cancel
Showing results for 
Search instead for 
Did you mean: 

Web page redirects to adfoc.us

jonathandgreen
Newbie
Posts: 4
Registered: ‎24-11-2014

Web page redirects to adfoc.us

As of this evening, almost all web pages loading on any device connected to our local network are redirecting to a URL shortening service called adfoc.us. Worryingly, these are sometimes further redirecting to sites containing explicit adult content.
I've isolated the problem to the DNS servers, which on my ADSL router were set to use the default service provider (I.e. PlusNet). I have now set them to use Open DNS servers instead, which resolves the problem. Switching mobile devices off the local network (whilst it was still using PlusNet's DNS servers) to their mobile data providers also resolved the issue.
So all evidence at this end suggests a problem with PlusNet's DNS servers, but if that's the case, I can't believe there's not more on this forum; on PlusNet's status page; or web searches generally about the problem. There's currently a wait of an hour for phone support, which may be indicative of a bigger problem, but I don't know what's normal in terms of their response time.
Is anyone else experiencing this or does this sound familiar in any way?
7 REPLIES 7
RPMozley
Pro
Posts: 1,339
Thanks: 83
Fixes: 13
Registered: ‎04-11-2011

Re: Web page redirects to adfoc.us

What make and model is your ADSL router? There have been some in the past that have been compromised by an exploit, specifically changing the DNS server to a 'dodgy' one.
There was a thread awhile back here with some info about these sort of security breaches. Will have to look for the link after posting as it's not an easy task on a mobile device.
Edit:
Ah, here we are. Found it. Have a look at this thread.
https://community.plus.net/forum/index.php/topic,124783.0.html
That's RPM to you!!
Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: Web page redirects to adfoc.us

As you mentioned if it was our DNS causing the issue I'd expect to see much more noise about this. Having just done a quick web search I can see that a few people are reporting this starting from yesterday. Have a read through the thread linked in the previous reply, I'd also run virus and malware scans on your PC just in case.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
jonathandgreen
Newbie
Posts: 4
Registered: ‎24-11-2014

Re: Web page redirects to adfoc.us

Thanks very much both. It is indeed an ADSL modem hack. It's still occurring (albeit more rarely) with the OpenDNS servers.
My modem is a D-LINK 320b (Z1). Firmware is up to date, which suggests it's a new exploit D-LINK are not aware of yet. I'm just going to reset and turn on the device firewall (which was off) in the hope that might stop the exploit, but I'll switch my attention to D-LINK support forums now.
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Web page redirects to adfoc.us

Have you tried setting the DNS servers on your PC and not using the router's DNS - or is it intercepting DNS requests?
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
Anonymous
Not applicable

Re: Web page redirects to adfoc.us

OMG !  Shocked - why was the firewall switched off ? - you should never do that !
You should have your Plusnet Broadband Firewall set to a minimum of "Low".
You should check that all the settings for remote WAN access for the router management interface is set to 'Disabled' for ALL protocols.
Disable "UPnP" on your router, as that will reduce the chances of malware on your LAN allowing remote access.
It might be worth changing the password that you use to access your router's web interface.
Try using "ShieldsUP!" to check your firewall ("All Service Ports" test) and UPnP ("Exposure Test") for router vulnerabilities.
You might also want to read about more secure DNS implementations such as OpenDNS DNSCrypt.
Cry
Anonymous
Not applicable

Re: Web page redirects to adfoc.us

I've just re-read this topic and realized you are talking about a modem and not a router   Embarrassed
Are you running the modem as a PPPoE connection straight into a PC,  or does the modem connect to a separate wired router ?
I had assumed you meant router, because you mentioned -

  • "device firewall", - and modems don't generally have built in firewalls !

  • "any device connected to our local network" - which implies the use of a router.


So I'm confused as to how your network and broadband gateway is configured ?
Sad
jonathandgreen
Newbie
Posts: 4
Registered: ‎24-11-2014

Re: Web page redirects to adfoc.us

Thanks @jelv - yes, that would work, though ultimately is only a temporary solution. What I'm looking at is a factory restore of the modem itself to hopefully remove the malicious code and remove the root of the problem (it is a modem, though strangely the DSL-320b is also a DHCP server so does act as my network router).
Thanks for the pointers @purleigh - the PlusNet firewall is on 'low'. It's the modem's internal firewall that is off, which is the factory setting. I'm certainly going to go through the default settings once it's restored to make sure security is higher.