by Jonathan Rothwell

Redirecting oddity—or, what lies at

Who the fuck is /‽

This evening (well, this morning) I started up my computer from cold after a reboot to install some updates, and booted into Ubuntu 12.04 testing.

I opened Firefox as usual, and noticed something odd about the Google homepage: it was using the old top bar design, made no reference to Google+, and appeared to show me as signed out. Trying to go to any other Google search page (images, videos, YouTube, reader, etc.) returned me straight back to the suspicious-looking Google homepage. Clicking the “Sign In” button took me to the old Google sign-in page. Instant wasn’t available when searching, and

Something was very fishy, so I didn’t enter my details, dug my phone out, and began sniffing.

The first thing I noticed was that only traffic to Google’s servers seemed to be being intercepted. Trying to go to YouTube would either return me to the fake, or throw up a 404 Not Found error generated by ngnix. This confirmed my suspicions that my traffic was being hijacked: I know for a fact that Google doesn’t use ngnix.

Interestingly, the BBC’s homepage was working fine, as was Twitter (thankfully over SSL, so it’s very unlikely my Twitter account has been compromised.) So, someone was hijacking my traffic for Google and redirecting it to a fake Google search page.

iptraf is a useful tool that can be installed from the Ubuntu repositories to help identify the origin and destination of network traffic. Using it, I detected a lot of packets heading to and from the address I also tried a few “odd” pages in Firefox, which all redirected to the 404 page at a server called

At this point, three alarming questions were running through my head:

  1. Who are /

  2. Why are they trying to hijack my Google searches and probably illicitly obtain my account information‽

  3. Does the problem lie with the network in my halls of residence, or has my machine been compromised in some way?

A quick whois reveals that is registered through GoDaddy and via a domain proxy service. This probably indicates that the owner of the fake Google page (which we now know resided at is probably a generic internet miscreant, who, had I entered my account details, would probably have turned my GMail address of seven years into a spam factory.

So, the question is, how? How, on my machine running Ubuntu, did I begin receiving these weird redirections? It was at least at the system level, because the fake Google homepage was showing up in Midori too, and attempts to ping Google resulted in this:

jonathan@Durandal-Ubuntu:~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=52 time=90.4 ms
64 bytes from icmp_req=2 ttl=52 time=21.8 ms
64 bytes from icmp_req=3 ttl=52 time=23.3 ms

However, when connecting to the internet via my phone using tethering, pings were returned and the correct Google home page reached. Similarly, when I connected my phone and my laptop back to the eduroam wireless network, normal service was resumed as if nothing had happened.

So, this is mysterious. We also know that didn’t want you researching them: a query put through their fake Google front-end linux became, simply, linux.

My conclusion is that it’s safe to assume that is nefarious. Do not go there on an unsecured machine. You may end up downloading all sorts of malware nasties and you won’t even know.

I’m still unsure how, though. An intrusion into my machine? Possible—it could be a zero-day Flash vulnerability. An intrusion into the JANET/eduroam systems? Again, possible. If you have any ideas about what might have caused this, or you’ve also experienced this hijacking, please get in touch: this is disturbing enough that I feel compelled, almost duty-bound, to follow it up. My mail address is at the bottom of this article.

For now, though, I am in the alarming position where I must consider it nominally safer to do my online banking in Windows than under Linux.