After initializing the Tor network service, I saw that a connection was established to the IP 131.188.40.188 on port 11180. I did a scan with nmap and the result was as follows:

There was an openssh service on that port, and I was connected to it.

After seeing that, I proceeded to format the computer.

After formatting the computer and reinstalling the tor services, I had the following connections open:

[Image: open Tor ports after formatting the computer]

If I stop the tor service, all connections are closed.

The question is: Is an SSH connection to IP 131.188.40.188 normal in Tor, or should I be worried about a possible infection?

Thank you very much to all!

EDIT: I just checked that nmap currently shows that the current port status is unknown. The state at the time I had an established connection was an Ubuntu openssh. I can't upload a screenshot of that since, after suspecting a possible infection, I formatted the computer.

Ioritz

1 Answer

131.188.40.188 is a Tor relay and port 11180 is their chosen "OR port" (the port Tor listens on for incoming connections).

There isn't an openssh service listening on this port. Nmap shows it open as an unknown service.

This appears to have been a "normal" Tor connection from your machine to this relay for using the Tor network.

drew010
  • Hello drew010, first of all, thank you for your answer. I just checked that nmap currently shows that the current port status is unknown. The state at the time I had an established connection was an Ubuntu openssh. I can't upload a screenshot of that since, after suspecting a possible infection, I formatted the computer. Is that something normal? – Ioritz Sep 02 '22 at 07:49
  • That seems abnormal but maybe a firewall or IDS in place sent back a false positive when a scan was detected. nmap identifies services based on known responses. For SSH it reads the "OpenSSH" banner sent by the openssh server upon connection. The Tor onion relay port doesn't send anything without the client sending something first, so for it to report openssh for that seems very unlikely. Did your first nmap scan check a list of default ports and maybe you were seeing openssh on another port? – drew010 Sep 02 '22 at 17:31
  • I just checked the port and sure enough it doesn't show an SSH service right now. That was different at the time of publication. I'm sure there was an openSSH service on that port with an established connection. – Ioritz Sep 03 '22 at 22:16
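
One way to check whether an established connection goes to a relay's OR port, as the answer states for 131.188.40.188:11180, is to compare remote endpoints against the "r" lines of a Tor consensus document. This is an added example, not part of the original posts; the consensus excerpt and connection list are constructed, and the relay nicknames, identity strings and second relay are placeholders.

```python
"""Match remote endpoints against relay OR ports listed in a Tor consensus."""
import ipaddress

# Constructed consensus excerpt. Only the IP and OR port of the first entry
# come from the page; nicknames, identities and the second relay are placeholders.
SAMPLE_CONSENSUS = """\
r ExampleRelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2022-09-01 12:00:00 131.188.40.188 11180 0
s Fast Guard Running Stable Valid
r ExampleRelayB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2022-09-01 12:00:00 192.0.2.10 9001 0
s Fast Running Valid
"""

# Constructed remote endpoints, in the ip:port form shown by `ss -tn`.
SAMPLE_REMOTES = ["131.188.40.188:11180", "192.0.2.10:22", "198.51.100.7:443"]


def parse_or_ports(consensus_text):
    """Return {ip: {or_port, ...}} built from the 'r' lines of a consensus."""
    relays = {}
    for line in consensus_text.splitlines():
        fields = line.split()
        # Full and microdescriptor consensuses both end an 'r' line with
        # "IP ORPort DirPort", so index from the end of the line.
        if len(fields) < 8 or fields[0] != "r":
            continue
        ip, or_port = fields[-3], fields[-2]
        try:
            ipaddress.ip_address(ip)
            port = int(or_port)
        except ValueError:
            continue  # malformed entry: ignore it rather than guess
        relays.setdefault(ip, set()).add(port)
    return relays


def classify(remote, relays):
    """Label one remote endpoint against the parsed relay table."""
    ip, _, port = remote.rpartition(":")
    if ip not in relays:
        return "not-a-relay"
    # Same host, different port: a service other than the relay's OR port.
    return "relay-or-port" if int(port) in relays[ip] else "relay-ip-other-port"


if __name__ == "__main__":
    table = parse_or_ports(SAMPLE_CONSENSUS)
    for remote in SAMPLE_REMOTES:
        print(f"{remote:24} {classify(remote, table)}")
```

The `relay-ip-other-port` result covers the case raised in the comments, where a service seen on a relay's address is actually on a different port than its OR port.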