The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.
hugge at nordu.net
Tue Apr 24 20:22:19 UTC 2018
Well there is quite abit of data around that particular server.
So it definitely happened.
This tweet is a good start.
The server answer to me right now and google safe browsing has flagged it as well for being insecure (no the regular
cert-fail warning but deceptivness warning)
The SSL-cert is a self-signed one impersonating MyEtherWallet.com.
Id take it that 15169 accepted the prefix for some reason over a bilateral peering-sesssion (to the best of my knowledge
the equinix routeservers does indeed do filter, but please correct me on this one) with 10297 and hence poisoned the
126.96.36.199 resolver for some time with the wrong ip-addr.
> On Tue, Apr 24, 2018 at 08:35:17PM +0200,
> Fredrik Korsbäck <hugge at nordu.net> wrote
> a message of 28 lines which said:
>> Surprised this hasnt "made the news" over at this list yet.
> It was discussed several hours before on the Outages mailing list.
> Also, there are not a lot of hard facts. The BGP hijacking is clear
> and easy to find in the usual places.
> The supposed rogue DNS server is much more elusive. Nobody apparently
> thought of querying it with dig during the hijack. There are reports
> of people being directed to a rogue www.myetherwallet.com but, again,
> no detail, no IP address, not the certificate of the rogue server,
>> seems to be some kind of transparent proxy out of russia with a
>> bogus SSL-cert (but still pretty good) (https://188.8.131.52/)
> DNSDB does not confirm this:
> % isc-dnsdb-query rdata ip 184.108.40.206
> pigroot.sciencesupply.eu. IN A 220.127.116.11
> value.rollliquid.com. IN A 18.104.22.168
> campsprings.collaspepaw.com. IN A 22.214.171.124
> bronchopneumonic.collaspepaw.com. IN A 126.96.36.199
> server42.woodorganism.com. IN A 188.8.131.52
> ;;; Returned 5 RRs in 0.03 seconds.
> ;;; DNSDB
> Currently, this machine does not accept connections.
More information about the NANOG