Topic: Mediacom is Hijacking HTTP Requests to Google and 404 Responses from Other Sites

JoshL

  • Newbie
All,

Mediacom has used DNS hijacking to steer customers toward their revenue-generating search portal for a long time. However, they have recently started using an even more unacceptable practice in Iowa. Now, Mediacom is actually hijacking legitimate HTTP requests to Google and legitimate HTTP responses from other sites that have status code 404. This is happening regardless of whether you have "opted out" at their preferences page or not. I have written a blog including technical details, network captures, and a YouTube video demonstrating the problem. That blog can be found here:

http://mediacomhijacking.blogspot.com

I have opened a support ticket on my home account and my employer's business account and have filed an FCC complaint with regard to this issue, but I am posting this as well to make other users aware of exactly how Mediacom is hijacking their traffic. My blog post also provides solutions to two of the three unacceptable behaviors being exhibited by Mediacom.

Thanks,
Josh

MediacomBryan

  • Mediacom Social Media Relations Team
  • Global Moderator
Josh-

I'm investigating your failure to opt out of 404 redirects when you opt out of the rest. I'll get back with you shortly.

Bryan

JoshL

  • Newbie
Bryan,

Thank you. To be clear - I am also currently intermittently experiencing the Google redirects in addition to the 404 redirects. The only redirect I don't experience is the DNS redirect, and that is probably only because I do not use Mediacom's DNS servers. My place of employment is experiencing both the 404 and Google redirects and has also opted out, and a friend's home connection is displaying the same behavior, so this is not something isolated to my account or even the local node I am connected to. (The business and friend's house are both more than 20 miles away in a separate city.)

Josh

JoshL

  • Newbie
Has there been any progress on this issue? As of right now, Mediacom is still perpetrating a man-in-the-middle attack on 404 URLs to direct traffic to the Mediacom search engine.

Josh

MediacomBill

  • Mediacom Social Media Relations Team
  • Global Moderator
Hello, I was reviewing this thread. Can you please supply me with your account number or home phone number via personal message? To send me a personal message, just click on the "voice bubble" next to my name.
Thank you

MediacomBryan

  • Mediacom Social Media Relations Team
  • Global Moderator
Josh-

No, not yet. I have a good guess what may be causing this but I'm waiting on another group to continue its investigation. I likely won't have an update until Mon/Tue.

Thanks
Bryan

2ndirritatedcustomer

  • Guest
I am also experiencing the same problem.  What is going on?

Psyfer9983

  • Jr. Member
I replied to the other topic about this problem, I had this to say.

I am also getting this, I live in IL. This is nonsense!!! In my Firefox browser you can clearly, AND I DO MEAN CLEARLY, see that the Google searches get redirected to Mediacom. You type your keyword or words in the Firefox address bar, Firefox runs to Google and searches, then I can see the URL for the Google search and then it gets redirected to assist.mediacom.com. THIS HAS TO STOP!!! It's very annoying. I have read tons of forums on this problem and I agree that this is a method of hijacking URL requests. So far I only get this when typing a keyword or words in the address bar. This is happening on all my PCs on my network, 5 total, and 2 of the PCs are clean installs of Windows 7. So it's not a virus or malware or anything similar. I know it's not Google. I have taken my laptop which does this crap and took it to my friend's house. It does not redirect to assist.mediacom.com, he has DSL through Clearwave. I also don't get this when I tether through my phone's 3G, which is Verizon. So it's clear to me that it is Mediacom at fault.

MediacomBill

  • Mediacom Social Media Relations Team
  • Global Moderator
Please send me your account information via personal message. To do so, just click on the "voice bubble" under my name on the left side of the post.

JoshL

  • Newbie
Psyfer,

You can change the keyword.URL about:config key in Firefox to use SSL or to not have the particular signature Mediacom is using to hijack your requests. I agree that this needs to be fixed at the server level because it is simply wrong for Mediacom to be stealing a legitimate site's traffic, but better to change that key in the short term than reward Mediacom with ad views for perpetrating this attack.

My keyword.URL key value is:
https://encrypted.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

Josh

MediacomChrisL

  • Mediacom Social Media Relations Team
  • Global Moderator
All,

   We are now doing retesting of this and need some fresh examples. If any of you could please recreate this redirect and please PM me your Account#, Name on the account & Telephone#, it would be a lot of help.

Thanks
Chris

JoshL

  • Newbie
Chris,

As of right now, I am unable to reproduce the behavior from my home account. I want to very sincerely thank you and the entire team for working on this issue. I'll keep checking to make sure it doesn't return at home and I will check it on the business account tomorrow when I return to the office.

I also updated the blog from the original post with the information about a possible resolution.

Let me know if I can provide any additional testing or diagnostic information.

Josh

MediacomBill

  • Mediacom Social Media Relations Team
  • Global Moderator
I pass that on to Chris.

MediacomChrisL

  • Mediacom Social Media Relations Team
  • Global Moderator
JoshL,

  Thank you very much, it's appreciated! If this does happen again, please let me know so we can get this fixed ASAP. I apologize for this happening in the first place.

Chris

JoshL

  • Newbie
All,

I spoke too soon. The Google hijacking has returned. Do you still have my account info or do you need it again? As of right now, the 404 hijacking is not occurring.

Josh

MediacomBill

  • Mediacom Social Media Relations Team
  • Global Moderator
We still have it.

JoshL

  • Newbie
Any update on this issue? I am still seeing Google hijacking. On the plus side, 404 hijacking hasn't returned since yesterday.

Thanks,
Josh

MediacomBill

  • Mediacom Social Media Relations Team
  • Global Moderator
Engineering is working on it as we speak. I do not have a fix date yet. Will post here when completed.

JoshL

  • Newbie
Bill,

Thank you. I appreciate the update.

Josh.

amish_geek

  • Newbie
We are experiencing this issue as well.  I have a ticket # that I opened today with support for our commercial internet account.


The hijacking is specific.  It only redirects when it detects specific user agents, and it appears to be whitelisting major domains.  I.e., I cannot get a 404 error on google.com, youtube.com, digg.com etc.  But every single 404 error on my personal websites and company servers which actually returns a 404 header response gets redirected.

Code:

== Mimicking a standard Mozilla user-agent ==

C:\>curl --trace-ascii dump.txt -iL http://login.myinnsite.com/notfound -H "Accept: text/xml,application/xhtml+xml" -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" -H "Cookie: innsiteLocationPlan=0"
HTTP/1.1 200 OK

<HTML><script>window.location='http://assist.mediacomcable.com/mediacomassist_pnf/dnsassist/main/?domain='+escape(window.location);</script><body>The Search Guide redirection service has been enabled to provide helpful searches from browser queries. You entered a non-existent url and your browser attempted to redirect you with Javascript. To enable this please update your browser preferences. <a href='http://search.mediacomcable.com/prefs.php'>To turn off this feature please click this here</a></body></HTML>

== Not mimicking user-agent ==

C:\>curl --trace-ascii dump.txt -iL http://login.myinnsite.com/notfound -H "Accept: text/xml,application/xhtml+xml"
HTTP/1.1 404 Not Found
Date: Mon, 31 Jan 2011 21:50:27 GMT
Server: Apache/2.2.11 (FreeBSD) mod_ssl/2.2.11 OpenSSL/0.9.8e DAV/2 PHP/5.2.8 with Suhosin-Patch
Content-Length: 206
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /notfound was not found on this server.</p>
</body></html>




EDIT:  It appears that any 404 error/page with a <meta name="generator" /> in it does not get hijacked.  So WordPress and other 404 errors which include a generator value are not hijacked, but default server 404's are.


So Mediacom is filtering 404's without a "generator" and matching most major user agents, while whitelisting major domains like Google.
« Last Edit: January 31, 2011, 05:22:55 PM by amish_geek »
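
The by-hand comparison in the post above can be scripted. The following is an added example, not part of the thread: it takes two captured responses for the same nonexistent URL, one sent with a browser User-Agent and one without, and lists the signs of in-path rewriting visible in that capture. The sample responses are constructed by trimming the posted capture, and `parse_response` and `tamper_indicators` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# Constructed samples, trimmed from the capture posted above.
URL = "http://login.myinnsite.com/notfound"
BROWSER_UA_RESPONSE = (
    "HTTP/1.1 200 OK\n\n"
    "<HTML><script>window.location='http://assist.mediacomcable.com/"
    "mediacomassist_pnf/dnsassist/main/?domain='+escape(window.location);"
    "</script><body>The Search Guide redirection service ...</body></HTML>"
)
DEFAULT_UA_RESPONSE = (
    "HTTP/1.1 404 Not Found\n"
    "Server: Apache/2.2.11 (FreeBSD)\n"
    "Content-Type: text/html; charset=iso-8859-1\n\n"
    "<html><head><title>404 Not Found</title></head></html>"
)
REDIRECT_RE = re.compile(r"window\.location\s*=\s*['\"](https?://[^'\"]+)", re.I)

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def tamper_indicators(requested_url, browser_raw, default_raw):
    """Compare a browser-UA fetch and a default-UA fetch of one missing URL."""
    origin_host = urlsplit(requested_url).hostname
    b_status, b_headers, b_body = parse_response(browser_raw)
    d_status, d_headers, _ = parse_response(default_raw)
    findings = []
    if b_status != d_status:
        findings.append(f"status differs by User-Agent: {b_status} vs {d_status}")
    if "server" in d_headers and "server" not in b_headers:
        findings.append("origin Server header missing from browser-UA response")
    match = REDIRECT_RE.search(b_body)
    if match and urlsplit(match.group(1)).hostname != origin_host:
        foreign = urlsplit(match.group(1)).hostname
        findings.append("script redirect to foreign host: " + foreign)
    return findings

if __name__ == "__main__":
    for finding in tamper_indicators(URL, BROWSER_UA_RESPONSE, DEFAULT_UA_RESPONSE):
        print(finding)
```

Fed real captures (for example the header and body output of the two curl commands above), an empty list means both fetches agree and nothing in the path rewrote the response.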