Unusual problem
29-07-2017 12:00 PM - edited 29-07-2017 12:02 PM
I have a couple of desktop PCs which are a few years old, along with an Android tablet.
The desktops are only connected to the internet when using Linux (Mint 18.1).
Using my bookmark link to Plusnet using the tablet, no problem.
Using the bookmark link to Plusnet using either desktop, I get some other website appearing, showing someone with a cup of tea along with an obscene message.
I have tried deleting the link and tried to log into the PN website but the same thing keeps appearing.
I am not aware of anything I can use to check for malware or a virus in Linux.
Would be grateful for some advice on the above as the best way forward.
Bookmarks to all other bookmarked sites seem to work ok
Thanks

Re: Unusual problem
29-07-2017 12:11 PM
It looks to me that you've been hijacked in some way, so it may be an exploit on the browser you are using, which is? This is where my money is.
Re: Unusual problem
29-07-2017 12:18 PM
Time to run AntiMalwareBytes and see what it finds.
Re: Unusual problem
29-07-2017 12:19 PM - edited 29-07-2017 12:21 PM
Interesting, it's been ages since I used Linux, so what I say is most probably wrong. I haven't heard of many exploits on it; it is more locked down and has a smaller user base, so malware writers don't usually bother.
Can you check the hosts file? I think you can either use an editor (I liked vi, never got on with emacs), or print it out, so say:
vi /etc/hosts
more /etc/hosts

Re: Unusual problem
29-07-2017 12:34 PM
@Alex - I was referring to an exploit in the browser being used, or more probably a plugin.
In order to modify the hosts file you need to be root, and if that has been changed then there is much more of a problem than a hijack.
@gleneagles - If you do want to view it, then check its timestamp first just to see when it was last modified:
ls -la /etc/hosts then cat /etc/hosts
Re: Unusual problem
29-07-2017 1:58 PM
Thanks,
Will check that out later today.
Re: Unusual problem
29-07-2017 3:18 PM
When using the PN Bookmark or entering PN in Google Search engine the page that displays is,
WWW.zenzoneforum.com/threads/2153-nice-hot-cup-of-STFU
Looking in Linux using the instructions suggested gets me,
DESKTOP-PC ~ $ ls -la /etc/hosts
-rw-r--r-- 1 root root 232 Aug 22 2014 /etc/hosts
DESKTOP-PC ~ $ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 DESKTOP-PC
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
DESKTOP-PC ~ $
Not sure what any of that means.

Re: Unusual problem
29-07-2017 3:55 PM
@gleneagles - There is nothing wrong with the content of that file at all. So it looks like it might be related to your browser.
So what browser are you running?
Who are you using for DNS?
Also, can you get here (46.19.168.229)? This is the IP of the community.
What about a traceroute as well?
Re: Unusual problem
29-07-2017 3:59 PM
If you try to go to web site A and end up at different web site B then this suggests to me that the process of translating from web address to internet IP address may be failing. If I understand correctly, the computer first checks for entries in the 'hosts' file, so a bad entry there could cause a problem. If there is nothing in the hosts file then the computer refers to whatever Domain Name Server is specified. Check that your DNS server is set to be something sensible. By default it may well be set to be your router.
29-07-2017 4:48 PM
Using Firefox web browser in Linux.
46.19.168.229 does get me directly into the forum; having bookmarked that and then trying it, it works OK, so that has solved the problem.
Nameserver is showing as 127.0.1.1
I did not perform a trace route as I was unsure how. Is there some free trace route program or instruction in Linux?
Thanks.

Re: Unusual problem
29-07-2017 4:57 PM
Well, no it's not, that's simply treating the symptom and not the cause. 127.0.1.1 is a very odd address for a DNS server, so you need to see why that is. As you're using DHCP, the DNS servers used are configured in your router, so you ought to check that out as well, then restart your network on your PC. To do a trace route use:
traceroute community.plus.net
from a terminal.
Re: Unusual problem
29-07-2017 5:19 PM - edited 29-07-2017 5:23 PM
127.0.1.1 is the address that dnsmasq (local forwarding DNS server) listens on. That's the default for Ubuntu (and Mint) installations that use resolvconf.
To see the real DNS servers that are being used you need to use (well, in Ubuntu anyway) Network manager -> connection information. I assume Mint has something similar...
Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
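Added example, not part of any post in this thread: a small shell audit of the two local inputs to name resolution discussed above, the hosts file and the nameserver line that showed 127.0.1.1. The function names, the sample files and the 203.0.113.10 override are constructed for illustration; on a real machine, pass /etc/hosts and /etc/resolv.conf instead.

```shell
#!/bin/sh
# Added example: audit the two local inputs to name resolution.

# Print "address name" for every hosts entry that pins a name to a
# non-loopback address; such entries override DNS for that name.
hosts_overrides() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # blank or comment-only line
        $1 ~ /^127\./ || $1 == "::1" { next }   # loopback entries
        $1 ~ /^(fe00|ff00|ff02)::/ { next }     # stock IPv6 entries
        { for (i = 2; i <= NF; i++) print $1, $i }
    ' "$1"
}

# Label each nameserver line. A loopback address is a local forwarder
# (dnsmasq on 127.0.1.1 in this thread), so the real upstream servers
# have to be read from NetworkManager, e.g. with: nmcli device show
resolver_kind() {
    awk '$1 == "nameserver" {
        kind = ($2 ~ /^127\./ || $2 == "::1") ? "local-stub" : "upstream"
        print kind, $2
    }' "$1"
}

# Constructed sample files (not taken from any real machine).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
sample_hosts="$tmp/hosts"
sample_resolv="$tmp/resolv.conf"
cat > "$sample_hosts" <<'EOF'
127.0.0.1 localhost
127.0.1.1 DESKTOP-PC
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
203.0.113.10 community.plus.net   # constructed override for the demo
EOF
printf 'nameserver 127.0.1.1\n' > "$sample_resolv"

echo "hosts overrides:"; hosts_overrides "$sample_hosts"
echo "resolvers:";       resolver_kind "$sample_resolv"
```

An empty "hosts overrides" list together with a "local-stub" resolver matches what was posted in this thread, which moves the check to the upstream DNS servers handed out by the router.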
Re: Unusual problem
29-07-2017 5:52 PM
OK,
Will check that out tomorrow and post back the results.
thanks

Re: Unusual problem
29-07-2017 5:58 PM
I didn't know that (evidently) thanks for that @MisterW
Re: Unusual problem
29-07-2017 6:16 PM
If I'm honest, I didn't know that until I did an nslookup on my Ubuntu desktop and did some googling