Stevie Posted November 19, 2012

Had to create a new account here due to forums moving and me not being here for ages. Anyway.

I ran into this weird issue the other day on an XP machine. No matter what site you went to in Firefox, you ended up at hugedomainsDOTcom. I thought it was a HOST hijack but checked and I'd deleted the host file long ago to stop anything hijacking it. I scanned the machine, found nothing. I looked at a Process Monitor trace, nothing. Both IE and Firefox appeared to be affected, pointing to some sort of possible DNS poisoning? Never tried Chrome. Rebooted. Logged back in and all now fine. Odd, maybe it was memory based.

Anyway. Attempting to fix the issue I was VNCed into the machine via a Windows 7 machine. Suddenly the Windows 7 machine started to have similar issues, nowhere near as bad though.

Example vid:

On the Windows 7 machine it only affects Firefox, IE and Chrome are fine, and it only appears to happen if you do a search in the address bar. Instead of going off and searching Google, it redirects to hugedomains.

Both machines are on a domain (a test domain set up at home). It's probably not a perfect domain setup as I'm still learning and I think DNS on it really isn't that good. So I thought it might be that. I disable the NIC on the Windows 7 machine and do the search again in Firefox and it attempts to do a Google search but obviously fails. Turn the NIC back on, do the same search and get redirected to hugedomains again. So maybe the TCP/IP stack is infected, if possible?

I start up a VM in VMware of XP that has been turned off for months. It is connected to the domain, I do a test straight away, suffers the same issue in Firefox. The NIC on the VM is set up as Bridged, so "Connected directly to the physical network". I roll the VM back to the last snapshot, which was an old version of FF and off the domain. No longer suffers the issue.
I connect it to the domain, update FF, test, suffers the issue again.

DC is 10.0.0.100 and the primary DNS on the VM XP is 10.0.0.100 and the secondary is 10.0.0.1 (which is the router). I did this because I'm no expert and I think DNS is a bit messed up on the DC, so machines can look at the router instead. With this setup the VM XP has the issue, only in FF. I then note, if I remove the secondary 10.0.0.1 and just let it use the DNS of the DC, it no longer suffers the issue (oh, and its default gateway is the 10.0.0.1). As soon as I enable the secondary DNS again of 10.0.0.1, issue comes back. This was now pointing to the router being the issue.

I remove the secondary from the Windows 7 machine, do a test in FF and the issue disappears. I re-enable the secondary, still issue has gone. But do the same on the VM and it was still doing it.

Really weird issue that is pointing to a possible issue with the router? It's a Draytek Vigor2800VG.
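The check the post above does by hand (same lookup, different result depending on whether the DC at 10.0.0.100 or the router at 10.0.0.1 answers) can be scripted. This is an added example, not part of the original post: it queries each resolver directly and reports which one disagrees with the rest. The sample answers, the 203.0.113.10 address and the test name are constructed; 208.67.222.222 is an OpenDNS resolver.

```python
import secrets
import socket
import struct
from collections import Counter

def build_query(name, txid):
    """Build a DNS query for the A record of `name`, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """Return (rcode, sorted IPv4 answers) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, sorted(addrs)

def ask(resolver, name, timeout=3.0):
    """Query one resolver over UDP; ignore replies from other hosts or with the wrong ID."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        while True:
            data, peer = sock.recvfrom(4096)
            if peer[0] == resolver and data[:2] == struct.pack("!H", txid):
                return parse_a_records(data)

def odd_ones_out(results):
    """Given {resolver: (rcode, addrs)}, return resolvers outside the majority answer.
    With no strict majority, every resolver is returned for manual review."""
    if not results:
        return []
    counts = Counter((rc, tuple(a)) for rc, a in results.values())
    (top, n), *rest = counts.most_common()
    if rest and rest[0][1] == n:
        return sorted(results)
    return sorted(r for r, (rc, a) in results.items() if (rc, tuple(a)) != top)

# Constructed sample: rcode 3 is NXDOMAIN, rcode 0 is a normal answer.
SAMPLE = {"10.0.0.100": (3, []), "10.0.0.1": (0, ["203.0.113.10"]),
          "208.67.222.222": (3, [])}

if __name__ == "__main__":
    print("sample outliers:", odd_ones_out(SAMPLE))
    live = {}
    for resolver in ("10.0.0.100", "10.0.0.1", "208.67.222.222"):
        try:  # .invalid is a reserved TLD, so an honest resolver returns NXDOMAIN
            live[resolver] = ask(resolver, "should-not-exist.invalid")
        except OSError as exc:
            print(resolver, "no answer:", exc)
    print("live outliers:", odd_ones_out(live))
```

Compare on a name that should not exist or one with fixed records; names served from CDNs legitimately return different addresses from different resolvers.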

Stevie Posted November 20, 2012

No one?

digip Posted November 20, 2012

Check your router's DNS settings, or do a DNS flush, might have been poisoned on your ISP's side. I use OpenDNS both on my router, but also manually set on each of my workstations as well, and I even have gone as far as putting my ISP's DNS server in my hosts file to 127.0.0.1, so Comcast DNS can't interfere.

If only one browser is doing it though, possible it somehow hit a poisoned DNS server before the other browsers did the lookups. Possible that the pre-fetch, synchronous DNS settings in FF are screwed or their side is messed up. Try updating FF, or like you did in XP, reboot, but I think it was a DNS hijack most likely. Reboot would clear your DNS cache, but you could also restart the DHCP and DNS service in Windows or do a flush via ipconfig from the command line.

I leave the DNS service off on my box, so my system doesn't even cache DNS at all, does a lookup every time I go to a site. services.msc will pull up services for Windows, you can set the DNS one to disabled. Then restart DHCP, should flush it at that point and not cache DNS at all from then on. You can add OpenDNS to your NIC settings too.

Edited November 20, 2012 by digip

Stevie Posted November 21, 2012

Thanks for the suggestions. I did think it might be my ISP but then would assume they'd be getting lots of complaints. I've already set the router to use Comodo's DNS. I'll try the other options, and turning off DNS so it doesn't cache is a good idea. Also thinking of turning off the DC for a while, in case it is actually that.

Stevie Posted December 3, 2012

It's doing my nut in. It's not making any sense what's going on. Well maybe it is, but it just seems like it's pointing to DNS but then it only affects Firefox. However, I booted another XP machine to test, both IE and Firefox were having the issue but not Chrome. So even if it was on the router where the issue was, how come it's only affecting certain browsers? Then blocking said sites via the host file and using an IP block in Comodo, neither IE nor Firefox could go to the site. Then suddenly, they stopped and started using Google search again for searches typed into the address bar.

Now logged on to the DC. Removed Firefox and all profile info. Checked in IE and no issue. Installed Firefox fresh and clean, old Firefox profile wiped. Was doing it again, in Firefox but not IE, on the DC. Totally confused where this redirect is hiding. 3 different machines having the same issue would point to DNS, but why only affecting certain browsers? Even after flushing DNS, turning off cached DNS on the Windows 7 box. Router DNS pointing to Comodo's.

This new test is me typing ESXI in the address bar. Instead of going to Google Search (my default) it goes to hugedomains instead. I've even changed the default search to Bing, but it makes no difference.

Is anyone able to set up some VMs and do some testing? Visit the mentioned site. Then do as I've done in the video and see if it causes the same issue?

Next thing is to change out the router. I've already got a newer Draytek in, just need to install it. And I guess raise a ticket with my ISP to check it's not them.

digip Posted December 3, 2012

Possibly an intruder on the network, redirecting you? What are you doing to watch the traffic on your network though? Make sure on your domain controller you have some sort of packet capturing going on and watch the traffic for a bit, or if you have to, insert a clean machine and LAN tap the traffic going in and out of the thing as well as your routers and switches, check ARP and see known on the LAN and if you can find something that doesn't belong on there, but sounds like maybe you got whacked by malware, or someone is in the network and has control of things, like a rootkit or such.

Stevie Posted December 3, 2012

Think I'll try putting something on to monitor. Maybe Wireshark? Probably the only one I know a tiny amount of.

Also my DNS knowledge isn't exactly good and I found out last night, on the DC, in the Forwarder in DNS, it was pointing to 10.0.0.100 which is also the DC. Apparently this is wrong, hence the same DNS error showing up in the logs for ages. When I set up the DC, I was always taught that if the IP of the DC is for example 10.0.0.100 (just used the 10 range as easier to type), then the Preferred DNS in the TCP/IP settings should also be 10.0.0.100. This has worked for me in Server 2003 and when setting up the DC. Clients have been able to connect to it etc. But looks like this then put an entry in the Forwarder.

I was in the forwarder last night to add the OpenDNS servers and kept getting an error about the IP being invalid. That turned out to be the 10.0.0.100 address, because the DNS server can’t point to itself, I think I’ve learnt. Since removing that entry and adding OpenDNS, then flushing DNS on all machines, the redirect, at the moment, appears to have gone on all machines. But it’s early days. I’ve had it disappear before only to then suddenly come back at a later date.

For all these tests this time around I’ve been using esxi, as mentioned, in the address field. But I can then do a random search a few days later for something that should then pull up a Google search but then it will redirect. I’ll monitor it for a few days.

Need to replace the router as well. I also have two Netgear unmanaged switches that I rebooted last night (unplugged and plugged back in again), as they haven’t been rebooted for months. I assume it’s not possible for them to hold any DNS cache for some odd reason?
I’m pretty sure I know the answer to that is a no, but I ask here as people here appear to be able to amazingly get kit to do what it was never designed for :)

OpenDNS is now on the router as well as the DC. However, I did notice when I set it on the router, the router would connect to the ISP and for a brief couple of seconds keep the OpenDNS settings, then flip back to using the ISP DNS. Doing an NSLOOKUP on the IPs and a search on the results found the DNS they are using is Cable & Wireless DNS. I’m with Xilo. They seem pretty good support wise. I think I’ll ask them why OpenDNS isn’t kicking in, and why it’s forcing it back to using their DNS. After all, it could end up being Cable & Wireless DNS causing the issue.

I also now and then do a sniff of the network with Cain and Abel but that’s buggered up again recently on the NIC, as when you go to Config the IP is showing as 255.255.255.255. I’ve had this before and found a fix but the fix isn’t working this time as it appears to be a different issue. Pretty sure that’s not related to this redirect issue, as during the redirect it had been working fine, then suddenly went. It’s the only tool I know to give me a list of kit that is currently on the network.

Edited December 3, 2012 by Stevie

digip Posted December 3, 2012

On the router, you may have to set manually OpenDNS and force it if possible. On my router, DHCP tries to set Comcast as the DNS, but I have entries that I fill manually listing OpenDNS first, and Comcast shows at the bottom, so 2 entries for OpenDNS up top, and 1 for Comcast's which I block on the hosts file of my workstation. I also manually have OpenDNS set on all my workstations as well and disable DNS caching on all workstations.

As for switches, they don't really do routing unless they are layer 3 switches, so for the most part, they only know MAC addresses and then forward to the gateway to tell it where to set stuff, then it learns what is on each port connected to it and passes back the broadcast data to only the specified MAC target in the frame. They don't care about DNS, so much as what is connected on each switch port, and who is the gateway. Once it knows the gateway it just passes data back and forth at layer 2, and the gateway routes and works its magic for the rest mostly.

Having your own DNS server, since you run it in a domain setting and a domain controller, means you can set up DNS on the domain controller to use OpenDNS while the router may not let you override the DHCP settings from the ISP, although that's pretty unheard of. You should be able to manually enter what DNS provider you want on the router though. Not sure what hardware you are using for a router, but would look into the documentation to see if it's set to auto and if it can be set manually. Assuming a more off-the-shelf consumer router? Since things like Cisco routers require manually configuring pretty much everything on the damn things. I've never heard of Draytek so not familiar with setting one of them up. If all else fails, see about reloading the firmware on the Draytek just to be sure it wasn't hacked via the WAN side and someone put a custom bin file on it to mask their access.

Stevie Posted December 3, 2012

Thanks. I'll have a look. It's a Draytek Vigor2800VG. A business grade router with inbuilt firewall, VOIP and VLAN. I got it mainly to play with. I set OpenDNS on it manually and although on connection it briefly says my DNS is OpenDNS, it flicks back to the Cable & Wireless one that Xilo use. I think I'll speak to them about that issue, if that's their end doing it.

digip Posted December 3, 2012

ISP shouldn't be able to change router settings other than DHCP config. If it's an all-in-one modem and router, then yeah, you're at the mercy of the ISP, but for the most part, routers are customer owned and configured. The ISP can send DHCP settings for DNS and such, but ultimately your router should give you the ability to override DNS in them. If not, it's a limitation of the router more than anything. I've set up some home networks for people who didn't even have the option to change their DNS in the routers they owned. Some older Buffalo and Netgear equipment that would only accept what the ISP sent them from DHCP, so that might be that your router honors the ISP's DNS only on the router side, but on the LAN side you can set all servers and workstations to use OpenDNS for that side regardless of what is in the router.

One way to test: sign up with OpenDNS, set a specific domain as blocked, and then from a workstation configured to only use OpenDNS, try to reach the blocked site. You should get a page created by OpenDNS stating it was blocked. Nice thing about OpenDNS, you can filter both content and specific domains, add parental controls for filtering specific content, etc.

Stevie Posted December 3, 2012

In all the searching I've done on this issue, this was the oddest thing I came across: http://youtu.be/B0dHDD9fFM4

Why did he ever agree to do it that way? It's embarrassing having the fake audience. It's so clear they are actors and the fake clapping at the end even worse!

digip Posted December 4, 2012

Dan is actually a genius. Most people don't give him enough credit. You should check out some of his talks from conferences and his work. He knows what he is talking about, regardless of this video.

Stevie Posted December 4, 2012

Don't get me wrong, I wasn't knocking or mocking him. I just thought it was a really odd decision to do the video in front of the fake audience. He looked so uncomfortable at the end. The audience wasn't needed.

digip Posted December 4, 2012

I don't know that it was a fake audience, but it was certainly not a normal talk or presentation you would see at a conference.

Stevie Posted December 9, 2012

Been a few days and all seems clear now since I removed the wrong forwarder in DNS on the DC, that pointed to the DC itself. And since putting in the OpenDNS entries in the forwarder. So I wonder if that points to the DC being the suspect. Hmmm. Will investigate if possible.

Stevie Posted May 7, 2013

IT'S BACK!!!!

New PC, router has been replaced (needed to replace it) so I know the router hasn't been infected or the issue. Now possibly pointing to my Firefox profile as I copied the profile from my old setup. However, I still believe that can't be the issue, as when testing on VMs, fresh VMs, freshly installed, after a few minutes of searching it kicks in and starts to do it on the VM. Only thing I can think of now is it is something on the DC.

digip Posted May 7, 2013

If it's part of a domain, and not a home network, your domain controller's DNS server probably got hijacked or DNS poisoning. Possibly even a user on the network having fun with ettercap and messing with you; since it's a domain, could be anyone on the LAN. I would try LAN tapping and packet capturing machines exhibiting this so you can see if it's being intercepted on the LAN, or if the DC is just foobared. Either way, not good when a domain controller is compromised since it trickles down the line to everyone, surprised no one else is complaining of the issue.

Pwnd2Pwnr Posted May 8, 2013

Who is your ISP? Big name? No name?

digip Posted May 8, 2013

> Who is your ISP? Big name? No name?

If it's on a domain controller, it's most likely a business server and corporate LAN, which makes me think the internal DNS server got whacked or poisoned, or someone on the LAN is messing with things. People at home aren't usually running their own domain controllers unless they have a lab for something like Active Directory and Windows Server 2003/2008 set up with workstations tied to the LAN as a domain, not a home network. Still, the ISP could be an issue, but I highly doubt that it would be on their end redirecting him. Most likely one of the servers or boxes got whacked with malware.

Pwnd2Pwnr Posted May 8, 2013

@Digip : I would definitely agree that I have never heard of an ISP redirecting to sites like that. One would think that they would nip that in the ass quickly.

@Stevie : Have you slapped any firmware changes to your router? Or, if you have wireless connectivity, you may have been "reaved". Do you have WPS set up? Check your router configs and make sure you're not forwarding your traffic to bigwebhost.com (or whatever site it may be). Also, have you run a netstat -ano? The answer is there; we're just not looking in the right place... hopefully your kernel hasn't been rooted.

Stevie Posted May 9, 2013

@Digip : I have my own domain set up at home for testing but instead of it being in a lab I put it on the main network so I could start rolling out software updates and software to PCs on the network. And being an IT Tech it was helping me learn. But I haven't really managed it properly; the DC does do updates whenever they are available and will reboot during the night if it's done any updates. I did have a replication server set up but have recently decommissioned that, but it's not made any difference.

@Pwnd2Pwnr : ISP is Xilo.net, they are a reseller I believe and are using BE on my line (used to be using Cable & Wireless via Xilo but had speed issues and Xilo said C&W were slow at fixing anything and had old kit in the exchange, so I asked for the move to BE). They've said they can't see anything their end.

The odd thing is when it happens, if I fire up IE, it doesn't do it. If I also disable the NIC and do the same search in Firefox, instead of attempting to go to hugedomains, it does attempt to go to Google instead.

One thing I've noticed in the Process Monitor trace I took is when it tries to connect to that address, just before the connection or just after I see an active.adobe.com connection. Don't know if it's related or not. I'll try and get an image of what I'm talking about up. It's really odd.

digip Posted May 9, 2013

active.adobe.com is probably just Flash checking for new version updates, but something seems foul with the redirects. Is there any wireless involved in your network? Maybe someone got on the network and is MITM/Ettercap attacking, but sounds more like malware or even something you installed that is taking over Firefox, like an add-on or plug-in. I still think a LAN tap of the machines exhibiting it, in a passive manner, might show traffic on the line, and local MAC addresses; if it's a local hack, you would see MAC addresses not tied to one of the local machines if someone managed to get onto the home network.

Either way, I'd be firing up Wireshark, and tracking all traffic to this site, and like mentioned using netstat to see what programs are making the connections. You can also use the Sysinternals GUI version, TCPView, which lets you see netstat connections, to established endpoints, and the process/program in use to the foreign network. Might show Firefox, but might also show some other programs hidden that you don't see in Task Manager, like fake services disguised as svchost.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

You can also try running some WMI commands, to see if there are hidden services that run in the background but don't show under services.msc, that could be taking over the connection or just targeting Firefox users (which makes me think it's malware - but go into the under-the-hood section of Firefox and check all its settings. Pretty sure they have one for synchronous DNS lookups, and it may be poisoned -> type about:config in the Firefox address bar to access extra settings not under normal Firefox preferences. You may find the redirect in there, which may have switched your default search engine or be doing the redirects. Once in there you can search the name of the site or keyword, might show up under the hood).

Edited May 9, 2013 by digip

Pwnd2Pwnr Posted May 9, 2013

It seems to link all to FFx. Perhaps an extension?

digip Posted May 10, 2013

> It seems to link all to FFx. Perhaps an extension?

That's what I was thinking, like an add-on or plug-in for FF. Looking under the hood might show something too if he can search part of the domain it directs to, see if it shows anywhere in there, but that's just one more thing to check off the list of places to look.

Pwnd2Pwnr Posted May 14, 2013

Any luck, Stevie?