Browser Hijackings

Wing, Robert Robert.Wing at sjeccd.cc.ca.us
Mon Jun 25 15:13:05 EDT 2001


Thanks Michael,
You may be on to something... But the question remains, what can we do about
it? Ask our DNS admin to flush the cache every day? (I would have to ask
around to even find out who that is and I doubt he/she would do that
every day.) Any thoughts on how to address this locally?
Although it may have seemingly stopped for some libraries like Andrew's, we
are now starting our 4th week of our browsers being hijacked.
We don't get hijacked every day, sometimes we go a day or two and everything
is normal so it seems as if it has stopped, then it starts happening again.
Any ideas would be appreciated.
Regarding the box that pops up, as the bigred.com web page is loading, the
box appears and it asks "Would you like to set your home page to...?" There
are two buttons, "yes" and "no".
Selecting "yes" changes the home page to "bigred.com" in the Internet
Options/preferences. Thus bigred.com appears when the "home" button is
clicked, or the next time the browser is launched. Selecting "no" closes the
dialog box with no change to the homepage. 
As I mentioned in a previous posting, this box has been resized so that it
is at least possible to see the buttons. At first when it would appear, the
box was so big that the "yes/no" buttons were not visible on the screen and
you could not even scroll to see them. Also, one day instead of bigred.com,
we got two other web pages displayed (please see my posting on 6-21-01 for
the text of those pages.) This seemed to indicate to me that an active
"intelligence" was behind this rather than a virus/worm.
Thanks for any ideas that you may have.
Bob

Robert Wing
Librarian
San Jose City College
email: robert.wing at sjeccd.cc.ca.us

On Thu, 21 Jun 2001, P. Michael McCulley wrote:
[snip]
>You might want to look at this ZDNET article on home page hijacking:
>	Online battleground--has your home page been hijacked?
>	http://www.zdnet.com/zdnn/stories/news/0,4586,2689655,00.html
>Perhaps this is some variation on the PassThisOn.com tricks noted.
>Since it has seemingly ended, and mysteriously, some variant of DNS spoofing
>or hacking is perhaps involved after all. The name servers can be poisoned
>with false cache data in some cases. If some DNS admin has flushed or reset
>the cache, it (the redirects) would "disappear" mysteriously as you describe.
>It still is puzzling about the box that pops up, and what "happens" when the
>user selects to re-set their homepage (opt-in?).
[snip]

Original posting by Andrew Mutch on Thu, 21 Jun 2001 
[snip]
>
>"Just in the past day or two, I've had a rash of staff and public
>browsers that appear to have been victims of browser hijacking.  When a
>user tries to browse to an invalid domain, they are redirected to this
>site:
>
>http://www.bigred.com/"
>
[snip]
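
The thread describes invalid domains landing on one site and suspects the name servers. The following is an added example, not part of the original postings: a local check of whether the resolver a workstation uses returns addresses for names that cannot exist. The function names and verdict labels are assumptions made for this sketch.

```python
import secrets
import socket
from collections import Counter


def system_resolve(name):
    """Addresses the OS-configured resolver returns for name (empty set if none)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def probe_names(count=5):
    """Random names under .invalid, a TLD reserved by RFC 2606 that never exists.
    The trailing dot keeps the OS from appending local search suffixes."""
    return [f"{secrets.token_hex(8)}.invalid." for _ in range(count)]


def check_resolver(resolve=system_resolve, names=None):
    """Classify how the resolver treats names that must not resolve.

    clean        - every probe failed, as it should
    redirect-all - every probe resolved and all share at least one address
    partial      - at least one probe resolved, but no address is common to all
    """
    names = names or probe_names()
    resolved = {}
    for name in names:
        addrs = set(resolve(name))
        if addrs:
            resolved[name] = sorted(addrs)
    if not resolved:
        return {"verdict": "clean", "resolved": {}, "common": []}
    counts = Counter(a for addrs in resolved.values() for a in addrs)
    common = sorted(a for a, c in counts.items() if c == len(names))
    verdict = "redirect-all" if common else "partial"
    return {"verdict": verdict, "resolved": resolved, "common": common}


if __name__ == "__main__":
    report = check_resolver()
    print(report["verdict"])
    for name, addrs in report["resolved"].items():
        print(f"  {name} -> {', '.join(addrs)}")
    if report["common"]:
        print("  every invalid name maps to:", ", ".join(report["common"]))
```

A "clean" result on an affected workstation means the resolver it uses is answering correctly for nonexistent names, so the redirect is being introduced somewhere other than that resolver.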