[OTR-dev] OTR homepage DNS poisoned?
Dionysis Zindros
dionyziz at gmail.com
Tue Dec 8 17:54:11 EST 2015
Hello,
The OTR homepage at http://otr.cypherpunks.ca/ seems to be
man-in-the-middled in certain networks. I have checked through various
different networks with various results.
>From the following connections to the Internet, it redirects to
zeroredirect, which then redirects to casino or adware (mackeeper)
website:
1. Through the Greek OTE provider via the hot spot network Fon
2. Through the regular Greek OTE network (the major country
telecommunications provider) from two different endpoints
In the man-in-the-middled OTE connection I can see this trace:
dionyziz at erdos ~ % nc -vvv otr.cypherpunks.ca 80
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif en0
src 172.17.2.16 port 63144
dst 195.22.126.213 port 80
rank info not available
TCP aux info available
Connection to otr.cypherpunks.ca port 80 [tcp/http] succeeded!
GET / HTTP/1.1
Host: otr.cypherpunks.ca
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.3
Date: Tue, 08 Dec 2015 22:24:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16
Location: http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca
However, the site works fine in these providers:
1. Through the Greek Forthnet ISP from two different endpoints
2. Through the linode network
3. Through the UPC provider in Switzerland
4. Through the NYC Cuny Graduate Center network
5. Through the OTE 3G mobile network from two different endpoints
6. Through a different OTE network endpoint from those indicated previously
7. Through UK broadband networks
We suspect there is selective hijacking of this site going on. Of
course, the man-in-the-middle happens only when an HTTP connection is
used. When HTTPS is enforced, for example through HTTPS Everywhere,
the connection is not possible in the man-in-the-middled networks and
the connection is refused:
dionyziz at erdos ~ % nc -vvv otr.cypherpunks.ca 443
nc: connectx to otr.cypherpunks.ca port 443 (tcp) failed: Connection refused
However, these networks work fine as far as other Internet traffic is
concerned. As OTR is security-related software, this could lead to a
serious issue (especially if the redirect is sent to a fake OTR
download instead of simply adware).
The issue can be pin-pointed to an incorrectly resolving IP. Perhaps
your DNS record has expired and only a few hosts have updated? Or
someone has hijacked the DNS or done some DNS poisoning?
The incorrect IP seems to be 195.22.126.213, as provided in the OTE
networks and through Google DNS. The correct IP seems to be
198.96.155.5, which is reported by the rest of the networks.
Here is the incorrect DNS response:
; <<>> DiG 9.10.3 <<>> otr.cypherpunks.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32155
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;otr.cypherpunks.ca. IN A
;; ANSWER SECTION:
otr.cypherpunks.ca. 494398 IN A 195.22.126.213
;; Query time: 7 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Dec 09 00:47:10 EET 2015
;; MSG SIZE rcvd: 52
And a traceroute to this IP from the OTE fon connection:
dionyziz at erdos ~ % traceroute otr.cypherpunks.ca
traceroute to otr.cypherpunks.ca (195.22.126.213), 64 hops max, 52 byte packets
1 172.17.2.1 (172.17.2.1) 5.689 ms 2.728 ms 4.305 ms
2 62.103.3.254 (62.103.3.254) 21.585 ms 23.708 ms 21.159 ms
3 79.128.248.133 (79.128.248.133) 22.082 ms 23.362 ms 20.860 ms
4 nyma-crsb-nyma7609a-1.backbone.otenet.net (79.128.226.53) 22.331
ms 23.132 ms 24.259 ms
5 ten0-0-0-0-atht1602.ath.oteglobe.gr (62.75.3.81) 25.275 ms
pgig0-1.47-ir02-lamdahelixa.ath.oteglobe.gr (62.75.3.109) 22.114
ms 22.480 ms
6 62.75.5.177 (62.75.5.177) 68.650 ms
62.75.5.197 (62.75.5.197) 77.701 ms
62.75.5.222 (62.75.5.222) 72.796 ms
7 frankfurt-de-cix.atman.pl (80.81.192.227) 89.017 ms 85.180 ms 84.517 ms
8 ae2-3989.r7.glo-r5-glo.atman.pl (212.91.9.74) 86.274 ms 84.626
ms 89.521 ms
9 rev-212918-50.atman.pl (212.91.8.50) 96.057 ms 83.332 ms 82.818 ms
10 * * *
11 * * *
12 92-55-195-149.net.hawetelekom.pl (92.55.195.149) 113.889 ms
92.649 ms 96.981 ms
13 sdc-n003rtp01.net.hawetelekom.pl (77.242.225.94) 96.141 ms
128.385 ms 101.874 ms
14 n16h14.sprintdatacenter.net (46.29.16.14) 92.022 ms 91.969 ms 92.004 ms
15 195.22.126.213 (195.22.126.213) 91.272 ms 92.733 ms 95.707 ms
The correct DNS resolution response is shown here, from the working
OTE connection:
; <<>> DiG 9.8.3-P1 <<>> otr.cypherpunks.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;otr.cypherpunks.ca. IN A
;; ANSWER SECTION:
otr.cypherpunks.ca. 2904 IN A 198.96.155.5
;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Dec 9 00:48:55 2015
;; MSG SIZE rcvd: 52
Do you have ideas as to what could be happening?
Thank you,
Dionysis Zindros.
More information about the OTR-dev
mailing list