LinuxQuestions.org
Puppy This forum is for the discussion of Puppy Linux.

Old 06-28-2015, 12:41 PM   #1
Fixit7
Senior Member
 
Registered: Mar 2014
Location: El Lago, Texas
Distribution: Ubuntu_Mate 16.04
Posts: 1,374

Rep: Reputation: 169
Browser hijacker


This site took over my 2 browsers. It is set up as my home page and my bookmarks go to it.

How do I get rid of it?

Code:
https://wifilogin.xfinity.com
 
Old 06-28-2015, 05:48 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

Rep: Reputation: 2651
Are you trying to log in to your Comcast Xfinity box?
For running a Linux OS with Comcast you NEED!!!!! to disable what Comcast calls their " ?? firewall ?? "
( for YOUR protection they will "protect you from BAD icky programs" )

it ONLY blocks GOOD programs
tor
bittorrent
ClamAV
ftp
ssh
svn
 
Old 06-28-2015, 06:26 PM   #3
Fixit7
Senior Member
 
Registered: Mar 2014
Location: El Lago, Texas
Distribution: Ubuntu_Mate 16.04
Posts: 1,374

Original Poster
Rep: Reputation: 169
Do not have an xfinity box.

But Verizon is my ISP.

I put the site in my hosts file.
 
Old 06-28-2015, 06:34 PM   #4
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

Rep: Reputation: 2651
Then are you trying to log in to or use your neighbor's Comcast wi-fi?

the Comcast xfinity box is set to DEFAULT to a public wi-fi
there are two wi-fi channels used
a public and a private
 
Old 06-28-2015, 07:31 PM   #5
Fixit7
Senior Member
 
Registered: Mar 2014
Location: El Lago, Texas
Distribution: Ubuntu_Mate 16.04
Posts: 1,374

Original Poster
Rep: Reputation: 169
I do not use wifi.

I have an ethernet cable from modem to my laptop.
 
Old 06-28-2015, 08:21 PM   #6
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Rep: Reputation: 4196
Quote:
Originally Posted by Fixit7
I put the site in my hosts file.

Could you be more explicit about this - what exactly did you put in your hosts file (paste here) and for what purpose?

Last edited by astrogeek; 06-28-2015 at 08:23 PM.
 
Old 06-28-2015, 08:32 PM   #7
Fixit7
Senior Member
 
Registered: Mar 2014
Location: El Lago, Texas
Distribution: Ubuntu_Mate 16.04
Posts: 1,374

Original Poster
Rep: Reputation: 169
This blocks the offending site.

Quote:
127.0.0.1 localhost puppypc24566
192.168.1.1 pc2
192.168.1.2 pc3
192.168.1.3 pc4
0.0.0.0 wifilogin.xfinity.com
 
Old 06-28-2015, 08:45 PM   #8
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Rep: Reputation: 4196
I thought that was what you meant, but wanted to be sure, thanks.

So if that site is somehow now set to be your browsers' home page, why is less important, simply change the home page in your browsers...?

... afterthoughts ...

Will the homepage reset to something else?

You also say all your bookmarks go there - what about non-bookmarked URLs, can you reach other sites at all?

Last edited by astrogeek; 06-28-2015 at 09:06 PM.
 
Old 06-28-2015, 09:11 PM   #9
Fixit7
Senior Member
 
Registered: Mar 2014
Location: El Lago, Texas
Distribution: Ubuntu_Mate 16.04
Posts: 1,374

Original Poster
Rep: Reputation: 169
Though my homepage was altavista.com, it went to the xfinity site in both Seamonkey and Firefox.

I had to uninstall both browsers as well as delete the .mozilla directory.

This also happened a couple of months ago.
 
Old 06-28-2015, 09:17 PM   #10
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Rep: Reputation: 4196
That sounds like browser malware or plugin hi-jacker then.

You might try to correlate it with some plugin or some particular site, probably not the site you are being directed to.

But it does not sound like a Linux or network config problem actually.

Is there more than one user account on that computer? If so, does this happen for all users or just one?
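
The check suggested above, as an added example that is not part of the original thread: a shell function that lists the homepage-related preferences stored in each Firefox or SeaMonkey profile under ~/.mozilla and marks those that contain the host from post #1. The function name, output tags and the selection of preference names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Function name, output tags and the
# list of preference names checked are choices made for this example.

# Preferences that decide which page a Firefox/SeaMonkey window opens with
# (browser.newtab.url and keyword.URL only exist in older releases).
PREF_RE='^user_pref\("(browser\.startup\.homepage|browser\.startup\.page|browser\.newtab\.url|keyword\.URL)"'

# scan_mozilla_prefs [BASE_DIR] [HOST]
# Prints "<tag> <file>: <text>" for every homepage-related pref found:
#   SUSPECT  the pref line contains HOST
#   ok       the pref line does not contain HOST
#   NOTE     a user.js exists in that profile
# Returns 0 when at least one SUSPECT line was printed, 1 otherwise.
scan_mozilla_prefs() {
    base="${1:-$HOME/.mozilla}"
    host="${2:-wifilogin.xfinity.com}"
    report=$(
        find "$base" -type f \( -name prefs.js -o -name user.js \) 2>/dev/null | sort |
        while IFS= read -r file; do
            grep -E "$PREF_RE" "$file" | while IFS= read -r line; do
                case "$line" in
                    *"$host"*) printf 'SUSPECT %s: %s\n' "$file" "$line" ;;
                    *)         printf 'ok      %s: %s\n' "$file" "$line" ;;
                esac
            done
            # user.js is read at every start and overrides prefs.js, so a
            # homepage set there comes back after being changed in the UI.
            case "$file" in
                */user.js) printf 'NOTE    %s: re-applied at every start\n' "$file" ;;
            esac
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    printf '%s\n' "$report" | grep -q '^SUSPECT'
}

# Usage: scan_mozilla_prefs "$HOME/.mozilla" wifilogin.xfinity.com
```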
 
Old 06-28-2015, 09:19 PM   #11
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,349
Blog Entries: 28

Rep: Reputation: 6145
I don't know what's going on, but this might help.

A dig gave me this. Apparently it's a legit address.

Code:
$ dig wifilogin.xfinity.com

(snip)

; <<>> DiG 9.10.2 <<>> wifilogin.xfinity.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18122
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wifilogin.xfinity.com.         IN      A

;; ANSWER SECTION:
wifilogin.xfinity.com.  6135    IN      CNAME   xfwweb.g.comcast.net.
xfwweb.g.comcast.net.   25      IN      A       69.252.205.105

;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jun 28 22:09:24 EDT 2015
;; MSG SIZE  rcvd: 100

Trying to go to wifilogin.xfinity.com in a private window on Firefox produced this. There was no attempt to hijack my browser or set the homepage. Note that Comcast does not have a presence in my part of the world. Here it's either Cox or Verizon and, in some parts, Charter.

Code:
There was a problem connecting to the XFINITY WiFi Network.

    If the problem persists, please contact a customer service representative at 1-800-XFINITY (1-800-934-6489).
    Comcast Business customers please call 1-800-391-3000.

Similarly, a traceroute produces an output that looks quite legit. Here's the bit after it left my router.

Code:
 10.5.48.1 (10.5.48.1)  11.652 ms  12.584 ms  12.584 ms
 3  68.10.8.213 (68.10.8.213)  12.988 ms  12.988 ms  12.993 ms
 4  172.22.51.96 (172.22.51.96)  90.859 ms  91.976 ms  91.965 ms
 5  ashbbprj02-ae3.0.rd.as.cox.net (68.1.4.246)  22.875 ms  21.830 ms  22.862 ms
 6  * te-1-0-0-5-cr01.seattle.wa.ibone.comcast.net (75.149.228.17)  15.674 ms  14.761 ms
 7  he-0-3-0-1-cr02.ashburn.va.ibone.comcast.net (68.86.82.209)  19.249 ms he-0-3-0-2-cr02.ashburn.va.ibone.comcast.net (68.86.82.221)  19.647 ms he-0-3-0-9-cr02.ashburn.va.ibone.comcast.net (68.86.88.109)  20.600 ms
 8  be-10114-cr02.56marietta.ga.ibone.comcast.net (68.86.85.10)  33.241 ms  31.928 ms  33.235 ms
 9  be-11314-cr01.dallas.tx.ibone.comcast.net (68.86.85.21)  53.199 ms  52.184 ms  53.184 ms
10  be-11317-cr02.denver.co.ibone.comcast.net (68.86.84.230)  63.959 ms  60.456 ms  61.472 ms
11  be-7922-ar02-d.potomac.co.ndcwest.comcast.net (68.86.95.10)  67.960 ms  66.751 ms  67.957 ms
12  te-6-1-ur02-d.potomac.co.ndcwest.comcast.net (68.86.206.18)  65.657 ms  65.634 ms  65.632 ms
13  xfwweb-po-vip.sys.comcast.net (69.241.73.141)  65.620 ms  65.184 ms  65.186 ms

Last edited by frankbell; 06-28-2015 at 09:22 PM.
 
Old 06-28-2015, 09:24 PM   #12
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Rep: Reputation: 4196
Quote:
Originally Posted by frankbell
I don't know what's going on, but this might help.

A dig gave me this. Apparently it's a legit address.

Yes, I think the URL itself is legit, but it is probably NOT the hijacker - it is just being used as a dead-end target by the hijacker.
 
Old 06-28-2015, 09:31 PM   #13
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Rep: Reputation: 4196
A little googling turned up this link.

The text-speak gibberish in some comments was too much for me to slog through, but I surmise that it is a browser hijacker maybe called "Hijack this" that is installed by many games, malware, browser plugins and generally bundled with third party crapware, mostly for M$ machines but other OSs as well.

What plugins do you have installed? Have you installed software from places other than the distro repos?

Last edited by astrogeek; 06-28-2015 at 09:51 PM.
 
Old 06-28-2015, 09:41 PM   #14
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,349
Blog Entries: 28

Rep: Reputation: 6145
Quote:
Yes, I think the URL itself is legit, but it is probably NOT the hijacker - it is just being used as a dead-end target by the hijacker.

Astrogeek, could you expand on this? "Dead-end target" is a term I haven't run into before. A web search turns up mostly stuff about the Target stores' website being hacked.
 
Old 06-28-2015, 09:46 PM   #15
Fixit7
Senior Member
 
Registered: Mar 2014
Location: El Lago, Texas
Distribution: Ubuntu_Mate 16.04
Posts: 1,374

Original Poster
Rep: Reputation: 169
I fixed the problem and am happy with the results.

Thanks for all the investigating.
 
  


All times are GMT -5.