[colug-432] WOW is hijacking my Google searches, but how?
Rob
res at colnet.cmhnet.org
Tue Mar 26 17:12:32 EDT 2013
For the past few days, I have been working on building a Mint 14 system
on a second disk on my main PC. I hate to transition, but my preferred
OS for the past three years (Ubuntu 10.04) will be going EOL next month
and I have to do something. Frankly, I've run into a number of problems
with Mint that I find rather disturbing -- is Mint really being marketed
as made-for-prime-time? -- but perhaps the most disturbing might not
even involve Mint, although I'm increasingly suspicious it does.
First, I'm a WOW customer for broadband, and have generally been happy
with them. The Firefox disseminated with Mint comes with several
add-ons which cannot be removed (at least not easily), although they
can be disabled. One is "Mint Search Enhancer 1.0" (whatever that is).
I told Firefox early on to disable it and it said it did. Mint Firefox
also does not have a Google option in the search box on the Navigation
toolbar by default, but it is fairly easy to add it. And that's where
the trouble starts:
When I add Google, and then try to use it to search from the search box,
I (often, but not always) get redirected to the following website:
http://64.233.232.17/bg/search-col/index.html?policy=1285&q=tab+groups
(Here, I was searching for "tab groups" at the time.) This website
has WOW branding -- that is, if it returns at all, I often get left
high and dry -- but no useful information that I can tell, and a
small opt-out URL at the very bottom. If I opt out, it appears to
leave me alone for good, i.e., it doesn't seem to rely on a cookie.
However, if I go to another userid on that machine and again invoke
Firefox, it's back, so it does seem to be browser dependent.
A reverse DNS lookup yields 64-233-232-17.static.nap.wideopenwest.com
When I first click on the search box with Google selected as the
engine, my DNS server sees two google.com inquiries and nothing else.
My question: How are they doing this? First, I run my own DNS
servers on my local LAN. I do not use WOW (or any other external)
servers for my DNS. A dump of my Bind named cache only shows the
64.233.232.17 IP on a reverse lookup which I did. But, it does seem
to more-or-less happily be serving up the copious lookups that Firefox
requests of it. So, it would appear to me this cannot be a DNS exploit.
So, how is it being perpetrated? If I visit Google directly, the browser
globs onto its https entry, and of course, then I get the real McCoy.
Even if I force a non-encrypted connect, it seems to work OK there.
Did Mint serve me a doctored search-engine add-on that redirects my
queries to WOW? (But, if so, how did they even know I'm a WOW customer?)
Is WOW doing something really nefarious like masquerading as Google's IP
addresses on their network and then doing a redirect? Has anyone else
encountered this? There do seem to be some hits about this when I
query the search engines, but nothing that comes close to a good
explanation of what's going on. It's really got me baffled.
Any ideas?
Rob