Geekzone: technology news, blogs, forums

kiwikiwi
#175877 14-Jul-2015 18:07

So I'm not gonna URL link this because it is pretty much malicious but I'm getting random URL hijacks in my browser, I've only so far seen this in my machine I haven't had anyone else complain in my household.

I've gone through my programs list, process list and addons for both Firefox and Chrome and I've already done my scans except for MBAM which I will be doing now.

Normally I'm good at fixing my issues(ha I'm qualified I should know :P) but I'm actually quite stumped.

Basically randomly every few days I get this(2nd time) and this has ONLY started when I switched to Spark(coincidence I hope and I hope that this isn't Spark). Hitting back and re-loading the URL I was trying to access works fine after and it's all happy days.

And it looks like this.

Screenshot I can't constrain proportions again.

Anyone else had this issue?





You can also follow me on twitter here @kiwifortw I do twitch streams every now and then at twitch.tv/kiwiforthewin :)

HTTP 404 Sarcasm not found.

richms
#1343271 14-Jul-2015 19:43

That's just a normal intrusive scam ad.

Happens all the time on The Pirate Bay if I have no adblocker running, and some other websites that will take ads from anybody.




Richard rich.ms



kiwikiwi
#1343273 14-Jul-2015 19:44

richms: That's just a normal intrusive scam ad.

Happens all the time on The Pirate Bay if I have no adblocker running, and some other websites that will take ads from anybody.


This has happened here on Geekzone, Tomshardware and normal websites everyday people would browse. And I am running adblocker.





richms
#1343279 14-Jul-2015 19:52

Ok well then your PC or router has been compromised.

Many routers have had cross site scripting problems in the past that have allowed a simple bit of HTML on a page to hit them with new DNS settings, which then get ads displayed if you are logged into the web interface from the same browser, so that would be first place to check, that the router is correctly getting DNS from the ISP or is specified to what you want it to be, and then log out of the router. Check you don't have default passwords on it etc.




Richard rich.ms
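
Added example, not part of any poster's reply: one way to run the "is DNS what it should be" check from the client side on both Windows and Debian, by parsing `ipconfig /all` output and `/etc/resolv.conf` and flagging resolvers outside an expected set. The sample outputs and all addresses are constructed (documentation ranges, not real ISP resolvers), and the English `DNS Servers` label is assumed.

```python
import ipaddress
import re

# Constructed allowlist: router LAN address plus placeholder ISP resolvers.
EXPECTED = {"192.168.1.254", "192.0.2.53", "192.0.2.54"}

SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 203.0.113.66
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV_CONF = "# constructed\nsearch lan\nnameserver 192.168.1.254\nnameserver 203.0.113.66\n"

def _valid_ip(text):
    """Return a normalised IP string, or None if text is not an address."""
    try:
        return str(ipaddress.ip_address(text.split("%")[0]))  # drop IPv6 zone id
    except ValueError:
        return None

def resolvers_from_ipconfig(output):
    """Collect DNS servers, including the indented continuation lines."""
    found, in_dns = [], False
    for line in output.splitlines():
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S*)", line)
        ip = _valid_ip(m.group(1) if m else line.strip())
        if m:
            in_dns = True
        elif not (in_dns and ip):
            in_dns = False  # any other label ends the DNS list
            continue
        if ip:
            found.append(ip)
    return found

def resolvers_from_resolv_conf(text):
    """Collect 'nameserver' entries, ignoring comments."""
    lines = (l.split("#", 1)[0].split() for l in text.splitlines())
    ips = (_valid_ip(p[1]) for p in lines if len(p) >= 2 and p[0] == "nameserver")
    return [ip for ip in ips if ip]

def unexpected_resolvers(resolvers, expected=EXPECTED):
    return [ip for ip in resolvers if ip not in expected]

if __name__ == "__main__":
    print("windows:", unexpected_resolvers(resolvers_from_ipconfig(SAMPLE_IPCONFIG)))
    print("debian :", unexpected_resolvers(resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)))
```

A client that lists only the router's LAN address is forwarding through the router, so a clean result here still leaves the router's own WAN DNS setting to be read from its admin page.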



kiwikiwi
#1343281 14-Jul-2015 19:57

richms: Ok well then your PC or router has been compromised.

Many routers have had cross site scripting problems in the past that have allowed a simple bit of HTML on a page to hit them with new DNS settings, which then get ads displayed if you are logged into the web interface from the same browser, so that would be first place to check, that the router is correctly getting DNS from the ISP or is specified to what you want it to be, and then log out of the router. Check you don't have default passwords on it etc.


Yeah router(HG659B) is getting Spark's DNS servers. I also did change that default password the day that I got it(this was before my Spark connection went live which is why I'm still fishy it's something to do with Spark because as soon as the switch over happened from Orcon this happened)

Also I have done an ipconfig /flushdns when I got it the first time hoping it was just some old DNS cache record that was still being stored, so that hasn't helped.

Malware scan came back clean. Same with Avast. Should also point out this happens as well on my Debian install and my Windows 10 Insider install.





freitasm
#1343411 14-Jul-2015 22:59

It has to be your router or network adapter. Since it happens on Linux as well I'd say router.




kiwikiwi
#1343412 14-Jul-2015 23:00

freitasm: It has to be your router or network adapter. Since it happens on Linux as well I'd say router.


Hmm factory resetting the HG659B will be a pain but I guess I can live and spend 30 minutes securing it with a better password and re-port forward the ports I need. It's a task but I can deal with it.

Will report back when I've done it.





kiwikiwi
#1348024 20-Jul-2015 20:38

Hi there sorry for the long-ish wait.

I ended up just nuking every install and factory resetting the router.

Haven't seen it since.





DravidDavid
#1348106 21-Jul-2015 01:49

I've recently started getting this on my Galaxy S4!

I use my phone mainly for mind-numbing entertainment and email for when I'm waiting for something. I typically break my personal "click-bait" rules for something to read. I initially put it down to these websites being slightly less than legitimate and redirecting me.

All of a sudden I open Google, I'm typing away and I get immediately re-directed to a random overseas page, advertising company website, or websites far less safe for work! Quite embarrassing when you're trying to show someone something.

I've looked all over the internet and it looks as if the only solution is a factory reset. :|

Now that you mention it being the router, it does seem to only ever happen at work, never really at home.  I'll have to investigate further!

kiwikiwi
#1348107 21-Jul-2015 01:50

DravidDavid: I've recently started getting this on my Galaxy S4!

I use my phone mainly for mind-numbing entertainment and email for when I'm waiting for something. I typically break my personal "click-bait" rules for something to read. I initially put it down to these websites being slightly less than legitimate and redirecting me.

All of a sudden I open Google, I'm typing away and I get immediately re-directed to a random overseas page, advertising company website, or websites far less safe for work! Quite embarrassing when you're trying to show someone something.

I've looked all over the internet and it looks as if the only solution is a factory reset. :|

Now that you mention it being the router, it does seem to only ever happen at work, never really at home.  I'll have to investigate further!


Are you also on Spark? Do you also happen to be hooked up to a HG659B?
Edit: removing the Answer because this hasn't been closed yet; I'd like to see this issue resolved fully.





DravidDavid
#1348109 21-Jul-2015 01:56

kiwikiwi:
DravidDavid: I've recently started getting this on my Galaxy S4!

I use my phone mainly for mind-numbing entertainment and email for when I'm waiting for something. I typically break my personal "click-bait" rules for something to read. I initially put it down to these websites being slightly less than legitimate and redirecting me.

All of a sudden I open Google, I'm typing away and I get immediately re-directed to a random overseas page, advertising company website, or websites far less safe for work! Quite embarrassing when you're trying to show someone something.

I've looked all over the internet and it looks as if the only solution is a factory reset. :|

Now that you mention it being the router, it does seem to only ever happen at work, never really at home.  I'll have to investigate further!


Are you also on Spark? Do you also happen to be hooked up to a HG659B?
Edit: removing the Answer because this hasn't been closed yet; I'd like to see this issue resolved fully.


Slingshot at home on a Netgear DG834G V3 at home.  100/50 Fibre at work (not Spark) on a Draytek router.  Just did some surfing on the phone now, not a single re-direct.  But it's usually the first thing I have to stop when I hook up to the WiFi at work when trying to use my standard browser.  Everyone else but me is an Apple user, so I'll ask around.

I wonder how many of these virus/adware applications can cross platforms?  Surely if someone else is experiencing a problem on an Apple device, it would be network based.  I have no experience with these things though.  It's actually the only IT related issue I haven't been able to solve in years and I'm feeling totally defeated!

freitasm
#1348120 21-Jul-2015 04:01

Your case is different. One thing is a URL going to the wrong address due to DNS hijacking, another thing is the phone showing signs of malware running. Reset your phone, buy an antivirus and don't open crap. Same rules for PCs apply to smartphones now. Don't open unknown files, don't click links you don't know about.




michaelmurfy
#1348163 21-Jul-2015 08:31

If it wasn't DNS changed on the router I wonder what was changed and what was used to exploit it?




Michael Murphy | https://murfy.nz

DravidDavid
#1373655 25-Aug-2015 11:00

Just an update on my case specifically.

My S4 recently went in for warranty repair and I have a loan phone for the time being. Before sending it, I factory reset the phone and was STILL redirected. I removed a file from the Android folder that somehow survived the reset (or perhaps installed shortly after) and it went away.

Anti-virus/anti-malware was doing absolutely nothing apart from badly draining my battery life.

Now this loan phone I have is experiencing exactly the same issue, so my guess is it's the router.  As much as I'd like to believe that, it happens when using mobile data too!  Perhaps my router(s) are compromised and once the file (or whatever it's putting on my phone) continues the problem regardless of what network I use it on.

I have a fibre connection at work.  I don't know much about ONT systems.  Is it possible that it could be compromised as well as the router attached to it?
I have changed the password on the router (which I've read will stop the issue) but not sure how to proceed next.

Talk about annoying!
