Object moved to here?
July 14, 2011 12:04 PM

What the heck is going on with my web access today? DNS issues? Mysteries within...

First saw this on Google pages. Now it's happening on other sites (TiVo site, the Society for Neuroscience page, etc.). When I try to access sections of a site that have a login requirement, I get funneled through a series of redirects. Blank pages with notices like "Object temporarily moved to here" or "This page has been moved to here" or "Object has been found here". In each case, "here" is a link to the next page, but I am never automatically redirected. Sometimes getting to my desired destination requires a single redirect, other times it has multiple layers of redirect pages before I end up there. I can't understand what is going on.

I'm on a gigabit line directly connected to a large university internet. I am using the university DNS servers. There is no reasonable possibility that this is a man in the middle attack, as I know exactly where the local routers are that connect my non-shared line to the incoming University fiber. That room is locked and only accessible by the local IT people. I can see (and personally installed and configured) all the hardware between my computer and the wall. I can't find any explanation of why this is happening today. Anyone have any clues?
posted by caution live frogs to Computers & Internet (7 answers total)
 
Response by poster: Wow. Even more fun. Nothing I post to Metafilter today actually gets posted - I get stuck on a blank "Preview" page (http://ask.metafilter.com/contribute/post_preview.cfm for this AskMe, for example). Nothing happens after that. But if I check the site, the comment or question shows up just fine. This is frickin' weird. I tried running Chrome instead of Firefox but still saw the same weird behavior.
posted by caution live frogs at 12:06 PM on July 14, 2011


Are you behind a proxy? Even if you think you aren't, the University may be using a transparent proxy and it's acting up.

DNS issues?

If you want to rule out DNS as a cause of your trouble, switch to one of the publicly available servers such as OpenDNS.

I can see (and personally installed and configured) all the hardware between my computer and the wall.

How about the software? You mention this is happening on login pages, are you sure it's not a trojan trying to steal your login credentials? Try booting from a live CD and see if things are behaving normally.
posted by Dr Dracator at 12:12 PM on July 14, 2011 [1 favorite]


Have you asked University IT? It's possible that they've installed something between you and the Internet (probably centrally, on their outbound links) which is hijacking your sessions for purposes of logging your activities. This is very common with large businesses watching their employees for the purposes of 'security' and 'risk mitigation'.
posted by mu at 12:22 PM on July 14, 2011


Best answer: Work your way from the browser to the university's connections:

- Install a different browser such as Chrome, Opera, or Firefox. Do not import settings from any of your other browsers (not sure if you're using IE or not)

- If it does not happen in other browsers, try clearing out the cache and uninstalling addins on the browser that is affected.

- If it's still occurring, check your system for malware. Deezil's profile has a decent guide for removing most trojans and rootkits. There are many "man in the browser" hijacks that cause behavior similar to what you're seeing.

- If no malware is to be found, check your network settings to make sure you have the correct DNS/VPN/Proxy settings (try OpenDNS or Google's DNS if unsure about the university's...just a note: external DNS requests might be blocked to personal computers by the university depending on how security is handled)

- Try another PC at the university if the problem still continues, this will help rule out your PC if it's happening on others.

- If it does not happen on other computers, try a live CD on your computer to rule out any port based rules for your PC's network connection.

- If it IS happening on more than one PC, check with your IT department to see if they have any capture portal, IDS, or similar technologies that could be badly configured or acting flakey.
posted by samsara at 2:11 PM on July 14, 2011


Response by poster: Weird. I swear it was happening with Chrome yesterday. Neither Safari, Chrome, or Opera show the behavior today. But Fx still does. I started to suspect it was perhaps the HTTPS Everywhere extension causing a hang-up - trying to disable it showed me that Firefox thought I had no extensions at all installed. Well, that's what I get for running Fx 6 beta... moved back to Fx 5.01 and things are apparently fine now. So it was either a problem with plugin incompatibility or an issue with Fx beta.

The U doesn't run any monitoring software aside from checking unusual activity such as excessive traffic caused by viruses or worms. If they suspect something, they cut us off immediately, rather than capturing traffic. And in our working group I'm the guy they usually contact to let us know there's a problem.

(Didn't ever suspect malware, I'm running a Mac and have not connected to any untrusted networks or sites in the last month. I'm either at home, where I run all the networking hardware using open-source firmware, or at work, in a research hospital with strong security measures in place. But aside from it maybe being an issue with some major content host having a server failure resulting in temporary redirects, I couldn't figure out what might be happening...)
posted by caution live frogs at 6:42 AM on July 15, 2011


Response by poster: Samsara, marking yours as best answer based on point 2 - since it does appear to be an add-on issue. Or a browser-specific issue. Or both. Thanks. If it had been earlier in the day I probably would have caught that without resorting to an AskMe.
posted by caution live frogs at 6:44 AM on July 15, 2011


FWIW, you can always directly query your DNS server via nslookup. I'm not on a Mac right now, but it should have it installed by default. Just type nslookup in the terminal.

Usage is simple: just type in the domain you want to test. To compare your results to a different DNS server just type in "server 8.8.8.8" and hit enter. Now you will be querying the Google domain server. Re-type in your request. If they differ then it might be a DNS issue. Sometimes, load balancing happens at the DNS level so you may get different IPs, but generally this shouldn't happen often and not with smaller sites like the society you mention.
posted by damn dirty ape at 7:47 AM on July 15, 2011
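
The resolver comparison described in the answer above, scripted. This is an added example, not part of the original thread: the function names and the sample nslookup output are constructed for illustration, using documentation-range addresses.

```shell
#!/bin/sh
# Added example: compare the addresses two resolvers return for one name.
# All sample output below is constructed (documentation address ranges).

# Read nslookup output on stdin; print the answer addresses, sorted and unique.
# The "Address:" line before the first "Name:" is the resolver itself: skip it.
answers() {
    awk '/^Name:/ { seen = 1; next }
         seen && /^Address(es)?:/ { print $2 }' | sort -u
}

# Classify two nslookup outputs: same / overlap / different / no-answer.
# "overlap" or "different" can still be DNS-level load balancing, so treat
# it as a reason to look closer, not as proof of tampering.
compare_answers() {
    a=$(printf '%s\n' "$1" | answers)
    b=$(printf '%s\n' "$2" | answers)
    if [ -z "$a" ] || [ -z "$b" ]; then echo "no-answer"; return 0; fi
    if [ "$a" = "$b" ]; then echo "same"; return 0; fi
    common=$(printf '%s\n%s\n' "$a" "$b" | sort | uniq -d)
    if [ -n "$common" ]; then echo "overlap"; else echo "different"; fi
}

# Live use (needs network): default resolver versus 8.8.8.8.
check_domain() {
    compare_answers "$(nslookup "$1" 2>/dev/null)" \
                    "$(nslookup "$1" 8.8.8.8 2>/dev/null)"
}

SAMPLE_LOCAL='Server:   10.0.0.53
Address:  10.0.0.53#53

Non-authoritative answer:
Name:  www.example.org
Address: 192.0.2.10
Name:  www.example.org
Address: 192.0.2.11'

SAMPLE_PUBLIC='Server:   8.8.8.8
Address:  8.8.8.8#53

Non-authoritative answer:
Name:  www.example.org
Address: 192.0.2.11
Name:  www.example.org
Address: 192.0.2.10'

echo "local vs public: $(compare_answers "$SAMPLE_LOCAL" "$SAMPLE_PUBLIC")"
```

With network access, `check_domain www.example.org` runs the same comparison against live resolvers.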

