Answered: Single website redirecting to GoodMayor
-
What difference does it make if the site is google, amazon, or some dubbed teletubbies site?
The difference is that we can try it ourselves and see what the behaviour is with multiple clients in different parts of the world using different gear. Nobody cares if you visit TPB.
I can guarantee you, along with the others, that pfSense is not redirecting anything. It is either your ISP (unlikely but possible) or the site itself is doing it. The random nature of the problem may have more to do with which load-balance server you hit and whether or not that server has been potentially hacked and is serving up some funky jscript or something like that.
-
Is it TPB?? I am on that almost daily - have never seen such an issue at all..
There is tons of legit software/media/etc on TPB… Saying that is where you are at is not going to look bad on you, etc. Pointing out what specific torrent you're grabbing, there is no need for such info to be made public ;)
-
@KOM:
The difference is that we can try it ourselves and see what the behaviour is with multiple clients in different parts of the world using different gear. Nobody cares if you visit TPB.
No, it's not TPB. But I do appreciate the calm and rational approach you've taken to asking. It's actually a torrent invite site (hence no copy written material will ever be there): www.torrent-invites.com. Still makes me a bit uneasy to post, but at least now I have a logical incentive to offset the risk I'm imagining.
@KOM:
The random nature of the problem may have more to do with which load-balance server you hit and whether or not that server has been potentially hacked and is serving up some funky jscript or something like that.
I don't actually see anything random about what's happening - it's literally as simple as this: if PFSense is handling DNS for a device, the site is redirected. If PFSense is out of the loop (a different router firmware or manual DNS settings on a device) then I get the right site.
And how in the F do you think pfsense would have anything to do with that? Come on really?? Are you running squid? If not then pfsense has zero to do with your html..
The reason I believe PFSense is somehow the cause is because when I reformatted one of the PFSense boxes and installed Untangle on it, the redirect immediately stopped for all devices. I left it on for a few hours and never got a redirect. I was ecstatic - reinstalled PFSense on the same box and immediately got redirects again.
I found that squid was installed (not sure how on what I believed to be a blank installation), but it was not enabled and no rules were visible. I've uninstalled squid and rebooted; no difference.
I'm not SURE that it's html injection - when I do view-source it's showing the source for the redirected site. Though I've made a living in the past on troubleshooting, networking has never been my strong suit: it's as close to black magic as I've seen in the digital world ;)
Who is your isp? Some of them are known to do html injection.
My ISP is Comcast. I would think that using a different router firmware and not getting the redirect would rule out my ISP as they're upstream.
Thanks to everyone who's contributed so far.
-
A quick Google shows that redirecting URLs to goodmayor.com is not uncommon and is the result of malware.
Are you sure your system isn't running some bogus local malware proxy that is intercepting your DNS lookups and replacing them with goodmayor? Do you have any common browser plugins between desktop and phone?
This is not a pfSense issue.
-
Unless the same malware has infected each computer and phone on my network, I'm not sure how that's possible. If it was just my desktop, I'd agree 100%. As is, if all desktops have been turned off, how would my iPhone get the same redirect? And for my phone, yes I put it into airplane mode to clear the DNS cache. I don't use any browser plugins on my phone and nothing too fishy on desktop. All desktop browsers (FF, Chrome, IE) redirect and have only Norton and LastPass plugins in common. I fired up an old iPad that hasn't been turned on in 6 months and it immediately redirected to goodmayor as well.
Your idea of a local malware proxy makes sense, but I'm not sure how it's feasible since each device has been isolated. On one PFSense reinstall, I disconnected the wireless access point and had only a single desktop on the network; it still redirected. On another, I turned off all wireless devices and unplugged every wire except going to the WAP and connected only my phone; it still redirected.
If you have any tips on how to figure out the source, I'd be incredibly grateful.
Edit to add: I completed a full antivirus scan with Norton last night on my desktop. Nothing related to this came up (but Norton thought some of my 3 year old iPhone backups were suspicious).
-
I don't know what to tell you. It's not a pfSense issue. I don't have the time to put on my detective hat to get to the bottom of this. Lots of people complaining about being hijacked and redirected to goodmayor going back to early 2016. Problem started after external devices were added to your network.
-
@KOM:
I don't know what to tell you. It's not a pfSense issue. I don't have the time to put on my detective hat to get to the bottom of this. Lots of people complaining about being hijacked and redirected to goodmayor going back to early 2016. Problem started after external devices were added to your network.
OK. If it's not a PFSense issue, it's at least a proxy that either only targets PFSense or Untangle is somehow immune. Yes, the problem started after my father in law's laptop connected to my network. It's been out of my house for a few days now but the problem has persisted. I guess I'll just keep poking around and hope I get lucky.
-
I'll keep thinking about it and will reply if I come up with anything. Hopefully others will also have suggestions.
If you manage to figure it out yourself, please report back. This one is interesting.
-
Needless to say chasing something nasty around a local network is not something new.
I would start off by removing everything from the network. (Physically unplugging network connections and removing all wireless APs)
Change the default subnet of LAN and connect one device at a time, individually until the culprit rears its ugly head.
-
Needless to say chasing something nasty around a local network is not something new.
I would start off by removing everything from the network. (Physically unplugging network connections and removing all wireless APs)
Change the default subnet of LAN and connect one device at a time, individually until the culprit rears its ugly head.
I happen to be on paternity leave right now and could DEFINITELY use a project ;) I'll report back what I find… Thanks for a practical tip on how to isolate this more thoroughly than I've done so far.
-
So you're saying when you point your client at 8.8.8.8 the redirect does not happen. But when you let pfsense do dns it happens. Well pfsense out of the box resolves, it does not forward. If some domain is poisoned that could be a problem, especially if that domain is not dnssec signed.
Why don't you just turn unbound into forwarder and forward to 8.8.8.8…
;; QUESTION SECTION:
;www.torrent-invites.com. IN A
;; ANSWER SECTION:
www.torrent-invites.com. 14400 IN CNAME torrent-invites.com.
torrent-invites.com. 604800 IN A 190.2.131.62
That is a really long TTL!!! That is normally a sign of something wrong!!!
When I ask 8.8.8.8 I get a different answer
;; QUESTION SECTION:
;www.torrent-invites.com. IN A
;; ANSWER SECTION:
www.torrent-invites.com. 1361 IN CNAME torrent-invites.com.
torrent-invites.com. 1361 IN A 99.198.107.205
;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 01 14:08:15 Central Standard Time 2018
;; MSG SIZE rcvd: 82
When I do a trace I get this
;; Received 605 bytes from 192.12.94.30#53(e.gtld-servers.net) in 47 ms
www.torrent-invites.com. 604800 IN A 190.2.131.62
ww9.torrent-invites.com. 604800 IN A 166.78.101.108
*.torrent-invites.com. 604800 IN A 190.2.131.62
torrent-invites.com. 604800 IN A 190.2.131.62
;; Received 122 bytes from 190.2.131.63#53(ns2.torrent-invites.com) in 121 ms
So what do you get when you try and resolve it from pfsense?
Look, when you go to the IP that dns is sending, you're getting a redirect 302 to goodmayor - see attached pic..
That has nothing to do with pfsense, and everything to do with their dns being bad.. Pfsense resolves out of the box.. Untangle most likely forwards.. See what happens when the cache expires on the google entry..
edit: check here you can see some dns from all over showing this as bad..
https://www.whatsmydns.net/#A/torrent-invites.com
Yeah there is a problem with their dns - it's been hijacked... I show the NS should be
ns1.torrent-invites.info and ns2.torrent-invites.info not .com... nor an SOA pointing to dns.xzydns.com
If they do not fix this it is going to spread... Once the NS ttl expires and places start resolving this and get pointed to the wrong NS.. you're going to end up with that redirect..
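An added example, not from any poster in this thread, of the check johnpoz walked through above: parse the answer sections returned by several resolvers, then flag an abnormally long A-record TTL and resolvers that disagree about the address. The dig text is constructed from the answers quoted in the post; the resolver labels and the one-day TTL threshold are assumptions.

```python
"""Compare DNS answers from several resolvers and flag hijack indicators."""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype data")
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

# Constructed sample: a resolver that walked to the (hijacked) authoritative
# servers vs. what 8.8.8.8 still had cached. Labels are assumed, not real hosts.
SAMPLE = {
    "local-resolver": """\
www.torrent-invites.com. 14400 IN CNAME torrent-invites.com.
torrent-invites.com. 604800 IN A 190.2.131.62
""",
    "8.8.8.8": """\
www.torrent-invites.com. 1361 IN CNAME torrent-invites.com.
torrent-invites.com. 1361 IN A 99.198.107.205
""",
}

LONG_TTL = 86400  # assumed threshold: one day is plenty for an A record


def parse_answers(text):
    """Parse 'name TTL IN TYPE data' lines; skip dig's ';;' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, data = m.groups()
            records.append(Record(name, int(ttl), rtype, data))
    return records


def find_indicators(answers_by_resolver, rtype="A"):
    """Return (indicator, detail) pairs for records of one type across resolvers."""
    findings = []
    data_by_resolver = {}
    for resolver, text in answers_by_resolver.items():
        recs = [r for r in parse_answers(text) if r.rtype == rtype]
        data_by_resolver[resolver] = frozenset(r.data for r in recs)
        for r in recs:
            if r.ttl > LONG_TTL:
                findings.append(("long-ttl", f"{resolver}: {r.name} TTL {r.ttl}s -> {r.data}"))
    if len(set(data_by_resolver.values())) > 1:  # resolvers do not agree on the answer
        detail = "; ".join(f"{k}={sorted(v)}" for k, v in sorted(data_by_resolver.items()))
        findings.append(("resolver-disagreement", detail))
    return findings
```

Feed it the output of `dig @<resolver> <name>` from a few vantage points; a long TTL alone is not proof, but together with a disagreement it is exactly the pattern seen in this thread.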
-
@johnpoz you're brilliant! Thank you, thank you!
Where did you access that Q/A section? I've poked around but I'm over two years behind on releases (was running 2.2.4 until this week). The DNS link was also very helpful. Thank you for disproving my earlier statement that the site itself was irrelevant.
@Derelict - my apologies. You were right, I was wrong. Still don't like your style ;) but you were definitely right that the site itself was relevant in this case.
Considering this closed. Looks like I didn't need to drop a few hundred bucks on new router hardware coughs I've had my eyes on an upgrade for a while anyways.
-
See how easy that was after you took off your tinfoil hat?
-
See how easy that was after you took off your tinfoil hat?
:p Thankful for a resolution and still find your style abrasive. I know most everyone (if not everyone) here is a volunteer and I'm incredibly thankful for the sacrifice of time and knowledge. Still, more flies with honey than vinegar and all that. However I'll never know why anyone would want to collect flies.
-
And what I suggested in reply #1 was exactly what johnpoz ended up doing a WHOLE DAY AND A HALF later after you decided to cough up the domain name.
I am thankful for people who don't waste our time with needless nonsense.
-
<sigh>I bet you're a blast at parties. Your inability to calculate the passage of time may inadvertently cause you to overstay your welcome though…
I'm considering the thread closed as the problem has been solved. Your time is doubtlessly quite valuable. Thanks for your help. My inability to fully grasp your original suggestion is entirely on me and, had I understood it, I could have saved some time of some of the good folks who help around here. As previously mentioned, network troubleshooting is my Achilles heel.
EDIT: Also, thanks for the -karma. Glad you could be my first.</sigh>
-
I find it highly unlikely Derelict smited you.. He doesn't care about the smites.. Not exactly sure why you're mad at him.. He asked you for the domain - without that it would be impossible to help you figure out what is wrong..
Someone might want to try and contact the owner of the site and let him know his dns has been hijacked.. If you check that dns link I gave - it's spreading ;) And even when they fix it, it's going to take a week for it to clear up for everyone since they set that long ttl.. Which is for sure what you do once you hijack someone's dns.. Which is why I made the comment that such a long ttl is normally not a good sign.
What Q/A section are you talking about??
Smites come, notice mine.. If you make a wrong comment you might piss off the wrong person and then they will smite you every hour on the hour for days ;)
-
Let's all chill, problem is solved. You think you guys have a problem with smites? ;)
-
hehehe You're almost on the neg side ivor ;) I will be sure to throw you some applauds to get you leaning more on the + side…
-
Does PFSense have an "Oprah" for smites yet? I'd be willing to volunteer if not…
"You get a smite! You get a smite! You get a smite! You get a smite! You get a smite! Everybody gets a smite! Karma (not) rising!"