
Google search results redirected to fake flash player update links (Ubuntu)


19 replies to this topic

#1 Al1000
  • Global Moderator
  • 7,489 posts
  • Gender:Male
  • Location:Scotland

Posted 26 March 2014 - 08:43 AM

Hi,

 

I recently started getting these redirects using XP and Google Chrome, most often on links to youtube pages but also to other web pages. I then found that my computer was badly infected with malware when I downloaded Spybot Search and Destroy. It found several infections that antivir had not found, but was unable to remove many of them. The problem seems to affect Google Chrome more than Firefox, which I started using after I began to get these redirects. When I tried to log into internet banking, Chrome wouldn't connect to the page, and instead displayed a message saying that it was unable to make a secure connection and that something might be interfering with my internet connection, although I was able to connect with Firefox.

 

So I (fully) formatted and partitioned my hard drive, installed XP on one partition, Ubuntu on another, with a fat32 swap area in-between.

 

(This is my first foray into Linux)

 

A few days later I began to get the same redirects in Firefox using Ubuntu, and downloaded ClamAV but it couldn't find anything wrong. I also downloaded NoScript, but subsequently enabled bbc.co.uk, and shortly after that got a fake redirect on Firefox when I tried to click on a link to a Google search result to a page on bbc.co.uk. Clearing my temporary internet files usually fixes the links, but the problem reappears again shortly after.

 

So I formatted that partition of the hard drive again, re-installed Ubuntu, and also rkhunter, and all seemed fine for a day. The following day I downloaded Google Chrome for Ubuntu, and just a few minutes later I began to get the same redirects again!

 

I purged Chrome from my pc, ran rkhunter again, and also downloaded and ran chkrootkit and Unhide. Neither chkrootkit or Unhide seemed to find anything wrong, and the positives that rkhunter reports seem to be consistent with false positives that other people say it reports. I have also read through the system log, copied and pasted anything that looks (to me) to be suspicious into Google, and searched to see if anyone else has reported the same lines from their log as being suspicious. So far, I have been unable to find any trace of malware on my Ubuntu installation, but the problem remains.

 

The first thing I did after re-installing Ubuntu, was to enable the firewall with the following commands:

 

sudo ufw allow ssh/tcp

sudo ufw logging on

sudo ufw enable

sudo ufw status

 

...and everything seemed fine until I downloaded Chrome (from the official site) the next day.

 

After each time I change the software, I open a terminal and type:

 

sudo rkhunter --propupd

 

I also understand that I am supposed to add the line:

 

APT_AUTOGEN="yes"

 

to:

 

/etc/default/rkhunter

 

...after software updates, but I have been unable to locate the latter to add the former to it, so I'm not even sure if I am using rkhunter effectively.

 

I use the standard firewall on XP and the free version of antivir anti-virus. I haven't used XP much since re-installing it, but did get one such redirect on yet another link to youtube when using Firefox, and when I tried to close the page, my anti-virus software caught TR/Crypt.ZPACK.Gen7 being downloaded. Fortunately it seems to have dealt with it successfully, but I haven't dared to install Chrome on XP again.

 

I have also noticed that every time I run Spybot Search and Destroy on XP after restarting my computer, it finds a few problems including changes to the Registry, although it reports them as minor, and is able to fix them. Perhaps I should post this in a separate topic in the XP section of the forum, but I thought I should mention it here in case it's relevant.

 

I am now wondering if there could be a nefarious rootkit hidden somewhere on my hardware, that somehow affects Chrome more than Firefox, and is able to affect Ubuntu to a greater extent than XP, possibly due to the lack of effective (and free) anti-malware software (or my lack of ability to use it effectively) available for Ubuntu.

 

Any advice would be much appreciated, as I am still very much a beginner with Linux. Please let me know if I should post any logs etc.




 


#2 jonuk76
  • Members
  • 2,166 posts
  • Gender:Male
  • Location:Wales, UK

Posted 26 March 2014 - 08:57 AM

How are you connecting to the internet?  There have been some attacks on consumer routers recently.  This is just one of many media stories about this.  EDIT Better one here.  Any malware which affects the router will be able to redirect web pages regardless of operating system on the attached PC.


Edited by jonuk76, 26 March 2014 - 09:07 AM.

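Because a tampered router can hand the attached PCs rogue DNS servers over DHCP, which is how it redirects pages regardless of the operating system, a quick host-side check is to look at which resolvers the machine is actually using and to compare its answers for a few well-known names with those of a reference resolver. The following is an added example, not code from this thread; the resolv.conf text, the trusted-resolver set and the address answers are all constructed sample data.

```python
"""Host-side check for router DNS hijacking: which resolvers is this box
really using, and do its answers agree with a reference resolver?"""
import ipaddress
import re

# Constructed /etc/resolv.conf as pushed over DHCP by a tampered router:
# the first entry is the router itself, the second a rogue server it injected
# (203.0.113.7 is a documentation address standing in for a real one).
SAMPLE_RESOLV_CONF = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 192.168.1.1
nameserver 203.0.113.7
search lan
"""

# Resolvers the owner expects: the router and Ubuntu's local dnsmasq stub.
TRUSTED_RESOLVERS = {"192.168.1.1", "127.0.1.1"}
# Anything outside RFC 1918 space or loopback is treated as suspicious here.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers

def untrusted_nameservers(servers, trusted=TRUSTED_RESOLVERS):
    """Resolvers that are neither explicitly trusted nor on the LAN/loopback."""
    flagged = []
    for s in servers:
        if s in trusted:
            continue
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)                      # not even an IP: look at it
            continue
        if not any(addr in net for net in LAN_NETWORKS):
            flagged.append(s)
    return flagged

def compare_answers(local, reference):
    """Names whose locally resolved addresses share nothing with the reference
    resolver's answers; a hijacked resolver points popular sites elsewhere."""
    return sorted(name for name, addrs in local.items()
                  if name in reference and not set(addrs) & set(reference[name]))
```

On a live system the `local` and `reference` answer sets would come from querying each name through the configured resolver and through a resolver reached out of band (for example with `dig @server name`), and any flagged nameserver or mismatched name points at the router rather than the PC.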


#3 Al1000
  • Topic Starter
  • Global Moderator
  • 7,489 posts
  • Gender:Male
  • Location:Scotland

Posted 26 March 2014 - 08:57 AM

Sorry, forgot to mention that after the problem first appeared, I bought an additional hard drive and transferred all of the files I wanted to keep (but did not include any programs, applications or .exe files etc) onto it, prior to formatting the original hard drive. I disconnected the new hard drive before installing Windows on the original one, and connected it back up again after.

 

I have also scanned the hard drives using BitDefender, but it doesn't report any problems on either the Windows partition on my original hard drive or on the new hard drive, and it doesn't seem to work on the Ubuntu partition.

 

Does anyone know of a live CD like BitDefender, that works on Linux installations?



#4 Al1000
  • Topic Starter
  • Global Moderator
  • 7,489 posts
  • Gender:Male
  • Location:Scotland

Posted 26 March 2014 - 08:59 AM

How are you connecting to the internet?  There have been some attacks on consumer routers recently.

I use an ethernet cable.

 

I have also searched the internet for people reporting the same symptoms, but have been unable to find anyone doing so.



#5 jonuk76
  • Members
  • 2,166 posts
  • Gender:Male
  • Location:Wales, UK

Posted 26 March 2014 - 09:02 AM

Ethernet cable connected to what?  A cable modem?  A combined router with cable or ADSL modem? Something else?


Edited by jonuk76, 26 March 2014 - 09:09 AM.



#6 Al1000
  • Topic Starter
  • Global Moderator
  • 7,489 posts
  • Gender:Male
  • Location:Scotland

Posted 26 March 2014 - 09:11 AM

How are you connecting to the internet?  There have been some attacks on consumer routers recently.  This is just one of many media stories about this.  EDIT Better one here.  Any malware which affects the router will be able to redirect web pages regardless of operating system on the attached PC.

 

Thanks for the link. I just noticed that you had edited your post. Coincidentally, I reset my router just this morning, and haven't had any problems today, but I will read that article and see if I can follow the steps that it advises.

 

Ethernet cable connected to what?

 

 

It's connected to a TP-Link modem/router.

 

Is that what you are asking?

 

(sorry if my answers seem insubstantial)


Edited by Al1000, 26 March 2014 - 09:22 AM.


#7 Al1000
  • Topic Starter
  • Global Moderator
  • 7,489 posts
  • Gender:Male
  • Location:Scotland

Posted 26 March 2014 - 09:13 AM

Ethernet cable connected to what?  A cable modem?  A combined router with cable or ADSL modem? Something else?

The computer plugs into the modem, which in turn plugs into a tiny white box that separates the phoneline and broadband (always connected), and the white box plugs into the phone socket on the wall.



#8 Al1000
  • Topic Starter
  • Global Moderator
  • 7,489 posts
  • Gender:Male
  • Location:Scotland

Posted 26 March 2014 - 09:19 AM

EDIT Better one here.  Any malware which affects the router will be able to redirect web pages regardless of operating system on the attached PC.

 

That's interesting.

 

Likely hacks include a recently disclosed cross-site request forgery (CSRF) that allows attackers to inject a blank password into the Web interface of TP-Link routers.

 

That just so happens to be the router that I have.

 

Many thanks for these links. This will give me more to look into.



#9 Al1000
  • Topic Starter
  • Global Moderator
  • 7,489 posts
  • Gender:Male
  • Location:Scotland

Posted 26 March 2014 - 10:09 AM

After reading about the problems with TP-Link modems, I contacted my ISP and arranged for them to send me a new modem.

 

When that arrives I'll install it, try downloading Chrome for Ubuntu again, and report back here.



#10 jonuk76
  • Members
  • 2,166 posts
  • Gender:Male
  • Location:Wales, UK

Posted 26 March 2014 - 11:07 AM

 

How are you connecting to the internet?  There have been some attacks on consumer routers recently.  This is just one of many media stories about this.  EDIT Better one here.  Any malware which affects the router will be able to redirect web pages regardless of operating system on the attached PC.

 

Thanks for the link. I just noticed that you had edited your post. Coincidentally, I reset my router just this morning, and haven't had any problems today, but I will read that article and see if I can follow the steps that it advises.

 

Ethernet cable connected to what?

 

 

It's connected to a TP-Link modem/router.

 

Is that what you are asking?

 

(sorry if my answers seem insubstantial)

 

 

Yes that's what I was asking :)  I suspected it could be more an issue with the router rather than the installation of Linux, knowing that these types of attacks are on the increase.

 

Sorry I did edit my posts and added more, I tend to type first and think later sometimes... 

 

One of the best security precautions you can take with a router is to replace the default login password with a strong one.  This is essential.  Also update the firmware to the latest available.




#11 cat1092
    Bleeping Cat
  • BC Advisor
  • 7,002 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 28 March 2014 - 12:27 AM

Another thing that helps is to rename the network, to something that won't directly identify you. Most routers, as shipped, after setup will display the name & possibly even model when looking for a network to log onto. This needs to be changed, however if provided by the ISP, you may need to ask first.

 

You need to make sure in the router's settings that remote administration is disabled. This ensures that only a computer plugged into the modem & not wirelessly, has access to settings.

 

Finally, check to make sure security is set to WPA2-PSK & have a passphrase that's easy for you to remember, but difficult for anyone else to guess. Be sure to use some of the specialized keys in the code, such as these: !@#$%^&*()_+. The more you add, the harder for intrusion. Data thieves & wi-fi freeloaders will move on to an easier target.

 

Hopefully this should help to prevent future infections.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#12 TsVk!
    penguin farmer
  • Members
  • 6,230 posts
  • Gender:Male
  • Location:The Antipodes

Posted 02 April 2014 - 05:40 AM

How are you connecting to the internet?  There have been some attacks on consumer routers recently.  This is just one of many media stories about this.  EDIT Better one here.  Any malware which affects the router will be able to redirect web pages regardless of operating system on the attached PC.

Rabbit out of the hat... well picked Jonuk. :thumbup2:



#13 Al1000
  • Topic Starter
  • Global Moderator
  • 7,489 posts
  • Gender:Male
  • Location:Scotland

Posted 07 April 2014 - 04:53 PM

I'm still waiting on the new router, but that is definitely the problem. Resetting the router did the trick until yesterday, when I was redirected to a fake Chrome download page when I tried to access Google. Again, resetting the router did the trick, and this time after the advice on this forum, I changed the password to something more complex than "admin," and also switched off some "broadcast" setting. Hopefully it will now hold out until I receive the new router.



#14 rburkartjo
  • Members
  • 3,969 posts
  • Gender:Male
  • Location:austin,tx

Posted 07 April 2014 - 06:02 PM

Try disabling all your Google extensions except AdBlock (if you use it) and see what happens. I have read that this could be a problem. Worth a try. Note there is a Chrome extension called "disable extensions temporarily" available in the Google Chrome Web Store.


quote:He that would live in peace & at ease, Must not speak all he knows,nor judge all he sees.'

#15 cat1092
    Bleeping Cat
  • BC Advisor
  • 7,002 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 07 April 2014 - 11:57 PM

How are you connecting to the internet?  There have been some attacks on consumer routers recently.  This is just one of many media stories about this.  EDIT Better one here.  Any malware which affects the router will be able to redirect web pages regardless of operating system on the attached PC.

These aren't new tricks, either. For some time, there have been sites, many adult related in nature, that upon visiting have been known to redirect traffic to malicious sites in Eastern Europe. Those who are at the most risk are the ones who run subpar or misconfigured security, or none.

 

Once a system is compromised, anything can happen, including machine/router settings, or the exploiting of backdoors.

 

Some of these router backdoors have been known since 2005. In reality, with the OEMs of these routers taking no action to inform their customers, it seems to be an issue that was swept under the rug. There are some of these routers that have no firmware updates; however, there are DD-WRT & Tomato (open source) options. However, my advice is to have a spare on hand if attempting to flash firmware. There is some degree of risk involved.

 

http://it-beta.slashdot.org/story/14/02/19/1435202/routers-pose-biggest-security-threat-to-home-networks

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 




