--thanks everyone this has been resolved, see my answer below--

I created a Debian/OpenVPN server several months ago for private use, but in the last two days I've noticed something extremely unsettling and strange.

It happens just with a single google search, but it can only be recreated while connected over OpenVPN. I've already tried changing DNS servers/different computers/etc...

This is what happens:

I go to news.google.com, search for the string 'russia syria'. When I click the link "Explore in Depth", a page of results comes up.

However, this page now seems to include links redirecting to "search.news.cn".

It only seems to do this for this particular search.

When I access the google page via wget on the server, it pulls down HTML including similar links.

The OpenVPN server is located in Canada, and I'm not in China.

Any ideas on what might be going on?

  • I've also run rkhunter which detected no threats
KauriNZ
  • I've attached a screenshot, I can't find any mention of this type of attack, if it is one, online – KauriNZ Oct 20 '15 at 13:57

3 Answers

I can only assume that you have created an OpenVPN server using a template, or are accessing said VPN server through a proxy, or the server is infected; if any of these is by chance affiliated with whatever unruly problem, that is the probable answer.

If you want to create an OpenVPN server, I suggest a SeedBox which is in the Netherlands so as to provide anonymity and no bandwidth issues. (Assuming the OpenVPN is the fault.)

If you want a proxy, don't try unless you have to as it is leakable.

If it is infected (which is most probable), then in that case you need to reset your VPS server to Block 1 (new install).

It appears that the DNS servers being pushed by the OpenVPN server configuration weren't being utilized by clients. Instead, the DNS servers listed in the server's /etc/resolv.conf were still being used.

These servers were configured to the defaults for my cloud server provider. Once changed, the injection stopped.

If any systems were compromised, it may have been those systems and not my individual cloud server.

KauriNZ
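A check a defender could run on the VPN server to spot this kind of resolver disagreement, as an added example that is not part of the original answer: it reads the `nameserver` lines from resolv.conf-style text, sends a raw A query to each listed resolver, and reports those whose answers differ from a trusted reference set. The hostname, the resolver addresses in the comments and the reference answers are placeholders to replace with your own.

```python
import socket
import struct

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf-style text (the file the VPN clients fell back to)."""
    parts = (line.split() for line in text.splitlines())
    return [p[1] for p in parts if len(p) > 1 and p[0] == "nameserver"]

def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(buf, off):
    """Advance past a (possibly compressed) DNS name; a compression pointer is two bytes."""
    while buf[off] != 0:
        if (buf[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_a_records(resp):
    """Return the set of IPv4 addresses found in the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def query(server, name, timeout=2.0):
    """Ask one resolver over UDP/53; an empty set means a timeout or a mismatched transaction ID."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return set()
    return parse_a_records(resp) if resp[:2] == q[:2] else set()

def compare_resolvers(servers, name, reference, resolve=query):
    """Return {resolver: answers} for every resolver whose answers differ from the trusted reference set."""
    return {s: a for s, a in ((s, resolve(s, name)) for s in servers) if a != reference}
```

Run it as `compare_resolvers(parse_nameservers(open("/etc/resolv.conf").read()), "news.google.com", query("<trusted resolver>", "news.google.com"))`; any resolver returned is one worth replacing or investigating.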

You said the OpenVPN server is in Canada. Is it? Are you sure of that? How do you know you're not connecting to a Mainland Chinese VPN? (it's Simplified, not Traditional)

Here are some possibilities:

  1. The server you're connecting to was detected by Google as being in China using geolocation, but it isn't in China. This could happen if the owner of said addresses changed relatively recently.
  2. The server you're connecting to is infected. This would be one of the dumbest pieces of malware I'd ever see.
  3. Your VPN program is connecting you to the wrong VPN.
  4. There's a bug in Google's news aggregator.
  5. You're connecting to a VPN in Canada in a location where there's a large Chinese population, so it would make sense to include those. Toronto? Vancouver?
  6. You have Chinese as a language pack installed on your computer, and your browser detects this and informs Google. However, you said this is not happening unless you're connected to the VPN, so it's unlikely to be this issue. I think it's very likely #5, but I could be wrong.

You said it just happens during a single search, correct? Am I correct in assuming that if you search for other things in the news, and explore in depth, it doesn't show up? It's possible that these results don't exist on Xinhua's website.

It's also possible Google is just returning results related to those.

Mark Buffalo
  • The server is indeed operating in Canada. I've been a long-term client and the IP and traceroute show it to be in Montreal. I set up the VPN server myself using a clean (so I believe) image of Debian; I'm not connecting to any strange servers. This behavior only started in the last two days, even though I've been searching the news on Google that way for at least two weeks now. I'd be surprised that Google would geolocate it elsewhere, as the block of addresses has been registered to this company for a long time. I tried to recreate it with other searches, but only this one shows. – KauriNZ Oct 20 '15 at 18:55
  • It had something to do with DNS poisoning, or perhaps their own DNS server was compromised. Once I changed these settings the issue resolved itself. – KauriNZ Oct 20 '15 at 19:00
  • The surprising thing is I could only reproduce it for that exact search... – KauriNZ Oct 20 '15 at 19:02