[colug-432] WOW is hijacking my Google searches, but how?

Rick Hornsby richardjhornsby at gmail.com
Tue Mar 26 19:25:33 EDT 2013



On Mar 26, 2013, at 16:40, Rick Troth <rmt at casita.net> wrote:

> Others will know better details than I do,
> but it comes to mind that it's *easy* for any provider to insert their
> own caching layer between you and the world.  Not saying WOW is doing
> this, but it's trivial for them to trap all port 80 traffic and serve
> up cached content ... or doctored content (or redirection, or
> whatever!).  Caching is justified by reducing their upstream port 80
> burden.  (For varying values of "justified".)
> 

If I was an ISP and wanted to do this nonsense, a web cache/proxy is exactly how I would do it.

If you have an offsite ssh server, you can try tunneling your HTTP traffic (so WOW can't see it) and try to make Firefox behave the same way (URLs etc.).

ssh -D1080 your-remote-host

Tell FF to use a SOCKS5 proxy, localhost port 1080.

I used this technique years ago to thwart a jerk of a BOFH sysadmin who wasn't very bright. http://blog.flyovercountry.org/2006/10/no-more-spying

If you don't have an offsite ssh account, let me know and I'll set you up with a temp account on my rr hosted box.  It would be better to use a non-ISP ssh server, i.e., a hosting provider like DreamHost.  Barring that, this should at least give some indication.

If the problem is WOW, it should go away.  If the problem is local - say a plugin - you'll likely have the same kind of issue.

If the problem is WOW, you can very likely complain and opt out.  When the ISPs started rewriting/redirecting misspelled URL hostnames to their own search engines (argh!), there was usually a way somewhere on the page to opt out, which was supposed to get tied to your cable modem's MAC address.



> Conspiracy theorists unite!   :-)
> 
> -- R; <><
> 
> 
> 
> On Tue, Mar 26, 2013 at 5:12 PM, Rob <res at colnet.cmhnet.org> wrote:
>> For the past few days, I have been working on building Mint 14 system
>> on a second disk on my main PC.  I hate to transition, but my preferred
>> OS for the past three years (Ubuntu 10.04) will be going EOL next month
>> and I have to do something.  Frankly, I've run into a number of problems
>> with Mint that I find rather disturbing -- is Mint really being marketed
>> as made-for-prime-time? -- but perhaps the most disturbing might not
>> even involve Mint, although I'm increasingly suspicious it does.
>> 
>> First, I'm a WOW customer for broadband, and have generally been happy
>> with them.  The Firefox disseminated with Mint comes with several
>> add-ons which cannot be removed (at least not easily), although they
>> can be disabled.  One is "Mint Search Enhancer 1.0" (whatever that is).
>> I told Firefox early-on to disable it and it said it did.  Mint Firefox
>> also does not have a Google option in the search box on the Navigation
>> toolbar by default, but it is fairly easy to add it.  And that's where
>> the trouble starts:
>> 
>> When I add Google, and then try to use it to search from the search box,
>> I (often, but not always) get redirected to the following website:
>> 
>> http://64.233.232.17/bg/search-col/index.html?policy=1285&q=tab+groups
>> 
>> (Here, I was searching for "tab groups" at the time.)  This website
>> has WOW branding -- that is, if it returns at all, I often get left
>> high and dry -- but no useful information that I can tell, and a
>> small opt-out URL at the very bottom.  If I opt out, it appears to
>> leave me alone for good, i.e., it doesn't seem to rely on a cookie.
>> However, if I go to another userid on that machine and again invoke
>> Firefox, it's back, so it does seem to be browser dependent.
>> 
>> A reverse DNS lookup yields 64-233-232-17.static.nap.wideopenwest.com
>> 
>> When I first click on the search box with Google selected as the
>> engine, my DNS server sees two google.com inquiries and nothing else.
>> 
>> My question:  How are they doing this?  First, I run my own DNS
>> servers on my local LAN.  I do not use WOW (or any other external)
>> servers for my DNS.  A dump of my Bind named cache only shows the
>> 64.233.232.17 IP on a reverse lookup which I did.  But, it does seem
>> to more-or-less happily be serving up the copious lookups that Firefox
>> requests of it.  So, it would appear to me this cannot be a DNS exploit.
>> So, how is it being perpetrated?  If I visit Google directly, the browser
>> globs onto its https entry, and of course, then I get the real McCoy.
>> Even if I force a non-encrypted connect, it seems to work OK there.
>> 
>> Did Mint serve me a doctored search-engine add-on that redirects my
>> queries to WOW?  (But, if so, how did they even know I'm a WOW customer?)
>> Is WOW doing something really nefarious like masquerading as Google's IP
>> addresses on their network and then doing a redirect?  Has anyone else
>> encountered this?  There do seem to be some hits about this when I
>> query the search engines, but nothing that comes close to a good
>> explanation of what's going on.  It's really got me baffled.
>> 
>> Any ideas?
>> 
>> Rob
>> _______________________________________________
>> colug-432 mailing list
>> colug-432 at colug.net
>> http://lists.colug.net/mailman/listinfo/colug-432
> 
> 
> 
> -- 
> -- R;   <><
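The direct-versus-tunnel comparison suggested in the reply above, as an added example that is not part of the original message: it classifies the response heads from the same plain-HTTP request made directly and through the `ssh -D1080` SOCKS tunnel. The function names are hypothetical, the sample responses are constructed, and delivery of the redirect as an HTTP 302 is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed samples (not captures). The redirect URL is the one quoted in the
# thread; that it arrives as an HTTP 302 is an assumption for illustration.
DIRECT = (b"HTTP/1.1 302 Found\r\n"
          b"Location: http://64.233.232.17/bg/search-col/index.html?policy=1285&q=tab+groups\r\n"
          b"\r\n")
TUNNELED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

def parse_redirect(raw):
    """Return (status code, host named in Location or None) from a response head."""
    text = raw.decode("iso-8859-1").replace("\r\n", "\n")
    lines = text.split("\n\n", 1)[0].split("\n")
    status = int(lines[0].split()[1])
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            host = urlsplit(value.strip()).hostname
    return status, host

def off_site(host, site):
    """True if host is a bare IP address or lies outside the expected site."""
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return not (host == site or host.endswith("." + site))

def hijacked(raw, site):
    """True if the response redirects away from the site that was requested."""
    status, host = parse_redirect(raw)
    return 300 <= status < 400 and off_site(host, site)

def diagnose(direct_raw, tunneled_raw, site="google.com"):
    """Compare the same request made directly and through the ssh -D tunnel."""
    direct, tunneled = hijacked(direct_raw, site), hijacked(tunneled_raw, site)
    if direct:
        # Redirect survives the tunnel: browser or add-on. Vanishes: the ISP path.
        return "local" if tunneled else "network-path"
    return "tunnel-side" if tunneled else "clean"

if __name__ == "__main__":
    print(diagnose(DIRECT, TUNNELED))
```

Response heads for a real comparison can be saved with `curl -sI <url>` and `curl -sI --socks5-hostname localhost:1080 <url>`.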