
Re: [opennic-discuss] *** SPAM *** Re: [URGENT] [ROUND-ROBIN] DNS POISONING/POSSIBLE MITM ATTACK


  • From: Lennart Seitz <mail AT lseitz.de>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] *** SPAM *** Re: [URGENT] [ROUND-ROBIN] DNS POISONING/POSSIBLE MITM ATTACK
  • Date: Thu, 2 Sep 2021 15:00:33 +0200

Fusl confirmed the problem and the fix is on the way. This was due to a
corrupted cachedb on the node and not intentional DNS poisoning.



On 02.09.2021 04:04, mail wrote:
> Sorry, the Spam tag was my rspamd.
>
> So, after some more debugging and VPN hopping I managed to get the
> same anycast server that serves your requests:
>
> dig whoami.akamai.net @185.121.177.177  +short
> 104.156.252.143
>
> And now I can confirm that I see phishy records as well, for example this:
>
> dig duckduckgo.com @185.121.177.177 +short
> 69.171.244.11
> which belongs to dropbox?
>
> or this:
>
> dig example.com @185.121.177.177 +short
> 61.244.67.111
>
> I also checked multiple other anycast instances that are running on
> 185.121.177.177, which all seem fine except 104.156.252.143 which
> indeed seems to resolve wrong records.
>
> I would highly suggest getting in contact with fusl; she has been in the
> community for quite a while and I can't imagine that she is doing this
> on purpose. Perhaps some system got infected.
>
>
>
> On Thursday, September 02, 2021 03:26 CEST, Se7en
> <se7en AT cock.email> wrote:
>  
>> On 21-09-02 03:21:00, Lennart Seitz wrote:
>> > I don't think that's the problem here since Duckduckgo.com resolves to
>> > facebook IPs for him and also shows https certificates that are related
>> > to facebook.com when visiting duckduckgo.com
>> >
>> > Can you please check what
>> > dig whoami.akamai.net
>> > gives you when you use opennic and quad9 (for example).
>>
>> For some reason this changed to *** SPAM *** in the subject
>> line. Please give ATTN to the List Moderator to fix this. I don't want
>> this filtered.
>>
>> # ON Quad9
>>
>> $ dig whoami.akamai.net
>>
>> ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> whoami.akamai.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10586
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 512
>> ;; QUESTION SECTION:
>> ;whoami.akamai.net. IN A
>>
>> ;; ANSWER SECTION:
>> whoami.akamai.net. 180 IN A 74.63.16.248
>>
>> # This IP is registered to WoodyNet
>>
>> ;; Query time: 49 msec
>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>> ;; WHEN: Wed Sep 01 18:22:46 PDT 2021
>> ;; MSG SIZE rcvd: 62
>>
>> # On OpenNIC Wiki's Anycast
>>
>> ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> whoami.akamai.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42082
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;whoami.akamai.net. IN A
>>
>> ;; ANSWER SECTION:
>> whoami.akamai.net. 174 IN A 104.156.252.143
>>
>> ;; Query time: 5 msec
>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>> ;; WHEN: Wed Sep 01 18:23:33 PDT 2021
>> ;; MSG SIZE rcvd: 62
>>
>> # This IP is registered to The Constant Company, LLC
>>
>> Note that /this time/ when I changed back to the OpenNICProject's
>> Wiki's Anycast, it now has the MITM again, redirecting sites to the
>> 190.vip fraudulent Chinese domain register.
>>
>> --
>> |-----/ | Se7en
>> / The One and Only! | se7en AT cock.email
>> / | 0x0F83F93882CF6116
>> / | https://se7en-site.neocities.org
>
>
>
>  


--
Kind regards,
Lennart Seitz
PGP key: 0x187abd76a5660379 (https://pgp.lseitz.de/key.asc)
--
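The diagnostic the thread walks through by hand (query `whoami.akamai.net` to learn which instance behind the anycast address answered, then compare a few names against a trusted resolver) can be scripted so that a resolver operator or a user can rerun it quickly. The following is an added example, not OpenNIC's tooling and not code from any poster. It assumes `dig` is on PATH for live mode; the constructed sample reuses the answers quoted in the thread for 185.121.177.177 and the Quad9 `whoami` answer, while the Quad9 answers for duckduckgo.com and example.com are TEST-NET placeholders rather than real records. A name is flagged only when its answer set is disjoint from the reference's, since CDN-fronted names legitimately differ by region, and `whoami.akamai.net` itself is excluded because it differs by design.

```python
"""Cross-resolver consistency check in the spirit of the thread's dig tests."""
import ipaddress
import shutil
import subprocess
import sys
from typing import Dict, List, Set, Tuple

# whoami.akamai.net answers with the address of the resolver instance that
# contacted Akamai's authoritative servers, so it reveals WHICH node behind an
# anycast address served the query. It is expected to differ between resolvers.
WHOAMI = "whoami.akamai.net"

Answers = Dict[str, Dict[str, Set[str]]]            # resolver -> name -> IPs
Findings = Dict[str, Dict[str, Tuple[List[str], List[str]]]]


def parse_short(output: str) -> Set[str]:
    """Keep only IP addresses from `dig +short` output; CNAME lines are dropped."""
    ips: Set[str] = set()
    for line in output.splitlines():
        candidate = line.strip().rstrip(".")
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue
        ips.add(candidate)
    return ips


def dig_short(name: str, resolver: str, timeout: int = 5) -> Set[str]:
    """Live lookup equivalent to `dig <name> @<resolver> +short` (needs dig)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed or not on PATH")
    proc = subprocess.run(
        ["dig", name, f"@{resolver}", "+short", f"+time={timeout}", "+tries=1"],
        capture_output=True, text=True, check=False,
    )
    return parse_short(proc.stdout)


def serving_instance(answers: Answers, resolver: str) -> str:
    """Which instance behind `resolver` answered, according to whoami.akamai.net."""
    ips = answers.get(resolver, {}).get(WHOAMI, set())
    return ",".join(sorted(ips)) or "unknown"


def find_disagreements(answers: Answers, reference: str) -> Findings:
    """Names where a resolver's answer set is DISJOINT from the reference's.

    Disjoint rather than unequal: CDN-fronted names return different addresses
    per region, so partial overlap is normal. whoami.akamai.net is skipped
    because it differs between resolvers by design.
    """
    findings: Findings = {}
    ref = answers[reference]
    for resolver, names in answers.items():
        if resolver == reference:
            continue
        for name, ips in names.items():
            if name == WHOAMI or not ips or not ref.get(name):
                continue
            if ips.isdisjoint(ref[name]):
                findings.setdefault(resolver, {})[name] = (sorted(ips), sorted(ref[name]))
    return findings


# Constructed sample in `dig +short` form. The 185.121.177.177 lines and the
# Quad9 whoami answer are those quoted in the thread; the Quad9 answers for
# duckduckgo.com and example.com are TEST-NET placeholders (NOT real records)
# standing in for whatever a trusted resolver returns at the time of the check.
SAMPLE_RAW = {
    "9.9.9.9": {
        WHOAMI: "74.63.16.248\n",
        "duckduckgo.com": "192.0.2.10\n",
        "example.com": "192.0.2.20\n",
    },
    "185.121.177.177": {
        WHOAMI: "104.156.252.143\n",
        "duckduckgo.com": "69.171.244.11\n",
        "example.com": "61.244.67.111\n",
    },
}


def check_sample(reference: str = "9.9.9.9") -> Tuple[Answers, Findings]:
    """Run the comparison over the constructed sample; returns (parsed, findings)."""
    parsed = {r: {n: parse_short(o) for n, o in names.items()} for r, names in SAMPLE_RAW.items()}
    return parsed, find_disagreements(parsed, reference)


def check_live(resolvers: List[str], names: List[str]) -> Tuple[Answers, Findings]:
    """Query every resolver live; the first resolver is the reference."""
    parsed = {r: {n: dig_short(n, r) for n in [WHOAMI, *names]} for r in resolvers}
    return parsed, find_disagreements(parsed, resolvers[0])


if __name__ == "__main__":
    # Usage: python check.py reference_resolver other_resolver... -- name...
    if "--" in sys.argv:
        split = sys.argv.index("--")
        parsed, findings = check_live(sys.argv[1:split], sys.argv[split + 1:])
    else:
        parsed, findings = check_sample()
    for r in parsed:
        print(f"{r}: served by instance {serving_instance(parsed, r)}")
    for r, bad in findings.items():
        for name, (got, expected) in bad.items():
            print(f"  {r} disagrees on {name}: got {got}, reference {expected}")
```

Run with no arguments to see the sample flagged; in live mode, repeat the run from different vantage points (as the poster did by VPN hopping) and record the `whoami` answer each time, because an anycast prefix can hide one misbehaving instance among many healthy ones.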