bdkjones / CodeKit

CodeKit 3 Issue Tracker
https://codekitapp.com

Potential DNS compromise issue on HTTP server start #421

Closed chrisdcosta closed 6 years ago

chrisdcosta commented 6 years ago

Quick, short summary: When starting up CodeKit, occasionally the Bonjour HTTP server address is not as expected and in fact is linked to a malicious URL.

I realise this may not be specifically a Codekit bug/issue but I'm raising it here to partly track it down, as this is where it is manifesting itself.

Expected results: The HTTP server address for the local network should be comprised of the "computer name" acquired from Sharing settings, appending .local and the port :5757.

Actual results: Currently I am seeing the following address instead: http://ptr-7t1s6cghydz54g8s3vv.18120a2.ip6.access.telenet.be:5757, which is considered a malicious address. The domain is my ISP's domain, no spelling errors.

This only happens when connected to my ISP router via Wifi. It could be one of the following:

- the ISP router has been compromised with a DNS changer
- DNS functionality on the Mac has been compromised with a DNS changer
- Bonjour functionality has been compromised
- the HTTP server of CodeKit has been compromised (hence I am posting here)

Exact steps to reproduce: This will not be reproducible as the specifics are localised. The reason I post this here is it may be an indicator of something bigger.

I can watch this in action when I start up CodeKit and see this malicious address in the Internal Server Status section, or by clicking Preview, which executes a browser request to this malicious address.

If I turn off Wifi whilst I have the Internal Server Status popover open, the server restarts and I get the correct non-malicious address.

I can restart CodeKit many times without the malicious address appearing again. However, if I restart Wifi connected to the ISP's router, after several restarts this malicious address appears again, but not initially.

Your configuration (any details about your system that you think might be relevant): I am using a MacBook Air with High Sierra 10.13.1 and CodeKit 2.8 (19127) with MAMP PRO 3.5.2.

bdkjones commented 6 years ago

CodeKit does not set that URL in any way. It merely asks macOS what it is. Many routers, especially the shitty ones you get from ISPs, will take over Bonjour network Administration. You’d have to follow up with Apple and your ISP to track down the source. It is definitely not related to CodeKit, however.


chrisdcosta commented 6 years ago

OK, that's what I thought. Thanks for helping me rule that out.

As I am trying to track down when this occurs, could you give me a pointer or snippet of the code you use (I suppose you use Xcode?) so I can try to build a trap and test? You can DM me on Twitter for my email address: @cjdcosta.

bdkjones commented 6 years ago

You’re looking for NSHost. It has methods to get the computer’s current Bonjour name.

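As an added example (not CodeKit's code, and not posted by anyone in this thread), here is the kind of trap the reporter asked for, built on NSHost as suggested above: a Swift script that logs the host names macOS reports and flags any that is not the expected <Local Hostname>.local. The 30-second interval, the JSON line format and the "non-local means suspicious" rule are my assumptions; the script only records, it does not change anything.

```swift
import Foundation
import SystemConfiguration

// Expected Bonjour name: the Sharing "Local Hostname" plus ".local".
// (Assumption: this is the form CodeKit's preview URL should carry.)
func expectedBonjourName() -> String? {
    guard let local = SCDynamicStoreCopyLocalHostName(nil) as String? else { return nil }
    return local.lowercased() + ".local"
}

// Classify one name NSHost reports. Anything outside .local is what this
// issue is trying to catch (the ISP PTR-style name in the report above).
func classify(_ name: String, expected: String) -> String {
    let n = name.lowercased()
    if n == expected { return "ok" }
    if n.hasSuffix(".local") { return "other-local" }
    return "non-local"
}

// One sample: what NSHost says right now, and which names look wrong.
func snapshot() -> [String: Any] {
    let host = Host.current()
    let expected = expectedBonjourName() ?? "unknown.local"
    let reported = host.names
    let flagged = reported.filter { classify($0, expected: expected) == "non-local" }
    return ["time": ISO8601DateFormatter().string(from: Date()),
            "expected": expected,
            "primary": host.name ?? "",
            "reported": reported,
            "flagged": flagged]
}

// Poll every 30 s and emit one JSON line per sample; the timestamps let
// Wi-Fi reconnects be lined up with when a non-.local name shows up.
while true {
    let snap = snapshot()
    if let data = try? JSONSerialization.data(withJSONObject: snap),
       let line = String(data: data, encoding: .utf8) {
        print(line)
        fflush(stdout)
    }
    Thread.sleep(forTimeInterval: 30)
}
```

Run it as `swift bonjour-trap.swift | tee bonjour-trap.log` on the affected MacBook while toggling Wifi, then grep the log for a non-empty "flagged" array to see exactly when the ISP name starts being reported.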