Browser Hijackings

Wing, Robert Robert.Wing at sjeccd.cc.ca.us
Thu Jun 21 19:08:50 EDT 2001


On Thu, 21 Jun 2001 09:20:49 -0400 Andrew Mutch wrote:
>
>"Just in the past day or two, I've had a rash of staff and public
>browsers that appear to have been victims of browser hijacking.  When a
>user tries to browse to an invalid domain, they are redirected to this
>site:
>
>http://www.bigred.com/"
>

Both our student and staff PCs have been getting BigRed.com off and on for
the last 3 weeks with both IE 5.5 and Navigator 4.07.
At first, we would get the BigRed page with a huge dialog box asking "Would
you like to set your homepage to 'http://
hit enter or return to continue"
The dialog box was so big that it was larger than the size of our 17"
monitors set at 800x600, so it was not even apparent that there was an
option to click the "no" button, and there was no vertical scroll bar. The
only apparent option was to press return/enter, thus making BigRed the
homepage.
There are actually yes/no buttons but they were not visible because the
dialog box was so big, the buttons were only visible if the screen
resolution was increased. Once we knew there were indeed yes/no buttons, we
could just tap the right arrow key to select "no" and then hit enter.
Knowing this kept us from having to reset staff PC homepages, but patrons
did not know about the "no" button and would continue to hit enter which
would make BigRed the homepage.
On June 4th, when typing in an invalid URL, a page titled "Test Page for Red
Hat Linux's Apache Installation" appeared and said in part "It Worked! If you
can see this, this means that the installation of Apache software on this
Red Hat Linux system was successful. You may now add content to this
directory and replace this page. If you are seeing this instead of the
content you expected, please contact the administrator of the site
involved..."
This message appeared that morning, then in the afternoon the same day, we
started to get a new web page that said "This domain is temporarily
unavailable. We apologize for any inconvenience." (This message did not look
like a normal web page, but rather like a text document imported from
Word.) This lasted for the remainder of the day and then BigRed has been back
intermittently since then. However, the dialog box to reset the homepage is
now smaller and the yes/no buttons are readily visible. (I find this
interesting since it seems like whoever is doing this is trying to be nice,
at least they resized the dialog box!)
Note that we do not get BigRed every single time, it goes in spurts,
sometimes we get a normal 404 error, etc. 
One of our IT people at first said that a new server at our district office
was being set up and that was probably what was going on.
Later, another technician said that it was a virus/worm, but we have since
run McAfee (definitions 4.0.4140) and come up clean. Also, some of our PCs
have Deep Freeze, and supposedly have been in a frozen state for 6 months
or more and any new virus/worm would disappear upon reboot, but we still get
BigRed on these too.

Bob

Robert Wing
Librarian
San Jose City College
2100 Moorpark Avenue
San Jose, CA 95128-2799
Phone: 408-298-2181, ext. 3945
Fax: 408-293-4728
E-mail: robert.wing at sjeccd.cc.ca.us



