JSngry Posted February 6, 2018 Just got in from work after 15-20 minutes of trying and failing b/c my bookmark kept taking me to "goodmayor.com" as the landing site for the link and then the url read something like "id=www.organissimo.org". My work security blocker stopped that dead in its tracks, and looking up goodmayor.com, it does not seem to be a good place to be. So...what happened?
mjzee Posted February 6, 2018 Delete your bookmark and create a new one.
Misterioso Posted February 6, 2018 Same here on an Android device. I don't have any bookmarks I could use. Problem was "solved" by switching to another network.
HutchFan Posted February 6, 2018 I switched Web browsers (from Chrome to Internet Explorer), and the issue disappeared.
Jim Alfredson Posted February 6, 2018 That's very strange. I will contact tech support but I'm not sure it's on my end.
Niko Posted February 6, 2018 I had the same problem of redirection to phony websites around the same time. I don't use bookmarks and definitely have a different internet service provider than jsngry. So wherever the problem was, it's unlikely that it was on our end.
Chuck Nessa Posted February 6, 2018 No problems here on any of my devices. Anyone have this problem on Apple machines?
Rooster_Ties Posted February 7, 2018 Same redirect issues on my iPhone, much of the afternoon. Just rebooted it, which is the only reason I seem to have gotten through to the site now. Never tried from my PC at work. But yeah, same issues here (on an old iPhone 5).
lipi Posted February 7, 2018 I saw nothing. Given the somewhat inconsistent reports above, I'd bet it's a DNS issue. Jim, I'd start with whomever you registered the domain name through (Google, GoDaddy, ...). (The problem disappearing when you switch browsers or reboot a device suggests flushing your local DNS cache fixes things, which in turn suggests there was a bad entry in the DNS server it grabbed the data from the first time around.) If none of that meant anything to you: don't worry. If anyone still has a computer with the bad redirect (obviously not the one you're reading this from...), you can test my theory by following these steps to flush your DNS cache: https://documentation.cpanel.net/display/CKB/How+To+Clear+Your+DNS+Cache If after that song and dance you get the organissimo site, you indeed had a bad DNS entry. If you still get the bad redirect, then it was something else and my deduction was incorrect.
mjzee Posted February 7, 2018
5 hours ago, Chuck Nessa said: No problems here on any of my devices. Anyone have this problem on Apple machines?
I have not. In fact, my connections with the board, especially since the upgrade, have been fast and flawless.
kh1958 Posted February 7, 2018 Yes, I had the same issue on my iMac this evening.
Jim Alfredson Posted February 7, 2018 According to the server folks, it isn't coming from them. I'll contact my DNS registrar (Go Daddy).
Kevin Bresnahan Posted February 7, 2018 I am still getting this on my two Linux machines this morning. Since I've never heard of malware working on a Linux box, I would guess that it's the DNS as well.
Dan Gould Posted February 7, 2018 Using phone to access. Above suggestion does not work!! However hijack message doesn't seem to disable pc. I ran Norton last night; it did not find anything.
mjzee Posted February 7, 2018 This all sounds similar to something I encounter every so often when I visit a website (usually on Real Clear Politics). A couple of times a week, I'm on Real Clear and all of a sudden a message appears over the screen: "You've won an iPhone 8" etc etc, with a strange URL at the top of the screen. I think it's actually a form of advertising pop-up box (similar to what's becoming more common on a lot of news web sites, where you want to read an article but an ad appears over the article and you must X to get out). I've found the solution in those cases to be simple: go to the URL box at the top of the screen, and enter a different web site. The problem message disappears. And if I then go back to Real Clear, I don't encounter the problem again (at least for that day).
clifford_thornton Posted February 7, 2018 Yeah, was getting this problem last night on my home Mac, though it's not an issue as of today on my work Mac.
JSngry Posted February 7, 2018 Reaching the site just fine from work now, after getting the re-direct all morning. Have not changed bookmark link. Also got it from home last night and very early this AM. Same thing on my phone (android) & Brenda's tablet (iPad). The board link is the only one that gets redirected, on all machines, all other links function normally. Gotta wonder about the choices of redirection - at work, it gets blocked at goodmayor.com. That's the business's security blocking it. On all other devices, it goes through goodmayor.com and lands at various sketchy looking app/utility download sites. If you don't click on anything, I don't see where you get anything harmful. My question is simple - what is triggering the redirect to goodmayor.com? When it blocks at work, the link is something like goodmayor.com/site ID = www.organissimo.org. That's not exact, but close.
Jim Alfredson Posted February 7, 2018 This is the reply I got from Liquid Web, my server company.

I see that after requesting organissimo.org/forum the request is redirected to www.organissimo.org which according to DNS records points to a different server:

;; ANSWER SECTION:
www.organissimo.org.   671   IN   A   190.2.131.62
;; AUTHORITY SECTION:
organissimo.org.   532   IN   NS   ns2.organissimo2.com.
organissimo.org.   532   IN   NS   ns1.organissimo2.com.
;; ADDITIONAL SECTION:
ns2.organissimo2.com.   671   IN   A   190.2.131.63
ns1.organissimo2.com.   671   IN   A   190.2.131.62

The IP address 190.2.131.62 shows the following ownership:

owner:       WorldStream B.V.
ownerid:     NL-WOBV-LACNIC
responsible: Dirk Vromans

After hitting this server then a second redirect is sent to send the user to goodmayor.com @

;; ANSWER SECTION:
goodmayor.com.   290   IN   A   34.196.13.28

Before getting then redirected several more times to the eventual ad.

I would recommend looking at godaddy and seeing what is set there and if any changes have been made. As well I would recommend looking into this doppelgänger domain as it appears to be the first step in the redirects:

;; ANSWER SECTION:
organissimo2.com.   900   IN   A   190.2.131.62
;; AUTHORITY SECTION:
organissimo2.com.   900   IN   NS   ns1.xzydns.com.
organissimo2.com.   900   IN   NS   ns2.xzydns.com.

Domain Name: ORGANISSIMO2.COM
Registry Domain ID: 2223693508_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.antagus.de
Registrar URL: http://www.vautron.de
Updated Date: 2018-02-06T16:19:25Z
Creation Date: 2018-02-06T16:19:25Z
Registry Expiry Date: 2019-02-06T16:19:25Z
Registrar: Vautron Rechenzentrum AG
Registrar IANA ID: 1443
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.XZYDNS.COM
Name Server: NS2.XZYDNS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

The new server is called host.organissimo2.com. The old server, which is now turned off and gone, was called host.organissimo.org. I accidentally put .com in the new one and supposedly there is an actual site called www.organissimo2.com that is the source of all this. So for some reason we're getting our wires crossed, so to speak. The DNS configuration at GoDaddy, which is my site registrar, is set correctly as far as I can tell. I'm wondering if the problem is the name of my server. Now that the old server is gone, I've asked if they can change the name of the new one to host.organissimo.org
JSngry Posted February 7, 2018 Glad to see that there's documentation supporting the logic behind this. Back on now, but in the interim, I had the redirect thing. It seems to be an interim occurrence, although for me it's been mostly miss rather than hit. Also, can I use "Dirk Vromans" as my secret spy name? Please? fwiw - closed the window after the post above, tried getting back in a few minutes later, got the goodmayor.com block. Closed the window, tried again a few minutes later, and voila, aqui estoy.
mjzee Posted February 7, 2018 Weird. I wonder why I never experienced this redirect. My bookmark is set to the unread content page; maybe that’s why. Edited February 7, 2018 by mjzee
JSngry Posted February 7, 2018 Oh, I tried accessing the band page, the root page for all this, www.orgainissimo.org and it still happened. Something in the DNS chain has to be, if not off, then fragile.
Jim Alfredson Posted February 7, 2018 They just changed the name of the server. It might take a while to propagate through the system, but it should fix the problem. From LiquidWeb:

At this time it looks like you do not have ownership of the domain: organissimo2.com

This has allowed a 3rd party to register the domain and set up a malicious nameserver allowing the redirects to take place. In a situation of changing servers we would normally recommend domain names like the following:

host.organissimo.org
to new server:
host2.organissimo.org

This would allow for the new server creation with domain names under your ownership. I would recommend that we update the server hostname to host2.organissimo.org as well as set the nameserver glue records to the following after we change the server hostname:

ns1.organissimo.org 67.225.241.38
ns2.organissimo.org 67.225.241.38

Please confirm and I will proceed.
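The check Liquid Web describes in the reply above, written out as an added example (not part of the original thread and not Liquid Web's tooling): it parses dig-style records and flags any NS delegation or A record for the site that points outside domains the owner controls. The names `OWNED_ZONES`, `EXPECTED_IPS` and `audit` are assumptions made for the example; the sample records are the ones quoted in the thread.

```python
# Added example: audit dig-style output for nameservers outside owned domains.
OWNED_ZONES = {"organissimo.org"}   # assumption: domains the site owner has registered
EXPECTED_IPS = {"67.225.241.38"}    # server address given in the Liquid Web reply

# Sample input assembled from the records quoted in the thread.
SAMPLE_DIG = """\
;; ANSWER SECTION:
www.organissimo.org. 671 IN A 190.2.131.62
;; AUTHORITY SECTION:
organissimo.org. 532 IN NS ns2.organissimo2.com.
organissimo.org. 532 IN NS ns1.organissimo2.com.
;; ADDITIONAL SECTION:
ns2.organissimo2.com. 671 IN A 190.2.131.63
ns1.organissimo2.com. 671 IN A 190.2.131.62
"""

def parse_records(text):
    """Return (name, rtype, value) tuples from dig-style resource record lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and ';;' section headers; keep 'name ttl IN type value'.
        if len(fields) >= 5 and not fields[0].startswith(";") and fields[2] == "IN":
            records.append((fields[0].rstrip(".").lower(), fields[3],
                            fields[4].rstrip(".").lower()))
    return records

def in_owned_zone(name, owned):
    """True if name is an owned zone or a subdomain of one (label-aligned match)."""
    return any(name == zone or name.endswith("." + zone) for zone in owned)

def audit(text, owned=OWNED_ZONES, expected_ips=EXPECTED_IPS):
    """Return sorted findings for NS and A records of owned names that look wrong."""
    findings = []
    for name, rtype, value in parse_records(text):
        if not in_owned_zone(name, owned):
            continue  # records for other domains are not ours to judge
        if rtype == "NS" and not in_owned_zone(value, owned):
            findings.append(f"NS for {name} delegates to {value}, outside owned zones")
        elif rtype == "A" and value not in expected_ips:
            findings.append(f"A record {name} -> {value} is not an expected address")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_DIG):
        print(finding)
```

If the zone is legitimately hosted on a registrar's or DNS provider's nameservers, add that provider's nameserver domain to `OWNED_ZONES`, otherwise every third-party delegation is reported.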
Kevin Bresnahan Posted February 7, 2018 I was telling Jim on Facebook that I had to laugh at one of the redirect websites I got today. It was an official-looking "Microsoft Support" website with a serious voiceover telling me that my Windows computer has been compromised and I must immediately call their tech support number shown on the screen or I would be disconnected from the network. I was seeing this while using my Linux/Ubuntu laptop.