[OTR-dev] OTR homepage DNS poisoned?
Hello, The OTR homepage at http://otr.cypherpunks.ca/ seems to be man-in-the-middled in certain networks. I have checked through various different networks with various results. From the following connections to the Internet, it redirects to zeroredirect, which then redirects to casino or adware (mackeeper) website: 1. Through the Greek OTE provider via the hot spot network Fon 2. Through the regular Greek OTE network (the major country telecommunications provider) from two different endpoints In the man-in-the-middled OTE connection I can see this trace: dionyziz@erdos ~ % nc -vvv otr.cypherpunks.ca 80 found 0 associations found 1 connections: 1: flags=82 outif en0 src 172.17.2.16 port 63144 dst 195.22.126.213 port 80 rank info not available TCP aux info available Connection to otr.cypherpunks.ca port 80 [tcp/http] succeeded! GET / HTTP/1.1 Host: otr.cypherpunks.ca HTTP/1.1 302 Moved Temporarily Server: nginx/1.6.3 Date: Tue, 08 Dec 2015 22:24:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.16 Location: http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca However, the site works fine in these providers: 1. Through the Greek Forthnet ISP from two different endpoints 2. Through the linode network 3. Through the UPC provider in Switzerland 4. Through the NYC Cuny Graduate Center network 5. Through the OTE 3G mobile network from two different endpoints 6. Through a different OTE network endpoint from those indicated previously 7. Through UK broadband networks We suspect there is selective hijacking of this site going on. Of course, the man-in-the-middle happens only when an HTTP connection is used. When HTTPS is enforced, for example through HTTPS Everywhere, the connection is not possible in the man-in-the-middled networks and the connection is refused: dionyziz@erdos ~ % nc -vvv otr.cypherpunks.ca 443 nc: connectx to otr.cypherpunks.ca port 443 (tcp) failed: Connection refused However, these networks work fine as far as other Internet traffic is concerned. As OTR is security-related software, this could lead to a serious issue (especially if the redirect is sent to a fake OTR download instead of simply adware). The issue can be pin-pointed to an incorrectly resolving IP. Perhaps your DNS record has expired and only a few hosts have updated? Or someone has hijacked the DNS or done some DNS poisoning? The incorrect IP seems to be 195.22.126.213, as provided in the OTE networks and through Google DNS. The correct IP seems to be 198.96.155.5, which is reported by the rest of the networks. Here is the incorrect DNS response: ; <<>> DiG 9.10.3 <<>> otr.cypherpunks.ca ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32155 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;otr.cypherpunks.ca. IN A ;; ANSWER SECTION: otr.cypherpunks.ca. 494398 IN A 195.22.126.213 ;; Query time: 7 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Wed Dec 09 00:47:10 EET 2015 ;; MSG SIZE rcvd: 52 And a traceroute to this IP from the OTE fon connection: dionyziz@erdos ~ % traceroute otr.cypherpunks.ca traceroute to otr.cypherpunks.ca (195.22.126.213), 64 hops max, 52 byte packets 1 172.17.2.1 (172.17.2.1) 5.689 ms 2.728 ms 4.305 ms 2 62.103.3.254 (62.103.3.254) 21.585 ms 23.708 ms 21.159 ms 3 79.128.248.133 (79.128.248.133) 22.082 ms 23.362 ms 20.860 ms 4 nyma-crsb-nyma7609a-1.backbone.otenet.net (79.128.226.53) 22.331 ms 23.132 ms 24.259 ms 5 ten0-0-0-0-atht1602.ath.oteglobe.gr (62.75.3.81) 25.275 ms pgig0-1.47-ir02-lamdahelixa.ath.oteglobe.gr (62.75.3.109) 22.114 ms 22.480 ms 6 62.75.5.177 (62.75.5.177) 68.650 ms 62.75.5.197 (62.75.5.197) 77.701 ms 62.75.5.222 (62.75.5.222) 72.796 ms 7 frankfurt-de-cix.atman.pl (80.81.192.227) 89.017 ms 85.180 ms 84.517 ms 8 ae2-3989.r7.glo-r5-glo.atman.pl (212.91.9.74) 86.274 ms 84.626 ms 89.521 ms 9 rev-212918-50.atman.pl (212.91.8.50) 96.057 ms 83.332 ms 82.818 ms 10 * * * 11 * * * 12 92-55-195-149.net.hawetelekom.pl (92.55.195.149) 113.889 ms 92.649 ms 96.981 ms 13 sdc-n003rtp01.net.hawetelekom.pl (77.242.225.94) 96.141 ms 128.385 ms 101.874 ms 14 n16h14.sprintdatacenter.net (46.29.16.14) 92.022 ms 91.969 ms 92.004 ms 15 195.22.126.213 (195.22.126.213) 91.272 ms 92.733 ms 95.707 ms The correct DNS resolution response is shown here, from the working OTE connection: ; <<>> DiG 9.8.3-P1 <<>> otr.cypherpunks.ca ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38259 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;otr.cypherpunks.ca. IN A ;; ANSWER SECTION: otr.cypherpunks.ca. 2904 IN A 1
Re: [OTR-dev] OTR homepage DNS poisoned?
Hi, I don't see the same thing happening no can I resolve that IP via the dns lookup for otr.cypherpunks.ca. Must be something weird on your network, might be interesting to run: ooni.torproject.org and see what is going on. I checked all the DNS servers which are set: cypherpunks.ca. 3600IN NS ns2.paip.net. cypherpunks.ca. 3600IN NS ns.emufarm.org. cypherpunks.ca. 3600IN NS iweb.nikita.ca. cypherpunks.ca. 3600IN NS ns2.cypherpunks.ca. cypherpunks.ca. 3600IN NS ns3.cypherpunks.ca. cypherpunks.ca. 3600IN NS ns1.paip.net. cypherpunks.ca. 3600IN NS ns1.cypherpunks.ca. cypherpunks.ca. 3600IN NS ns3.paip.net. They all seem to resolve otr.cypherpunks.ca to be: 198.96.155.5 So I think something messy is going on the ISP level or maybe your machine is compromised with adware? Best of luck, jurre On 12/08/2015 11:54 PM, Dionysis Zindros wrote: > Hello, > > The OTR homepage at http://otr.cypherpunks.ca/ seems to be > man-in-the-middled in certain networks. I have checked through various > different networks with various results. > > From the following connections to the Internet, it redirects to > zeroredirect, which then redirects to casino or adware (mackeeper) > website: > > 1. Through the Greek OTE provider via the hot spot network Fon > 2. Through the regular Greek OTE network (the major country > telecommunications provider) from two different endpoints > > In the man-in-the-middled OTE connection I can see this trace: > > dionyziz@erdos ~ % nc -vvv otr.cypherpunks.ca 80 > found 0 associations > found 1 connections: > 1: flags=82 > outif en0 > src 172.17.2.16 port 63144 > dst 195.22.126.213 port 80 > rank info not available > TCP aux info available > > Connection to otr.cypherpunks.ca port 80 [tcp/http] succeeded! > GET / HTTP/1.1 > Host: otr.cypherpunks.ca > > HTTP/1.1 302 Moved Temporarily > Server: nginx/1.6.3 > Date: Tue, 08 Dec 2015 22:24:20 GMT > Content-Type: text/html > Transfer-Encoding: chunked > Connection: keep-alive > X-Powered-By: PHP/5.4.16 > Location: > http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca > > However, the site works fine in these providers: > > 1. Through the Greek Forthnet ISP from two different endpoints > 2. Through the linode network > 3. Through the UPC provider in Switzerland > 4. Through the NYC Cuny Graduate Center network > 5. Through the OTE 3G mobile network from two different endpoints > 6. Through a different OTE network endpoint from those indicated previously > 7. Through UK broadband networks > > We suspect there is selective hijacking of this site going on. Of > course, the man-in-the-middle happens only when an HTTP connection is > used. When HTTPS is enforced, for example through HTTPS Everywhere, > the connection is not possible in the man-in-the-middled networks and > the connection is refused: > > dionyziz@erdos ~ % nc -vvv otr.cypherpunks.ca 443 > nc: connectx to otr.cypherpunks.ca port 443 (tcp) failed: Connection refused > > However, these networks work fine as far as other Internet traffic is > concerned. As OTR is security-related software, this could lead to a > serious issue (especially if the redirect is sent to a fake OTR > download instead of simply adware). > > The issue can be pin-pointed to an incorrectly resolving IP. Perhaps > your DNS record has expired and only a few hosts have updated? Or > someone has hijacked the DNS or done some DNS poisoning? > > The incorrect IP seems to be 195.22.126.213, as provided in the OTE > networks and through Google DNS. The correct IP seems to be > 198.96.155.5, which is reported by the rest of the networks. > > Here is the incorrect DNS response: > > ; <<>> DiG 9.10.3 <<>> otr.cypherpunks.ca > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32155 > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;otr.cypherpunks.ca. IN A > > ;; ANSWER SECTION: > otr.cypherpunks.ca. 494398 IN A 195.22.126.213 > > ;; Query time: 7 msec > ;; SERVER: 192.168.1.1#53(192.168.1.1) > ;; WHEN: Wed Dec 09 00:47:10 EET 2015 > ;; MSG SIZE rcvd: 52 > > And a traceroute to this IP from the OTE fon connection: > > dionyziz@erdos ~ % traceroute otr.cypherpunks.ca > traceroute to otr.cypherpunks.ca (195.22.126.213), 64 hops max, 52 byte > packets > 1 172.17.2.1 (172.17.2.1) 5.689 ms 2.728 ms 4.305 ms > 2 62.103.3.254 (62.103.3.254) 21.585 ms 23.708 ms 21.159 ms > 3 79.128.248.133 (79.128.248.133) 22.082 ms 23.362 ms 20.860 ms > 4 nyma-crsb-nyma7609a-1.backbone.otenet.net (79.128.226.53) 22.331 > ms 23.132 ms 24.259 ms > 5 ten0-0-0-0-atht1602.ath.
Re: [OTR-dev] OTR homepage DNS poisoned?
On 12/09/2015 12:54 AM, Dionysis Zindros wrote: > Hello, > > The OTR homepage at http://otr.cypherpunks.ca/ seems to be > man-in-the-middled in certain networks. I have checked through various > different networks with various results. > > From the following connections to the Internet, it redirects to > zeroredirect, which then redirects to casino or adware (mackeeper) > website: > > 1. Through the Greek OTE provider via the hot spot network Fon > 2. Through the regular Greek OTE network (the major country > telecommunications provider) from two different endpoints > > > Do you have ideas as to what could be happening? > Hello Dionysis, I use a OTE aDSL connection at the moment and cannot reproduce what you report. Specifically, > dig +short A otr.cypherpunks.ca @192.168.1.1 > 198.96.155.5 > dig +short A otr.cypherpunks.ca @8.8.8.8 > 198.96.155.5 > curl -vvv otr.cypherpunks.ca > * Rebuilt URL to: otr.cypherpunks.ca/ > * Hostname was NOT found in DNS cache > * Trying 198.96.155.5... > * Connected to otr.cypherpunks.ca (198.96.155.5) port 80 (#0) >> GET / HTTP/1.1 >> User-Agent: curl/7.38.0 >> Host: otr.cypherpunks.ca >> Accept: */* >> > < HTTP/1.1 302 Found > < Date: Wed, 09 Dec 2015 00:10:08 GMT > * Server Apache/2.4.7 (Ubuntu) is not blacklisted > < Server: Apache/2.4.7 (Ubuntu) > < Location: https://otr.cypherpunks.ca/ Perhaps you could check the resolvers which are set in the moder/router used by the endpoints where you observe the problem. I've witnessed DNS hijacking via "tweaking" the resolvers of these home routers in the past. Cheers, Alex signature.asc Description: OpenPGP digital signature ___ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
Re: [OTR-dev] OTR homepage DNS poisoned?
This looks like your usual ISP DNS hijacking. Their cache is likely out of date or having some connectivity problems. What's the actual DNS server's IP? Your dig only shows your router (192.168.1.1) and not the server. -- David Manouchehri F0FE 0296 14EA 35BC 9E4FF 9768 A6EC FD0C 4083 9755 https://keybase.io/manouchehri/key.asc ___ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
Re: [OTR-dev] OTR homepage DNS poisoned?
Thank you all for your responses. Alexandre - this does not seem to be a local DNS server hijack. I tried from two different OTE endpoints with similar results (although a third one produces correct results, and your query also seems to produce correct results, so we are inconclusive). Google's DNS also reports a different IP for me queried from two different locations; locally via OTE (erdos) it reports incorrect information, while it reports correct information on the linode (lovelace) network: dionyziz@erdos ~ % dig @8.8.8.8 otr.cypherpunks.ca ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 otr.cypherpunks.ca ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15281 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;otr.cypherpunks.ca. IN A ;; ANSWER SECTION: otr.cypherpunks.ca. 488311 IN A 195.22.126.213 ;; Query time: 25 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Wed Dec 9 02:30:05 2015 ;; MSG SIZE rcvd: 52 [0] dionyziz@lovelace ~ % dig @8.8.8.8 otr.cypherpunks.ca ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 otr.cypherpunks.ca ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2099 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;otr.cypherpunks.ca. IN A ;; ANSWER SECTION: otr.cypherpunks.ca. 2314 IN A 198.96.155.5 ;; Query time: 11 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Wed Dec 9 02:31:02 2015 ;; MSG SIZE rcvd: 52 On Wed, Dec 9, 2015 at 2:16 AM, David Manouchehri wrote: > This looks like your usual ISP DNS hijacking. Their cache is likely > out of date or having some connectivity problems. > > What's the actual DNS server's IP? Your dig only shows your router > (192.168.1.1) and not the server. > > -- > David Manouchehri > F0FE 0296 14EA 35BC 9E4FF 9768 A6EC FD0C 4083 9755 > https://keybase.io/manouchehri/key.asc > ___ > OTR-dev mailing list > OTR-dev@lists.cypherpunks.ca > http://lists.cypherpunks.ca/mailman/listinfo/otr-dev ___ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
Re: [OTR-dev] OTR homepage DNS poisoned?
From Bell Canada the link in the Location: header takes me through a couple of steps of tracking sites and then away over to any of several spam/attack sites: http://www.mega-brokers.co/lp-millionaireclub-brown/?coc=156&subc=w1ATM3TVTC6OC04PG7B7IRCK¶mc=golf-axe-Tw049LVw¶mf=MS%20-%20New%20Publisher%20-%20INTL http://alwaysnew.feelfree4update.com/?pcl=3LbSqxsHPv14PjCURUDXDEdm0CHvCe21dottyrEp5Qo.&subid=102855_4a8f8983d90d5aba83b274e59952f44e&v_id=JMns7DFxzqZv1_WCWflzXTSG2mj3zOFVuYw-XLU3wFE. etc.., which seem to rotate every few minutes. From Wind Mobile Canada, the landing page you're being given TCP RSTs when I try to go to it, so good on Wind I guess. It's strange that the DNS hijacking is only for some sites. Are you sure it's targetting otr specifically? Can you maybe write a scapy script to test thoroughly? The landing site doesn't seem to be doing anything funny with routing. My traceroute to from Bell: [kousu@galleon ~]$ traceroute 195.22.126.213 traceroute to 195.22.126.213 (195.22.126.213), 30 hops max, 60 byte packets 1 homeportal (192.168.2.1) 5.969 ms 7.243 ms 8.035 ms 2 10.11.0.241 (10.11.0.241) 408.481 ms 408.536 ms 510.627 ms 3 10.178.206.42 (10.178.206.42) 17.837 ms 19.829 ms 21.733 ms 4 10.178.206.43 (10.178.206.43) 23.634 ms 23.901 ms 25.642 ms 5 tcore3-kitchener06_bundle-ether4.net.bell.ca (64.230.113.68) 31.503 ms tcore4-kitchener06_Bundle-ether4.net.bell.ca (64.230.113.70) 36.814 ms 33.979 ms 6 tcore4-toronto21_hun1-1-0-0.net.bell.ca (64.230.50.190) 45.551 ms 11.502 ms 24.040 ms 7 tcore4-torontoxn_HundredGigE0-12-0-0.net.bell.ca (64.230.50.19) 24.219 ms tcore3-torontoxn_HundredGigE0-12-0-0.net.bell.ca (64.230.50.11) 28.631 ms 28.861 ms 8 bx1-torontoxn_et1-0-0.net.bell.ca (64.230.97.157) 31.141 ms 32.961 ms 33.136 ms 9 ix-5-0-1-0.tcore2.TNK-Toronto.as6453.net (63.243.172.25) 62.577 ms 62.790 ms 62.937 ms 10 if-2-2.tcore1.TNK-Toronto.as6453.net (64.86.33.89) 36.800 ms 36.999 ms 38.806 ms 11 ae9.tor10.ip4.gtt.net (173.205.54.65) 38.981 ms 40.671 ms 42.366 ms 12 xe-0-1-0.waw11.ip4.gtt.net (141.136.109.10) 135.031 ms 128.720 ms xe-0-0-0.waw11.ip4.gtt.net (89.149.182.38) 132.269 ms 13 ip4.gtt.net (46.33.84.122) 138.020 ms 139.968 ms 140.194 ms 14 * * * 15 * * * 16 92-55-195-149.net.hawetelekom.pl (92.55.195.149) 159.489 ms 161.746 ms 163.115 ms 17 SDC-N003RTP01.net.hawetelekom.pl (77.242.225.94) 161.568 ms 164.712 ms 173.525 ms 18 n16h14.sprintdatacenter.net (46.29.16.14) 137.273 ms 139.551 ms 140.869 ms 19 195.22.126.213 (195.22.126.213) 141.038 ms 145.883 ms 147.956 ms and from Wind Mobile: [kousu@galleon ~]$ traceroute 195.22.126.213 traceroute to 195.22.126.213 (195.22.126.213), 30 hops max, 443 byte packets 1 * gateway (192.168.43.1) 9.156 ms 11.419 ms 2 * * * 3 * * * 4 199.7.156.196 (199.7.156.196) 1564.910 ms 1564.862 ms 1564.890 ms 5 199.7.156.197 (199.7.156.197) 1564.881 ms 1564.871 ms 1564.861 ms 6 199.7.158.107 (199.7.158.107) 1619.754 ms 1611.411 ms 1609.155 ms 7 199.7.158.130 (199.7.158.130) 160.965 ms 172.696 ms 181.021 ms 8 te0-0-1-2.nr12.b029131-1.yvr01.atlas.cogentco.com (38.88.6.177) 251.004 ms 253.353 ms 253.616 ms 9 te0-0-1-3.rcr12.yvr01.atlas.cogentco.com (154.24.48.217) 207.164 ms 219.989 ms 264.788 ms 10 te0-0-0-14.ccr21.sea02.atlas.cogentco.com (154.54.83.225) 161.598 ms 151.673 ms 144.550 ms 11 be2083.ccr21.sea01.atlas.cogentco.com (154.54.0.249) 163.858 ms be2084.ccr22.sea01.atlas.cogentco.com (154.54.0.253) 165.557 ms 177.474 ms 12 be2077.ccr22.sfo01.atlas.cogentco.com (154.54.0.241) 188.410 ms be2075.ccr21.sfo01.atlas.cogentco.com (154.54.0.233) 175.955 ms be2077.ccr22.sfo01.atlas.cogentco.com (154.54.0.241) 180.306 ms 13 be2165.ccr22.sjc01.atlas.cogentco.com (154.54.28.66) 188.078 ms be2164.ccr21.sjc01.atlas.cogentco.com (154.54.28.34) 195.397 ms be2165.ccr22.sjc01.atlas.cogentco.com (154.54.28.66) 194.008 ms 14 be2000.ccr21.sjc03.atlas.cogentco.com (154.54.6.106) 127.874 ms 130.911 ms 178.101 ms 15 gtt.sjc03.atlas.cogentco.com (154.54.9.14) 168.180 ms 179.834 ms 171.818 ms 16 xe-0-0-0.waw11.ip4.gtt.net (89.149.182.38) 284.123 ms 276.452 ms 279.398 ms 17 ip4.gtt.net (46.33.84.122) 307.631 ms 300.683 ms 291.059 ms 18 * * * 19 * * * 20 92-55-195-149.net.hawetelekom.pl (92.55.195.149) 293.195 ms 293.211 ms 292.000 ms 21 SDC-N003RTP01.net.hawetelekom.pl (77.242.225.94) 306.441 ms 335.056 ms 307.694 ms 22 n16h14.sprintdatacenter.net (46.29.16.14) 270.130 ms 285.611 ms 272.831 ms 23 * * * 24 195.22.126.213 (195.22.126.213) 317.531 ms 340.528 ms 364.764 ms That landing site is in Poland: [kousu@galleon ~]$ geoiplookup 46.29.16.14 GeoIP Country Edition: PL, Poland GeoIP Organization Edition: Sprint Data Center Sprint S.A. [kousu@galleon ~]$ geoiplookup 195.22.126.213 GeoIP Country Edition: PL, Poland GeoIP Organization Edition: EuroNet s.c. Henryk Kuc, Jacek Majak Now, ooni mentions that Greece is doing DNS hijacking t
Re: [OTR-dev] OTR homepage DNS poisoned?
namebench will check for DNS hijacking. https://code.google.com/p/namebench/ -- David Manouchehri F0FE 0296 14EA 35BC 9E4FF 9768 A6EC FD0C 4083 9755 https://keybase.io/manouchehri/key.asc ___ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
Re: [OTR-dev] OTR homepage DNS poisoned?
I assume no recent changes to the domain's dns records? Sent from my HTC Evo > On Dec 8, 2015, at 4:40 PM, David Manouchehri > wrote: > > namebench will check for DNS hijacking. > > https://code.google.com/p/namebench/ > > -- > David Manouchehri > F0FE 0296 14EA 35BC 9E4FF 9768 A6EC FD0C 4083 9755 > https://keybase.io/manouchehri/key.asc > ___ > OTR-dev mailing list > OTR-dev@lists.cypherpunks.ca > http://lists.cypherpunks.ca/mailman/listinfo/otr-dev ___ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
Re: [OTR-dev] OTR homepage DNS poisoned?
DNS settings haven't been changed in months. https://dnshistory.org/dns-records/cypherpunks.ca http://viewdns.info/iphistory/?domain=cypherpunks.ca -- David Manouchehri F0FE 0296 14EA 35BC 9E4FF 9768 A6EC FD0C 4083 9755 https://keybase.io/manouchehri/key.asc ___ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
Re: [OTR-dev] OTR homepage DNS poisoned?
On Wed, 9 Dec 2015, Dionysis Zindros wrote: The OTR homepage at http://otr.cypherpunks.ca/ seems to be man-in-the-middled in certain networks. I have checked through various different networks with various results. In the man-in-the-middled OTE connection I can see this trace: HTTP/1.1 302 Moved Temporarily Location: http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca Googling for zeroredirect gives me a lot of links about the "google redirect" virus. I'd throw away that machine and build a new one. If you want to avoid DNS redirects I can recommend installing "dnssec-trigger" from NLnetlabs. Paul ___ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
Re: [OTR-dev] OTR homepage DNS poisoned?
Hi Paul, Thanks for your info and your concern. I suspect that the zeroredirect virus is a different issue, as plugging the same machine to a different network produces different DNS results – one is legit and one isn't. Furthermore, none of the documented viral behaviors such as a misconfigured DNS server or a proxy server occur in my machine. It's not unlikely that zeroredirect employs various mechanisms to achieve redirects to their website, of which client machine infection is only one. I also hope my operational security for this machine is quite diligent, as I do not run software which is not securely verified from a trusted source, either using HTTPS with a trusted domain, or a GPG signature with a trust path from my key. While I could have made a mistake, I think DNS poisoning at the network level beyond my machine is most likely the case. Dionysis. On Mon, Dec 21, 2015 at 3:38 AM, Paul Wouters wrote: > On Wed, 9 Dec 2015, Dionysis Zindros wrote: > >> The OTR homepage at http://otr.cypherpunks.ca/ seems to be >> man-in-the-middled in certain networks. I have checked through various >> different networks with various results. > > >> In the man-in-the-middled OTE connection I can see this trace: > > >> HTTP/1.1 302 Moved Temporarily > > >> Location: >> http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca > > > Googling for zeroredirect gives me a lot of links about the "google > redirect" virus. I'd throw away that machine and build a new one. > > If you want to avoid DNS redirects I can recommend installing > "dnssec-trigger" from NLnetlabs. > > Paul ___ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
Re: [OTR-dev] OTR homepage DNS poisoned?
On a related topic, DNSSEC should be enabled for cypherpunks.ca. http://dnssec-debugger.verisignlabs.com/cypherpunks.ca -- David Manouchehri F0FE 0296 14EA 35BC 9E4FF 9768 A6EC FD0C 4083 9755 https://keybase.io/manouchehri/key.asc ___ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev