[OTR-dev] OTR homepage DNS poisoned?

Dionysis Zindros dionyziz at gmail.com
Mon Dec 21 05:55:57 EST 2015


Hi Paul,

Thanks for your info and your concern. I suspect that the zeroredirect
virus is a different issue, as plugging the same machine into a
different network produces different DNS results – one is legit and
one isn't. Furthermore, none of the documented viral behaviors such as
a misconfigured DNS server or a proxy server occur on my machine. It's
not unlikely that zeroredirect employs various mechanisms to achieve
redirects to their website, of which client machine infection is only
one.

I also hope my operational security for this machine is quite
diligent, as I do not run software which is not securely verified from
a trusted source, either using HTTPS with a trusted domain, or a GPG
signature with a trust path from my key. While I could have made a
mistake, I think DNS poisoning at the network level beyond my machine
is most likely the case.

Dionysis.

On Mon, Dec 21, 2015 at 3:38 AM, Paul Wouters <paul at cypherpunks.ca> wrote:
> On Wed, 9 Dec 2015, Dionysis Zindros wrote:
>
>> The OTR homepage at http://otr.cypherpunks.ca/ seems to be
>> man-in-the-middled in certain networks. I have checked through various
>> different networks with various results.
>>
>> In the man-in-the-middled OTR connection I can see this trace:
>>
>> HTTP/1.1 302 Moved Temporarily
>>
>> Location:
>> http://www.zeroredirect1.com/otr.cypherpunks.ca?rpm=1&domainerId=18f6e5d1-1b47-11e5-ae0f-0edec89589c7&keywords=otr.cypherpunks.ca&fallbackUrl=http%3A%2F%2Finvestdollar.net%3FsubID%3Dotr.cypherpunks.ca%26fb%3Dhttp%3A%2F%2Fww9.otr.cypherpunks.ca
>
> Googling for zeroredirect gives me a lot of links about the "google
> redirect" virus. I'd throw away that machine and build a new one.
>
> If you want to avoid DNS redirects I can recommend installing
> "dnssec-trigger" from NLnetlabs.
>
> Paul
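The diagnostic Dionysis describes (the same name resolved through different networks gives different answers) can be automated by asking several resolvers directly and flagging the ones that disagree. The script below is an added example, not code from the OTR-dev thread or the OTR project: it builds a minimal DNS A query, parses the reply (including RFC 1035 name compression), checks the transaction id so a stray or spoofed reply is not mistaken for the real one, and reports outlier resolvers. The resolver addresses in `main` are assumptions; `192.0.2.53` is a placeholder for the local network's resolver, and `build_response` only constructs sample replies for offline testing.

```python
"""
Cross-resolver DNS consistency check (added example, not from the OTR-dev thread).

Sends a minimal DNS A query to each resolver, parses the answer section
(with RFC 1035 name compression), and reports resolvers whose answers
disagree with the majority. Resolver addresses in main() are assumptions.
"""
import socket
import struct
from collections import Counter
from typing import Dict, Iterable, Optional, Set


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS query: one question, type A, class IN, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", 1, 1)


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:                    # reject pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_records(data: bytes, expected_txid: Optional[int] = None) -> Set[str]:
    """Return the set of IPv4 addresses in the answer section of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = _read_name(data, offset)
        offset += 4                          # QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:        # A record
            addrs.add(socket.inet_ntoa(rdata))
    return addrs


def build_response(name: str, addrs: Iterable[str], txid: int = 0x4242) -> bytes:
    """Constructed reply for offline testing; answers point back at the question name."""
    addrs = list(addrs)
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack(">HH", 1, 1)
    rrs = [b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip) for ip in addrs]
    return header + question + b"".join(rrs)


def query_resolver(resolver_ip: str, name: str, timeout: float = 3.0) -> Set[str]:
    """Ask one resolver over UDP/53 and return the A records it gives."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def find_outliers(answers: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Resolvers whose answer set differs from the most common answer set."""
    majority = Counter(frozenset(a) for a in answers.values()).most_common(1)[0][0]
    return {r: a for r, a in answers.items() if frozenset(a) != majority}


if __name__ == "__main__":
    # Assumed resolver list: two public resolvers plus a placeholder for the
    # local network's resolver (replace 192.0.2.53 with the one in /etc/resolv.conf).
    resolvers = ["1.1.1.1", "8.8.8.8", "192.0.2.53"]
    results = {}
    for r in resolvers:
        try:
            results[r] = query_resolver(r, "otr.cypherpunks.ca")
        except (OSError, ValueError) as exc:
            print(f"{r}: no usable answer ({exc})")
    if len(results) >= 2:
        for r, bad in find_outliers(results).items():
            print(f"{r} disagrees with the majority: {sorted(bad)}")
```

A disagreeing local resolver is consistent with poisoning or a captive/redirecting network rather than a client infection, which is the distinction drawn in the thread; a validating stub resolver such as the dnssec-trigger setup Paul mentions only helps for zones that are DNSSEC-signed, so the comparison is still a useful first check.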

