hello
I thought using linux I was safe, but I think my browser chromium is hijacked, because when I click randomly on some links, a tab opens showing the search engine scour.com.
I do not know what to do.
Can you help me?
Thank You
Last edited by ppsalama (2015-02-06 16:27:13)
Offline
I thought using linux I was safe
Safe from what? Anyone who gave you this impression did you a horrible disservice. Linux allows for users to have more control of their system, and by doing so allows them to secure their system better (in many regards at least), but if you think simply running linux will keep you safe from everything you'll need to rethink your choice. With proprietary OSs users can remain ignorant about security issues and just trust others to take care of it for them. I don't like that system, but it is better than doing nothing at all. Linux is not a magic fix - it is a tool.
I think my browser chromium is hijacked, because when I click randomly on some links, a tab opens showing the search engine scour.com.
I do not know what to do.
Can you help me?
Thank You
Is scour set as your default search engine? Which links do you 'randomly' click? Does this happen on all sites? Only some? Does this happen after restarting chromium? After rebooting? Does it happen if you clean/move/remove the browser profiles? Have you tried with another user?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
Scour redirect virus
Since as early as 2009 a web browsing virus related to Scour surfaced.[8] This virus hijacks the web browser being used and automatically redirects the user to Scour's search engine. Other websites have been reported to be redirected to as well with Scour being the primary one. The user's browser is redirected to scour.com after clicking a link, usually from Google.[9]
https://en.wikipedia.org/wiki/Scour_Inc..
Oh dear...
These things can only get on your system if you install software manually without using repositories -- what have you installed without the use of pacman?
Jin, Jîyan, Azadî
Offline
Is scour set as your default search engine? Which links do you 'randomly' click? Does this happen on all sites? Only some? Does this happen after restarting chromium? After rebooting? Does it happen if you clean/move/remove the browser profiles? Have you tried with another user?
It is not my default search engine (it is not even listed)
Which links do you 'randomly' click? Does this happen on all sites? Only some? only some. Last time when I was using my wordpress admin panel.
Does this happen after restarting chromium? After rebooting? Yes, yes
Does it happen if you clean/move/remove the browser profiles? I don't know how to manage browser profiles
Have you tried with another user? No
These things can only get on your system if you install software manually without using repositories -- what have you installed without the use of pacman?
I only install with pacman (recommended repositories) and yaourt (from Aur)
Offline
It may be a malicious browser add-on, DNS hijacking on the router etc.
Offline
It may be a malicious browser add-on, DNS hijacking on the router etc.
thanks for your opinion
maybe it is an installed extension of chromium (surely flashfree - comments in chrome web store report it injects ads)
not solved for the moment till I test after removing extension
Offline
If you use Chrome/Chromium synchronizing be aware that you might inherit malicious ads and settings. Hence, if applicable, I would recommend that you disable synchronizing until you have solved the issue and then check each system where you use Chromium/Chrome to make sure it doesn't show up again.
Offline
If you have used free "anonymous" proxies, try deleting your browser's cache; an article recently explained that free proxies inject malicious javascript in commonly used JS files.
I would remove any extension and I would enable them one by one to find out the culprit.
Offline
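Before disabling extensions one by one, it helps to see which installed extensions are able to touch every page at all. The following is an added example, not part of the original thread: it reads each extension's manifest.json and lists broad host access. The profile path is the assumed default Chromium location on Linux, and the two sample manifests are constructed.

```python
import json
from pathlib import Path

# Assumed default Chromium profile path on Linux; adjust for other profiles.
DEFAULT_EXT_DIR = Path.home() / ".config/chromium/Default/Extensions"
# Match patterns that cover every site the browser visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def injection_reach(manifest):
    """List the ways this manifest lets an extension touch arbitrary pages."""
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    reasons = [f"host access {p}" for p in perms if isinstance(p, str) and p in BROAD]
    for script in manifest.get("content_scripts", []):
        reasons += [f"content script on {m}" for m in script.get("matches", []) if m in BROAD]
    if "webRequest" in perms:
        reasons.append("webRequest (observes every request)")
    return reasons

def audit(ext_dir=DEFAULT_EXT_DIR):
    """Return one record per installed extension version, broadest reach first."""
    records = []
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {"name": "(unreadable manifest)"}
        records.append({
            "id": path.parent.parent.name,          # directory name = extension id
            "name": manifest.get("name", "?"),      # may be a __MSG_...__ locale key
            "reach": injection_reach(manifest),
        })
    return sorted(records, key=lambda r: len(r["reach"]), reverse=True)

def build_sample_profile(root):
    """Constructed sample: one page-rewriting extension and one narrow one."""
    samples = {
        "aaaa/1.0_0": {"name": "Sample video helper", "permissions": ["tabs", "<all_urls>"],
                       "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]},
        "bbbb/2.1_0": {"name": "Sample notes", "permissions": ["storage"]},
    }
    for rel, manifest in samples.items():
        target = Path(root) / rel
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest))
    return Path(root)

if __name__ == "__main__":
    for rec in audit():
        print(rec["id"], rec["name"], "; ".join(rec["reach"]) or "no broad access")
```

Broad reach alone does not make an extension malicious; it only narrows down which ones to disable first.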
Solved, it was an installed extension of chromium (flashfree, it injects ads); after removing it, no more problem.
Thanks to all (especially to karol for the clue)
Offline
Safe from what? Anyone who gave you this impression did you a horrible disservice. Linux allows for users to have more control of their system, and by doing so allows them to secure their system better (in many regards at least), but if you think simply running linux will keep you safe from everything you'll need to rethink your choice. With proprietary OSs users can remain ignorant about security issues and just trust others to take care of it for them. I don't like that system, but it is better than doing nothing at all. Linux is not a magic fix - it is a tool.
I disagree with describing Linux as just a tool. Linux drives the high industrial, probably from the ground up including automations of heavy vehicles and so on; just imagine using another "tool", will your goals be achieved?
Regarding the post: yes, Linux is safe on paper, but in real-world usage it includes issues ("bugs"), and what is worse than software bugs, the user.
The user is the weakest part in the ring, so be smart about your usage; as an example, make use of virtual machines.
Offline
@ppsalama:
Your question about exploits and hijacking brings up an interesting issue. Most people think about security in a backwards way. Every browser has a zillion exploits in its history, many of which are patched, but at any one time there are both known and unknown unpatched exploit vulnerabilities in the wild. Using software with such vulnerabilities is a little like knowing that the road is absolutely infested with bloodthirsty banditos, along every curve and narrow spot, but taking the horse and buggy through the pass every day in spite of knowing about those ugly characters. Instead, one should be taking the train (or the jet plane) - and not take the bad road at all. The bad road is the unencrypted one. Theoretically, an encrypted connection completely isolates your channel so that banditos cannot get into it (because you're flying way high up over their heads).
This works under three conditions: 1) Your cipher text cannot be broken on the fly. 2) Your authentication works (certificates), and you have no fuel leaks that cause you to crash in the desert. The fuel leaks are the unencrypted side channels (http) branching from a site that connects to you with https on the main page. (This mix of https/http is called mixed content=BAD).
Unfortunately, the cipher suites that are typically used by default after https handshakes are often broken (easily) "on the fly." This is because of the way server private keys have gotten into the wild. The use of ephemeral keys alleviates this issue in all but the most targeted attacks, assuming the actual data encryption is also up to snuff. Most ssl stack/browser combinations do not end up selecting a cipher suite that utilizes ephemeral keys (called DHE* cipher suites, or suites that use the Diffie-Hellman ephemeral key exchange mechanism). However, this can be remedied by modifying your ssl stack + browser to supply ONLY DHE* cipher suites in the preferences list sent to the server, and to allow only DHE cipher suites in the final connection produced after the handshake.
The fact that DHE* is not uniformly being used is one of the reasons the internet is broken, along with certificates, mixed content, and invasive proxies. Call your congressman.
Now, the good news: This site (bbs.archlinux.org) accepts DHE* cipher suites if your browser puts them in the preferences list! So, archlinux.org is one of VERY few sites that I feel comfortable visiting (Of course I have made the modifications to my ssl and browser). This is a pretty important issue. You should study it, or ask a techie friend about it. Sometimes the key mechanism is referred to as a PFS (perfect forward secrecy) mechanism, if you want more buzzwords. Sorry for such a long first post.
(See disclaimer in next message (below)).
Last edited by Ronaldlees (2015-03-08 14:47:33)
The internet is a broadcast medium, cleverly disguised to appear interactive.
Offline
Of course, in your case, the above posted information is not that helpful, because the exploit came from the site you intended to connect to. I guess that problem we'll always have (even I have it) :-)
One other thing to keep in mind is that when/if you change your ssl stack + browser setup to disallow everything but DHE* cipher suites, you'll kill the various blacklist "protection" channels that your browser uses. This is because some/all blacklist providers provide those blacklist updates with ciphers that are less than DHE*. Note that I'm not referring to the ECDHE (elliptic curve variant of DHE) - which is a cipher suite I prefer NOT to use, as a matter of personal opinion/preference.
You'll find fewer sites to visit, because most servers will try to force the use of cipher suites that are less than DHE*, and will refuse to connect at all if you specify better cipher suites. If that sounds insane, it is. Some cipher suites in the DHE* range are better than others. I usually use the ones with AES256 for data, but can't say there aren't problems with my choice. It's the pick your poison thing :-) .
On the plus side, with DHE* you'll kill off some of the ad/marketing connections, because they tend not to support DHE* cipher suites. On the downside, some connections may not work as designed because less secure (side) channels are blocked by your cipher selection. So, there are problems with the idea, but those are acceptable to me :-) Some of my posts may contain opinions and/or conjecture. In any case, one should always be fairly knowledgeable before implementing cipher suite (selection) modifications - or know someone who has the savvy. DHE* suites may not be perfect. There may be flaws. It's a "use at your own risk" scenario, of course. One should be given the opportunity to pick his own poison. Software is bad, always has been, and probably will be for a long time. So, securing the channel the bad software runs in, seems a more plausibly successful approach. Looking at the channel from multiple angles easily proves that it's not yet up to the task.
In my opinion, mixed cipher suite environments are almost as bad as mixed content situations. Certificates are another thorny issue, best saved for another day.
BTW: I'm not really a security expert, so don't quote me in your next job interview...
Last edited by Ronaldlees (2015-03-08 15:02:42)
The internet is a broadcast medium, cleverly disguised to appear interactive.
Offline
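The DHE-only client setup described in the two posts above can be reproduced and inspected with Python's ssl module. This is an added example, not part of the original thread; the cipher string "DHE+AESGCM" is an assumption chosen for illustration. Note that set_ciphers() only governs TLS 1.2 and below: TLS 1.3 suites stay enabled and always use an ephemeral key exchange.

```python
import socket
import ssl

def key_exchange(name):
    """Classify an OpenSSL cipher-suite name by its key exchange."""
    if name.startswith("TLS_"):
        return "TLS1.3"   # TLS 1.3 suites: key exchange is always ephemeral
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith("DHE-"):
        return "DHE"
    return "other"        # static RSA, PSK, ... (no DHE/ECDHE prefix)

def offered(ctx):
    """Group the suites a context would offer by key-exchange class."""
    groups = {}
    for cipher in ctx.get_ciphers():
        groups.setdefault(key_exchange(cipher["name"]), []).append(cipher["name"])
    return groups

def dhe_only_context():
    """Client context whose TLS 1.2-and-below list contains only DHE suites."""
    ctx = ssl.create_default_context()   # certificate verification stays on
    ctx.set_ciphers("DHE+AESGCM")        # assumed suite selection for this example
    return ctx

def negotiated_suite(host, ctx, port=443, timeout=5):
    """Handshake with host; return (suite, protocol), or None if the
    connection or handshake fails (e.g. no suite in common)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
                return name, proto
    except OSError:                      # ssl.SSLError is a subclass of OSError
        return None

if __name__ == "__main__":
    for label, ctx in (("default", ssl.create_default_context()),
                       ("DHE-only", dhe_only_context())):
        print(label, {k: len(v) for k, v in offered(ctx).items()})
```

Calling negotiated_suite() with the restricted context against a server that offers no DHE suite returns None, which is the "fewer sites to visit" effect the post mentions.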