[WEB4LIB] RE: Browser Hijackings

Andrew Mutch amutch at waterford.lib.mi.us
Mon Jun 25 15:44:08 EDT 2001


Robert,

I'm pretty convinced that the problems that we experienced were at the DNS level
with spoofing or hacking of some kind going on.  We have local DNS servers so
our network administrator set them to resolve "bigred.com" to our Township web
site.  He might have done the same with the other domains that we found were
part of this spoofing.  We are hoping that this will address the issue in the
future.  Thomas Dowling also suggested modifying your "hosts" file to do
essentially the same thing so that these addresses would resolve to an address
of your choice or not at all.

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI

"Wing, Robert" wrote:

> Thanks Michael,
> You may be on to something... But the question remains, what can we do about
> it? Ask our DNS admin to flush the cache every day? (I would have to ask
> around to even find out who that is and I doubt he/she would do that
> every day.) Any thoughts on how to address this locally?
> Although it may have seemingly stopped for some libraries like Andrew's, we
> are now starting our 4th week of our browsers being hijacked.
> We don't get hijacked every day; sometimes we go a day or two and everything
> is normal so it seems as if it has stopped, then it starts happening again.
> Any ideas would be appreciated.
> Regarding the box that pops up, as the bigred.com web page is loading, the
> box appears and it asks "Would you like to set your home page to...?" There
> are two buttons, "yes" and "no".
> Selecting "yes" changes the home page to "bigred.com" in the Internet
> Options/preferences. Thus bigred.com appears when the "home" button is
> clicked, or the next time the browser is launched. Selecting "no" closes the
> dialog box with no change to the homepage.
> As I mentioned in a previous posting, this box has been resized so that it
> is at least possible to see the buttons. At first when it would appear, the
> box was so big that the "yes/no" buttons were not visible on the screen and
> you could not even scroll to see them. Also, one day instead of bigred.com,
> we got two other web pages displayed (please see my posting on 6-21-01 for
> the text of those pages.) This seemed to indicate to me that an active
> "intelligence" was behind this rather than a virus/worm.
> Thanks for any ideas that you may have.
> Bob
>
> Robert Wing
> Librarian
> San Jose City College
> email: robert.wing at sjeccd.cc.ca.us
>
> On Thu, 21 Jun 2001, P. Michael McCulley wrote:
> [snip]
> >You might want to look at this ZDNET article on home page hijacking:
> >       Online battleground--has your home page been hijacked?
> >       http://www.zdnet.com/zdnn/stories/news/0,4586,2689655,00.html
> >Perhaps this is some variation on the PassThisOn.com tricks noted.
> >Since it has seemingly ended, and mysteriously, some variant of DNS
> >spoofing or hacking is perhaps involved after all. The name servers can be
> >poisoned with false cache data in some cases. If some DNS admin has
> >flushed or reset the cache, it (the redirects) would "disappear"
> >mysteriously as you describe.
> >It still is puzzling about the box that pops up, and what "happens" when
> >the user selects to re-set their homepage (opt-in?).
> [snip]
>
> Original posting by Andrew Mutch on Thu, 21 Jun 2001
> [snip]
> >
> >"Just in the past day or two, I've had a rash of staff and public
> >browsers that appear to have been victims of browser hijacking.  When a
> >user tries to browse to an invalid domain, they are redirected to this
> >site:
> >
> >http://www.bigred.com/"
> >
> [snip]
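
Added example, not part of the original messages: a check that a "hosts" file really pins the domains named in this thread to a locally chosen address, including the www. form that the browsers were sent to. The address 192.0.2.10, the sample hosts text and the function names are constructed for illustration.

```python
# Added example: audit a hosts file for the override described in the thread.
# SINK and SAMPLE_HOSTS are constructed values, not taken from the messages.
SINK = "192.0.2.10"  # constructed: stands in for the locally chosen address

def parse_hosts(text):
    """Map each lower-cased name to its address.

    Assumption: the first entry for a name wins, as common resolvers behave.
    """
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank line, or address with no names
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def audit(text, domains, sink=SINK):
    """Return {name: status} for each domain and its www. form.

    A hosts file matches whole names only (no wildcards), so an entry for
    bigred.com does not cover www.bigred.com; both are checked.
    """
    table = parse_hosts(text)
    report = {}
    for domain in domains:
        domain = domain.lower().rstrip(".")
        for name in (domain, "www." + domain):
            got = table.get(name)
            if got is None:
                report[name] = "missing"
            elif got != sink:
                report[name] = "points to " + got
            else:
                report[name] = "ok"
    return report

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
192.0.2.10   bigred.com        # pinned to the local address
192.0.2.99   WWW.BIGRED.COM    # stale entry, wrong address
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE_HOSTS, ["bigred.com"]).items():
        print(f"{name:20} {status}")
```

The same name list can be checked against each workstation's hosts file after the local DNS override is in place, so a machine that bypasses the local DNS servers is still covered.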


