12

For the past couple of days, we have been facing this issue where sites are automatically being routed to an adult site, although we get a 404 Not Found HTTP error.

First guess is obviously that my system is infected with a virus or malware. So, I did a complete scan and Avast removed some viruses. But the problem persists.

The redirection doesn't happen all the time; it happens randomly. Also, it is not specific to some sites; it happens for any site.

But I found that I am not the only victim; everyone in my network is facing this problem.

On Googling, I only got suggestions that it is the doing of a virus or malware in my system.

But how come our Android devices and iPads are also affected? It is happening in all browsers: Chrome, Firefox and IE.

I've no clue where the problem is and how to fix it. Please advise.

Update:

Checked the router configuration. Found that the remote administration was ON. The password was the default one. Changed the password. Also, saw that the DNS server configuration was set to take the details from the ISP.

So, not sure how something got hold of my DNS translation.

But, after changing my router's password I haven't noticed the issue even once. So, it makes me think that my router was compromised.

Also, would like to give one more piece of information to the curious ones out there, which is puzzling me. When I was opening a URL, say abc.com, the page was actually loading and was then getting redirected. So, if the DNS was compromised, I guess when we were hitting a link, it should have directly gone to the malicious site. But for us the page was loading and within a split second it was being redirected.

Still don't know the root cause, but I'm happy that the issue is fixed.

nitgeek
  • 1
    Can you disconnect your iPad and any other mobile devices from the Wi-Fi network and try to connect to the internet with 3/4G? – Michal Koczwara Apr 19 '15 at 08:50
  • 12
    Perhaps your router has been infected. Perhaps it has been configured to use a malicious DNS server. – CodesInChaos Apr 19 '15 at 09:07
  • 1
    It's possible the hosts file on your router has been tampered with. Try to telnet into your router and find the hosts file and check it. – Blue Wizard Apr 20 '15 at 04:48
  • @unixunited, it's also possible it's in the computer's own hosts file. – Dog eat cat world Apr 20 '15 at 09:47
  • 1
    @Dogeatcatworld I'm less inclined to think their system is affected when every single device on the network is infected. It could be every hosts file is tampered with, but with both phones and computers on multiple operating systems I think it's more likely the router is infected and using a poisoned DNS server instead of a good one. – Thomas Ward Apr 21 '15 at 02:49

2 Answers

22

If your devices can connect to the internet (without redirection to Adulttube.info) through 3/4G then I suppose your router is infected with a trojan

(Trojan:32/DNSChanger) https://www.f-secure.com/v-descs/dnschang.shtml

Trojan:32/DNSChanger compromised the router's weak default password using brute-force attacks.

The Trojan then changed the router's DNS table to malicious DNS servers... redirecting Domain Name resolutions to unsolicited, illegal and malicious sites the attacker wanted victims to access.

Michal Koczwara
  • 9
    It's also worth noting that DNS settings on the router may have been tampered with. Some routers can have their DNS addresses reset via a drive-by attack with no malware necessary at all. – James Snell Apr 19 '15 at 15:31
  • 1
    A good way to prevent any malicious router from doing that is simply manually setting the DNS your machine will use – Freedo Apr 19 '15 at 22:35
  • 1
    @Freedom Depends on whether your device is now pointing to a rogue DNS or whether the router's DNS (which your device points to by default) is affected/poisoned – BlueCacti Apr 20 '15 at 09:26
-2

One of the connected devices could do a MITM attack. Maybe your PC, a neighbor, or your router if it is infected. A rooted Android device can also do MITM attacks with dSploit/cSploit.

Louis CAD
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient [reputation](http://security.stackexchange.com/help/whats-reputation) you will be able to [comment on any post](http://security.stackexchange.com/help/privileges/comment). – M'vy Apr 20 '15 at 09:47
  • 1
    The author says he doesn't know where the problem is. I'm answering by giving him clues, right? – Louis CAD Apr 20 '15 at 09:54
  • Yeah, well technically you did answer the question. Just throwing 'possible' cause(s) of the problem without providing at least a solution to solve it is not considered an answer for this site. Anyway, I agree that the question itself is pretty bad and inclined to ask for answers like yours. Nothing personal. I voted to close the question as well. – M'vy Apr 20 '15 at 10:01