Something is injecting malware into my HTTP traffic
Roman Ovseitsev
romovs at gmail.com
Fri Mar 20 19:07:10 IST 2015
Please forgive the slight off-topic, but I am experiencing a rather strange
issue while downloading a certain file over HTTP.
Instead of getting the node.js installer as expected from here
http://nodejs.org/dist/v0.12.0/node-v0.12.0-x86.msi I am receiving a
completely different executable - an installer for Elcomsoft's Advanced EFS
Password Recovery, whatever that is.
Both files are exactly the same size but SHA sums obviously don't match.
The SSL version of the link -
https://nodejs.org/dist/v0.12.0/node-v0.12.0-x86.msi works as expected,
i.e. downloads the correct node.js installer.
I have verified this on three different machines running Fedora, CentOS,
and Windows. None of these machines ever exchanged any files or used
anything else but the default repos. In fact the Windows machine is a
13-year-old PC with a freshly installed OS. So presumably that dismisses any
possibility of rootkits.
It doesn't seem to be due to my router or ISP either. I am getting the
wrong executable on two of my neighbours' Wi-Fi networks and at least one
of them seems to be using a different ISP.
However, it doesn't happen on another Israeli server or on a couple of US and UK
servers I've tried so far.
I am not using any proxies either.
The nodejs.org domain on all of the above resolves to the same IP.
What's going on?
Could it be that the ISPs are the culprit?
Considering that the application is relatively popular and I am the only
one experiencing this issue it doesn't seem to be the case of nodejs.org
server doing this on purpose (knowingly or not).
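
Added example, not part of the original post: a Python check for the symptom described above (same size, different SHA sum over HTTP, correct file over HTTPS). It compares both copies against a sha256sum-format manifest assumed to be fetched over HTTPS; the sample bytes, the labels and the 0.5 threshold are constructed for illustration.

```python
import hashlib

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: digest}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[1].strip().lstrip("*")] = parts[0].lower()
    return table

def diff_profile(a, b):
    """Return (first differing offset or None, fraction of differing bytes)."""
    n = min(len(a), len(b))
    diffs = [i for i in range(n) if a[i] != b[i]]
    return (diffs[0] if diffs else None), (len(diffs) / n if n else 0.0)

def classify(name, http_body, https_body, manifest):
    """Compare the plain-HTTP copy with the HTTPS copy and the published digest."""
    expected = manifest.get(name)
    if expected is None:
        return "no-reference"
    if hashlib.sha256(https_body).hexdigest() != expected:
        return "reference-mismatch"      # HTTPS copy or manifest is off; trust neither
    if hashlib.sha256(http_body).hexdigest() == expected:
        return "ok"
    if len(http_body) != len(https_body):
        return "size-differs"            # truncation or a different file
    _, ratio = diff_profile(http_body, https_body)
    # Same size: a mostly different body means the whole file was swapped,
    # a small ratio means the original was patched in place.
    # The 0.5 cut-off is an assumption chosen for this example.
    return "replaced-same-size" if ratio > 0.5 else "patched-in-place"

# Constructed sample data: stand-ins for the two downloads, not real installers.
NAME = "node-v0.12.0-x86.msi"
GOOD = b"MSI-GOOD" * 64
SWAPPED = b"OTHERAPP" * 64               # same length, unrelated content
PATCHED = GOOD[:100] + b"\x00" + GOOD[101:]
MANIFEST = parse_manifest(hashlib.sha256(GOOD).hexdigest() + "  " + NAME + "\n")

if __name__ == "__main__":
    for label, body in (("swapped", SWAPPED), ("patched", PATCHED), ("clean", GOOD)):
        print(label, classify(NAME, body, GOOD, MANIFEST), diff_profile(body, GOOD))
```
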