• cnchi uses a hijacked site to get external IPs


    I tried to install Antergos today, but cnchi kept freezing after the “System Check” step. After some investigative work I found out that cnchi was making requests to http://antergos-beta.tk:3000/ip which were timing out, explaining why the program froze. What’s especially interesting is that http://anteros-beta.tk/ redirects to http://twero.com/, an adult (NSFW) dating site. A quick look at the WHOIS records reveals that the domain has been hijacked by Freenom. This begs the question, why does Antergos even use .tk domains?

    Something else that I find very interesting is this line in geoip.py. Why are the URLs written from right to left in the list and then reversed when they’re actually used in line 88? My only possible explanation for this is to hide the URLs from commands like grep, but why?

    I feel like there is definitely something wrong here and would like an explanation.

  • Can @developers comment on this?

  • @bramhaag

    Hi,

    Well, thanks for noticing this.

    I’ll try to explain.

    That server is an Antergos server, of course. We use it to find out the user’s IP address, so we can determine their time location.

    The IP (and name and port) is reversed in geoip.py just so we avoid web crawlers, nothing more.

    Anyways, we will change this code asap so it uses a public ip api service instead.

    Thanks!
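The change the developer describes above (query a public IP API instead of a private endpoint, without hanging the installer) can be sketched as follows. This is an added example, not code from cnchi's geoip.py or from the Antergos project: the function names, the endpoint URLs and the constructed sample responses are assumptions. The point it adds to the thread is that the installer should (a) give each request a short timeout so a dead or hijacked host cannot freeze the "System Check" step, (b) fall through a list of providers, and (c) check that the body is actually an IP address, so a lapsed domain that now redirects to an unrelated HTML page is rejected rather than parsed as a location hint.

```python
"""Resolve the machine's external IP without blocking on a dead endpoint.

Added example (not cnchi's code). Endpoint URLs below are assumptions; the
sample responses in demo() are constructed to mimic the thread's scenario.
"""
import ipaddress
import urllib.request
from typing import Callable, Dict, Optional, Sequence, Union

# Plain-text IP echo services; assumed for the example. Written in the clear,
# since reversing the string hides nothing from a crawler that runs the code.
DEFAULT_ENDPOINTS = (
    "https://api.ipify.org",
    "https://icanhazip.com",
)

PER_REQUEST_TIMEOUT = 3.0  # seconds; bounds how long one provider can stall the UI


def fetch_text(url: str, timeout: float) -> str:
    """Default fetcher: GET the URL and return up to 256 bytes of the body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(256).decode("utf-8", "replace")


def parse_ip(body: str) -> Optional[str]:
    """Return the normalised IP if the body is exactly one address, else None.

    A hijacked domain typically answers with an HTML redirect page (urlopen
    follows redirects by default), so anything that is not a bare address is
    treated as no answer at all.
    """
    candidate = body.strip()
    if not candidate or "\n" in candidate or "<" in candidate:
        return None
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def get_external_ip(
    endpoints: Sequence[str] = DEFAULT_ENDPOINTS,
    timeout: float = PER_REQUEST_TIMEOUT,
    fetch: Callable[[str, float], str] = fetch_text,
) -> Optional[str]:
    """Try each endpoint in order; return the first valid IP, or None.

    Any exception from the fetcher (timeout, DNS failure, HTTP error) counts
    as a miss for that endpoint. Returning None lets the caller fall back to
    asking the user for a timezone instead of freezing.
    """
    for url in endpoints:
        try:
            body = fetch(url, timeout)
        except Exception:
            continue
        ip = parse_ip(body)
        if ip is not None:
            return ip
    return None


def scripted_fetcher(
    responses: Dict[str, Union[str, Exception]]
) -> Callable[[str, float], str]:
    """Build an offline fetcher from constructed responses (for tests/demo)."""
    def fake_fetch(url: str, timeout: float) -> str:
        reply = responses[url]
        if isinstance(reply, Exception):
            raise reply
        return reply
    return fake_fetch


def demo() -> Optional[str]:
    """Constructed scenario: hijacked host, then a stalled host, then a good one."""
    responses = {
        # constructed: the lapsed domain now serves a redirect page, not an IP
        "http://lapsed.example:3000/ip": "<html><body>Moved</body></html>",
        # constructed: this provider never answers within the timeout
        "https://slow.example": TimeoutError("timed out"),
        # constructed: a working provider (RFC 5737 documentation address)
        "https://good.example": "203.0.113.7\n",
    }
    return get_external_ip(
        endpoints=tuple(responses),
        fetch=scripted_fetcher(responses),
    )


if __name__ == "__main__":
    print(demo() or "external IP unavailable; fall back to a manual timezone choice")
```

The fetcher is injected so the lookup logic can be exercised offline; in the installer the default `fetch_text` would be used. The important design choice is that the function can only return a validated address or `None`, never raise and never block past the summed timeouts, so the UI always has something to do next.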
