[OTR-dev] OTR homepage DNS poisoned?

Dionysis Zindros dionyziz at gmail.com
Tue Dec 8 17:54:11 EST 2015


Hello,

The OTR homepage at http://otr.cypherpunks.ca/ seems to be
man-in-the-middled in certain networks. I have checked through various
different networks with various results.

From the following connections to the Internet, it redirects to
zeroredirect, which then redirects to casino or adware (mackeeper)
website:

1. Through the Greek OTE provider via the hot spot network Fon
2. Through the regular Greek OTE network (the major country
telecommunications provider) from two different endpoints

In the man-in-the-middled OTE connection I can see this trace:

dionyziz at erdos ~ % nc -vvv otr.cypherpunks.ca 80
found 0 associations
found 1 connections:
     1: flags=82<CONNECTED,PREFERRED>
outif en0
src 172.17.2.16 port 63144
dst 195.22.126.213 port 80
rank info not available
TCP aux info available

Connection to otr.cypherpunks.ca port 80 [tcp/http] succeeded!
GET / HTTP/1.1
Host: otr.cypherpunks.ca

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.3
Date: Tue, 08 Dec 2015 22:24:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
Location: http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca

However, the site works fine in these providers:

1. Through the Greek Forthnet ISP from two different endpoints
2. Through the linode network
3. Through the UPC provider in Switzerland
4. Through the NYC Cuny Graduate Center network
5. Through the OTE 3G mobile network from two different endpoints
6. Through a different OTE network endpoint from those indicated previously
7. Through UK broadband networks

We suspect there is selective hijacking of this site going on. Of
course, the man-in-the-middle happens only when an HTTP connection is
used. When HTTPS is enforced, for example through HTTPS Everywhere,
the connection is not possible in the man-in-the-middled networks and
the connection is refused:

dionyziz at erdos ~ % nc -vvv otr.cypherpunks.ca 443
nc: connectx to otr.cypherpunks.ca port 443 (tcp) failed: Connection refused

However, these networks work fine as far as other Internet traffic is
concerned. As OTR is security-related software, this could lead to a
serious issue (especially if the redirect is sent to a fake OTR
download instead of simply adware).

The issue can be pinpointed to an incorrectly resolving IP. Perhaps
your DNS record has expired and only a few hosts have updated? Or
someone has hijacked the DNS or done some DNS poisoning?

The incorrect IP seems to be 195.22.126.213, as provided in the OTE
networks and through Google DNS. The correct IP seems to be
198.96.155.5, which is reported by the rest of the networks.

Here is the incorrect DNS response:

; <<>> DiG 9.10.3 <<>> otr.cypherpunks.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32155
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;otr.cypherpunks.ca. IN A

;; ANSWER SECTION:
otr.cypherpunks.ca. 494398 IN A 195.22.126.213

;; Query time: 7 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Dec 09 00:47:10 EET 2015
;; MSG SIZE  rcvd: 52

And a traceroute to this IP from the OTE fon connection:

dionyziz at erdos ~ % traceroute otr.cypherpunks.ca
traceroute to otr.cypherpunks.ca (195.22.126.213), 64 hops max, 52 byte packets
 1  172.17.2.1 (172.17.2.1)  5.689 ms  2.728 ms  4.305 ms
 2  62.103.3.254 (62.103.3.254)  21.585 ms  23.708 ms  21.159 ms
 3  79.128.248.133 (79.128.248.133)  22.082 ms  23.362 ms  20.860 ms
 4  nyma-crsb-nyma7609a-1.backbone.otenet.net (79.128.226.53)  22.331 ms  23.132 ms  24.259 ms
 5  ten0-0-0-0-atht1602.ath.oteglobe.gr (62.75.3.81)  25.275 ms
    pgig0-1.47-ir02-lamdahelixa.ath.oteglobe.gr (62.75.3.109)  22.114 ms  22.480 ms
 6  62.75.5.177 (62.75.5.177)  68.650 ms
    62.75.5.197 (62.75.5.197)  77.701 ms
    62.75.5.222 (62.75.5.222)  72.796 ms
 7  frankfurt-de-cix.atman.pl (80.81.192.227)  89.017 ms  85.180 ms  84.517 ms
 8  ae2-3989.r7.glo-r5-glo.atman.pl (212.91.9.74)  86.274 ms  84.626 ms  89.521 ms
 9  rev-212918-50.atman.pl (212.91.8.50)  96.057 ms  83.332 ms  82.818 ms
10  * * *
11  * * *
12  92-55-195-149.net.hawetelekom.pl (92.55.195.149)  113.889 ms  92.649 ms  96.981 ms
13  sdc-n003rtp01.net.hawetelekom.pl (77.242.225.94)  96.141 ms  128.385 ms  101.874 ms
14  n16h14.sprintdatacenter.net (46.29.16.14)  92.022 ms  91.969 ms  92.004 ms
15  195.22.126.213 (195.22.126.213)  91.272 ms  92.733 ms  95.707 ms

The correct DNS resolution response is shown here, from the working
OTE connection:

; <<>> DiG 9.8.3-P1 <<>> otr.cypherpunks.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;otr.cypherpunks.ca. IN A

;; ANSWER SECTION:
otr.cypherpunks.ca. 2904 IN A 198.96.155.5

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Dec 9 00:48:55 2015
;; MSG SIZE rcvd: 52

Do you have ideas as to what could be happening?

Thank you,
Dionysis Zindros.
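The checks the post carries out by hand (query the name through several resolvers, compare the A records, and look at what the returned address serves on port 80) can be scripted. The block below is an added example written for this page; it is not code from the post, the OTR project, or the cypherpunks.ca site. It uses only the Python standard library: it builds a wire-format A query, decodes the answer section of a response, and reports when different resolvers disagree about the address. The two responses it checks are constructed here to reproduce the two dig answers quoted above (same transaction ids, flags, TTLs, addresses, and 52-byte size); the HTTP sample is trimmed from the 302 shown above. Function names such as `parse_a_records`, `compare_resolvers` and `redirect_target`, and the `query_resolver` helper for live lookups, are this example's own.

```python
"""Cross-check A records between resolvers and flag off-site HTTP redirects.

Added example for the OTR-dev thread; not the project's or the poster's code.
"""
import socket
import struct
from urllib.parse import urlsplit

QNAME = "otr.cypherpunks.ca"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format A/IN query with the RD bit set (flags 0x0100)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _read_name(data: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_a_records(data: bytes):
    """Return (txid, flags, [(name, ttl, ip), ...]) from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):          # skip the question section
        _, off = _read_name(data, off)
        off += 4                 # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, socket.inet_ntoa(rdata)))
    return txid, flags, records


def build_response(txid: int, flags: int, name: str, ttl: int, ip: str) -> bytes:
    """Constructed single-answer response, used here to replay the posted dig output."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0)
    question = build_query(name, txid)[12:]
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


# Constructed replays of the two dig answers in the post (flags: qr rd ra [ad]).
OTE_RESPONSE = build_response(32155, 0x81A0, QNAME, 494398, "195.22.126.213")
GOOD_RESPONSE = build_response(38259, 0x8180, QNAME, 2904, "198.96.155.5")


def query_resolver(server: str, name: str = QNAME, timeout: float = 3.0) -> bytes:
    """Live UDP lookup against one resolver (needs network; not used by the tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(512)


def compare_resolvers(responses: dict) -> dict:
    """Map each returned IP to the resolvers that gave it; more than one key = disagreement."""
    seen = {}
    for resolver, data in responses.items():
        for _name, _ttl, ip in parse_a_records(data)[2]:
            seen.setdefault(ip, []).append(resolver)
    return seen


# Trimmed from the 302 quoted in the post; constructed for this example.
HIJACK_HTTP = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: nginx/1.6.3\r\n"
    b"Location: http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&keywords=otr.cypherpunks.ca\r\n"
    b"\r\n"
)


def redirect_target(raw_http: bytes, host: str):
    """Return the Location host if a 3xx sends the client off `host`, else None."""
    head = raw_http.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "location":
            target = urlsplit(value.strip()).hostname
            if target and target.lower() != host.lower():
                return target
    return None


if __name__ == "__main__":
    print(compare_resolvers({"ote-fon": OTE_RESPONSE, "forthnet": GOOD_RESPONSE}))
    print(redirect_target(HIJACK_HTTP, QNAME))
```

To repeat the post's comparison live, feed `query_resolver("8.8.8.8")`, the local resolver, and the domain's authoritative servers into `compare_resolvers`; a result with more than one key is the "incorrectly resolving IP" the post describes, and `redirect_target` on the raw port-80 reply from the suspect address tells you whether it is a parking redirect rather than the real site.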

