[OTR-dev] OTR homepage DNS poisoned?

2015-12-08 Thread Dionysis Zindros
Hello,

The OTR homepage at http://otr.cypherpunks.ca/ seems to be
man-in-the-middled in certain networks. I have checked through various
different networks with various results.

From the following connections to the Internet, it redirects to
zeroredirect, which then redirects to casino or adware (mackeeper)
website:

1. Through the Greek OTE provider via the hot spot network Fon
2. Through the regular Greek OTE network (the major country
telecommunications provider) from two different endpoints

In the man-in-the-middled OTE connection I can see this trace:

dionyziz@erdos ~ % nc -vvv otr.cypherpunks.ca 80
found 0 associations
found 1 connections:
 1: flags=82
outif en0
src 172.17.2.16 port 63144
dst 195.22.126.213 port 80
rank info not available
TCP aux info available

Connection to otr.cypherpunks.ca port 80 [tcp/http] succeeded!
GET / HTTP/1.1
Host: otr.cypherpunks.ca

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.3
Date: Tue, 08 Dec 2015 22:24:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
Location: 
http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca

However, the site works fine in these providers:

1. Through the Greek Forthnet ISP from two different endpoints
2. Through the linode network
3. Through the UPC provider in Switzerland
4. Through the NYC Cuny Graduate Center network
5. Through the OTE 3G mobile network from two different endpoints
6. Through a different OTE network endpoint from those indicated previously
7. Through UK broadband networks

We suspect there is selective hijacking of this site going on. Of
course, the man-in-the-middle happens only when an HTTP connection is
used. When HTTPS is enforced, for example through HTTPS Everywhere,
the connection is not possible in the man-in-the-middled networks and
the connection is refused:

dionyziz@erdos ~ % nc -vvv otr.cypherpunks.ca 443
nc: connectx to otr.cypherpunks.ca port 443 (tcp) failed: Connection refused

However, these networks work fine as far as other Internet traffic is
concerned. As OTR is security-related software, this could lead to a
serious issue (especially if the redirect is sent to a fake OTR
download instead of simply adware).

The issue can be pin-pointed to an incorrectly resolving IP. Perhaps
your DNS record has expired and only a few hosts have updated? Or
someone has hijacked the DNS or done some DNS poisoning?

The incorrect IP seems to be 195.22.126.213, as provided in the OTE
networks and through Google DNS. The correct IP seems to be
198.96.155.5, which is reported by the rest of the networks.

Here is the incorrect DNS response:

; <<>> DiG 9.10.3 <<>> otr.cypherpunks.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32155
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;otr.cypherpunks.ca. IN A

;; ANSWER SECTION:
otr.cypherpunks.ca. 494398 IN A 195.22.126.213

;; Query time: 7 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Dec 09 00:47:10 EET 2015
;; MSG SIZE  rcvd: 52

And a traceroute to this IP from the OTE fon connection:

dionyziz@erdos ~ % traceroute otr.cypherpunks.ca
traceroute to otr.cypherpunks.ca (195.22.126.213), 64 hops max, 52 byte packets
 1  172.17.2.1 (172.17.2.1)  5.689 ms  2.728 ms  4.305 ms
 2  62.103.3.254 (62.103.3.254)  21.585 ms  23.708 ms  21.159 ms
 3  79.128.248.133 (79.128.248.133)  22.082 ms  23.362 ms  20.860 ms
 4  nyma-crsb-nyma7609a-1.backbone.otenet.net (79.128.226.53)  22.331 ms  23.132 ms  24.259 ms
 5  ten0-0-0-0-atht1602.ath.oteglobe.gr (62.75.3.81)  25.275 ms
    pgig0-1.47-ir02-lamdahelixa.ath.oteglobe.gr (62.75.3.109)  22.114 ms  22.480 ms
 6  62.75.5.177 (62.75.5.177)  68.650 ms
    62.75.5.197 (62.75.5.197)  77.701 ms
    62.75.5.222 (62.75.5.222)  72.796 ms
 7  frankfurt-de-cix.atman.pl (80.81.192.227)  89.017 ms  85.180 ms  84.517 ms
 8  ae2-3989.r7.glo-r5-glo.atman.pl (212.91.9.74)  86.274 ms  84.626 ms  89.521 ms
 9  rev-212918-50.atman.pl (212.91.8.50)  96.057 ms  83.332 ms  82.818 ms
10  * * *
11  * * *
12  92-55-195-149.net.hawetelekom.pl (92.55.195.149)  113.889 ms  92.649 ms  96.981 ms
13  sdc-n003rtp01.net.hawetelekom.pl (77.242.225.94)  96.141 ms  128.385 ms  101.874 ms
14  n16h14.sprintdatacenter.net (46.29.16.14)  92.022 ms  91.969 ms  92.004 ms
15  195.22.126.213 (195.22.126.213)  91.272 ms  92.733 ms  95.707 ms

The correct DNS resolution response is shown here, from the working
OTE connection:

; <<>> DiG 9.8.3-P1 <<>> otr.cypherpunks.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;otr.cypherpunks.ca. IN A

;; ANSWER SECTION:
otr.cypherpunks.ca. 2904 IN A 1

Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-08 Thread Jurre van Bergen
Hi,

I don't see the same thing happening, nor can I resolve that IP via the
dns lookup for otr.cypherpunks.ca. Must be something weird on your
network; might be interesting to run ooni.torproject.org and see what
is going on.

I checked all the DNS servers which are set:

cypherpunks.ca. 3600 IN NS ns2.paip.net.
cypherpunks.ca. 3600 IN NS ns.emufarm.org.
cypherpunks.ca. 3600 IN NS iweb.nikita.ca.
cypherpunks.ca. 3600 IN NS ns2.cypherpunks.ca.
cypherpunks.ca. 3600 IN NS ns3.cypherpunks.ca.
cypherpunks.ca. 3600 IN NS ns1.paip.net.
cypherpunks.ca. 3600 IN NS ns1.cypherpunks.ca.
cypherpunks.ca. 3600 IN NS ns3.paip.net.


They all seem to resolve otr.cypherpunks.ca to be: 198.96.155.5

So I think something messy is going on at the ISP level, or maybe your
machine is compromised with adware?

Best of luck,
jurre


Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-08 Thread Alexandros
On 12/09/2015 12:54 AM, Dionysis Zindros wrote:
> Hello,
> 
> The OTR homepage at http://otr.cypherpunks.ca/ seems to be
> man-in-the-middled in certain networks. I have checked through various
> different networks with various results.
> 
> From the following connections to the Internet, it redirects to
> zeroredirect, which then redirects to casino or adware (mackeeper)
> website:
> 
> 1. Through the Greek OTE provider via the hot spot network Fon
> 2. Through the regular Greek OTE network (the major country
> telecommunications provider) from two different endpoints
> 
> 
> Do you have ideas as to what could be happening?
> 

Hello Dionysis,

I use a OTE aDSL connection at the moment and cannot reproduce what you
report.

Specifically,

> dig +short A otr.cypherpunks.ca @192.168.1.1 
> 198.96.155.5

> dig +short A otr.cypherpunks.ca @8.8.8.8
> 198.96.155.5

> curl -vvv otr.cypherpunks.ca
> * Rebuilt URL to: otr.cypherpunks.ca/
> * Hostname was NOT found in DNS cache
> *   Trying 198.96.155.5...
> * Connected to otr.cypherpunks.ca (198.96.155.5) port 80 (#0)
>> GET / HTTP/1.1
>> User-Agent: curl/7.38.0
>> Host: otr.cypherpunks.ca
>> Accept: */*
>> 
> < HTTP/1.1 302 Found
> < Date: Wed, 09 Dec 2015 00:10:08 GMT
> * Server Apache/2.4.7 (Ubuntu) is not blacklisted
> < Server: Apache/2.4.7 (Ubuntu)
> < Location: https://otr.cypherpunks.ca/

Perhaps you could check the resolvers which are set in the modem/router
used by the endpoints where you observe the problem.

I've witnessed DNS hijacking via "tweaking" the resolvers of these home
routers in the past.

Cheers,
Alex



___
OTR-dev mailing list
OTR-dev@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev


Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-08 Thread David Manouchehri
This looks like your usual ISP DNS hijacking. Their cache is likely
out of date or having some connectivity problems.

What's the actual DNS server's IP? Your dig only shows your router
(192.168.1.1) and not the server.

--
David Manouchehri
F0FE 0296 14EA 35BC 9E4FF  9768 A6EC FD0C 4083 9755
https://keybase.io/manouchehri/key.asc


Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-08 Thread Dionysis Zindros
Thank you all for your responses.

Alexandre - this does not seem to be a local DNS server hijack. I
tried from two different OTE endpoints with similar results (although
a third one produces correct results, and your query also seems to
produce correct results, so we are inconclusive).

Google's DNS also reports a different IP for me queried from two
different locations; locally via OTE (erdos) it reports incorrect
information, while it reports correct information on the linode
(lovelace) network:

dionyziz@erdos ~ % dig @8.8.8.8 otr.cypherpunks.ca

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 otr.cypherpunks.ca
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15281
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;otr.cypherpunks.ca. IN A

;; ANSWER SECTION:
otr.cypherpunks.ca. 488311 IN A 195.22.126.213

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec  9 02:30:05 2015
;; MSG SIZE  rcvd: 52

[0] dionyziz@lovelace ~ % dig @8.8.8.8 otr.cypherpunks.ca

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 otr.cypherpunks.ca
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2099
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;otr.cypherpunks.ca. IN A

;; ANSWER SECTION:
otr.cypherpunks.ca. 2314 IN A 198.96.155.5

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec  9 02:31:02 2015
;; MSG SIZE  rcvd: 52



Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-08 Thread Nick Guenther
From Bell Canada the link in the Location: header takes me through a
couple of steps of tracking sites and then away over to any of several
spam/attack sites:
http://www.mega-brokers.co/lp-millionaireclub-brown/?coc=156&subc=w1ATM3TVTC6OC04PG7B7IRCK&paramc=golf-axe-Tw049LVw&paramf=MS%20-%20New%20Publisher%20-%20INTL
http://alwaysnew.feelfree4update.com/?pcl=3LbSqxsHPv14PjCURUDXDEdm0CHvCe21dottyrEp5Qo.&subid=102855_4a8f8983d90d5aba83b274e59952f44e&v_id=JMns7DFxzqZv1_WCWflzXTSG2mj3zOFVuYw-XLU3wFE.
etc.., which seem to rotate every few minutes.

From Wind Mobile Canada, I get TCP RSTs when I try to go to the landing
page you're being given, so good on Wind I guess.

It's strange that the DNS hijacking is only for some sites. Are you
sure it's targeting otr specifically? Can you maybe write a scapy
script to test thoroughly?


The landing site doesn't seem to be doing anything funny with
routing. My traceroute from Bell:
[kousu@galleon ~]$ traceroute 195.22.126.213
traceroute to 195.22.126.213 (195.22.126.213), 30 hops max, 60 byte packets
 1  homeportal (192.168.2.1)  5.969 ms  7.243 ms  8.035 ms
 2  10.11.0.241 (10.11.0.241)  408.481 ms  408.536 ms  510.627 ms
 3  10.178.206.42 (10.178.206.42)  17.837 ms  19.829 ms  21.733 ms
 4  10.178.206.43 (10.178.206.43)  23.634 ms  23.901 ms  25.642 ms
 5  tcore3-kitchener06_bundle-ether4.net.bell.ca (64.230.113.68)  31.503 ms
    tcore4-kitchener06_Bundle-ether4.net.bell.ca (64.230.113.70)  36.814 ms  33.979 ms
 6  tcore4-toronto21_hun1-1-0-0.net.bell.ca (64.230.50.190)  45.551 ms  11.502 ms  24.040 ms
 7  tcore4-torontoxn_HundredGigE0-12-0-0.net.bell.ca (64.230.50.19)  24.219 ms
    tcore3-torontoxn_HundredGigE0-12-0-0.net.bell.ca (64.230.50.11)  28.631 ms  28.861 ms
 8  bx1-torontoxn_et1-0-0.net.bell.ca (64.230.97.157)  31.141 ms  32.961 ms  33.136 ms
 9  ix-5-0-1-0.tcore2.TNK-Toronto.as6453.net (63.243.172.25)  62.577 ms  62.790 ms  62.937 ms
10  if-2-2.tcore1.TNK-Toronto.as6453.net (64.86.33.89)  36.800 ms  36.999 ms  38.806 ms
11  ae9.tor10.ip4.gtt.net (173.205.54.65)  38.981 ms  40.671 ms  42.366 ms
12  xe-0-1-0.waw11.ip4.gtt.net (141.136.109.10)  135.031 ms  128.720 ms
    xe-0-0-0.waw11.ip4.gtt.net (89.149.182.38)  132.269 ms
13  ip4.gtt.net (46.33.84.122)  138.020 ms  139.968 ms  140.194 ms
14  * * *
15  * * *
16  92-55-195-149.net.hawetelekom.pl (92.55.195.149)  159.489 ms  161.746 ms  163.115 ms
17  SDC-N003RTP01.net.hawetelekom.pl (77.242.225.94)  161.568 ms  164.712 ms  173.525 ms
18  n16h14.sprintdatacenter.net (46.29.16.14)  137.273 ms  139.551 ms  140.869 ms
19  195.22.126.213 (195.22.126.213)  141.038 ms  145.883 ms  147.956 ms


and from Wind Mobile:

[kousu@galleon ~]$ traceroute 195.22.126.213
traceroute to 195.22.126.213 (195.22.126.213), 30 hops max, 443 byte
packets
 1  * gateway (192.168.43.1)  9.156 ms  11.419 ms
 2  * * *
 3  * * *
 4  199.7.156.196 (199.7.156.196)  1564.910 ms  1564.862 ms  1564.890 ms
 5  199.7.156.197 (199.7.156.197)  1564.881 ms  1564.871 ms  1564.861 ms
 6  199.7.158.107 (199.7.158.107)  1619.754 ms  1611.411 ms  1609.155 ms
 7  199.7.158.130 (199.7.158.130)  160.965 ms  172.696 ms  181.021 ms
 8  te0-0-1-2.nr12.b029131-1.yvr01.atlas.cogentco.com (38.88.6.177)
251.004 ms  253.353 ms  253.616 ms
 9  te0-0-1-3.rcr12.yvr01.atlas.cogentco.com (154.24.48.217)  207.164
ms  219.989 ms  264.788 ms
10  te0-0-0-14.ccr21.sea02.atlas.cogentco.com (154.54.83.225)  161.598
ms  151.673 ms  144.550 ms
11  be2083.ccr21.sea01.atlas.cogentco.com (154.54.0.249)  163.858 ms
be2084.ccr22.sea01.atlas.cogentco.com (154.54.0.253)  165.557 ms
177.474 ms
12  be2077.ccr22.sfo01.atlas.cogentco.com (154.54.0.241)  188.410 ms
be2075.ccr21.sfo01.atlas.cogentco.com (154.54.0.233)  175.955 ms
be2077.ccr22.sfo01.atlas.cogentco.com (154.54.0.241)  180.306 ms
13  be2165.ccr22.sjc01.atlas.cogentco.com (154.54.28.66)  188.078 ms
be2164.ccr21.sjc01.atlas.cogentco.com (154.54.28.34)  195.397 ms
be2165.ccr22.sjc01.atlas.cogentco.com (154.54.28.66)  194.008 ms
14  be2000.ccr21.sjc03.atlas.cogentco.com (154.54.6.106)  127.874 ms
130.911 ms  178.101 ms
15  gtt.sjc03.atlas.cogentco.com (154.54.9.14)  168.180 ms  179.834 ms
171.818 ms
16  xe-0-0-0.waw11.ip4.gtt.net (89.149.182.38)  284.123 ms  276.452 ms
279.398 ms
17  ip4.gtt.net (46.33.84.122)  307.631 ms  300.683 ms  291.059 ms
18  * * *
19  * * *
20  92-55-195-149.net.hawetelekom.pl (92.55.195.149)  293.195 ms
293.211 ms  292.000 ms
21  SDC-N003RTP01.net.hawetelekom.pl (77.242.225.94)  306.441 ms
335.056 ms  307.694 ms
22  n16h14.sprintdatacenter.net (46.29.16.14)  270.130 ms  285.611 ms
272.831 ms
23  * * *
24  195.22.126.213 (195.22.126.213)  317.531 ms  340.528 ms  364.764 ms


That landing site is in Poland:
[kousu@galleon ~]$ geoiplookup 46.29.16.14
GeoIP Country Edition: PL, Poland
GeoIP Organization Edition: Sprint Data Center Sprint S.A.

[kousu@galleon ~]$ geoiplookup 195.22.126.213
GeoIP Country Edition: PL, Poland
GeoIP Organization Edition: EuroNet s.c. Henryk Kuc, Jacek Majak

Now, ooni mentions that Greece is doing DNS hijacking t
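A cross-resolver consistency check that covers both Dionysis's original report (195.22.126.213 from the OTE path with a 494398 s TTL, 198.96.155.5 everywhere else) and Nick's question whether the hijack targets otr specifically. This is an added example, not code posted in the thread or shipped by the OTR project. It uses only the Python standard library and makes no network calls: the DNS replies are constructed inside the block to mirror what the thread reports, and the resolver labels, the control name control.example, its address 192.0.2.10 and the 3600 s TTL ceiling (taken from the NS TTL shown in the thread; the A record's own authoritative TTL is not on the page) are assumptions. In a live run, build_response would be replaced by replies captured with a UDP socket or scapy.

```python
"""Cross-resolver DNS consistency check: stdlib only, no network I/O.

Added example for this thread, not code from any participant or from OTR;
the replies below are constructed to mirror the observations in the thread.
"""
import struct

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """'otr.cypherpunks.ca' -> b'\\x03otr\\x0bcypherpunks\\x02ca\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid):
    """Recursive A query: header (RD=1, QDCOUNT=1) + question section."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def build_response(query, ttl, ipv4, ad=False):
    """Fabricate a reply to `query` with one A record (constructed test data only)."""
    flags = 0x8180 | (0x0020 if ad else 0)                    # QR, RD, RA, optionally AD
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], flags, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata  # 0xC00C -> question name
    return header + query[12:] + rr

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                             # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(msg):
    """Return id, rcode, AD flag, question name and the A records of a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, records = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4):
            records.append({"name": name, "ttl": ttl, "address": ".".join(str(b) for b in rdata)})
    # AD is reported but never trusted: any unauthenticated forwarder (a home
    # router, say) can set it, and the poisoned reply in the thread carried it.
    return {"id": qid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "qname": qname, "a": records}

def check_reply(label, query, reply, trusted_addrs, max_ttl):
    """Findings for one resolver; an empty list means it agrees with `trusted_addrs`."""
    p, findings = parse_response(reply), []
    if p["id"] != struct.unpack("!H", query[:2])[0]:
        findings.append(f"{label}: transaction id mismatch")
    rogue = {r["address"] for r in p["a"]} - set(trusted_addrs)
    if rogue:
        findings.append(f"{label}: unexpected address {sorted(rogue)}")
    for r in p["a"]:
        if r["ttl"] > max_ttl:                                # injected records often carry huge TTLs
            findings.append(f"{label}: TTL {r['ttl']} exceeds expected maximum {max_ttl}")
    return findings

def find_disagreements(observations, trusted_addrs, max_ttl):
    """observations: {label: (query, reply)} -> {label: findings} for resolvers that disagree."""
    out = {lbl: check_reply(lbl, q, r, trusted_addrs, max_ttl) for lbl, (q, r) in observations.items()}
    return {lbl: f for lbl, f in out.items() if f}

def sweep(per_name, trusted, max_ttl):
    """Check many names at once; verdict is 'none', 'targeted' (some names) or 'broad' (all)."""
    bad = {n: find_disagreements(obs, trusted[n], max_ttl) for n, obs in per_name.items()}
    bad = {n: f for n, f in bad.items() if f}
    verdict = "none" if not bad else ("broad" if len(bad) == len(per_name) else "targeted")
    return bad, verdict

# Constructed sample: the thread's target plus a hypothetical control name in the reserved
# .example TLD. The otr addresses are the two seen in the thread; 192.0.2.10 is TEST-NET-1.
TRUSTED = {"otr.cypherpunks.ca": {"198.96.155.5"}, "control.example": {"192.0.2.10"}}
OTR_Q, CTL_Q = build_query("otr.cypherpunks.ca", 32155), build_query("control.example", 4242)
SAMPLE = {
    "otr.cypherpunks.ca": {"ote-router": (OTR_Q, build_response(OTR_Q, 494398, "195.22.126.213", ad=True)),
                           "google-from-linode": (OTR_Q, build_response(OTR_Q, 2314, "198.96.155.5"))},
    "control.example": {"ote-router": (CTL_Q, build_response(CTL_Q, 300, "192.0.2.10", ad=True)),
                        "google-from-linode": (CTL_Q, build_response(CTL_Q, 300, "192.0.2.10"))},
}
MAX_TTL = 3600  # assumed ceiling, taken from the NS TTL shown in the thread

def demo():
    return sweep(SAMPLE, TRUSTED, MAX_TTL)

if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the resolvers that disagree per name and the verdict; with the constructed sample only the OTE-side answer for otr.cypherpunks.ca is flagged, on two counts (address not in the authoritative set, cached TTL far above anything the zone could have handed out), while the control name is clean, which is the "targeted" pattern Nick asks about. The transaction-id check is there because a spoofed reply that races the real one is the classic way to get such a record into a cache; the AD bit is deliberately not treated as evidence of anything.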

Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-08 Thread David Manouchehri
namebench will check for DNS hijacking.

https://code.google.com/p/namebench/

--
David Manouchehri
F0FE 0296 14EA 35BC 9E4FF  9768 A6EC FD0C 4083 9755
https://keybase.io/manouchehri/key.asc


Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-08 Thread John Menerick
I assume no recent changes to the domain's dns records?

Sent from my HTC Evo




Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-08 Thread David Manouchehri
DNS settings haven't been changed in months.

https://dnshistory.org/dns-records/cypherpunks.ca
http://viewdns.info/iphistory/?domain=cypherpunks.ca

--
David Manouchehri
F0FE 0296 14EA 35BC 9E4FF  9768 A6EC FD0C 4083 9755
https://keybase.io/manouchehri/key.asc


Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-20 Thread Paul Wouters

On Wed, 9 Dec 2015, Dionysis Zindros wrote:

> The OTR homepage at http://otr.cypherpunks.ca/ seems to be
> man-in-the-middled in certain networks. I have checked through various
> different networks with various results.

> In the man-in-the-middled OTE connection I can see this trace:

> HTTP/1.1 302 Moved Temporarily

> Location:
> http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca

Googling for zeroredirect gives me a lot of links about the "google
redirect" virus. I'd throw away that machine and build a new one.

If you want to avoid DNS redirects I can recommend installing
"dnssec-trigger" from NLnetlabs.

Paul


Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-21 Thread Dionysis Zindros
Hi Paul,

Thanks for your info and your concern. I suspect that the zeroredirect
virus is a different issue, as plugging the same machine to a
different network produces different DNS results – one is legit and
one isn't. Furthermore, none of the documented viral behaviors such as
a misconfigured DNS server or a proxy server occur in my machine. It's
not unlikely that zeroredirect employs various mechanisms to achieve
redirects to their website, of which client machine infection is only
one.

I also hope my operational security for this machine is quite
diligent, as I do not run software which is not securely verified from
a trusted source, either using HTTPS with a trusted domain, or a GPG
signature with a trust path from my key. While I could have made a
mistake, I think DNS poisoning at the network level beyond my machine
is most likely the case.

Dionysis.



Re: [OTR-dev] OTR homepage DNS poisoned?

2015-12-21 Thread David Manouchehri
On a related topic, DNSSEC should be enabled for cypherpunks.ca.

http://dnssec-debugger.verisignlabs.com/cypherpunks.ca

--
David Manouchehri
F0FE 0296 14EA 35BC 9E4FF  9768 A6EC FD0C 4083 9755
https://keybase.io/manouchehri/key.asc