[OTR-dev] OTR homepage DNS poisoned?
Jurre van Bergen
drwhax at 2600nl.net
Tue Dec 8 18:57:44 EST 2015
Hi,
I don't see the same thing happening, nor can I resolve that IP via the
dns lookup for otr.cypherpunks.ca. Must be something weird on your
network, might be interesting to run: ooni.torproject.org and see what
is going on.
I checked all the DNS servers which are set:
cypherpunks.ca. 3600 IN NS ns2.paip.net.
cypherpunks.ca. 3600 IN NS ns.emufarm.org.
cypherpunks.ca. 3600 IN NS iweb.nikita.ca.
cypherpunks.ca. 3600 IN NS ns2.cypherpunks.ca.
cypherpunks.ca. 3600 IN NS ns3.cypherpunks.ca.
cypherpunks.ca. 3600 IN NS ns1.paip.net.
cypherpunks.ca. 3600 IN NS ns1.cypherpunks.ca.
cypherpunks.ca. 3600 IN NS ns3.paip.net.
They all seem to resolve otr.cypherpunks.ca to be: 198.96.155.5
So I think something messy is going on at the ISP level or maybe your
machine is compromised with adware?
Best of luck,
jurre
On 12/08/2015 11:54 PM, Dionysis Zindros wrote:
> Hello,
>
> The OTR homepage at http://otr.cypherpunks.ca/ seems to be
> man-in-the-middled in certain networks. I have checked through various
> different networks with various results.
>
> From the following connections to the Internet, it redirects to
> zeroredirect, which then redirects to casino or adware (mackeeper)
> website:
>
> 1. Through the Greek OTE provider via the hot spot network Fon
> 2. Through the regular Greek OTE network (the major country
> telecommunications provider) from two different endpoints
>
> In the man-in-the-middled OTE connection I can see this trace:
>
> dionyziz at erdos ~ % nc -vvv otr.cypherpunks.ca 80
> found 0 associations
> found 1 connections:
> 1: flags=82<CONNECTED,PREFERRED>
> outif en0
> src 172.17.2.16 port 63144
> dst 195.22.126.213 port 80
> rank info not available
> TCP aux info available
>
> Connection to otr.cypherpunks.ca port 80 [tcp/http] succeeded!
> GET / HTTP/1.1
> Host: otr.cypherpunks.ca
>
> HTTP/1.1 302 Moved Temporarily
> Server: nginx/1.6.3
> Date: Tue, 08 Dec 2015 22:24:20 GMT
> Content-Type: text/html
> Transfer-Encoding: chunked
> Connection: keep-alive
> X-Powered-By: PHP/5.4.16
> Location: http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca
>
> However, the site works fine in these providers:
>
> 1. Through the Greek Forthnet ISP from two different endpoints
> 2. Through the linode network
> 3. Through the UPC provider in Switzerland
> 4. Through the NYC Cuny Graduate Center network
> 5. Through the OTE 3G mobile network from two different endpoints
> 6. Through a different OTE network endpoint from those indicated previously
> 7. Through UK broadband networks
>
> We suspect there is selective hijacking of this site going on. Of
> course, the man-in-the-middle happens only when an HTTP connection is
> used. When HTTPS is enforced, for example through HTTPS Everywhere,
> the connection is not possible in the man-in-the-middled networks and
> the connection is refused:
>
> dionyziz at erdos ~ % nc -vvv otr.cypherpunks.ca 443
> nc: connectx to otr.cypherpunks.ca port 443 (tcp) failed: Connection refused
>
> However, these networks work fine as far as other Internet traffic is
> concerned. As OTR is security-related software, this could lead to a
> serious issue (especially if the redirect is sent to a fake OTR
> download instead of simply adware).
>
> The issue can be pin-pointed to an incorrectly resolving IP. Perhaps
> your DNS record has expired and only a few hosts have updated? Or
> someone has hijacked the DNS or done some DNS poisoning?
>
> The incorrect IP seems to be 195.22.126.213, as provided in the OTE
> networks and through Google DNS. The correct IP seems to be
> 198.96.155.5, which is reported by the rest of the networks.
>
> Here is the incorrect DNS response:
>
> ; <<>> DiG 9.10.3 <<>> otr.cypherpunks.ca
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32155
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;otr.cypherpunks.ca. IN A
>
> ;; ANSWER SECTION:
> otr.cypherpunks.ca. 494398 IN A 195.22.126.213
>
> ;; Query time: 7 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Wed Dec 09 00:47:10 EET 2015
> ;; MSG SIZE rcvd: 52
>
> And a traceroute to this IP from the OTE fon connection:
>
> dionyziz at erdos ~ % traceroute otr.cypherpunks.ca
> traceroute to otr.cypherpunks.ca (195.22.126.213), 64 hops max, 52 byte packets
> 1 172.17.2.1 (172.17.2.1) 5.689 ms 2.728 ms 4.305 ms
> 2 62.103.3.254 (62.103.3.254) 21.585 ms 23.708 ms 21.159 ms
> 3 79.128.248.133 (79.128.248.133) 22.082 ms 23.362 ms 20.860 ms
> 4 nyma-crsb-nyma7609a-1.backbone.otenet.net (79.128.226.53) 22.331 ms 23.132 ms 24.259 ms
> 5 ten0-0-0-0-atht1602.ath.oteglobe.gr (62.75.3.81) 25.275 ms pgig0-1.47-ir02-lamdahelixa.ath.oteglobe.gr (62.75.3.109) 22.114 ms 22.480 ms
> 6 62.75.5.177 (62.75.5.177) 68.650 ms
> 62.75.5.197 (62.75.5.197) 77.701 ms
> 62.75.5.222 (62.75.5.222) 72.796 ms
> 7 frankfurt-de-cix.atman.pl (80.81.192.227) 89.017 ms 85.180 ms 84.517 ms
> 8 ae2-3989.r7.glo-r5-glo.atman.pl (212.91.9.74) 86.274 ms 84.626 ms 89.521 ms
> 9 rev-212918-50.atman.pl (212.91.8.50) 96.057 ms 83.332 ms 82.818 ms
> 10 * * *
> 11 * * *
> 12 92-55-195-149.net.hawetelekom.pl (92.55.195.149) 113.889 ms 92.649 ms 96.981 ms
> 13 sdc-n003rtp01.net.hawetelekom.pl (77.242.225.94) 96.141 ms 128.385 ms 101.874 ms
> 14 n16h14.sprintdatacenter.net (46.29.16.14) 92.022 ms 91.969 ms 92.004 ms
> 15 195.22.126.213 (195.22.126.213) 91.272 ms 92.733 ms 95.707 ms
>
> The correct DNS resolution response is shown here, from the working
> OTE connection:
>
> ; <<>> DiG 9.8.3-P1 <<>> otr.cypherpunks.ca
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38259
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;otr.cypherpunks.ca. IN A
>
> ;; ANSWER SECTION:
> otr.cypherpunks.ca. 2904 IN A 198.96.155.5
>
> ;; Query time: 3 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Wed Dec 9 00:48:55 2015
> ;; MSG SIZE rcvd: 52
>
> Do you have ideas as to what could be happening?
>
> Thank you,
> Dionysis Zindros.
> _______________________________________________
> OTR-dev mailing list
> OTR-dev at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
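Jurre's check above, asking each of the listed nameservers directly and comparing their answer with what a local resolver handed out, as an added stdlib-only Python example (not code from the thread): query_a("ns1.cypherpunks.ca", "otr.cypherpunks.ca") sends one UDP query, parse_a_records decodes the reply, and disagreements flags vantage points, such as the OTE resolver, that returned an address no authoritative server did. Function and parameter names are my own.

```python
import random
import socket
import struct

def build_query(name, qid):
    """Minimal DNS A query: header with RD set, one question, no EDNS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg, qid):
    """Return (rcode, [(ip, ttl), ...]) for the A records in the answer section."""
    rid, flags, _, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid:  # a reply to someone else's query (or an off-path forgery): never trust it
        raise ValueError("response id mismatch")
    off = skip_name(msg, 12) + 4  # past the single question: QNAME, QTYPE, QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return flags & 0x000F, answers

def query_a(server, name, timeout=3.0):
    """Send one UDP query to `server` (e.g. ns1.cypherpunks.ca) and parse the reply."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, qid)

def disagreements(authoritative_ips, observed):
    """Vantage points whose answers contain an address no authoritative server returned."""
    auth = set(authoritative_ips)
    return {src: {ip for ip, _ in recs} - auth for src, recs in observed.items()
            if {ip for ip, _ in recs} - auth}
```

Run query_a against every NS in Jurre's list and against your own resolver, then feed the results to disagreements; a resolver that returns 195.22.126.213 while the authoritative servers all say 198.96.155.5 shows up as the only key in the result.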