My ISP is by-passing Firefox's Location bar search

MozillaZine ^ | 27 April 2010 | Gothicawakening

[ShadowAce]

Hi All,

I just got back from 10 days abroad and noticed my Firefox at home was acting oddly. My preferred way to go to many websites is simply to type their name into the location bar, and then let Google's "I'm feeling lucky" feature take me to the actual site. I realize this might not be the most conventional way to do it (sure, I could have bookmarks etc.), but it's they way I like to do it.. I also use KDE's Alt-F2 launcher to start programs.

Today I noticed that this great feature of Firefox (combined with Google of course) has stopped working, and has instead been replaced with an add-laden search result from another website. For example, typing in just "slashdot" into the location bar used to get me to the Slashdot website, but now I end up with this instead (full size version):



I've confirmed that my keyword.URL setting is still pointed at Google, so this must be happening at the traffic level, I would imagine either by use of a web proxy or something to do with DNS lookup, which makes we wonder if this new 'feature' my ISP (Netvigator by PCCW in Hong Kong) has introduced is also affecting my privacy?

Is there anyway to get Firefox working the way it used to again? For me using that feature was my main way of visiting websites, and it's really annoying that I can't do that any more. In addition, the search provider my ISP is forcing on me does not seem to know about many websites, I would rather be receiving result from Google when the word typed does not have an obvious site match, not from yp.com.hk

As a last though, if other ISPs start doing this too, will it have any affect on the deal Mozilla has with Google, as this effectively replaces that feature in Firefox, so the traffic does not go though Google anymore.

Any help or advise would be much appreciated.

[ShadowAce]

Another discussion on this is at Slashdot.

[ShadowAce]

[TChris]

I had a similar thing happen to me a few weeks ago, and it turned out to be a virus. It had changed my DNS settings and inserted itself into registry entries which associated file types with executables.

I'd scan your computer with a few different A/V products to check.

It's even possible that your router got hacked. Might be worth trying a connection bypassing your router to test for it.

[jcwky]

Probably some type of “re-director” malware. Had a PC at work that had the exact problem and it was a malware/Trojan Horse infection.

That’s where I’d start anyway.

[ShadowAce]

heh--it wasn't me. I just copied the entry from MozillaZine.

That is a good explanation for it, though.

[fremont_steve]

Uhm - the “I use KDE Ctl-F2” was a clue that a “virus” was likely not his problem. He’s using Linux.

That being the case - look at your resolv.conf to make sure it’s pointing at the DNS you expect it to be pointing at. Perhaps reinstall Firefox - or better yet - use Konqueror to determine if it has similar behavior. This will tell you whether your DNS is being hi-jacked, or it’s a problem with just Firefox.

Hope these help some.

[Malsua]

Sounds like Malware to me.

[martin_fierro]

I also use KDE's Alt-F2 launcher to start programs.

You're running Linux?

[PapaBear3625]

works for me — I suspect a virus on you machine. Check it now.

[ShadowAce]

I respectfully request your attention to post #5.

This is not my issue. This was a post on MozillaZine that I posted here.

This does not affect me (yet). I was merely pointing out the potential for ISPs to hijack network traffic to their own purposes.

Malware, or a virus, is a good explanation of this, though.

[Melas]

Textbook browser hijacker.

[VeniVidiVici]

The obvious answer is somebody ****** with his box while he was away.

[Bloody Sam Roberts]

Could be a piece of spyware has installed a BHO...Browser Helper Object...that is doing a redirect to this site you posted the pic of. Use "HiJack This" (free) to find anything unusual and eliminate it.

Do you get to this same page no matter what you search for? it looks like a website in and of itself...PCCW.

[Psycho_Bunny]

The last time I saw this it was just a Firefox add-on that was installed by the open source software PDFCreator.

All one has to do is remove the add-on.

[fremont_steve]

Okay - but a virus or malware isn’t a good explanation because of the simple fact that it’s linux.

Linux systems can certainly be “rooted” but this is going to be through a direct attack over the net through some loop-hole like BIND being broken, or some such. Linux just doesn’t get infected by email or website problems.

If the guy is nutty enough to be running root while he is doing web browsing - maybe. But because of the admin setup within Linux... and it’s different model of security AND the fact that it isn’t a dominant environment. The likelyhood of this being the explanation is maybe 0.001%

I run linux - have for better than 15 years. I’ve had a couple of “rooted” systems. These systems were compromised by direct attack. People managed to setup an ftp site one time, and another time managed to modify my web server. They didn’t get in through “malware” but rather holes in the web-server or ftp client themselves.

You could say that the results are the same - what I’m trying to explain is that the method of attack is different than you are offering.

[fremont_steve]

I stand corrected on the malware portion of the explanation. A malevolent Fire-fox add-on could be called “malware.” He had to agree to add this though. They don’t just download automatically.

I don’t believe a “virus” is likely to be the culprit.

[shorty_harris]

Don’t use your ISP’s DNS servers (I use OpenDNS, www.opendns.com).

[klystron]

Someone installed a BHO in the White House, too. Wasn’t me.

[martin_fierro]

Ees no prollem, esse.

< |:)~

[Bloody Sam Roberts]

Someone installed a BHO in the White House, too.

Would that removal of that infection were as easy.

T'would be a grand day indeed.