Something is injecting malware into my HTTP traffic

Amos Shapira amos.shapira at gmail.com
Sat Mar 21 08:30:06 IST 2015


Just speculating, but could it be that your ISP uses a caching transparent
proxy (which would explain why it doesn't happen on SSL) and its cache got
corrupted?
The "other ISP" case could be explained if it's actually
upstream/downstream from your ISP, or they share a proxy cache for other
reasons.


On 21 March 2015 at 04:07, Roman Ovseitsev <romovs at gmail.com> wrote:

> Please forgive the slight off-topic, but I am experiencing a rather
> strange issue while downloading a certain file over HTTP.
>
> Instead of getting node.js installer as expected from here
> http://nodejs.org/dist/v0.12.0/node-v0.12.0-x86.msi I am receiving a
> completely different executable - an installer for Elcomsoft's Advanced EFS
> Password Recovery whatever that is.
>
> Both files are exactly the same size but SHA sums obviously don't match.
>
> SSL version of the link -
> https://nodejs.org/dist/v0.12.0/node-v0.12.0-x86.msi works as expected.
> i.e. downloads the correct node.js installer.
>
>
> I have verified this on three different machines running Fedora, CentOS,
> and Windows. None of these machines ever exchanged any files or used
> anything else but the default repos. In fact the Windows machine is a
> 13-year-old PC with a freshly installed OS. So presumably that dismisses any
> possibility of rootkits.
>
> It doesn't seem to be due to my router or ISP either. I am getting the
> wrong executable on two of my neighbours' Wi-Fi networks and at least one
> of them seems to be using a different ISP.
> However, it doesn't happen on another Israeli server, nor on a couple of
> US and UK servers I've tried so far.
> I am not using any proxies either.
>
> nodejs.org domain on all of the above resolves to the same IP.
>
>
> What's going on?
> Could it be that the ISPs are the culprit?
>
> Considering that the application is relatively popular and I am the only
> one experiencing this issue it doesn't seem to be the case of nodejs.org
> server doing this on purpose (knowingly or not).
>


-- 
<http://au.linkedin.com/in/gliderflyer>
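
A check for the transparent-cache hypothesis in the reply above, added here as an example and not part of the original message: it compares the body received over HTTP with the one received over HTTPS and lists cache-related response headers. The response head, both bodies and the hostname cache.example.net are constructed sample data.

```python
import hashlib

# Response headers a caching intermediary commonly adds (Via and Age are
# standard HTTP; X-Cache and X-Cache-Lookup are emitted by Squid and others).
CACHE_HEADERS = ("age", "via", "x-cache", "x-cache-lookup")

def parse_head(raw):
    """Parse a raw HTTP/1.x response head into {lowercased name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def triage(http_head, http_body, https_body):
    """Compare the cleartext download with the TLS one and collect cache hints."""
    headers = parse_head(http_head)
    http_sha = hashlib.sha256(http_body).hexdigest()
    same = http_sha == hashlib.sha256(https_body).hexdigest()
    hints = [h for h in CACHE_HEADERS if h in headers]
    if same:
        verdict = "match"
    elif hints:
        verdict = "mismatch-via-cache"   # consistent with a stale or corrupted cache
    else:
        # A transparent proxy need not announce itself, so no hints proves nothing.
        verdict = "mismatch-unattributed"
    return {"verdict": verdict, "hints": hints,
            "same_size": len(http_body) == len(https_body),
            "http_sha256": http_sha}

# Constructed sample data (not captured from the incident in this thread).
SAMPLE_HEAD = """HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 16
Age: 86400
X-Cache: HIT from cache.example.net
Via: 1.1 cache.example.net (squid)
"""
SAMPLE_HTTP_BODY = b"WRONG-INSTALLER!"    # 16 bytes, stands in for the unexpected file
SAMPLE_HTTPS_BODY = b"RIGHT-INSTALLER!"   # 16 bytes, stands in for the expected file

if __name__ == "__main__":
    print(triage(SAMPLE_HEAD, SAMPLE_HTTP_BODY, SAMPLE_HTTPS_BODY))
```

Cache headers in the response are only a hint: an origin-side CDN can add them too, so the hash mismatch against the HTTPS copy is the finding and the headers narrow where to look.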