[colug-432] WOW is hijacking my Google searches, but how?

tom thomas.w.cranston at gmail.com
Tue Mar 26 17:45:36 EDT 2013


On 03/26/2013 04:12 PM, Rob wrote:
> For the past few days, I have been working on building Mint 14 system
> on a second disk on my main PC.  I hate to transition, but my preferred
> OS for the past three years (Ubuntu 10.04) will be going EOL next month
Still have Win 98SE running on one of my computers.
> and I have to do something.  Frankly, I've run into a number of problems
> with Mint that I find rather disturbing -- is Mint really being marketed
> as made-for-prime-time? -- but perhaps the most disturbing might not
> even involve Mint, although I'm increasingly suspicious it does.
I have been running it for several months. No problems.

>
> First, I'm a WOW customer for broadband, and have generally been happy
> with them.  The Firefox disseminated with Mint comes with several
> add-ons which cannot be removed (at least not easily), although they
> can be disabled.  One is "Mint Search Enhancer 1.0" (whatever that is).
> I told Firefox early-on to disable it and it said it did.  Mint Firefox
> also does not have a Google option in the search box on the Navigation
> toolbar by default, but it is fairly easy to add it.  And that's where
> the trouble starts:
>
> When I add Google, and then try to use it to search from the search box,
> I (often, but not always) get redirected to the following website:
>
> http://64.233.232.17/bg/search-col/index.html?policy=1285&q=tab+groups
>
> (Here, I was searching for "tab groups" at the time.)  This website
> has WOW branding -- that is, if it returns at all, I often get left
> high and dry -- but no useful information that I can tell, and a
> small opt-out URL at the very bottom.  If I opt out, it appears to
> leave me alone for good, i.e., it doesn't seem to rely on a cookie.
> However, if I go to another userid on that machine and again invoke
> Firefox, it's back, so it does seem to be browser dependent.
>
> A reverse DNS lookup yields 64-233-232-17.static.nap.wideopenwest.com
>
> When I first click on the search box with Google selected as the
> engine, my DNS server sees two google.com inquiries and nothing else.
>
> My question:  How are they doing this?  First, I run my own DNS
> servers on my local LAN.  I do not use WOW (or any other external)
> servers for my DNS.  A dump of my Bind named cache only shows the
> 64.233.232.17 IP on a reverse lookup which I did.  But, it does seem
> to more-or-less happily be serving up the copious lookups that Firefox
> requests of it.  So, it would appear to me this cannot be a DNS exploit.
> So, how is it being perpetrated?  If I visit Google directly, the browser
> globs onto its https entry, and of course, then I get the real McCoy.
> Even if I force a non-encrypted connect, it seems to work OK there.
>
> Did Mint serve me a doctored search-engine add-on that redirects my
> queries to WOW?  (But, if so, how did they even know I'm a WOW customer?)
> Is WOW doing something really nefarious like masquerading as Google's IP
> addresses on their network and then doing a redirect?  Has anyone else
> encountered this?  There do seem to be some hits about this when I
> query the search engines, but nothing that comes close to a good
> explanation of what's going on.  It's really got me baffled.
>
> Any ideas?
>
> Rob
>
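
The cache check described in the quoted message (looking for 64.233.232.17 in a dump of the named cache), as an added example that is not part of the original thread. It assumes the zone-file-like text layout written by `rndc dumpdb -cache`; the dump below is constructed, and `parse_records` and `locate_ip` are hypothetical helper names.

```python
import ipaddress

# Constructed sample in the zone-file-like layout of a BIND cache dump.
# Forward addresses are documentation-range placeholders; only the PTR
# record uses values quoted in the message above.
SAMPLE_DUMP = """\
; Cache dump of view '_default' (constructed sample)
$DATE 20130326214536
; answer
google.com.             268     IN A    192.0.2.10
                        268     IN A    192.0.2.11
; answer
www.google.com.         120     A       192.0.2.20
; answer
17.232.233.64.in-addr.arpa. 3400 PTR 64-233-232-17.static.nap.wideopenwest.com.
"""

def parse_records(dump_text):
    """Yield (owner, type, rdata); indented lines reuse the previous owner."""
    owner = None
    for line in dump_text.splitlines():
        if not line.strip() or line.lstrip().startswith((";", "$")):
            continue                           # blank, comment or directive
        fields = line.split()
        if not line[0].isspace():
            owner = fields.pop(0).lower()
        if fields and fields[0].isdigit():
            fields.pop(0)                      # TTL
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                      # class, when present
        if owner is not None and len(fields) >= 2:
            yield owner, fields[0].upper(), " ".join(fields[1:])

def locate_ip(dump_text, suspect_ip):
    """Split cache hits for suspect_ip into forward (A/AAAA) and reverse (PTR)."""
    suspect = ipaddress.ip_address(suspect_ip)
    ptr_owner = suspect.reverse_pointer + "."
    hits = {"forward": [], "reverse": []}
    for owner, rtype, rdata in parse_records(dump_text):
        if rtype in ("A", "AAAA"):
            try:
                if ipaddress.ip_address(rdata) == suspect:
                    hits["forward"].append(owner)
            except ValueError:
                continue                       # malformed address field
        elif rtype == "PTR" and owner == ptr_owner:
            hits["reverse"].append(rdata.lower())
    return hits

if __name__ == "__main__":
    print(locate_ip(SAMPLE_DUMP, "64.233.232.17"))
```

An empty `forward` list with a populated `reverse` list matches what the message reports: the local resolver never handed that address out as the answer for a hostname, so the redirect did not come from a poisoned cache entry.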


