
Topic: Answered: Single website redirecting to GoodMayor


Offline Crlaozwyn

Answered: Single website redirecting to GoodMayor
« on: January 31, 2018, 03:40:57 pm »
Nearly a week ago during a visit from my inlaws (who were kind enough to bring multiple old laptops and phones onto my network), one of my frequently visited websites began redirecting to goodmayor.com. I noticed it first on my desktop, but quickly discovered that it also happened on my iPhone. By turning off wifi and using the cellular connection, I was able to confirm that the website was still available outside of my home connection.

Because all devices connecting to my network were impacted, I assumed that my router was somehow at fault. My router was running a very old version of PFSense (2.2.4 - the newest my old hardware could handle). I turned off DNS Resolver and enabled DNS Forwarder. Voila! Things worked for about an hour and then the redirect reared its ugly head again. I grabbed a spare gaming machine and put a fresh install of PFSense (v2.4.2) on it. Right out of the gate, the redirect happened on all devices.

Manually setting the DNS server on my desktop/phone to Google's 8.8.x.x gives me the correct site.

As another troubleshooting step, I installed a competing firewall OS on the new hardware. No redirect. I did a factory reset there, then reinstalled PFSense 2.4.2. Redirect is back. While I was writing this, 2.4.2.1 was released; I installed but there was no impact.

I've tried multiple DNS servers, as well as following the guide at https://b3n.org/hijacked-slow-dns-unbound-pfsense/ to see if that'd help. No dice. Tracert confirms that a different IP and path are being taken while the redirect is happening.

I have a new Qotom box arriving tomorrow and don't want to plug it in until I know what's going on. Any help would be greatly appreciated!

EDIT:
johnpoz determined that the issue was caused by a DNS hijack, not an issue with PFSense. The symptom was caused by PFSense resolving the DNS from servers reporting the hijacked domain.
« Last Edit: February 01, 2018, 03:25:32 pm by Crlaozwyn »

Offline Derelict

Re: Single website redirecting to GoodMayor
« Reply #1 on: January 31, 2018, 04:11:41 pm »
How about you cut loose with the site you are going to that is being redirected so people have a chance at being able to help you.

Use DNS tools to see exactly what is being returned by pfSense and other resolvers around the internet, like 8.8.8.8 and 9.9.9.9.

See if those destination sites are actually redirecting you or not.

Unless you are running squid (or captive portal) there is nothing in pfSense that will perform a web redirect.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™
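The check suggested above, asking pfSense and the public resolvers the same question and comparing the answers, as an added example (not code from this post or from pfSense itself). It assumes Python 3.7+, the BIND `dig` utility on the PATH, and 192.168.1.1 as the pfSense LAN address; adjust RESOLVERS to your own network. The comparison logic works on already-collected answers, so it also runs offline against the constructed sample at the bottom.

```python
"""Cross-check what several resolvers return for one name and flag the odd
one out. Added example for this thread, not code from the original post or
from pfSense itself. Assumptions: Python 3.7+, the BIND "dig" utility on the
PATH, and 192.168.1.1 as the pfSense LAN address (adjust to your own)."""
import subprocess
import sys
from collections import Counter

# Resolvers to compare. The public ones are the two named in the reply above;
# the LAN entry is an assumed pfSense address.
RESOLVERS = {
    "pfsense-lan": "192.168.1.1",
    "google": "8.8.8.8",
    "quad9": "9.9.9.9",
}


def query_a(server, name, timeout=3):
    """Ask one resolver for the A records of `name` via `dig +short`.
    Returns a sorted list of IPv4 strings; an empty list on timeout/error."""
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1",
           "@" + server, name, "A"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout + 2).stdout
    except (OSError, subprocess.TimeoutExpired):
        return []
    # +short may also print CNAME targets; keep only dotted-quad lines.
    return sorted(l.strip() for l in out.splitlines()
                  if l.strip() and l.strip()[0].isdigit())


def find_outliers(answers):
    """answers: {label: [ip, ...]} as collected from each resolver.

    The address set returned by the largest number of resolvers is taken as
    the consensus; resolvers whose set differs are returned with what they
    said. If no two resolvers agree, every answer is reported as suspect."""
    sets = {label: frozenset(ips) for label, ips in answers.items()}
    consensus, votes = Counter(sets.values()).most_common(1)[0]
    if votes < 2 and len(sets) > 1:
        return {label: sorted(ips) for label, ips in sets.items()}
    return {label: sorted(ips) for label, ips in sets.items()
            if ips != consensus}


# Constructed sample answers mirroring the symptom in the thread: the LAN
# resolver hands out one address, the public resolvers agree on another.
# Addresses are documentation-range placeholders, not real hosts.
SAMPLE_ANSWERS = {
    "pfsense-lan": ["203.0.113.50"],
    "google": ["198.51.100.10", "198.51.100.11"],
    "quad9": ["198.51.100.11", "198.51.100.10"],
}


def main(name):
    answers = {label: query_a(addr, name) for label, addr in RESOLVERS.items()}
    for label, ips in answers.items():
        print("%-12s %s" % (label, ", ".join(ips) or "(no answer)"))
    outliers = find_outliers(answers)
    if outliers:
        print("disagreeing with the majority:", outliers)
    else:
        print("all resolvers agree")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "example.com")
```

Run it as `python3 dnscheck.py www.example.com`. If the LAN resolver is the only one that disagrees, the problem is upstream of the clients: look at which servers pfSense forwards to or resolves through (System > General Setup and Services > DNS Resolver) rather than at the firewall rules.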

Offline Crlaozwyn

Re: Single website redirecting to GoodMayor
« Reply #2 on: January 31, 2018, 04:25:12 pm »
I'd rather not provide the url and I honestly don't believe it's relevant as the redirect wouldn't happen for anyone else. Not trying to be difficult, I promise. For me, it boils down to this:

Route DNS through PFSense, get redirected.
Manually override DNS or use a different router, get to the correct site.

DNS lookup on router shows the correct site IP. Entering this IP into my phone on cell connection or desktop with manually-defined DNS will get me where I want to be. As soon as PFSense is in the mix as a DNS server, even entering the site IP will result in the redirect.

Offline Derelict

Re: Single website redirecting to GoodMayor
« Reply #3 on: January 31, 2018, 05:11:07 pm »
welp. good luck then.

Offline Crlaozwyn

Re: Single website redirecting to GoodMayor
« Reply #4 on: January 31, 2018, 05:38:13 pm »
Anyone willing to actually help? No offense @Derelict but the website itself is irrelevant. What difference does it make if the site is google, amazon, or some dubbed teletubbies site? This happens to be a torrent-related site and, though it doesn't deal with any copyrighted material, I make it a habit not to advertise specifics about that activity. If it works with a different router or by otherwise bypassing PFSense, the issue fairly clearly is somewhere in PFSense.

There appears to be some kind of html injection occurring, based on view-source for the website:
Code:
<!DOCTYPE html>
<HTML>
<HEAD>
<TITLE>One moment...</TITLE>
<META name="viewport" content="width=device-width, initial-scale=1">
<META name="description" content="related content to what you are looking for">
<SCRIPT type="text/javascript">
var z = (new Date()).getTimezoneOffset();
try { var r = window.document.referrer; } catch(e) { r = false; }
var u = 'http://gussetmiser.com/?k=34f961cdf27f7595af00a23c3d64cd2b.1517441746.897.'+((navigator.cookieEnabled)?'2':'1')+'.1.Z29vZG1heW9yLmNvbQ%3D%3D'+'&subid=##SITE##&r='+((r !== false)?escape(r):'')+'&z='+z;
document.write('<META http-equiv="refresh" content="0;url='+u+'">');
</SCRIPT>
<NOSCRIPT><META http-equiv="refresh" content="0;url=http://gussetmiser.com/?k=34f961cdf27f7595af00a23c3d64cd2b.1517441746.897.0.1.Z29vZG1heW9yLmNvbQ%3D%3D&subid=##SITE##&r="></NOSCRIPT>
<META name="referrer" content="no-referrer">
<link rel="icon" href="data:;base64,iVBORw0KGgo=">
</HEAD>
<BODY>&nbsp;</BODY>
</HTML>
« Last Edit: January 31, 2018, 06:01:57 pm by Crlaozwyn »
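A way to read a captured interstitial page like the one above without executing its JavaScript, as an added example (not code from this post). It pulls the `url=` target out of every `<meta http-equiv="refresh">`, the absolute URL literal out of the script, and base64-decodes token-looking pieces of the query string; on the poster's capture the last field of `k=` decodes to the hostname the browser was being sent through. SAMPLE_PAGE is the HTML from the post, reflowed onto several lines; the analysis code and the regular expressions are the added part and assume only the Python standard library.

```python
"""Extract redirect targets from an interstitial page like the one posted
above without running its JavaScript. Added example for this thread; it is
not code from the original post. SAMPLE_PAGE is the HTML the poster captured,
reflowed onto several lines; the analysis functions are the added part."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_PAGE = """<!DOCTYPE html><HTML><HEAD><TITLE>One moment...</TITLE>
<META name="viewport" content="width=device-width, initial-scale=1">
<META name="description" content="related content to what you are looking for">
<SCRIPT type="text/javascript">var z = (new Date()).getTimezoneOffset();
try { var r = window.document.referrer; } catch(e) { r = false; }
var u = 'http://gussetmiser.com/?k=34f961cdf27f7595af00a23c3d64cd2b.1517441746.897.'+((navigator.cookieEnabled)?'2':'1')+'.1.Z29vZG1heW9yLmNvbQ%3D%3D'+'&subid=##SITE##&r='+((r !== false)?escape(r):'')+'&z='+z;
document.write('<META http-equiv="refresh" content="0;url='+u+'">');</SCRIPT>
<NOSCRIPT><META http-equiv="refresh" content="0;url=http://gussetmiser.com/?k=34f961cdf27f7595af00a23c3d64cd2b.1517441746.897.0.1.Z29vZG1heW9yLmNvbQ%3D%3D&subid=##SITE##&r="></NOSCRIPT>
<META name="referrer" content="no-referrer"><link rel="icon" href="data:;base64,iVBORw0KGgo="></HEAD><BODY>&nbsp;</BODY></HTML>"""


class RedirectFinder(HTMLParser):
    """Collects url= values from <meta http-equiv="refresh"> tags (including
    the one inside <noscript>, which html.parser treats as ordinary markup)
    and any absolute http(s) string literal inside <script> blocks. Script
    bodies are raw CDATA to html.parser, so the document.write() call is
    never interpreted as a tag."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = []
        self._script = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            return
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)$", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(m.group(1).strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    @property
    def script_urls(self):
        return re.findall(r"'(https?://[^']*)'", "".join(self._script))


# Candidate base64 run: 8+ alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_tokens(url):
    """Base64-decode any token-looking value in the URL's query string and
    return the ones that decode to printable ASCII. Hex and numeric fields
    fail validation or decode to binary and are dropped."""
    found = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            for tok in B64_TOKEN.findall(unquote(value)):
                try:
                    raw = base64.b64decode(tok, validate=True)
                except ValueError:  # bad length or padding
                    continue
                if raw and all(32 <= b < 127 for b in raw):
                    found.append(raw.decode("ascii"))
    return found


def analyze_page(html):
    """Return the refresh targets, script URL literals, the hosts they point
    at, and any decoded tokens found in their query strings."""
    p = RedirectFinder()
    p.feed(html)
    p.close()
    hosts, decoded = [], []
    for u in p.meta_refresh + p.script_urls:
        h = urlsplit(u).hostname
        if h and h not in hosts:
            hosts.append(h)
        for d in decode_tokens(u):
            if d not in decoded:
                decoded.append(d)
    return {"meta_refresh": p.meta_refresh, "script_urls": p.script_urls,
            "hosts": sorted(hosts), "decoded": decoded}


if __name__ == "__main__":
    print(analyze_page(SAMPLE_PAGE))
```

Feed it the page saved from view-source and compare the hosts it reports with what the real site would serve; a refresh to an unrelated domain carrying the expected hostname as an encoded parameter is the signature of a hijacked answer, not of a firewall rule.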

Offline johnpoz

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #5 on: February 01, 2018, 03:51:35 am »
And how and the F do you think pfsense would have anything to do with that?  Come on really??  Are you running squid?  If not then pfsense has zero to do with your html..

Who is your isp?  Some of them are known to do html injection.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline KOM

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #6 on: February 01, 2018, 08:10:06 am »
> What difference does it make if the site is google, amazon, or some dubbed teletubbies site?

The difference is that we can try it ourselves and see what the behaviour is with multiple clients in different parts of the world using different gear.  Nobody cares if you visit TPB.

I can guarantee you, along with the others, that pfSense is not redirecting anything.  It is either your ISP (unlikely but possible) or the site itself is doing it.  The random nature of the problem may have more to do with which load-balance server you hit and whether or not that server has been potentially hacked and is serving up some funky jscript or something like that.

Offline johnpoz

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #7 on: February 01, 2018, 09:28:47 am »
Is it TPB??  I am on that almost daily - have never seen such an issue at all..

There is tons of legit software/media/etc on TPB... Saying that is where you are at is not going to look bad on you, etc. Pointing out what specific torrent you're grabbing, there's no need for such info to be made public ;)

Offline Crlaozwyn

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #8 on: February 01, 2018, 11:18:11 am »
> The difference is that we can try it ourselves and see what the behaviour is with multiple clients in different parts of the world using different gear. Nobody cares if you visit TPB.
No, it's not TPB. But I do appreciate the calm and rational approach you've taken to asking. It's actually a torrent invite site (hence no copyrighted material will ever be there): www.torrent-invites.com. Still makes me a bit uneasy to post, but at least now I have a logical incentive to offset the risk I'm imagining.

> The random nature of the problem may have more to do with which load-balance server you hit and whether or not that server has been potentially hacked and is serving up some funky jscript or something like that.
I don't actually see anything random about what's happening - it's literally as simple as this: if PFSense is handling DNS for a device, the site is redirected. If PFSense is out of the loop (a different router firmware or manual DNS settings on a device) then I get the right site.

> And how and the F do you think pfsense would have anything to do with that? Come on really?? Are you running squid? If not then pfsense has zero to do with your html..

The reason I believe PFSense is somehow the cause is because when I reformatted one of the PFSense boxes and installed Untangle on it, the redirect immediately stopped for all devices. I left it on for a few hours and never got a redirect. I was ecstatic - reinstalled PFSense on the same box and immediately got redirects again.

I found that squid was installed (not sure how on what I believed to be a blank installation), but it was not enabled and no rules were visible. I've uninstalled squid and rebooted; no difference.

I'm not SURE that it's html injection - when I do view-source it's showing the source for the redirected site. Though I've made a living in the past on troubleshooting, networking has never been my strong suit: it's as close to black magic as I've seen in the digital world ;)

> Who is your isp? Some of them are known to do html injection.
My ISP is Comcast. I would think that using a different router firmware and not getting the redirect would rule out my ISP as they're upstream.

Thanks to everyone who's contributed so far.
« Last Edit: February 01, 2018, 11:25:16 am by Crlaozwyn »

Offline KOM

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #9 on: February 01, 2018, 12:28:19 pm »
A quick Google shows that redirecting URLs to goodmayor.com is not uncommon and is the result of malware.

Are you sure your system isn't running some bogus local malware proxy that is intercepting your DNS lookups and replacing them with goodmayor?  Do you have any common browser plugins between desktop and phone?

This is not a pfSense issue.

Offline Crlaozwyn

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #10 on: February 01, 2018, 12:47:23 pm »
Unless the same malware has infected each computer and phone on my network, I'm not sure how that's possible. If it was just my desktop, I'd agree 100%. As is, if all desktops have been turned off, how would my iPhone get the same redirect? And for my phone, yes I put it into airplane mode to clear the DNS cache. I don't use any browser plugins on my phone and nothing too fishy on desktop. All desktop browsers (FF, Chrome, IE) redirect and have only Norton and LastPass plugins in common. I fired up an old iPad that hasn't been turned on in 6 months and it immediately redirected to goodmayor as well.

Your idea of a local malware proxy makes sense, but I'm not sure how it's feasible since each device has been isolated. On one PFSense reinstall, I disconnected the wireless access point and had only a single desktop on the network; it still redirected. On another, I turned off all wireless devices and unplugged every wire except going to the WAP and connected only my phone; it still redirected.

If you have any tips on how to figure out the source, I'd be incredibly grateful.

Edit to add: I completed a full antivirus scan with Norton last night on my desktop. Nothing related to this came up (but Norton thought some of my 3 year old iPhone backups were suspicious).

Offline KOM

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #11 on: February 01, 2018, 12:59:46 pm »
I don't know what to tell you.  It's not a pfSense issue.  I don't have the time to put on my detective hat to get to the bottom of this.  Lots of people complaining about being hijacked and redirected to goodmayor going back to early 2016.  Problem started after external devices added to your network.

Offline Crlaozwyn

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #12 on: February 01, 2018, 01:09:06 pm »
> I don't know what to tell you. It's not a pfSense issue. I don't have the time to put on my detective hat to get to the bottom of this. Lots of people complaining about being hijacked and redirected to goodmayor going back to early 2016. Problem started after external devices added to your network.
OK. If it's not a PFSense issue, it's at least a proxy that either only targets PFSense or Untangle is somehow immune. Yes, the problem started after my father in law's laptop connected to my network. It's been out of my house for a few days now but the problem has persisted. I guess I'll just keep poking around and hope I get lucky.

Offline KOM

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #13 on: February 01, 2018, 01:26:24 pm »
I'll keep thinking about it and will reply if I come up with anything.  Hopefully others will also have suggestions.

If you manage to figure it out yourself, please report back.  This one is interesting.

Offline mudmanc4

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #14 on: February 01, 2018, 01:43:02 pm »
Needless to say chasing something nasty around a local network is not something new.

I would start off by removing everything from the network (physically unplugging network connections and removing all wireless APs).

Change the default subnet of the LAN and connect one device at a time, individually, until the culprit rears its ugly head.