.net.ua 2015/06/27 23:47:50 176.10.99.206 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.206 2015/06/28 00:03:00 83.84.2.146 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 53540292.cm-6-5a.dynamic.ziggo.nl 2015/06/28 00:25:52 89.105.194.73 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/28 00:27:05 96.47.226.20 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 bolobolo1.torservers.net 2015/06/28 00:39:07 142.4.213.25 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 heaven.tor.ninja 2015/06/28 00:45:07 50.199.138.65 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 50-199-138-65-static.hfc.comcastbusiness.net 2015/06/28 01:18:03 50.7.227.27 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 50.7.227.27 2015/06/28 02:09:19 74.208.220.222 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-readme.leagueofavatars.com 2015/06/28 02:48:09 78.108.63.46 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 assk.torservers.net 2015/06/28 02:48:42 89.105.194.90 Mozilla/5.0 (Linux; U; Android 4.3; en-gb; C5303 Build/12.1.A.1.205) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 tor-exit-readme.as24875.net 2015/06/28 03:20:04 78.46.51.124 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit1.arbitrary.ch 2015/06/28 03:28:10 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/28 03:31:13 94.242.246.23 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 destiny.enn.lu 2015/06/28 04:19:45 217.115.10.131 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor31.anonymizer.ccc.de 2015/06/28 04:28:24 89.105.194.85 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/28 04:28:26 188.138.9.49 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 atlantic480.us.unmetered.com 2015/06/28 05:50:45 94.242.246.23 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 destiny.enn.lu 2015/06/28 05:51:27 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/28 06:37:37 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/28 06:37:54 188.138.9.49 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 atlantic480.us.unmetered.com 2015/06/28 06:51:41 192.99.2.137 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 kbtr2ce.tor-relay.me 2015/06/28 07:10:12 171.25.193.77 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit1-readme.dfri.se 2015/06/28 07:19:04 91.213.8.236 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torsrvs.snydernet.net 2015/06/28 07:23:53 62.210.237.85 Mozilla/5.0 (Linux; Android 4.4.2; SM-T237P Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 tor.gansta93.com 2015/06/28 08:00:43 91.216.133.128 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1795.54600 host128-133-216-91.foboss.net 2015/06/28 08:10:01 141.255.167.101 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 mta02.rauhost.info 2015/06/28 08:55:20 85.10.210.199 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r2.geoca.st 2015/06/28 08:59:04 89.105.194.87 Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A405 Safari/600.1.4 tor-exit-readme.as24875.net 2015/06/28 09:37:58 109.163.235.228 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 lh27212.voxility.net 2015/06/28 09:42:07 176.10.104.243 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor2e1.privacyfoundation.ch 2015/06/28 09:53:38 124.197.27.166 Mozilla/5.0 (Linux; U; Android 2.3.6; en-nz; HUAWEI Y210-0100 Build/HuaweiY210-0100) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 124-197-27-166.callplus.net.nz 2015/06/28 10:01:30 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/28 10:04:14 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/28 10:21:21 94.242.251.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 balo.jager.io 2015/06/28 10:25:43 96.47.226.20 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 bolobolo1.torservers.net 2015/06/28 10:45:16 176.9.99.134 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 exit01.brasshorncommunications.uk 2015/06/28 13:06:32 204.124.83.130 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit0.conformal.com 2015/06/28 13:32:12 111.168.134.241 Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Firefox/38.0 FL1-111-168-134-241.oit.mesh.ad.jp 2015/06/28 13:45:04 69.5.113.57 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 Watson.GIGBBIB.exit 2015/06/28 14:24:24 204.8.156.142 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 cs-tor.bu.edu 2015/06/28 14:31:36 176.9.25.72 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r1.geoca.st 2015/06/28 14:36:26 85.10.210.199 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r2.geoca.st 2015/06/28 14:36:36 176.9.25.72 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r1.geoca.st 2015/06/28 14:36:37 176.9.25.72 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r1.geoca.st 2015/06/28 14:36:49 78.61.12.99 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 78-61-12-99.static.zebra.lt 2015/06/28 14:39:11 176.9.25.72 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r1.geoca.st 2015/06/28 14:39:44 94.242.246.23 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 destiny.enn.lu 2015/06/28 14:40:53 176.9.25.72 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r1.geoca.st 2015/06/28 14:41:33 178.217.187.39 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.xshells.net 2015/06/28 14:43:45 84.26.87.131 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36 541A5783.cm-5-3b.dynamic.ziggo.nl 2015/06/28 15:53:30 199.87.154.251 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 199.87.154.251 2015/06/28 16:06:38 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/28 16:14:20 185.17.184.228 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.xzyqvk.co.uk 2015/06/28 17:08:12 185.17.184.228 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.xzyqvk.co.uk 2015/06/28 17:08:26 178.217.187.39 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.xshells.net 2015/06/28 17:15:56 192.42.116.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.hartvoorinternetvrijheid.nl 2015/06/28 17:57:10 62.210.37.82 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 62-210-37-82.rev.poneytelecom.eu 2015/06/28 18:04:18 209.222.8.196 Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 madiba.guilhem.org 2015/06/28 18:15:34 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/28 18:18:58 204.85.191.30 Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0 tor00.telenet.unc.edu 2015/06/28 18:21:18 204.85.191.30 Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0 tor00.telenet.unc.edu 2015/06/28 18:21:54 89.105.194.83 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/28 18:37:26 91.219.236.218 Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 none.0.azar-a.net 2015/06/28 18:41:33 31.172.30.2 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor19.anonymizer.ccc.de 2015/06/28 19:00:33 171.25.193.78 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit4-readme.dfri.se 2015/06/28 19:13:23 5.199.130.188 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor.piratenpartei-nrw.de 2015/06/28 19:14:50 96.47.226.22 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 wannabe.torservers.net 2015/06/28 19:21:51 85.10.210.199 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r2.geoca.st 2015/06/28 19:28:14 109.230.60.164 Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 109-230-60-164.dynamic.orange.sk 2015/06/28 19:28:36 209.126.110.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-74205.tor-exit.network 2015/06/28 19:44:22 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/28 20:10:52 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/28 21:45:37 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/28 21:46:13 202.83.109.205 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 fnet205-f109-access.vqbn.com.sg 2015/06/28 22:48:17 94.23.6.131 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ns365892.ip-94-23-6.eu 2015/06/28 23:07:39 5.196.1.129 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor.thd.ninja 2015/06/28 23:36:27 96.47.226.22 Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A405 Safari/600.1.4 wannabe.torservers.net 2015/06/28 23:49:40 79.136.42.226 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 h-42-226.a357.priv.bahnhof.se 2015/06/28 23:56:28 94.242.251.112 Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F70 balo.jager.io 2015/06/29 00:13:06 94.242.251.112 Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F70 balo.jager.io 2015/06/29 00:13:16 95.130.11.147 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.manalyzer.org 2015/06/29 00:54:16 91.109.247.173 Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 tor-exit2-readme.puckey.org 2015/06/29 01:02:27 109.163.234.5 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 hessel3.torservers.net 2015/06/29 02:07:07 192.42.116.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.hartvoorinternetvrijheid.nl 2015/06/29 02:20:30 193.37.152.241 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor.myops.de 2015/06/29 02:32:31 50.7.159.178 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 50.7.159.178 2015/06/29 02:46:39 93.174.90.30 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 2.shulgin.nl.torexit.haema.co.uk 2015/06/29 03:27:45 23.91.124.124 Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 amjohn.arvixecloud.com 2015/06/29 03:45:22 23.91.124.124 Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 amjohn.arvixecloud.com 2015/06/29 03:45:29 23.91.124.124 Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 amjohn.arvixecloud.com 2015/06/29 03:48:04 89.105.194.82 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-readme.as24875.net 2015/06/29 06:28:27 46.28.110.136 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 normalcitizen.spirosandreou.com 2015/06/29 06:37:47 46.28.110.136 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 normalcitizen.spirosandreou.com 2015/06/29 06:38:14 109.74.151.149 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torsrvu.snydernet.net 2015/06/29 06:39:10 192.42.116.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.hartvoorinternetvrijheid.nl 2015/06/29 06:45:47 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/29 07:50:40 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/29 07:54:02 77.109.139.87 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 load-me-in-a-browser-if-this-tor-node-is-causing-you-grief.riseup.net 2015/06/29 08:20:31 77.109.139.87 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 load-me-in-a-browser-if-this-tor-node-is-causing-you-grief.riseup.net 2015/06/29 08:20:57 162.247.72.217 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 perry.fellwock.tor-exit.calyxinstitute.org 2015/06/29 08:29:23 176.9.25.72 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r1.geoca.st 2015/06/29 10:48:28 87.98.178.61 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node–proxy.scalaire.com 2015/06/29 11:50:30 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/29 12:23:19 85.24.215.117 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor4.deklomp.se 2015/06/29 13:02:58 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/29 13:10:35 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/29 14:40:26 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/29 14:40:38 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/29 14:42:57 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/29 14:46:19 198.100.155.194 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 charb.tor-relay.exit.mtl.canada.themanderson.com 2015/06/29 15:52:53 85.10.210.199 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r2.geoca.st 2015/06/29 15:55:07 96.44.189.100 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 manning1.torservers.net 2015/06/29 16:51:06 213.61.149.100 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 h-213.61.149.100.host.de.colt.net 2015/06/29 17:04:24 89.234.157.254 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 marylou.nos-oignons.net 2015/06/29 17:15:58 31.172.30.2 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor19.anonymizer.ccc.de 2015/06/29 17:19:17 50.7.143.20 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 50.7.143.20 2015/06/29 17:38:26 5.199.130.188 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor.piratenpartei-nrw.de 2015/06/29 17:53:36 176.9.25.72 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r1.geoca.st 2015/06/29 18:02:55 91.230.121.131 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 energeticactivities.com 2015/06/29 18:05:48 93.184.66.227 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torsrva.snydernet.net 2015/06/29 18:41:29 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/29 18:51:23 37.130.227.133 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torland1-this.is.a.tor.exit.server.torland.is 2015/06/29 19:16:51 91.109.247.173 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit2-readme.puckey.org 2015/06/29 19:18:03 37.130.227.133 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 torland1-this.is.a.tor.exit.server.torland.is 2015/06/29 19:20:06 149.202.98.160 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 2.tor.exit.babylon.network 2015/06/29 19:35:29 5.135.158.101 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 cloud.tor.ninja 2015/06/29 19:43:01 62.210.37.82 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 62-210-37-82.rev.poneytelecom.eu 2015/06/29 19:43:00 62.210.37.82 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 62-210-37-82.rev.poneytelecom.eu 2015/06/29 19:43:15 107.181.174.84 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 us.tor-exit.neelc.org 2015/06/29 20:00:24 96.47.226.21 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 bolobolo2.torservers.net 2015/06/29 20:12:42 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/29 20:21:42 188.138.1.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-a.tor-exit.network 2015/06/29 20:21:48 128.199.87.155 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.katzen.me 2015/06/29 20:40:26 5.39.94.152 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ns394459.ip-5-39-94.eu 2015/06/29 20:54:11 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/29 21:25:35 129.123.7.7 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node-2.cs.usu.edu 2015/06/29 21:37:12 209.126.110.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 nx-74205.tor-exit.network 2015/06/29 21:56:43 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/29 22:15:19 91.213.8.235 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 91.213.8.235 2015/06/29 22:21:06 91.213.8.235 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 91.213.8.235 2015/06/29 22:25:22 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/29 22:53:07 176.10.104.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor1e1.privacyfoundation.ch 2015/06/29 22:53:15 81.89.96.88 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 enjolras.gtor.org 2015/06/29 22:54:35 171.25.193.20 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit0-readme.dfri.se 2015/06/29 23:14:22 171.25.193.20 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit0-readme.dfri.se 2015/06/29 23:15:28 37.130.227.133 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 torland1-this.is.a.tor.exit.server.torland.is 2015/06/29 23:23:18 171.25.193.20 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit0-readme.dfri.se 2015/06/29 23:28:46 77.109.141.138 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 spftor1e1.privacyfoundation.ch 2015/06/29 23:46:15 212.21.66.6 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-4.all.de 2015/06/30 00:06:49 31.172.30.2 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor19.anonymizer.ccc.de 2015/06/30 00:53:08 31.172.30.2 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor19.anonymizer.ccc.de 2015/06/30 00:53:29 192.42.116.16 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.hartvoorinternetvrijheid.nl 2015/06/30 00:54:41 77.244.254.229 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor29.anonymizer.ccc.de 2015/06/30 01:46:14 171.25.193.20 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit0-readme.dfri.se 2015/06/30 02:18:44 194.150.168.95 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 kaputte.li 2015/06/30 02:19:10 176.10.99.206 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 176.10.99.206 2015/06/30 02:23:35 2.111.64.26 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 x1-6-28-c6-8e-70-f5-a4.cpe.webspeed.dk 2015/06/30 02:38:54 185.36.100.145 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-proxy-readme.cloudexit.eu 2015/06/30 02:43:17 94.242.251.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 balo.jager.io 2015/06/30 04:06:25 94.242.251.112 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 balo.jager.io 2015/06/30 04:11:03 178.217.187.39 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit.xshells.net 2015/06/30 04:45:05 37.187.129.166 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-node.privacyrepublic.org 2015/06/30 05:32:27 94.142.241.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-2.zenger.nl 2015/06/30 06:34:27 94.142.241.240 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 tor-exit-2.zenger.nl 2015/06/30 06:34:37 209.126.110.113 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 ncc-1701-d.tor-exit.network 2015/06/30 07:08:37 176.9.25.72 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r1.geoca.st 2015/06/30 07:34:27 176.9.25.72 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 r1.geoca.st 2015/06/30 07:34:33 85.25.103.119 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 static-ip-85-25-103-119.inaddr.ip-pool.com 2015/06/30 07:47:28 77.247.181.165 Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 politkovskaja.torserver