Answered: Single website redirecting to GoodMayor



  • Nearly a week ago during a visit from my inlaws (who were kind enough to bring multiple old laptops and phones onto my network), one of my frequently visited websites began redirecting to goodmayor.com. I noticed it first on my desktop, but quickly discovered that it also happened on my iPhone. By turning off wifi and using the cellular connection, I was able to confirm that the website was still available outside of my home connection.

    Because all devices connecting to my network were impacted, I assumed that my router was somehow at fault. My router was running a very old version of PFSense (2.2.4 - the newest my old hardware could handle). I turned off DNS Resolver and enabled DNS Forwarder. Voila! Things worked for about an hour and then the redirect reared its ugly head again. I grabbed a spare gaming machine and put a fresh install of PFSense (v2.4.2) on it. Right out of the gate, the redirect happened on all devices.

    Manually setting the DNS server on my desktop/phone to Google's 8.8.x.x gives me the correct site.

    As another troubleshooting step, I installed a competing firewall OS on the new hardware. No redirect. I did a factory reset there, then reinstalled PFSense 2.4.2. Redirect is back. While I was writing this, 2.4.2.1 was released; I installed but there was no impact.

    I've tried multiple DNS servers, as well as following the guide at https://b3n.org/hijacked-slow-dns-unbound-pfsense/ to see if that'd help. No dice. Tracert confirms that a different IP and path is being taken while the redirect is happening.

    I have a new Qotom box arriving tomorrow and don't want to plug it in until I know what's going on. Any help would be greatly appreciated!

    EDIT:
    johnpoz determined that the issue was caused by a DNS hijack, not an issue with PFSense. The symptom was caused due to PFSense resolving the DNS from servers reporting the hijacked domain.


  • Netgate

    How about you cut loose with the site you are going to that is being redirected so people have a chance at being able to help you.

    Use DNS tools to see exactly what is being returned by pfSense and other resolvers around the internet, like 8.8.8.8 and 9.9.9.9.

    See if those destination sites are actually redirecting you or not.

    Unless you are running squid (or captive portal) there is nothing in pfSense that will perform a web redirect.



  • I'd rather not provide the url and I honestly don't believe it's relevant as the redirect wouldn't happen for anyone else. Not trying to be difficult, I promise. For me, it boils down to this:

    Route DNS through PFSense, get redirected.
    Manually override DNS or use a different router, get to the correct site.

    DNS lookup on router shows the correct site IP. Entering this IP into my phone on cell connection or desktop with manually-defined DNS will get me where I want to be. As soon as PFSense is in the mix as a DNS server, even entering the site IP will result in the redirect.


  • Netgate

    welp. good luck then.



  • Anyone willing to actually help? No offense @Derelict but the website itself is irrelevant. What difference does it make if the site is google, amazon, or some dubbed teletubbies site? This happens to be a torrent-related site and, though it doesn't deal with any copy written material, I make it a habit not to advertise specifics about that activity. If it works with a different router or by otherwise bypassing PFSense, the issue fairly clearly is somewhere in PFSense.

    There appears to be some kind of html injection occurring based on view-source for the website

    
    <title>One moment...</title>
    
    <noscript><META http-equiv="refresh" content="0;url=http://gussetmiser.com/?k=34f961cdf27f7595af00a23c3d64cd2b.1517441746.897.0.1.Z29vZG1heW9yLmNvbQ%3D%3D&subid=##SITE##&r="></noscript>
    
    

  • Rebel Alliance Global Moderator

    And how and the F do you think pfsense would have anything to do with that?  Come on really??  Are you running squid?  If not then pfsense has zero to do with your html..

    Who is your isp?  Some of them are known to do html injection.



  • What difference does it make if the site is google, amazon, or some dubbed teletubbies site?

    The difference is that we can try it ourselves and see what the behaviour is with multiple clients in different parts of the world using different gear.  Nobody cares if you visit TPB.

    I can guarantee you, along with the others, that pfSense is not redirecting anything.  It is either your ISP (unlikely but possible) or the site itself is doing it.  The random nature of the problem may have more to do with which load-balance server you hit and whether or not that server has been potentially hacked and is serving up some funky jscript or something like that.


  • Rebel Alliance Global Moderator

    Is it TPB??  I am on that almost daily - have never seen such an issue at all..

    There is tons of legit software/media/etc on TPB… Saying that is where you are at not going to look bad on you, etc.  Pointing out what specific torrent your grabbing have need for such info to be made public ;)



  • @KOM:

    The difference is that we can try it ourselves and see what the behaviour is with multiple clients in different parts of the world using different gear.  Nobody cares if you visit TPB.

    No, it's not TPB. But I do appreciate the calm and rational approach you've taken to asking. It's actually a torrent invite site (hence no copy written material will ever be there): www.torrent-invites.com. Still makes me a bit uneasy to post, but at least now I have a logical incentive to offset the risk I'm imagining.

    @KOM:

    The random nature of the problem may have more to do with which load-balance server you hit and whether or not that server has been potentially hacked and is serving up some funky jscript or something like that.

    I don't actually see anything random about what's happening - it's literally as simple as this: if PFSense is handling DNS for a device, the site is redirected. If PFSense is out of the loop (a different router firmware or manual DNS settings on a device) then I get the right site.

    @johnpoz:

    And how and the F do you think pfsense would have anything to do with that?  Come on really??  Are you running squid?  If not then pfsense has zero to do with your html..

    The reason I believe PFSense is somehow the cause is because when I reformatted one of the PFSense boxes and installed Untangle on it, the redirect immediately stopped for all devices. I left it on for a few hours and never got a redirect. I was ecstatic - reinstalled PFSense on the same box and immediately got redirects again.

    I found that squid was installed (not sure how on what I believed to be a blank installation), but it was not enabled and no rules were visible. I've uninstalled squid and rebooted; no difference.

    I'm not SURE that it's html injection - when I do view-source it's showing the source for the redirected site. Though I've made a living in the past on troubleshooting, networking has never been my strong suit: it's as close to black magic as I've seen in the digital world ;)

    @johnpoz:

    Who is your isp?  Some of them are known to do html injection.

    My ISP is Comcast. I would think that using a different router firmware and not getting the redirect would rule out my ISP as they're upstream.

    Thanks to everyone who's contributed so far.



  • A quick Google shows that redirecting URLs to goodmayor.com is not uncommon and is the result of malware.

    Are you sure your system isn't running some bogus local malware proxy that is intercepting your DNS lookups and replacing them with goodmayor?  Do you have any common browser plugins between desktop and phone?

    This is not a pfSense issue.



  • Unless the same malware has infected each computer and phone on my network, I'm not sure how that's possible. If it was just my desktop, I'd agree 100%. As is, if all desktops have been turned off, how would my iPhone get the same redirect? And for my phone, yes I put it into airplane mode to clear the DNS cache. I don't use any browser plugins on my phone and nothing too fishy on desktop. All desktop browsers (FF, Chrome, IE) redirect and have only Norton and LastPass plugins in common. I fired up an old iPad that hasn't been turned on in 6 months and it immediately redirected to goodmayor as well.

    Your idea of a local malware proxy makes sense, but I'm not sure how it's feasible since each device has been isolated. On one PFSense reinstall, I disconnected the wireless access point and had only a single desktop on the network; it still redirected. On another, I turned off all wireless devices and unplugged every wire except going to the WAP and connected only my phone; it still redirected.

    If you have any tips on how to figure out the source, I'd be incredibly grateful.

    Edit to add: I completed a full antivirus scan with Norton last night on my desktop. Nothing related to this came up (but Norton thought some of my 3 year old iPhone backups were suspicious).



  • I don't know what to tell you.  It's not a pfSense issue.  I don't have the time to put on my detective hat to get to the bottom of this.  Lots of people complaining about being hijacked and redirected to goodmayor going back to early 2016.  Problem started after external devices added to your network.



  • @KOM:

    I don't know what to tell you.  It's not a pfSense issue.  I don't have the time to put on my detective hat to get to the bottom of this.  Lots of people complaining about being hijacked and redirected to goodmayor going back to early 2016.  Problem started after external devices added to your network.

    OK. If it's not a PFSense issue, it's at least a proxy that either only targets PFSense or Untangle is somehow immune. Yes, the problem started after my father in law's laptop connected to my network. It's been out of my house for a few days now but the problem has persisted. I guess I'll just keep poking around and hope I get lucky.



  • I'll keep thinking about it and will reply if I come up with anything.  Hopefully others will also have suggestions.

    If you manage to figure it out yourself, please report back.  This one in interesting.



  • Needless to say chasing something nasty around a local network is not something new.

    I would start off by removing everything from the network. (Physically unplugging network connections and removing all wireless AP's)

    Change the default subnet of LAN and connect one device at a time, individually until the culprit rears it's ugly head.



  • @mudmanc4:

    Needless to say chasing something nasty around a local network is not something new.

    I would start off by removing everything from the network. (Physically unplugging network connections and removing all wireless AP's)

    Change the default subnet of LAN and connect one device at a time, individually until the culprit rears it's ugly head.

    I happen to be on paternity leave right now and could DEFINITELY use a project ;) I'll report back what I find… Thanks for a practical tip on how to isolate this more thoroughly than I've done so far.


  • Rebel Alliance Global Moderator

    So your saying when you point your client at 8.8.8.8 the redirect does not happen.  But when you let pfsense do dns it happens.  Well pfsense out of the box resolves it does not forward.  If some domain is poisoned that cold be a problem, especially if that domain is not dnssec signed.

    Why don't you just turn unbound into forwarder and forward to 8.8.8.8…

    ;; QUESTION SECTION:
    ;www.torrent-invites.com.      IN      A

    ;; ANSWER SECTION:
    www.torrent-invites.com. 14400  IN      CNAME  torrent-invites.com.
    torrent-invites.com.    604800  IN      A      190.2.131.62

    That is a really long TTL!!!  That is normally a sign of something wrong!!!

    When I ask 8.8.8.8 I get a different answer

    ;; QUESTION SECTION:
    ;www.torrent-invites.com.      IN      A

    ;; ANSWER SECTION:
    www.torrent-invites.com. 1361  IN      CNAME  torrent-invites.com.
    torrent-invites.com.    1361    IN      A      99.198.107.205

    ;; Query time: 27 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Feb 01 14:08:15 Central Standard Time 2018
    ;; MSG SIZE  rcvd: 82

    When I do a trace I get this

    ;; Received 605 bytes from 192.12.94.30#53(e.gtld-servers.net) in 47 ms

    www.torrent-invites.com. 604800 IN      A      190.2.131.62
    ww9.torrent-invites.com. 604800 IN      A      166.78.101.108
    *.torrent-invites.com.  604800  IN      A      190.2.131.62
    torrent-invites.com.    604800  IN      A      190.2.131.62
    ;; Received 122 bytes from 190.2.131.63#53(ns2.torrent-invites.com) in 121 ms

    So what do you get when you try and resolve it from pfsense?

    Look When you got to the IP that dns is sending your getting a redirect 302 to goodmayor - see attached pic..

    That has nothing to do with pfsense, and everything to their dns being being bad..  Pfsense resolves out of the box.. Untangle most likely forwards.. See what happens when the cache expires on the google entry..

    edit: check here you can see some dns from all over showing this as bad..
    https://www.whatsmydns.net/#A/torrent-invites.com

    Yeah there is problem with their dns - its been hijacked... I show the NS should be

    ns1.torrent-invites.info and ns2.torrent-invites.info not .com... nor the an SOA pointing to dns.xzydns.com

    If they do not fix this is going to spread... Once the NS ttl expire and places start resolving this and get pointed to the wrong NS.. your going to end up with that redirect..




  • @johnpoz you're brilliant! Thank you, thank you!

    Where did you access that Q/A section? I've poked around but I'm over two years behind on released (was running 2.2.4 until this week). The DNS link was also very helpful. Thank you for disproving my earlier statement that the site itself was irrelevant.

    @Derelict - my apologies. You were right, I was wrong. Still don't like your style ;) but you were definitely right that the site itself was relevant in this case.

    Considering this closed. Looks like I didn't need to drop a few hundred bucks on new router hardware coughs I've had my eyes on an upgrade for a while anyways.


  • Netgate

    See how easy that was after took off your tinfoil hat?



  • @Derelict:

    See how easy that was after took off your tinfoil hat?

    :p Thankful for a resolution and still find your style abrasive. I know most everyone (if not everyone) here is a volunteer and I'm incredibly thankful for the sacrifice of time and knowledge. Still, more flies with honey than vinegar and all that. However I'll never know why anyone would want to collect flies.


  • Netgate

    And what I suggested in reply #1 was exactly what johnpoz ended up doing a WHOLE DAY AND A HALF later after you decided to cough up the domain name.

    I am thankful for people who don't waste our time with needless nonsense.



  • <sigh>I bet you're a blast at parties. Your inability to calculate the passage of time may inadvertently cause you to overstay your welcome though…

    I'm considering the thread closed as the problem has been solved. Your time is doubtlessly quite valuable. Thanks for your help. My inability to fully grasp your original suggestion is entirely on me and, had I understood it, I could have saved some time of some of the good folks who help around here. As previously mentioned, network troubleshooting is my Achilles heel.

    EDIT: Also, thanks for the -karma. Glad you could be my first.</sigh>


  • Rebel Alliance Global Moderator

    I find highly unlikely Derelict smited you.. He doesn't care about the smites.. Not exactly sure why your mad at him.. He asked you for the domain - without that it would be impossible to help you figure out what is wrong..

    Someone might want to try and contact the owner of site and let him know his dns has been hijacked..  If you check that dns link I gave - its spreading ;)  And even when they fix it going to take a week for it to clear up for everyone since they set that long ttl.. .Which is for sure what you do once you hijack someones dns.. Which is why made comment that such a long ttl is normally not a good sign.

    What Q/A section are you talking about??

    Smites come, notice mine.. If you make a wrong comment you might piss off the wrong person and then they will smite you every hour on the hour for days ;)


  • Galactic Empire Netgate

    Let's all chill, problem is solved. You think you guys have a problem with smites? ;)


  • Rebel Alliance Global Moderator

    hehehe Your almost on the neg side ivor ;)  I will be sure to throw you some applauds to get you leaning more on the + side…



  • Does PFSense have an "Oprah" for smites yet? I'd be willing to volunteer if not…

    "You get a smite! You get a smite! You get a smite! You get a smite! You get a smite! Everybody gets a smite! Karma (not) rising!"


  • Galactic Empire Netgate

    @johnpoz:

    hehehe Your almost on the neg side ivor ;)  I will be sure to throw you some applauds to get you leaning more on the + side…

    Working hard on my smites!